• Three generations of flaws
  – Classic stack smashing
  – Off-by-one errors
  – Format string bugs and heap overruns
• What are buffer overruns?
  – Program allocates a contiguous chunk of memory of fixed size to store data (a buffer)
  – Amount of data copied to buffer exceeds its capacity and overwrites other memory
• Why are they a problem?
  – Many critical programs are written in C/C++…
  – …but C/C++ have no run-time bounds checking
Memory Layout: A Reminder
• Text segment holds program instructions (read-only)
• Data and BSS segments provide storage for static/global data
• Stack and heap change size as program executes
• Stack holds information about context of function calls in a stack frame
  – Function parameters
  – Local variables
  – Saved register information
  – Return address for call
• Sensible choice of strncpy in place of strcpy
• …but attempt to null-terminate the copied string results in a one-byte overrun
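Added example, not code from the original slides: the off-by-one described above (the terminator written at dst[n], one byte past the buffer) beside a bounded copy that leaves room for the terminator. A struct stands in for the stack frame so the check stays well-defined; the names copy_offbyone, copy_bounded, struct frame_sim and guard_survives are ours.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original slides. Names copy_offbyone,
 * copy_bounded, struct frame_sim and guard_survives are ours. */

/* A struct stands in for the stack frame: 'buf' is the local buffer and
 * 'guard' is the byte immediately after it (where saved EBP would sit).
 * Writing inside a struct we own keeps the demonstration well-defined. */
struct frame_sim {
    char buf[8];
    unsigned char guard;
};

/* BUGGY form. strncpy fills at most n bytes and may not terminate, so the
 * author adds a terminator: but dst[n] is the byte AFTER the buffer.
 * Kept for comparison only; nothing below calls it. */
void copy_offbyone(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
    dst[n] = '\0';                 /* one-byte overrun */
}

/* Fixed form: copy at most dstsize-1 bytes and terminate inside the
 * buffer. Returns 1 if src did not fit (truncated), 0 otherwise. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return 1;
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return strlen(src) >= dstsize;
}

/* Copy src into the simulated frame with copy_bounded and report whether
 * the neighbouring byte survived. *truncated receives the truncation
 * flag. Returns 1 if guard is intact and buf is terminated, else 0. */
int guard_survives(const char *src, int *truncated)
{
    struct frame_sim f;
    f.guard = 0xAA;
    *truncated = copy_bounded(f.buf, sizeof f.buf, src);
    return f.guard == 0xAA && f.buf[sizeof f.buf - 1] == '\0';
}

int main(void)
{
    int trunc;
    int ok = guard_survives("this string is far too long", &trunc);
    printf("guard intact: %d, truncated: %d\n", ok, trunc);
    return 0;
}
```

The guard byte plays the role of the saved EBP: with copy_bounded it is never touched, however long the input, and the caller still learns (via the return value) that the input was cut short.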
• Preconditions
  – Buffer next to saved EBP
  – 32-bit alignment
  – Little-endian architecture
• Event
  – Attempt to null-terminate buffer contents, resulting in one-byte overrun
• Consequences
  – LSB of saved EBP now zero
  – Saved EBP now points lower in memory—possibly into buffer itself
• Just before function exit, saved EBP is popped off stack into EBP register
• On function exit, saved EIP is restored to EIP register and control returns to caller
• Just before caller exits, stack pointer is moved to address in EBP register, with aim of restoring the saved EIP…
• …instead, attacker-supplied address is loaded into EIP register, and we have control!
• Format string vulnerabilities
  – First appeared in Summer 2000
  – Affect the *printf family of functions
  – Allow reading from & writing to arbitrary addresses
  – Easy to exploit, but also easy to find and fix
• Heap overruns
  – Less standardized than format string bugs
  – Allow writing of arbitrary data to arbitrary addresses
  – Hard to exploit, but also hard to detect
• Two ways of printing a string in C:
  – printf("%s", input)
  – printf(input)
• Lazy programmers may do the latter, but what if input contains format specifiers?
• %n specifier will write data onto the stack
  – Value could be address of some shellcode…
  – …which could overwrite saved EIP in stack frame
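Added example, not code from the original slides: the two ways of printing a string side by side. The vulnerable form printf(input) appears only in a comment; the hardened helper always supplies its own format string (and bounds its output with snprintf), so a "%x" or "%n" in the input is printed as ordinary text. A small review aid counts conversion directives in a value, which flags strings that must never be used as a format argument. The names render_untrusted and count_directives are ours.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original slides. Names render_untrusted
 * and count_directives are ours. */

/* VULNERABLE form (do not use):
 *     printf(input);   // the untrusted string becomes the format string
 * Any conversion directive in input makes printf read arguments it was
 * never given; %n makes it write. */

/* Hardened form: fixed format string, bounded output. Returns the number
 * of characters written (excluding the terminator), or -1 if the output
 * did not fit in outsz bytes. */
int render_untrusted(char *out, size_t outsz, const char *input)
{
    int n = snprintf(out, outsz, "user said: %s", input);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                 /* snprintf reports the length it WOULD need */
    return n;
}

/* Review/validation aid: count conversion directives in a string, i.e.
 * '%' characters not forming the literal escape "%%". A string with a
 * nonzero count must never reach any *printf as its format argument. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {         /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char line[64];
    const char *input = "%x %x %n";        /* constructed hostile-looking input */
    printf("directives in input: %d\n", count_directives(input));
    if (render_untrusted(line, sizeof line, input) >= 0)
        puts(line);                         /* the directives come out as text */
    return 0;
}
```

Because the format string is a compile-time constant, the compiler can also type-check the arguments against it, which it cannot do for printf(input).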
• If possible, use languages with intrinsic run-time bounds checking instead of C or C++
  – Java, C#, Python, Perl, etc
• When writing C++, use its features rather than those of C standard library
  – std::string class, not char* and strcpy, etc
• Use C library functions very carefully
  – Never, ever, use gets!
  – Prefer ‘safe’ versions of other functions
• High-risk functions include
  – strcat, strcpy: use strncat, strncpy – carefully!
  – printf, sprintf, vsprintf: always use a format string; use snprintf, not sprintf
  – scanf, sscanf, vscanf, vsscanf
  – getopt, getpass, realpath, syslog: truncate string arguments before passing them in
• Some risk with other functions
  – See WSC2 or BSS for more information
  – Always check destination buffer is as big as you are claiming, and watch out for off-by-one errors!
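Added example, not code from the original slides: a replacement for strcat that takes the real destination size, never writes past it and reports truncation, which is the "check the destination buffer is as big as you are claiming" rule in code. It goes a step beyond the slide with a bounded join over several strings built on the same helper. The names append_bounded and join_bounded are ours.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original slides. Names append_bounded
 * and join_bounded are ours. */

/* Append src to the terminated string already in dst, writing at most
 * dstsize bytes in total (terminator included). Returns 0 on success and
 * -1 if src was cut short. If dst is not terminated within dstsize
 * (a caller's mistake), nothing is written and -1 is returned. */
int append_bounded(char *dst, size_t dstsize, const char *src)
{
    const char *end = memchr(dst, '\0', dstsize);
    if (end == NULL)
        return -1;                         /* refuse: would have to scan past dst */
    size_t used = (size_t)(end - dst);
    size_t room = dstsize - used - 1;      /* bytes available for src */
    size_t srclen = strlen(src);
    size_t n = srclen < room ? srclen : room;
    memcpy(dst + used, src, n);
    dst[used + n] = '\0';                  /* always terminate inside dst */
    return srclen <= room ? 0 : -1;
}

/* Generalisation: join several strings with a separator, stopping as
 * soon as the buffer is full. Returns the number of parts appended in
 * full. */
size_t join_bounded(char *dst, size_t dstsize, const char *sep,
                    const char *const *parts, size_t nparts)
{
    size_t done = 0;
    if (dstsize == 0)
        return 0;
    dst[0] = '\0';
    for (size_t i = 0; i < nparts; i++) {
        if (i > 0 && append_bounded(dst, dstsize, sep) != 0)
            break;
        if (append_bounded(dst, dstsize, parts[i]) != 0)
            break;
        done++;
    }
    return done;
}

int main(void)
{
    char line[16];   /* deliberately small to show truncation */
    const char *const fields[] = { "alice", "login", "ok", "extra-long-field" };
    size_t n = join_bounded(line, sizeof line, ",", fields, 4);
    printf("%s (%zu of 4 fields fit)\n", line, n);
    return 0;
}
```

Unlike strncat, whose size argument counts bytes of src rather than space left in dst, append_bounded is passed the destination's true size, so the bound cannot drift out of step with the buffer declaration.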
Safety Through Recompilation
• Compile against safer version of C library
• Use compiler support for array bounds checking
  – Patches for GCC: http://web.inter.nl.net/hcc/Haj.Ten.Brugge/
  – /RTCs compiler option in Visual C++ .NET
• Protect return address on stack with a canary
  – StackGuard, http://www.immunix.org/stackguard.html
  – /GS compiler option in Visual C++ .NET
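Added example, not code from the original slides or from StackGuard: a user-level model of the canary idea. A secret value is placed between a local buffer and the saved frame data, and it is checked before the frame is torn down; an overrun that reaches the saved data has to pass through the canary and is detected. The names struct guarded_frame, CANARY_SEED, sloppy_fill and frame_intact are ours, and the canary is a fixed constant only for reproducibility (a real implementation draws it at process start).

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original slides. Names struct
 * guarded_frame, CANARY_SEED, sloppy_fill and frame_intact are ours. */

#define CANARY_SEED 0x1badc0deUL   /* constructed value; real canaries are random */

/* Layout mirrors a protected frame: the buffer comes first, then the
 * canary, then the saved frame data an overrun would otherwise reach. */
struct guarded_frame {
    char buf[8];            /* the local buffer */
    unsigned long canary;   /* placed between locals and saved data */
    unsigned long saved_fp; /* stands in for saved EBP / return address */
};

/* Models a copy that ignores sizeof buf and writes 'len' bytes from the
 * start of the frame. Writing through an unsigned char pointer to the
 * struct stays well-defined as long as we remain inside the object, so
 * the overrun is modelled without real undefined behaviour. */
void sloppy_fill(struct guarded_frame *f, const char *src, size_t len)
{
    unsigned char *p = (unsigned char *)f;
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(p, src, len);
}

/* Set up a frame, perform the fill, then run the epilogue check that
 * StackGuard / GS insert. Returns 1 if the canary is intact (safe to
 * return), 0 if it was smashed. */
int frame_intact(const char *src, size_t len)
{
    struct guarded_frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_SEED;
    f.saved_fp = 0xdeadbeefUL;             /* constructed placeholder */
    sloppy_fill(&f, src, len);
    return f.canary == CANARY_SEED;
}

int main(void)
{
    printf("8-byte write:  canary intact = %d\n",
           frame_intact("AAAAAAAA", 8));
    printf("16-byte write: canary intact = %d\n",
           frame_intact("AAAAAAAAAAAAAAAA", 16));
    return 0;
}
```

The check only sees writes that run contiguously off the end of a stack buffer; a write that lands directly on heap, data or BSS memory never crosses the canary, which is the limitation the next slide notes.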
• Requires kernel patch
• Won’t trap overruns in heap, data or BSS segments
• libverify
  – Binary rewriting of process memory to force stack verification prior to use
• libsafe, http://www.research.avayalabs.com/project/libsafe/
  – Estimates safe upper limit on buffer size at run time
  – Intercepts dangerous library calls, substituting versions that respect buffer size limit
• Buffer overruns and related flaws are the major cause of security problems in software
• Attacks are varied, but typically involve transfer of control to shellcode supplied by attacker
• Partial solutions exist
  – Compilation of run-time checks into code
  – Transparent memory protection
• Best solution is to avoid C/C++ if possible, or avoid dangerous C library function calls