Title: Computer Security CS 426 Lecture 7
1Computer Security CS 426Lecture 7
- Software Vulnerabilities (Continued)
2Readings for this and the last lecture
- Security in Computing
- 3.1, 3.2
- Counter Hack Reloaded
- Chapter 7
- Additional readings
- Buffer Overflows Attacks and Defenses for the
Vulnerability of the Decade, Crispin Cowan, et
al. - Smashing The Stack For Fun And Profit, Aleph One
- wikipedia topics buffer overflow, format string
attack
3Review
- Steps in a standard break-in
- Get your foot in the door
- Use partial access to gain root (admin) access
- Set up some way to return
- Cover your tracks
- Common software vulnerabilities
- Input validation, Buffer overflows, Format string
problems, Integer overflows, Race conditions
4Buffer Overflow
- Stack overflow
- Shell code
- Return-to-libc
- Overflow sets ret-addr to address of libc
function - Off-by-one
- Overflow sets the least significant byte of
stored stack frame pointer to 0 - Heap overflow
5Heap Overflow
- Heap overflow is a general term that refers to
overflow in data sections other than the stack - buffers that are dynamically allocated, e.g., by
malloc - statically initialized variables (data section)
- uninitialized buffers (bss section)
6An Example of Heap Overflow
- FILE tmpfd
- static char bufBUFSIZE, tmpfile
- tmpfile "/tmp/vulprog.tmp"
- gets(buf)
- tmpfd fopen(tmpfile, "w")
-
Does not change the control flow.
7Preventing Buffer Overflow Attacks
- Non-executable stack
- Static source code analysis.
- Run time checking StackGuard, Libsafe, SafeC,
(Purify). - Randomization.
- Type safe languages (Java, ML).
- Legacy code?
- Detection deviation of program behavior
- Sandboxing
- Many more (covered later in course)
8Marking stack as non-execute
- Basic stack exploit can be prevented by marking
stack segment as non-executable. - Support in SP2. Code patches exist for Linux,
Solaris. - Problems
- Does not defend against return-to-libc exploit.
- Some apps need executable stack (e.g. LISP
interpreters). - Does not block more general overflow exploits
- Overflow on heap overflow buffer next to func
pointer.
9Static source code analysis
- Statically check source code to detect buffer
overflows. - Several consulting companies.
- Can we automate the review process?
- Several tools exist
- Coverity (Engler et al.) Test trust
inconsistency. - Microsoft program analysis group
- PREfix looks for fixed set of bugs (e.g.
null ptr ref) - PREfast local analysis to find idioms for prog
errors. - Berkeley Wagner, et al. Test constraint
violations. - Find lots of bugs, but not all.
10Bugs to Detect
- Crash Causing Defects
- Null pointer dereference
- Use after free
- Double free
- Array indexing errors
- Mismatched array new/delete
- Potential stack overrun
- Potential heap overrun
- Return pointers to local variables
- Logically inconsistent code
- Uninitialized variables
- Invalid use of negative values
- Passing large parameters by value
- Underallocations of dynamic data
- Memory leaks
- File handle leaks
- Network resource leaks
- Unused values
- Unhandled return codes
- Use of invalid iterators
11Run time checking StackGuard
- Many many run-time checking techniques
- Solutions 1 StackGuard (WireX)
- Run time tests for stack integrity.
- Embed canaries in stack frames and verify their
integrity prior to function return.
Frame 1
Frame 2
topofstack
str
ret
sfp
local
canary
str
ret
sfp
local
canary
12Canary Types
- Random canary
- Choose random string at program startup.
- Insert canary string into every stack frame.
- Verify canary before returning from function.
- To corrupt random canary, attacker must learn
current random string. - Terminator canary Canary 0, newline,
linefeed, EOF - String functions will not copy beyond terminator.
- Hence, attacker cannot use string functions to
corrupt stack.
13StackGuard (Cont.)
- StackGuard implemented as a GCC patch.
- Program must be recompiled.
- Minimal performance effects 8 for Apache.
- Newer version PointGuard.
- Protects function pointers and setjmp buffers by
placing canaries next to them. - More noticeable performance effects.
- Note Canaries dont offer fullproof protection.
- Some stack smashing attacks can leave canaries
untouched.
14Windows XP SP2 /GS
- Non executable stack.
- Compiler /GS option
- Combination of ProPolice and Random canary.
- Triggers UnHandledException in case of Canary
mismatch to shutdown process. - Litchfield vulnerability report.
- Overflow overwrites exception handler.
- Redirects exception to attack code.
15Run time checking Libsafe
- Solutions 2 Libsafe (Avaya Labs)
- Dynamically loaded library.
- Intercepts calls to strcpy (dest, src)
- Validates sufficient space in current stack
frame frame-pointer dest gt strlen(src) - If so, does strcpy. Otherwise, terminates
application.
topofstack
dest
ret-addr
sfp
src
buf
ret-addr
sfp
main
libsafe
16More methods
- StackShield
- At function prologue, copy return address RET and
SFP to safe location (beginning of data
segment) - Upon return, check that RET and SFP is equal to
copy. - Implemented as assembler file processor (GCC)
17Randomization Motivations.
- Buffer overflow and return-to-libc exploits need
to know the (virtual) address to which pass
control - Address of attack code in the buffer
- Address of a standard kernel library routine
- Same address is used on many machines
- Slammer infected 75,000 MS-SQL servers using same
code on every machine - Idea introduce artificial diversity
- Make stack addresses, addresses of library
routines, etc. unpredictable and different from
machine to machine
18Randomization
- PaX Address Space Layout Randomization
- Randomize location of libc.
- Attacker cannot jump directly to exec function.
- Attacks
- Repetitively guess randomized address
- Spraying injected attack code
- Instruction Set Randomization (ISR)
- Each program has a different and secret
instruction set - Use translator to randomize instructions at
load-time - Attacker cannot execute its own code.
19Other Bugs
20Format string problem
- int func(char user)
- fprintf( stdout, user)
-
- Problem what if user sssssss ??
- Most likely program will crash DoS.
- If not, program will print memory contents.
Privacy? - Full exploit using user n
- Correct form
- int func(char user)
- fprintf( stdout, s, user)
-
21History
- Danger discovered in June 2000.
- Examples
- wu-ftpd 2. remote root.
- Linux rpc.statd remote root
- IRIX telnetd remote root
- BSD chpass local root
22Vulnerable functions
- Any function using a format string.
- Printing
- printf, fprintf, sprintf,
- vprintf, vfprintf, vsprintf,
- Logging
- syslog, err, warn
23Integer Overflow
- Direct causes
- Truncation
- Integer casting
- Example
- const long MAX_LEN 20K
- short len strlen(input)
- if (len lt MAX_LEN)
- // do something
- How long does input needs to be to bypass the
check?
24Where Does Integer Overflow Matter?
- Allocating spaces using calculation.
- Calculating indexes into arrays
- Checking whether an overflow could occur
25How does casting work?
- Signed int to Larger signed int
- Signed int to Same-size unsigned int
- Signed int to Larger unsigned int
- Unsigned int to Larger unsigned int
- Unsigned int to Same-size signed int
- Unsigned int to Larger signed int
- Downcast
Language, system dependent!
26When casting occurs in C?
- For binary operators , -, , /, , , , ,
- if either operand is an unsigned long, both are
cast to an unsigned long - in all other cases where both operands are
32-bits or less, the arguments are both upcast to
int, and the result is an int - For unary operators
- changes type, e.g., ((unsigned short)0) is int
- and -- does not change type
27Another Example
- bool IsValidAddition(unsigned short x,
- unsigned short y)
-
- if (xy lt x)
- return false
- return true
28Race conditions
- Idea
- Race conditions lead to many subtle bugs (hard to
find, fix, etc.) - Specific problems with file permission checks
- Example Ghostscript temporary files
- Ghostscript creates a lot of temporary files
- Temporary file names under Unix often generated
by maketemp() - name maketemp("/tmp/gs_XXXXXXXX")
- fp fopen(name,"w")
- Problem predictable file names, derived from the
process ID - Attack
- Create symlink /tmp/gs_12345A -gt /etc/passwd, at
right time - This causes Ghostscript to rewrite /etc/passwd.
- Similar problems with enscript, other programs
with temp files - Recommendation
- Use atomic mkstemp() which creates and opens a
file atomically
29Coming Attractions
- September 14 More on Unix Access Control
Sandboxing Programs