Buffer Overflows: A Technical Discussion - PowerPoint PPT Presentation

Slides: 28
Provided by: ehe76

Transcript and Presenter's Notes
1
Buffer Overflows: A Technical Discussion
Chad Harrington, Entercept Security Technologies
The Proven Leader in Intrusion Prevention
Technical Assistance 1-888-526-6170
International Dial 1-650-526-6170
2
Agenda
  • How Buffer Overflow Exploits Work
  • Why Buffer Overflow Vulnerabilities Exist
  • New Buffer Overflow Exploit Techniques
  • Buffer Overflow Protection from Entercept

3
Public Enemy 1
  • Buffer Overflows are
    • Common
      • account for over 60% of CERT advisories
    • Powerful
      • can execute arbitrary code, often with root privileges
    • Easy to Use
      • once written, any script kiddie can run it

4
Why Buffer Overflow Vulnerabilities Exist
  • Unchecked Buffers
  • Software Developers are too busy
  • Trade off time to market vs. security
  • Security is an afterthought
  • QA doesn't include security validation

5
Exploiting an Unchecked Buffer
  • Objectives
    • Load arbitrary exploit code
    • Execute the code
  • Three techniques
    • Stack-based
    • Heap-based
    • Return-into-Libc

6
What is the Stack?
  • Temporary storage area - Scratchpad
  • Stores buffers for subroutines
  • Stores return address for subroutines
  • Stores parameters to called subroutines
  • Resides high in memory, grows downward

7
What is the Stack?
  name_buffer (100 Bytes):          43 (C)  68 (h)  61 (a)  64 (d)  ...
  Stored return address (4 Bytes):  34  D7  40  00
8
A Vulnerable Program
9
Specifying the Argument
10
Normal Output
11
Assembly Language Version
Here is the Call instruction that makes the CPU jump to our SayHello subroutine
12
Assembly Language Version
This is where the program SHOULD return after executing SayHello: 0040D734
13
Stack View After Entering the SayHello() Subroutine
The return address (00 40 D7 34) is now pushed onto the stack. Intel architectures are little-endian, so the address appears reversed: 34 D7 40 00
14
Clearing the Stack Frame
The debugger has cleared the stack frame for us
by filling it with CC bytes
15
Filling the Buffer
Now the strcpy() function is called. The data
supplied is copied into the buffer.
16
Normal Output
17
Specifying a Malicious Argument
18
Stack View After Entering the SayHello() Subroutine
Note the valid return address bytes 34 D7 40 00
19
Stack View After Entering the SayHello() Subroutine
When strcpy() is called, the malicious data is
copied into the buffer and overflows it,
overwriting the return address. The bytes of the
return address are now 35 39 34 35.
20
Crash!
  • The program attempted to jump into unused memory
    and crashed.

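The walk-through on slides 13 to 20 can be reproduced without touching a real stack frame. The C program below is an added example, not part of the presentation: it models the frame from slide 7 as a struct (a 100-byte name_buffer directly below a 4-byte saved return address, with no saved frame pointer, just as the slide draws it), seeds the return address with the 0040D734 value from slide 12, and copies an argument into it the way the unchecked strcpy() does. Beside it sits the length check the vulnerable program never made and a bounded copy that refuses oversized input. The 104-byte argument is constructed here (the slides never show theirs); its last four characters are "5945", whose ASCII codes are the 35 39 34 35 bytes reported on slide 19.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUFFER_SIZE 100            /* name_buffer (100 Bytes), slide 7 */
#define SAVED_RETURN_ADDR 0x0040D734u   /* return address shown on slide 12 */

/* Simulated stack frame laid out as on slide 7: the 100-byte name_buffer sits
 * directly below the 4-byte saved return address (the slide omits the saved
 * frame pointer, and so does this model). The struct is an ordinary local
 * variable, so overrunning name_buffer inside it stays within the struct and
 * never touches the running program's real return address. */
struct frame {
    char    name_buffer[NAME_BUFFER_SIZE];
    uint8_t return_addr[4];
};

/* x86 is little-endian: 0x0040D734 is stored as the bytes 34 D7 40 00 (slide 13). */
static void store_le32(uint8_t out[4], uint32_t value) {
    out[0] = (uint8_t)value;
    out[1] = (uint8_t)(value >> 8);
    out[2] = (uint8_t)(value >> 16);
    out[3] = (uint8_t)(value >> 24);
}

static uint32_t load_le32(const uint8_t in[4]) {
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* The check the vulnerable program never made: does arg plus its NUL fit? */
int would_overflow(const char *arg) {
    return strlen(arg) + 1 > NAME_BUFFER_SIZE;
}

/* Models the unchecked strcpy() of slides 15 and 19. Like strcpy it keeps
 * writing past the end of name_buffer, so bytes 100..103 of the argument land
 * on the saved return address; unlike strcpy the copy is capped at the size of
 * the simulated frame. Returns the return address as the CPU would read it. */
uint32_t return_addr_after_unchecked_copy(const char *arg) {
    struct frame f;
    size_t n = strlen(arg) + 1;
    store_le32(f.return_addr, SAVED_RETURN_ADDR);
    if (n > sizeof f)
        n = sizeof f;
    memcpy(&f, arg, n);
    return load_le32(f.return_addr);
}

/* Hardened copy: reject anything that does not fit with room for the NUL and
 * always terminate the destination. Returns 0 if copied, -1 if rejected. */
int checked_copy(char *dst, size_t dstlen, const char *src) {
    size_t len = strlen(src);
    if (len >= dstlen)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Same scenario through the hardened copy: -1 means the input was refused. */
int checked_copy_result(const char *arg) {
    struct frame f;
    return checked_copy(f.name_buffer, sizeof f.name_buffer, arg);
}

/* Return address after the hardened copy; it must always remain 0x0040D734. */
uint32_t return_addr_after_checked_copy(const char *arg) {
    struct frame f;
    store_le32(f.return_addr, SAVED_RETURN_ADDR);
    (void)checked_copy(f.name_buffer, sizeof f.name_buffer, arg);
    return load_le32(f.return_addr);
}

/* Constructed input for the walk-through (not from the slides): 100 filler
 * bytes followed by "5945", whose ASCII codes 35 39 34 35 are the overwritten
 * return-address bytes reported on slide 19. */
const char *constructed_long_argument(void) {
    static char arg[NAME_BUFFER_SIZE + 5];
    memset(arg, 'A', NAME_BUFFER_SIZE);
    memcpy(arg + NAME_BUFFER_SIZE, "5945", 5);
    return arg;
}

int main(void) {
    const char *bad = constructed_long_argument();
    printf("Chad -> overflow=%d ret=%08X\n", would_overflow("Chad"),
           (unsigned)return_addr_after_unchecked_copy("Chad"));
    printf("long -> overflow=%d ret=%08X (unchecked)\n", would_overflow(bad),
           (unsigned)return_addr_after_unchecked_copy(bad));
    printf("long -> result=%d ret=%08X (checked)\n", checked_copy_result(bad),
           (unsigned)return_addr_after_checked_copy(bad));
    return 0;
}
```

The unchecked path reports a return address of 35343935 for the long argument, which is why the real program on slide 20 jumped into unused memory and crashed; the checked path rejects the same input and leaves 0040D734 intact. The fix is the same one Entercept's slide 4 points at: the copy must be bounded by the destination size, not by the length of attacker-supplied data.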
21
What is the heap?
  • Heap stores dynamically allocated buffers
  • Often used for storing large amounts of data
  • Heap buffers are also fixed-size, just like stack
    buffers

22
Heap-based Exploits
  • Growing in popularity
  • Execute code on the heap, not the stack
    • Heap is more likely to be executable
    • Code Red used a heap-based exploit
  • Vulnerable data on the heap
    • atexit() function pointers
    • rpc callback function pointers
    • Signal handler pointers
    • And much more!

23
What is libc?
  • The C language library of standard functions
  • Example of a standard libc function: system("dir")
    • Executes the parameter in the parentheses as if you typed it into a command prompt
  • Other functions handle file I/O, memory management, etc.
  • libc is linked with every program written in the C language

24
Return-into-Libc Exploits
  • Up-and-coming exploit technique
  • Does not execute code on the stack or the heap
  • Uses a stack (or heap) overflow to redirect
    program execution to a function in the libc
    library

25
Entercept Technology
  • Multiple layers protecting the entire server
    • operating system
    • applications
    • data
  • Blocks both known and unknown malicious attacks
  • Industry leading buffer overflow protection
    • Both specific and generic protection against buffer overflow exploits
    • Protect against all 3 major buffer overflow techniques

26
Feedback
  • For our current white paper on Attackers and their Tools, please visit our web site
    • www.entercept.com/dr/ws/
  • Sign up for our next Web seminar
    • SQL Injection: A Technical Discussion
    • www.entercept.com/events/signup.asp
  • Please send comments, questions or suggestions for other topics to
    • webmaster@entercept.com

27
Q & A