Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
CSE484/CSEM584:ComputerSecurityandPrivacy
SoftwareSecurity:BufferOverflowAttacks
Fall2016
Adam(Ada)[email protected]
ThankstoFranziRoesner,DanBoneh,DieterGollmann,DanHalperin,YoshiKohno,JohnManferdelli,JohnMitchell,VitalyShmatikov,BennetYee,andmanyothersforsampleslidesandmaterials...
Announcements
• Signtheethicsformbytodayat5!• Homework1isdueonMonday.
• Pleasestartforminggroupsforlab1– Youcanusetheforumtofindgroupmembers
10/5/16 CSE484/CSEM584-Fall2016 2
Announcements
• TAofficehourshavebeenmovedtoMondaysat4:30(afterclass),inthesecondfloorbreakout.– Sorryfortheconfusion!
10/5/16 CSE484/CSEM584-Fall2016 3
Security:NotJustforPCs
10/5/16 CSE484/CSEM584-Fall2016 4
smartphones
wearables
gameplatforms
cars
medicaldevicesEEGheadsetsvotingmachines
RFID mobilesensingplatforms
airplanes
SoftwareProblemsareUbiquitous
10/5/16 CSE484/CSEM584-Fall2016 5
SoftwareProblemsareUbiquitous
10/5/16 CSE484/CSEM584-Fall2016 6
SoftwareProblemsareUbiquitous
10/5/16 CSE484/CSEM584-Fall2016 7
SoftwareProblemsareUbiquitous
• Otherseriousbugs(manyothersexist)– USVincennestrackingsoftware– MV-22Osprey
– MedtronicModel8870SoftwareApplicationCard
10/5/16 CSE484/CSEM584-Fall2016 8
AdversarialFailures
• Softwarebugsarebad– Consequencescanbeserious
• Evenworsewhenanintelligentadversarywishestoexploitthem!– Intelligentadversaries:Forcebugsinto“worstpossible”conditions/states
– Intelligentadversaries:Picktheirtargets
10/5/16 CSE484/CSEM584-Fall2016 9
BUFFEROVERFLOWS
10/5/16 CSE484/CSEM584-Fall2016 10
AdversarialFailures
• Bufferoverflowsbugs:Bigclassofbugs– Normalconditions:Cansometimescausesystemstofail
– Adversarialconditions:Attackerabletoviolatesecurityofyoursystem(control,obtainprivateinformation,...)
10/5/16 CSE484/CSEM584-Fall2016 11
ReferenceforQ1
10/5/16 CSE484/CSEM584-Fall2016 12
Text region Heap StackAddr 0x00...0 Addr 0xFF...F
Top Bottom
ret/IP Caller’s frame
Addr 0xFF...F
Saved FP
Executecodeatthisaddressafterfunc()finishes
buf
Localvariables
str
Args
ABitofHistory:MorrisWorm
• Wormwasreleasedin1988byRobertMorris– GraduatestudentatCornell,sonofNSAchiefscientist– ConvictedunderComputerFraudandAbuseAct,
sentencedto3yearsofprobationand400hoursofcommunityservice
– NowanEECSprofessoratMIT• Wormwasintendedtopropagateslowlyand
harmlesslymeasurethesizeoftheInternet• Duetoacodingerror,itcreatednewcopiesasfast
asitcouldandoverloadedinfectedmachines• $10-100Mworthofdamage
10/5/16 CSE484/CSEM584-Fall2016 13
MorrisWormandBufferOverflow
• Oneoftheworm’spropagationtechniqueswasabufferoverflowattackagainstavulnerableversionoffingerdonVAXsystems– Bysendingspecialstringtofingerdaemon,worm
causedittoexecutecodecreatinganewwormcopy– UnabletodetermineremoteOSversion,wormalso
attackedfingerdonSunsrunningBSD,causingthemtocrash(insteadofspawninganewcopy)
10/5/16 CSE484/CSEM584-Fall2016 14
FamousInternetWorms
• Bufferoverflows:verycommoncauseofInternetattacks– In1998,over50%ofadvisoriespublishedbyCERT(computer
securityincidentreportteam)werecausedbybufferoverflows
• Morrisworm(1988):overflowinfingerd– 6,000machinesinfected
• CodeRed(2001):overflowinMS-IISserver– 300,000machinesinfectedin14hours
• SQLSlammer(2003):overflowinMS-SQLserver– 75,000machinesinfectedin10minutes(!!)
• Sasser(2005):overflowinWindowsLSASS– Around500,000machinesinfected
10/5/16 CSE484/CSEM584-Fall2016 15
…AndMore
• Conficker(2008-08):overflowinWindowsRPC– Around10millionmachinesinfected(estimatesvary)
• Stuxnet(2009-10):severalzero-dayoverflows+sameWindowsRPCoverflowasConficker– Windowsprintspoolerservice– WindowsLNKshortcutdisplay– Windowstaskscheduler
• Flame(2010-12):sameprintspoolerandLNKoverflowsasStuxnet– Targetedcyperespionagevirus
• Stillubiquitous,especiallyinembeddedsystems
10/5/16 CSE484/CSEM584-Fall2016 16
AttacksonMemoryBuffers
• Bufferisapre-defineddatastorageareainsidecomputermemory(stackorheap)
• Typicalsituation:– Afunctiontakessomeinputthatitwritesintoapre-
allocatedbuffer.– Thedeveloperforgetstocheckthatthesizeoftheinput
isn’tlargerthanthesizeofthebuffer.– Uhoh.
• “Normal”badinput:crash• “Adversarial”badinput:takecontrolofexecution
10/5/16 CSE484/CSEM584-Fall2016 17
StackBuffers
10/5/16 CSE484/CSEM584-Fall2016 18
• SupposeWebservercontainsthisfunction void func(char *str) {
char buf[126]; ... strcpy(buf,str); ... }
• Noboundscheckingonstrcpy()• Ifstrislongerthan126bytes– Programmaycrash– Attackermaychangeprogrambehavior
buf uh oh!
AnswerQ2
10/5/16 CSE484/CSEM584-Fall2016 19
• SupposeWebservercontainsthisfunction void func(char *str) {
char buf[126]; ... strcpy(buf,str); ... }
• Noboundscheckingonstrcpy()• Ifstrislongerthan126bytes– Programmaycrash– Attackermaychangeprogrambehavior
buf uh oh!
Example:ChangingFlags
10/5/16 CSE484/CSEM584-Fall2016 20
• authenticated variable
buf authenticated11 ( :-) ! )
Example:ChangingFlags
10/5/16 CSE484/CSEM584-Fall2016 21
• authenticated variable
• Morriswormalsooverflowedabuffertooverwriteanauthenticatedflaginfingerd
buf authenticated11 ( :-) ! )
MemoryLayout
• Textregion:Executablecodeoftheprogram• Heap:Dynamicallyallocateddata• Stack:Localvariables,functionreturnaddresses;
growsandshrinksasfunctionsarecalledandreturn
10/5/16 CSE484/CSEM584-Fall2016 22
Text region Heap StackAddr 0x00...0 Addr 0xFF...F
Top Bottom
RedirectingProgramFlow
• Insteadof“normal”string,attackersends2thingsasinput:– Assemblycodeshewantstoexecute– Theaddresswheresheexpectsthatcodetoappear
10/5/16 CSE484/CSEM584-Fall2016 23
RedirectingProgramFlow
• Insteadof“normal”string,attackersends2thingsasinput:– Assemblycodeshewantstoexecute– Theaddresswheresheexpectsthatcodetoappear
10/5/16 CSE484/CSEM584-Fall2016 24
“Shellcode”
StackBuffers
• SupposeWebservercontainsthisfunc3on: void func(char *str) {
char buf[126]; strcpy(buf,str); }
• Whenthisfunc3onisinvoked,anewframe(ac3va3onrecord)ispushedontothestack.
Allocatelocalbuffer(126bytesreservedonstack)
Copyargumentintolocalbuffer
ret/IP Caller’s frame
Addr 0xFF...F
Saved FP
Executecodeatthisaddressafterfunc()finishes
buf
Localvariables
str
Args
10/5/16 CSE484/CSEM584-Fall2016 25
WhatifBufferisOverstuffed?
• Memorypointedtobystriscopiedontostack… void func(char *str) {
char buf[126]; strcpy(buf,str); }
• Ifastringlongerthan126bytesiscopiedintobuffer,itwilloverwriteadjacentstacklocations.
strcpydoesNOTcheckwhetherthestringat*strcontainsfewerthan126characters
Thiswillbeinterpretedasreturnaddress!
ret/IP Caller’s frame
Addr 0xFF...F
Saved FPbuf
Localvariables
str
Args
10/5/16 CSE484/CSEM584-Fall2016 26
WhatifBufferisOverstuffed?
• Whatifthestringisreadinfromanattackeronthenetwork?
Thiswillbeinterpretedasreturnaddress!
ret/IP Caller’s frame
Addr 0xFF...F
Saved FPbuf
Localvariables
str
Args
10/5/16 CSE484/CSEM584-Fall2016 27
WhatifBufferisOverstuffed?
exec(“/bin/sh”) asdf…asdf 0xFFFFFFA2
Thiswillbeinterpretedasreturnaddress!
ret/IP Caller’s frame
Addr 0xFF...F
Saved FPbuf
Localvariables
str
Args
10/5/16 CSE484/CSEM584-Fall2016 28
ExecutingAttackCode
• Whenfunc3onexits,codeinthebufferwillbeexecuted,givingaAackerashell– Rootshellifthevic3mprogramissetuidroot
ret/IPSaved FPbuf Caller’s stack frame
Addr 0xFF...F
Attackerputsactualassemblyinstructionsintohisinputstring,e.g.,binarycodeofexecve(“/bin/sh”)
exec(“/bin/sh”)
Intheoverflow,apointerbackintothebufferappearsinthelocationwherethesystemexpectstofindreturnaddress
Caller’s framestr
10/5/16 CSE484/CSEM584-Fall2016 29
StretchBreak
• Whenfunc3onexits,codeinthebufferwillbeexecuted,givingaAackerashell– Rootshellifthevic3mprogramissetuidroot
ret/IPSaved FPbuf Caller’s stack frame
Addr 0xFF...F
Attackerputsactualassemblyinstructionsintohisinputstring,e.g.,binarycodeofexecve(“/bin/sh”)
exec(“/bin/sh”)
Intheoverflow,apointerbackintothebufferappearsinthelocationwherethesystemexpectstofindreturnaddress
Caller’s framestr
10/5/16 CSE484/CSEM584-Fall2016 30
BufferOverflowscanbeHard
• OverflowportionofthebuffermustcontaincorrectaddressofattackcodeintheRETposition– ThevalueintheRETpositionmustpointtothebeginningofattackassemblycodeinthebuffer• Otherwiseapplicationwill(probably)crashwithsegmentationviolation
– Attackermustcorrectlyguessinwhichstackpositionhis/herbufferwillbewhenthefunctioniscalled
10/5/16 CSE484/CSEM584-Fall2016 31
Problem:NoBoundsChecking
• strcpydoesnotcheckinputsize– strcpy(buf,str)simplycopiesmemorycontentsintobuf
startingfrom*struntil“\0”isencountered,ignoringthesizeofareaallocatedtobuf
• ManyClibraryfunctionsareunsafe– strcpy(char*dest,constchar*src)– strcat(char*dest,constchar*src)– gets(char*s)– scanf(constchar*format,…)– printf(constchar*format,…)
10/5/16 CSE484/CSEM584-Fall2016 32
• strncpy(char*dest,constchar*src,size_tn)– Ifstrncpyisusedinsteadofstrcpy,nomorethanncharacterswill
becopiedfrom*srcto*dest• Programmerhastosupplytherightvalueofn
• Potentialoverflowinhtpasswd.c(Apache1.3):strcpy(record,user); strcat(record,”:”); strcat(record,cpw);
• Publishedfix:strncpy(record,user,MAX_STRING_LEN-1); strcat(record,”:”) strncat(record,cpw,MAX_STRING_LEN-1);
DoesBoundsCheckingHelp?
10/5/16 CSE484/CSEM584-Fall2016 33
Copiesusername(“user”)intobuffer(“record”),thenappends“:”andhashedpassword(“cpw”)
• strncpy(char*dest,constchar*src,size_tn)– Ifstrncpyisusedinsteadofstrcpy,nomorethanncharacterswill
becopiedfrom*srcto*dest• Programmerhastosupplytherightvalueofn
• Potentialoverflowinhtpasswd.c(Apache1.3):strcpy(record,user); strcat(record,”:”); strcat(record,cpw);
• Publishedfix:strncpy(record,user,MAX_STRING_LEN-1); strcat(record,”:”) strncat(record,cpw,MAX_STRING_LEN-1);
AnswerQ3
10/5/16 CSE484/CSEM584-Fall2016 34
Copiesusername(“user”)intobuffer(“record”),thenappends“:”andhashedpassword(“cpw”)
Misuseofstrncpyinhtpasswd“Fix”
• Published“fix”forApachehtpasswdoverflow:strncpy(record,user,MAX_STRING_LEN-1); strcat(record,”:”) strncat(record,cpw,MAX_STRING_LEN-1);
10/5/16 CSE484/CSEM584-Fall2016 35
MAX_STRING_LENbytesallocatedforrecordbuffer
contentsof*user
PutuptoMAX_STRING_LEN-1charactersintobuffer
:
Put“:”
contentsof*cpw
AgainputuptoMAX_STRING_LEN-1charactersintobuffer
WhatAboutThis?
• Home-brewedrange-checkingstringcopy
void mycopy(char *input) { char buffer[512]; int i; for (i=0; i<=512; i++) buffer[i] = input[i]; } void main(int argc, char *argv[]) { if (argc==2) mycopy(argv[1]); }
• 1-byteoverflow:can’tchangeRET,butcanchangepointertopreviousstackframe– Onlittle-endianarchitecture,makeitpointintobuffer– RETforpreviousfunctionwillbereadfrombuffer!
10/5/16 CSE484/CSEM584-Fall2016 36
Off-By-OneOverflow
• Home-brewedrange-checkingstringcopy
void mycopy(char *input) { char buffer[512]; int i; for (i=0; i<=512; i++) buffer[i] = input[i]; } void main(int argc, char *argv[]) { if (argc==2) mycopy(argv[1]); }
• 1-byteoverflow:can’tchangeRET,butcanchangepointertopreviousstackframe– Onlittle-endianarchitecture,makeitpointintobuffer– RETforpreviousfunctionwillbereadfrombuffer!
10/5/16 CSE484/CSEM584-Fall2016 37
Thiswillcopy513charactersintobuffer.Oops!
FramePointerOverflow
ret/IP Caller’s frame
Addr 0xFF...F
Saved FPbuf
Localvariables
str
Args
Fake RETFake FPATTACKCODE
10/5/16 CSE484/CSEM584-Fall2016 38
AnotherVariant:FunctionPointerOverflow
• Cusesfunctionpointersforcallbacks:ifpointertoFisstoredinmemorylocationP,thenanotherfunctionGcancallFas(*P)(…)
10/5/16 CSE484/CSEM584-Fall2016 39
attackcode
Bufferwithattacker-suppliedinputstring
Callbackpointer
Heap
LegitimatefunctionF
overflow
(elsewhereinmemory)
OtherOverflowTargets
• FormatstringsinC– Moredetailsnexttime
• Heapmanagementstructuresusedbymalloc()– Moredetailsinsection
• TheseareallattacksyoucanlookforwardtoinLab#1J
10/5/16 CSE484/CSEM584-Fall2016 40
LookingForward
• Ethicsformdueat5!• Homework#1dueMonday,Oct10• Nextfewclasses:– Friday:guestlecturebyDavidAucsmith– Monday:morebufferoverflows– Wednesday:guestlecturebyEmilyMcReynolds
• SectiontomorrowaboutLab1
10/5/16 CSE484/CSEM584-Fall2016 41