Dearthis task is discussion,please find the attachments.All the best.
bufferoverflow.pptx
discussion_3.docx
Unformatted Attachment Preview
Buffer Overflow
Questions
• How do we keep programs free from flaws?
• How do we protect computing resources
against programs that contain flaws?
Introduction
• Program flaws take many forms
– Inadvertent human errors
– Malicious human errors
• System attack – exploiting an unintentional
program flaw to perform intentional
damage
Techniques to Stop all Program Flaws?
• Sadly no…
• Almost impossible to ensure that a
program does precisely what was
intended and nothing more
• Programming techniques change and
evolve more rapidly that computer
security techniques
Types of Flaws
• Input validation error
• Inadequate identification and authentication
• Other exploitable logic errors
Buffer Overflows
• Buffer (or array or string) = space in which
data is held
What is a Buffer Overflow?
• It is to overwrite the parts of the memory,
which aren’t supposed to be overwritten, by a
segment of code and making the process
execute it.
• Mostly due to lack of safe string-handling
routines and no run-time checking of array
boundaries.
Buffer overflow
• Depending on the location of the memory and
the size of the overflow, a buffer overflow may
go undetected but can:
– corrupt data
– cause misbehavior
– terminate the program abnormally
Process Memory Organization
Text Segment
• Read-only segment
• Contains the assembly instructions for the
program
• There is instruction pointer that points to the
Next instruction to be executed.
Data Segment
•
•
•
•
Contains static and global Data
Fixed size
Initialized Data Segment
Uninitialized Data Segment
(Also refer to as block storage segment (BSS))
Stack segment
• Stack pointer (register) points to the top of
the stack; either to the last element on the stack
or the next free available memory on the stack,
depends on the implementation.
Activation/Stack Frame
•
•
•
•
Parameters
Local data
Saved state information
Frame pointer
– Base pointer register
– When a function is called the frame pointer of calling
function is also pushed on the stack
• Return address
• Temporary storage
Heap Segment
• Segment of memory which holds dynamic data
that is allocated and deallocated through
library procedures.
• Grows towards the stack
Example
Void main () {
char buf [1024];
gets (buf);
}
Buffer Overflow Sources in C
• No bound check on arrays and pointer
references.
• Several unsafe string operations in C Library
– Strcpy()
– Gets()
Buffer Overflow
bool rootPriv = false;
char name[8];
cin >> name;
• When the program reads the name “Smith”
S
m
i
t
h
char name[8]
false
rootPriv
Buffer Overflow
bool rootPriv = false;
char name[8];
cin >> name;
• When the program reads the name “Armstrong”
A
r
m
s
t
r
char name[8]
o
n
g
rootPriv
Overflow
• A buffer overflow exploit occurs when a user
enters data that exceeds the memory reserved
for the input. The input can change adjacent
data or the return address on the stack.
char myStuff[4];
W X
Y
Z
0
0
0
0
Program Stack
Return address
16
4
4
4
AAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA
buffer
sfp
ret
*str
The return address is overwritten with ‘AAAA’ (0x41414141)
Function exits and goes to execute instruction at 0x41414141…..
Top of memory
Bottom of stack
Bottom of memory
Top of stack
Example
So What?
• We have seen how we can overwrite the return
address of our own program to crash it or skip
a few instructions.
• How can these principles be used by an
attacker to hijack the execution of a program?
Buffer Overrun Results
• If you are lucky, you get an access violation error
– Denial of service against servers
• If you are unlucky, you get instability
– Difficult to debug
• If you are really unlucky, the hacker injects code into
your process and then executes it with the same
privileges as the process
– Hence, use the principle of least privilege
– Use least privileged accounts to run processes
Output to figure out the Next Instr Addr
What can the attackers do once they
are executing code?
• Use any privileges of the process! If the
process is running as root or Administrator, it
can do whatever it wants on the system.
• Even if the process is not running as root, it
can send spam, read files, and interestingly,
attack or subvert other machines behind the
firewall.
why didn’t the OS notice that the
buffer has been overrun?
• As far as the OS is aware, nothing strange has
happened! Remember that, to a first
approximation, the OS only gets invoked when
the program does IO or IPC.
• Other than that, the OS basically sits back and
lets the program execute, relying on hardware
to prevent processes from tampering with
each other’s memory.
Approaches
• Approach #1: Avoid bugs in C code
• Approach #2: Build tools to help programmers
find bugs
• Approach #3: Use a memory-safe language
(JavaScript, C#, Python).
Malicious code
• Malicious code can be:
• A program
• A part of a program
• A program attached to another program
Crafting an Exploit
• Find a vulnerability
• Overwrite the return address to direct the
control flow to a place of your choosing
– Back to injected code on the stack/heap
• Directly or indirectly
– To code already in the program (or libraries)
Shellcode
• A shellcode is a small piece of code used in the
exploitation of a software vulnerability and is
injected into the memory.
• Easily available on the Internet
Kinds of Malicious Code
• Malicious code/rogue program – generic
name for unanticipated or undesired effects
in programs caused by an agent intent on
damage
• Virus – program that can pass on malicious
code to other nonmalicious programs by
modifying them
– Transient – runs with attached program
– Resident – remains active after attached
program ends
Kinds of Malicious Code
(continued)
• Trojan horse – in addition to its primary function, has a
nonobvious malicious effect
• Logic bomb – goes off when a specified condition
occurs
• Time bomb – logic bomb whose trigger is a time or date
• Trapdoor/backdoor – an access to a program other than
the obvious direct call
• Worm – spreads or copies itself through a network
How Viruses Attach
• A virus has to be executed
– Attaches itself to a program and runs whenever
the program runs – simple and effective
Virus
Original
Program
Virus
Original
Program
Problematic Virus Qualities
• Hard to detect
• Hard to destroy or deactivate
• Spreads infection widely
DETECTION AND PREVENTION
OF BUFFER OVERFLOW
ATTACKS
Buffer Overflow
• The goals of buffer overflows are to change
variables, return addresses, or function pointers.
Variables and function pointers may be modified
by overflows in any area, while return addresses
may be modified only on the stack. Changing
return addresses and function pointers alter flow
of control, while changing variables results in
changes to data.
• Example of data buffer overflow: username &
password which were allocated next to each other.
Preventing Buffer Overflows
➢Detect and remove vulnerabilities from the
source code (code auditing)
➢Time consuming and many vulnerabilities will
be missed
➢Prevent code injection
➢Detect code injection
➢Prevent code execution
Kernel-enforced Techniques
• Non-executable memory pages:
– Make the memory that holds the stack, heap,
anonymous memory mappings and any section not
specifically marked as executable.
– Every memory mapping should have permission
attributes.
– Under normal operation, a memory segment may
have both write and execute permissions; however,
to prevent buffer overflows this should not be
allowed.
Kernel-enforced Techniques
• Address Space Layout Randomization
– Randomizes the layout of the process address
space, e.g. the locations of the stack, heap, loaded
libraries and executable binaries, etc.
– It reduces the success rate of an exploit that relies
on hardcoded addresses.
Stack-gap randomization
• Introduce random gaps between objects
– Randomly pad between frame pointer and local
variables
– Randomly pad between static variables
Compiler-enforced Techniques
• Stack Guard
– Places a “canary” on the stack between stack
pointer and the return address
– Initialized to some random number at program
start up
– Before using the return address, it checks the
canary with the initial value. If it is different, there
was an overflow and the program terminates.
Stack Guard
Low address
Local Variables
Old Frame Pointer
Canary Value
Return Address
Arguments
High address
Stack Guard
• Canary value must be either hard to guess or it
may use a special fix value composed of 0,
CR, LF and -1
• These special values are very difficult to be
inserted as part of the exploit
Compiler-enforced Techniques
• ProPolice Stack-Smashing Protection (SSP)
– Re-arranges argument locations, return addresses,
previous frame pointers and local variables.
– Allocate space for the buffers and local variables
below the return address.
– Overflowing a buffer doesn’t overwrite the return
address
ProPolice Stack-Smashing Protection
Low address
Arguments (A)
Return Address
Old Frame Pointer
Canary Value
Arrays (B)
High address
Local Variables (C )
Stack Shield
• A Linux security add-on
• Maintain a different stack of return addresses
in a different data segment (Global Return
Stack).
• Upon return, copies RA from GRS to the run –
time stack.
• Prevents an attack but does not detect it – it
does not compare values.
RAD
• Return address defender (RAD)
• Similar to StackShield stores a copy of return
addresses in a repository.
• It uses the OS memory protection and makes
the repository/ memory page read-only.
Instruction Set Encryption
• Encrypt code segment in memory
• Decrypt on CPU just before execution
• Injected code would need to guess the key to
be able to properly encrypt
• Needs hardware support to be efficient!
Proof-carrying Code
• Binary programs are bundled with a
machine-verifiable “proof” of what the
program is going to do.
• Execution behavior of the program is
observed by a security monitor
• Any deviations will be flagged
SmashGuard
• Hardware supported technique
• Modifies CALL instruction
• Stores copy of the return address within the
processor area.
• Raises a hardware exception if there is a
discrepancy
– Explain the buffer overflow problem.
– Give one real life example of buffer overflow attacks (research on the web).
…
Purchase answer to see full
attachment
Recent Comments