Buffer Overflow Group 7 Group 8 Nathaniel Crowell Derek Edwards Punna Chalasani Axel Abellard Steven Studniarz


Page 1:

Buffer Overflow

Group 7: Nathaniel Crowell, Punna Chalasani, Steven Studniarz

Group 8: Derek Edwards, Axel Abellard

Page 2:

Basic Concepts

Buffer: a region of memory used to hold temporary input and output data

Memory Organization

Page 3:

Stack

Supports the implementation of high-level languages

Used to dynamically allocate memory

Frame Pointer (FP): points to fixed location within frame

Stack Pointer (SP): points to the top of the stack

Page 4:

Buffer Overflow

A process attempts to store more data in a buffer than there is memory allocated for it

Triggered by specific inputs which may be designed to execute arbitrary code.

Up to 50 percent of today's widely exploited vulnerabilities are buffer overflows

Source: 2005 Network and Distributed Systems Security conference

Page 5:

Shell Code

Designing shell code: utilizing a debugger, disassembling system commands, generating machine code

Problems with null termination: how to avoid them, and when it matters

Page 6:

Disassembled System Commands

Page 7:

Eliminating null

Page 8:

What’s the “????” ?

Remove bad intermediate values; better choice of registers; use similar instructions with different opcodes

Page 9:

Smashing the stack

Executing arbitrary code, typically for remote access; access level (and raising it)

Improvements: generating exploitive input ($EGG), NOP sled

Page 10:

imapd: A Real World Example

University of Washington's IMAP Server (UW-IMAP)

Insufficient bounds checking on the user-supplied value that specifies the mailbox name

A parsing error allowed a string that began with a “ character to be read continuously until another “ was encountered

More info at: http://www.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=313

Page 11:

imapd: The Code In Question

```c
long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service)
{
  int i,j;
#define MAILTMPLEN 1024          /* size of a temporary buffer */
  char c,*s,*t,*v,tmp[MAILTMPLEN],arg[MAILTMPLEN];
  ...snip...
  if (t - v) {                   /* any switches or port specification? */
    strncpy (t = tmp,v,j);       /* [1] copy it */
    tmp[j] = '\0';               /* tie it off */
    ...
    if (*t == '"') {             /* quoted string? */
      for (v = arg,i = 0,++t; (c = *t++) != '"';) { /* [2] Vulnerability */
                                 /* quote next character */
        if (c == '\\') c = *t++;
        arg[i++] = c;            /* no check that i stays below MAILTMPLEN */
      }
```

Page 12:

imapd: The Code In Question, after the fix

```c
long mail_valid_net_parse_work (char *name,NETMBX *mb,char *service)
{
  int i,j;
#define MAILTMPLEN 1024          /* size of a temporary buffer */
  char c,*s,*t,*v,tmp[MAILTMPLEN],arg[MAILTMPLEN];
  ...snip...
  if (t - v) {                   /* any switches or port specification? */
    strncpy (t = tmp,v,j);       /* [1] copy it */
    tmp[j] = '\0';               /* tie it off */
    ...
    if (*t == '"') {             /* quoted string? */
      for (v = arg,i = 0,++t; (c = *t++) != '"';) { /* [2] Vulnerability */
        if (!c) return NIL;      /* unterminated string */
                                 /* quote next character */
        if (c == '\\') c = *t++;
        if (!c) return NIL;      /* can't quote NUL either */
        arg[i++] = c;
      }
```

Page 13:

The Moral of the Story…

Careful programming is the first line of defense against buffer overflows

Parsing such as that done in imapd must be very carefully checked (unit testing, perhaps) to ensure such vulnerabilities do not exist
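The quoted-string loop from the imapd slides rewritten as a standalone function, as an added example that is not c-client code: it keeps the two NUL checks the fix introduced and also bounds the copy into `arg`, which the patch shown above still does not, so the unit tests the slide suggests have something concrete to run against. `ARG_MAX`, `parse_quoted` and `parse_check` are names chosen here; `ARG_MAX` stands in for MAILTMPLEN.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not c-client code. ARG_MAX is a small stand-in for
 * MAILTMPLEN so the test inputs stay short. */
enum { ARG_MAX = 16 };

/* Parse a quoted argument: t must point at the opening quote. The unquoted
 * content is copied into arg (NUL-terminated, at most argsz bytes).
 * Returns the number of input bytes consumed, or -1 if the string is
 * unterminated, quotes a NUL, or does not fit in arg. */
long parse_quoted(const char *t, char *arg, size_t argsz)
{
    const char *start = t;
    size_t i = 0;
    char c;
    if (*t != '"' || argsz == 0) return -1;
    for (++t; (c = *t++) != '"';) {
        if (!c) return -1;              /* unterminated string (the fix)    */
        if (c == '\\') c = *t++;        /* quote next character             */
        if (!c) return -1;              /* can't quote NUL either (the fix) */
        if (i + 1 >= argsz) return -1;  /* bound the copy: keep room for NUL */
        arg[i++] = c;
    }
    arg[i] = '\0';
    return (long)(t - start);
}

/* Test helper: parse in into an ARG_MAX buffer limited to argsz bytes and
 * return the consumed count if the result equals expect, -1 on a parse
 * failure, -2 on a content mismatch. */
long parse_check(const char *in, const char *expect, size_t argsz)
{
    char arg[ARG_MAX];
    long n;
    if (argsz > sizeof arg) return -1;
    n = parse_quoted(in, arg, argsz);
    if (n < 0) return -1;
    return strcmp(arg, expect) == 0 ? n : -2;
}

int main(void)
{
    printf("%ld\n", parse_check("\"inbox\" rest", "inbox", ARG_MAX)); /* 7  */
    printf("%ld\n", parse_check("\"abc", "abc", ARG_MAX));            /* -1 */
    return 0;
}
```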

Many overflows come from simply using unsafe library functions…

Page 14:

Unsafe Library Functions and Their Safe(r) Counterparts

strcpy() → strncpy()

strcat() → strncat()

strcmp() → strncmp()

sprintf() → snprintf()

From the manpage for gets():

Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security. Use fgets() instead.
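An added example, not from the slides, of the caveat the arrow table leaves out: strncpy() does not terminate the destination when the source fills it, and snprintf() truncates silently, so a "safer" call still needs a check. The wrappers below (`safe_copy`, `safe_format`, and the helpers, all names chosen here) always terminate the result and report truncation instead of hiding it.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not from the slides. The "safer" counterparts still need
 * care: strncpy() leaves no NUL when the source is at least n bytes long,
 * and snprintf() truncates silently. These wrappers always terminate the
 * result and report truncation to the caller instead of hiding it. */

/* Copy src into dst (dstsz bytes), always NUL-terminating.
 * Returns 0 on success, -1 if the copy was truncated (or dstsz == 0). */
int safe_copy(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0) return -1;
    strncpy(dst, src, dstsz - 1);       /* at most dstsz-1 bytes copied ... */
    dst[dstsz - 1] = '\0';              /* ... so this always ties it off   */
    return strlen(src) < dstsz ? 0 : -1;
}

/* Format "user@host" into dst. snprintf() returns the length it wanted to
 * write, so anything >= dstsz means the output was cut. 0 = ok, -1 = cut. */
int safe_format(char *dst, size_t dstsz, const char *user, const char *host)
{
    int n = snprintf(dst, dstsz, "%s@%s", user, host);
    return (n >= 0 && (size_t)n < dstsz) ? 0 : -1;
}

/* The raw strncpy() pitfall: after strncpy(dst, src, dstsz) is there no NUL
 * in dst's dstsz bytes at all? Returns 1 if unterminated, 0 otherwise. */
int strncpy_left_unterminated(size_t dstsz, const char *src)
{
    char dst[32];
    if (dstsz > sizeof dst) return -1;
    memset(dst, 'X', sizeof dst);       /* stale bytes, as on a real stack */
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) == NULL;
}

/* Test helpers: 1 when both the resulting string and return code match. */
int copy_check(size_t dstsz, const char *src, const char *expect, int rc)
{
    char dst[32];
    if (dstsz > sizeof dst) return 0;
    return safe_copy(dst, dstsz, src) == rc && strcmp(dst, expect) == 0;
}

int format_check(size_t dstsz, const char *u, const char *h, const char *expect, int rc)
{
    char dst[32];
    if (dstsz > sizeof dst) return 0;
    return safe_format(dst, dstsz, u, h) == rc && strcmp(dst, expect) == 0;
}
```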

Page 15:

Simple Prevention Techniques

Page 16:

Buffer Overflow Prevention with Libsafe

• Intercepts calls to vulnerable functions

• No need to recompile the kernel

• No need to access source code

• Protects against currently unknown vulnerabilities

Page 17:

Partial List of Vulnerable C Functions

Source: http://www.research.avayalabs.com/project/libsafe/

Page 18:

Source: http://www.research.avayalabs.com/project/libsafe

Page 19:

Page 20:

Source: http://www.research.avayalabs.com/project/libsafe

Page 21:

Countering buffer overflows

There are many defensive measures available. The most popular measures can be grouped into these categories:

Canary-based defenses

Non-executing stack defenses

Other defense approaches & tools

Page 22:

Canary-based defenses

There are four types of canaries that have been used to date:

Random Canary

Random XOR Canary

Null Canary

Terminator Canary
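As an added illustration (constructed here, not code from any compiler or from the slides) of why the terminator canary is chosen as it is: a simulated frame places the bytes 00 0d 0a ff between the local buffer and the saved frame pointer, an unbounded strcpy()-style copy is run into it, and the epilogue check reports whether the canary survived. `struct frame`, `BUF_SZ` and `copy_and_check` are names chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not code from any compiler or from the slides:
 * a terminator canary (00 0d 0a ff) sits between the local buffer and the
 * saved frame pointer. String functions stop at those bytes, so a strcpy()
 * style overflow that reaches the saved pointer must first replace the
 * leading 0x00 with a non-zero byte, and the check before return sees it. */
#define BUF_SZ 8
static const unsigned char TERMINATOR[4] = { 0x00, 0x0d, 0x0a, 0xff };

struct frame {                  /* hypothetical protected stack frame   */
    char buf[BUF_SZ];           /* the local buffer being written       */
    unsigned char canary[4];    /* between buffer and control data      */
    uint32_t saved_fp;          /* stand-in for the saved frame pointer */
};

/* Simulate an unbounded strcpy() into buf: copy the input including its NUL,
 * but never past the end of the frame object, so the simulation itself stays
 * well defined even when the input is far too long. */
static void unchecked_strcpy(struct frame *f, const char *in)
{
    size_t n = strlen(in) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, in, n);  /* buf first, then canary, then fp */
}

/* Run the vulnerable copy on a fresh frame and return the verdict an epilogue
 * canary check would give: 1 = canary intact, 0 = stack smashed. */
int copy_and_check(const char *in)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    memcpy(f.canary, TERMINATOR, sizeof TERMINATOR);
    f.saved_fp = 0x11223344u;           /* constructed placeholder value */
    unchecked_strcpy(&f, in);
    return memcmp(f.canary, TERMINATOR, sizeof TERMINATOR) == 0;
}
```

An input that exactly fills the buffer lands its NUL on the canary's leading 0x00, which is harmless and is reported as intact; anything longer has to write a non-zero byte there and is caught.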

Page 23:

Non-executing stack defenses

Other approaches start by making it impossible to execute code on the stack.

“non-exec stack patch”

Move all executable code to an area of memory called the "ASCII armor" region

Page 24:

Other Approaches & Tools

Libsafe

Split control and data stack

Randomizing the locations of executables

Crispin's "PointGuard" extends the canary idea to the heap

Flawfinder and Viega's RATS

Page 25:

A New Preventative Technology: XD/NX

Intel → XD (Execute Disable); AMD → NX (No Execute) (marketing mumbo-jumbo)

Last bit in the paging table entry (bit 63): if the bit is set to 0, code can be executed from the page (and if it’s 1…)

Has been included in SPARC, Alpha, PowerPC, and IA-64

Emulation available in software for Linux (PaX, Exec Shield) and OpenBSD (W^X)

Page 26:

Questions?