Computer Security CS 426 Lecture 7 - PowerPoint PPT Presentation

1 / 29
About This Presentation
Title:

Computer Security CS 426 Lecture 7

Description:

String functions will not copy beyond terminator. ... if either operand is an unsigned long, both are cast to an unsigned long ... – PowerPoint PPT presentation

Number of Views:32
Avg rating:3.0/5.0
Slides: 30
Provided by: cristinan2
Category:

less

Transcript and Presenter's Notes

Title: Computer Security CS 426 Lecture 7


1
Computer Security CS 426Lecture 7
  • Software Vulnerabilities (Continued)

2
Readings for this and the last lecture
  • Security in Computing
  • 3.1, 3.2
  • Counter Hack Reloaded
  • Chapter 7
  • Additional readings
  • Buffer Overflows Attacks and Defenses for the
    Vulnerability of the Decade, Crispin Cowan, et
    al.
  • Smashing The Stack For Fun And Profit, Aleph One
  • wikipedia topics buffer overflow, format string
    attack

3
Review
  • Steps in a standard break-in
  • Get your foot in the door
  • Use partial access to gain root (admin) access
  • Set up some way to return
  • Cover your tracks
  • Common software vulnerabilities
  • Input validation, Buffer overflows, Format string
    problems, Integer overflows, Race conditions

4
Buffer Overflow
  • Stack overflow
  • Shell code
  • Return-to-libc
  • Overflow sets ret-addr to address of libc
    function
  • Off-by-one
  • Overflow sets the least significant byte of
    stored stack frame pointer to 0
  • Heap overflow

5
Heap Overflow
  • Heap overflow is a general term that refers to
    overflow in data sections other than the stack
  • buffers that are dynamically allocated, e.g., by
    malloc
  • statically initialized variables (data section)
  • uninitialized buffers (bss section)

6
An Example of Heap Overflow
  • FILE tmpfd
  • static char bufBUFSIZE, tmpfile
  • tmpfile "/tmp/vulprog.tmp"
  • gets(buf)
  • tmpfd fopen(tmpfile, "w")

Does not change the control flow.
7
Preventing Buffer Overflow Attacks
  • Non-executable stack
  • Static source code analysis.
  • Run time checking StackGuard, Libsafe, SafeC,
    (Purify).
  • Randomization.
  • Type safe languages (Java, ML).
  • Legacy code?
  • Detection deviation of program behavior
  • Sandboxing
  • Many more (covered later in course)

8
Marking stack as non-execute
  • Basic stack exploit can be prevented by marking
    stack segment as non-executable.
  • Support in SP2. Code patches exist for Linux,
    Solaris.
  • Problems
  • Does not defend against return-to-libc exploit.
  • Some apps need executable stack (e.g. LISP
    interpreters).
  • Does not block more general overflow exploits
  • Overflow on heap overflow buffer next to func
    pointer.

9
Static source code analysis
  • Statically check source code to detect buffer
    overflows.
  • Several consulting companies.
  • Can we automate the review process?
  • Several tools exist
  • Coverity (Engler et al.) Test trust
    inconsistency.
  • Microsoft program analysis group
  • PREfix looks for fixed set of bugs (e.g.
    null ptr ref)
  • PREfast local analysis to find idioms for prog
    errors.
  • Berkeley Wagner, et al. Test constraint
    violations.
  • Find lots of bugs, but not all.

10
Bugs to Detect
  • Some examples
  • Crash Causing Defects
  • Null pointer dereference
  • Use after free
  • Double free
  • Array indexing errors
  • Mismatched array new/delete
  • Potential stack overrun
  • Potential heap overrun
  • Return pointers to local variables
  • Logically inconsistent code
  • Uninitialized variables
  • Invalid use of negative values
  • Passing large parameters by value
  • Underallocations of dynamic data
  • Memory leaks
  • File handle leaks
  • Network resource leaks
  • Unused values
  • Unhandled return codes
  • Use of invalid iterators

11
Run time checking StackGuard
  • Many many run-time checking techniques
  • Solutions 1 StackGuard (WireX)
  • Run time tests for stack integrity.
  • Embed canaries in stack frames and verify their
    integrity prior to function return.

Frame 1
Frame 2
topofstack
str
ret
sfp
local
canary
str
ret
sfp
local
canary
12
Canary Types
  • Random canary
  • Choose random string at program startup.
  • Insert canary string into every stack frame.
  • Verify canary before returning from function.
  • To corrupt random canary, attacker must learn
    current random string.
  • Terminator canary Canary 0, newline,
    linefeed, EOF
  • String functions will not copy beyond terminator.
  • Hence, attacker cannot use string functions to
    corrupt stack.

13
StackGuard (Cont.)
  • StackGuard implemented as a GCC patch.
  • Program must be recompiled.
  • Minimal performance effects 8 for Apache.
  • Newer version PointGuard.
  • Protects function pointers and setjmp buffers by
    placing canaries next to them.
  • More noticeable performance effects.
  • Note Canaries dont offer fullproof protection.
  • Some stack smashing attacks can leave canaries
    untouched.

14
Windows XP SP2 /GS
  • Non executable stack.
  • Compiler /GS option
  • Combination of ProPolice and Random canary.
  • Triggers UnHandledException in case of Canary
    mismatch to shutdown process.
  • Litchfield vulnerability report.
  • Overflow overwrites exception handler.
  • Redirects exception to attack code.

15
Run time checking Libsafe
  • Solutions 2 Libsafe (Avaya Labs)
  • Dynamically loaded library.
  • Intercepts calls to strcpy (dest, src)
  • Validates sufficient space in current stack
    frame frame-pointer dest gt strlen(src)
  • If so, does strcpy. Otherwise, terminates
    application.

topofstack
dest
ret-addr
sfp
src
buf
ret-addr
sfp
main
libsafe
16
More methods
  • StackShield
  • At function prologue, copy return address RET and
    SFP to safe location (beginning of data
    segment)
  • Upon return, check that RET and SFP is equal to
    copy.
  • Implemented as assembler file processor (GCC)

17
Randomization Motivations.
  • Buffer overflow and return-to-libc exploits need
    to know the (virtual) address to which pass
    control
  • Address of attack code in the buffer
  • Address of a standard kernel library routine
  • Same address is used on many machines
  • Slammer infected 75,000 MS-SQL servers using same
    code on every machine
  • Idea introduce artificial diversity
  • Make stack addresses, addresses of library
    routines, etc. unpredictable and different from
    machine to machine

18
Randomization
  • PaX Address Space Layout Randomization
  • Randomize location of libc.
  • Attacker cannot jump directly to exec function.
  • Attacks
  • Repetitively guess randomized address
  • Spraying injected attack code
  • Instruction Set Randomization (ISR)
  • Each program has a different and secret
    instruction set
  • Use translator to randomize instructions at
    load-time
  • Attacker cannot execute its own code.

19
Other Bugs
20
Format string problem
  • int func(char user)
  • fprintf( stdout, user)
  • Problem what if user sssssss ??
  • Most likely program will crash DoS.
  • If not, program will print memory contents.
    Privacy?
  • Full exploit using user n
  • Correct form
  • int func(char user)
  • fprintf( stdout, s, user)

21
History
  • Danger discovered in June 2000.
  • Examples
  • wu-ftpd 2. remote root.
  • Linux rpc.statd remote root
  • IRIX telnetd remote root
  • BSD chpass local root

22
Vulnerable functions
  • Any function using a format string.
  • Printing
  • printf, fprintf, sprintf,
  • vprintf, vfprintf, vsprintf,
  • Logging
  • syslog, err, warn

23
Integer Overflow
  • Direct causes
  • Truncation
  • Integer casting
  • Example
  • const long MAX_LEN 20K
  • short len strlen(input)
  • if (len lt MAX_LEN)
  • // do something
  • How long does input needs to be to bypass the
    check?

24
Where Does Integer Overflow Matter?
  • Allocating spaces using calculation.
  • Calculating indexes into arrays
  • Checking whether an overflow could occur

25
How does casting work?
  • Signed int to Larger signed int
  • Signed int to Same-size unsigned int
  • Signed int to Larger unsigned int
  • Unsigned int to Larger unsigned int
  • Unsigned int to Same-size signed int
  • Unsigned int to Larger signed int
  • Downcast

Language, system dependent!
26
When casting occurs in C?
  • For binary operators , -, , /, , , , ,
  • if either operand is an unsigned long, both are
    cast to an unsigned long
  • in all other cases where both operands are
    32-bits or less, the arguments are both upcast to
    int, and the result is an int
  • For unary operators
  • changes type, e.g., ((unsigned short)0) is int
  • and -- does not change type

27
Another Example
  • bool IsValidAddition(unsigned short x,
  • unsigned short y)
  • if (xy lt x)
  • return false
  • return true

28
Race conditions
  • Idea
  • Race conditions lead to many subtle bugs (hard to
    find, fix, etc.)
  • Specific problems with file permission checks
  • Example Ghostscript temporary files
  • Ghostscript creates a lot of temporary files
  • Temporary file names under Unix often generated
    by maketemp()
  • name maketemp("/tmp/gs_XXXXXXXX")
  • fp fopen(name,"w")
  • Problem predictable file names, derived from the
    process ID
  • Attack
  • Create symlink /tmp/gs_12345A -gt /etc/passwd, at
    right time
  • This causes Ghostscript to rewrite /etc/passwd.
  • Similar problems with enscript, other programs
    with temp files
  • Recommendation
  • Use atomic mkstemp() which creates and opens a
    file atomically

29
Coming Attractions
  • September 14 More on Unix Access Control
    Sandboxing Programs
Write a Comment
User Comments (0)
About PowerShow.com