SlideShare una empresa de Scribd logo

Software Security Buffer Overflows Explained

Karthic Rao
Karthic Rao

This document discusses buffer overflows as a major software security problem. It begins by explaining how a buffer overflow occurs when a program writes past the end of an allocated buffer through errors like failing to check array bounds. This can allow attackers to execute arbitrary code by overwriting return addresses on the stack. The document covers various dynamic countermeasures implemented by compilers like stack canaries to help detect and prevent buffer overflow attacks. However, it notes these don't prevent all overflows like those on the heap.

EducaciónTecnología
1 de 59
Descargar para leer sin conexión
Software Security Buffer Overflows public enemy number 1 Erik Poll Digital Security Radboud University Nijmegen
Essence of the problem Suppose in a C program we have an array of length 4 char buffer[4]; What happens if we execute the statement below ? buffer[4] = ‘a’; Anything can happen ! If the data written (ie. the “a”) is user input that can be controlled by an attacker, this vulnerability can be exploited: anything that the attacker wants can happen. 2
Solution to this problem • Check array bounds at runtime – Algol 60 proposed this back in 1960! • Unfortunately, C and C++ have not adopted this solution, for efficiency reasons. ( (Ada, Perl, Python, Java, C#, and even Visual Basic have.) • As a result, buffer overflows have been the no 1 security problem in software ever since. 3
Problems caused by buffer overflows • The first Internet worm, and all subsequent ones (CodeRed, Blaster, ...), exploited buffer overflows • Buffer overflows cause in the order of 50% of all security alerts – Eg check out CERT, cve.mitre.org, or bugtraq • Trends – Attacks are getting cleverer • defeating ever more clever countermeasures – Attacks are getting easier to do, by script kiddies 4
Any C(++) code acting on untrusted input is at risk Eg • code taking input over untrusted network – eg. sendmail, web browser, wireless network driver,... • code taking input from untrusted user on multi- user system, – esp. services running with high privileges (as ROOT on Unix/Linux, as SYSTEM on Windows) o • code acting on untrusted files – that have been downloaded or emailed • also embedded software, eg. in devices with (wireless) network connection such as mobile phones with Bluetooth, wireless smartcards, airplane navigation systems, ... 5
How does buffer overflow work?
Memory management in C/C++ • Program responsible for its memory management • Memory management is very error-prone – Who here has had a C(++) program crash with a segmentation fault? • Typical bugs: – Writing past the bound of an array – Dangling pointers • missing initialisation, bad pointer arithmetic, incorrect de- allocation, double de-allocation, failed allocation, ... – Memory leaks • For efficiency, these bugs are not detected at run time, as discussed before: – behaviour of a buggy program is undefined 7
Process memory layout High Arguments/ Environment Stack grows addresses down, Stack by procedure calls Unused Memory H Heap (dynamic data) Heap grows up, eg. by malloc Static Data .data and new Low addresses Program Code .text 8
Stack overflow The stack consists of Activation Records: x AR main() m return address AR f() f buf[4..7] buf[0..3] Stack grows void f(int x) { Buffer grows downwards char[8] buf; upwards gets(buf); } void main() { f(…); … } void format_hard_disk(){…} 9
Stack overflow What if gets() reads more than 8 bytes ? x AR main() m return address AR f() f buf[4..7] buf[0..3] void f(int x) { Buffer grows char[8] buf; upwards gets(buf); } void main() { f(…); … } void format_hard_disk(){…} 10
Stack overflow What if gets() reads more than 8 bytes ? x AR main() m return address AR f() f buf[4..7] buf[0..3] Stack grows void f(int x) { Buffer grows downwards char[8] buf; upwards gets(buf); } never use void main() { f(…); … gets()! } void format_hard_disk(){…} 11
Stack overflow • Lots of details to get right: – No nulls in (character-)strings – Filling in the correct return address: • Fake return address must be precisely positioned • Attacker might not know the address of his own string – Other overwritten data must not be used before return from function – … 12
Variants & causes • Stack overflow is overflow of a buffer allocated on the stack • Heap overflow idem, of buffer allocated on the heap Common causes: • poor programming with of arrays and strings – esp. library functions for null-terminated strings • problems with format strings But other low-level coding defects than can result in buffer overflows, eg integer overflows or data races 13
What causes buffer overflows?
Example: gets char buf[20]; gets(buf); // read user input until // first EoL or EoF character • Never use gets • Use fgets(buf, size, stdin) instead 15
Example: strcpy char dest[20]; strcpy(dest, src); // copies string src to dest • strcpy assumes dest is long enough , and assumes src is null-terminated • Use strncpy(dest, src, size) instead 16
S Spot the defect! (1) char buf[20]; char prefix[] = ”http://”; ... strcpy(buf, prefix); // copies the string prefix to buf strncat(buf, path, sizeof(buf)); // concatenates path to the string buf 17
S Spot the defect! (1) char buf[20]; char prefix[] = ”http://”; ... strcpy(buf, prefix); // copies the string prefix to buf strncat(buf, path, sizeof(buf)); // concatenates path to the string buf strncat’s 3rd parameter is number of chars to copy, not the buffer size Another common mistake is giving sizeof(path) as 3rd argument... 18
S Spot the defect! (2) char src[9]; char dest[9]; char base_url = ”www.ru.nl”; strncpy(src, base_url, 9); // copies base_url to src strcpy(dest, src); // copies src to dest 19
S Spot the defect! (2) base_url is 10 chars long, incl. its char src[9]; null terminator, so src won’t be char dest[9]; not null-terminated char base_url = ”www.ru.nl/”; strncpy(src, base_url, 9); // copies base_url to src strcpy(dest, src); // copies src to dest 20
Spot the defect! (2) base_url is 10 chars long, incl. its char src[9]; null terminator, so src won’t be char dest[9]; not null-terminated char base_url = ”www.ru.nl/”; strncpy(src, base_url, 9); // copies base_url to src strcpy(dest, src); // copies src to dest so strcpy will overrun the buffer dest 21
Example: strcpy and strncpy • Don’t replace s strcpy(dest, src) by s strncpy(dest, src, sizeof(dest)) but by s strncpy(dest, src, sizeof(dest)-1) dst[sizeof(dest-1)] = `0`; if dest should be null-terminated! • Btw: a strongly typed programming language could of course enforce that strings are always null-terminated... 22
S Spot the defect! (3) char *buf; We forget to check for bytes int i, len; representing a negative int, so len might be negative read(fd, &len, sizeof(len)); // read sizeof(len) bytes, ie. an int // and store these in len buf = malloc(len); read(fd,buf,len); len cast to unsigned and negative length overflows read then goes beyond the end of buf 23
S Spot the defect! (3) char *buf; int i, len; read(fd, &len, sizeof(len)); i if (len < 0) {error ("negative length"); return; } buf = malloc(len); read(fd,buf,len); Remaining problem may be that buf is not null-terminated 24
S Spot the defect! (3) char *buf; May result in integer overflow; int i, len; we should check that len+1 is positive read(fd, &len, sizeof(len)); i if (len < 0) {error ("negative length"); return; } buf = malloc(len+1); read(fd,buf,len); buf[len] = '0'; // null terminate buf 25
S Spot the defect! (4) #ifdef UNICODE #define _sntprintf _snwprintf #define TCHAR wchar_t #else #define _sntprintf _snprintf #define TCHAR char #endif TCHAR buff[MAX_SIZE]; _sntprintf(buff, sizeof(buff), ”%sn”, input); [slide from presentation by Jon Pincus] 26
Spot the defect! (4) #ifdef UNICODE #define _sntprintf _snwprintf #define TCHAR wchar_t #else #define _sntprintf _snprintf #define TCHAR char #endif _snwprintf’s 2nd param is # of chars in buffer, not # of bytes TCHAR buff[MAX_SIZE]; _sntprintf(buff, sizeof(buff), ”%sn”, input); The CodeRed worm exploited such an ANSI/Unicode mismatch [slide from presentation by Jon Pincus] 27
S Spot the defect! (5) #define MAX_BUF = 256 v void BadCode (char* input) { short len; char buf[MAX_BUF]; len = strlen(input); if (len < MAX_BUF) strcpy(buf,input); } 28
Spot the defect! (5) #define MAX_BUF = 256 What if input is longer than 32K ? v void BadCode (char* input) { short len; len will be a negative number, char buf[MAX_BUF]; due to integer overflow hence: potential len = strlen(input); buffer overflow if (len < MAX_BUF) strcpy(buf,input); } The integer overflow is the root problem, but the (heap) buffer overflow that this enables make it exploitable 29
S Spot the defect! (6) b bool CopyStructs(InputFile* f, long count) { structs = new Structs[count]; f for (long i = 0; i < count; i++) { if !(ReadFromFile(f,&structs[i]))) break; } } 30
S Spot the defect! (6) b bool CopyStructs(InputFile* f, long count) { structs = new Structs[count]; f for (long i = 0; i < count; i++) { if !(ReadFromFile(f,&structs[i]))) break; } } effectively does a malloc(count*sizeof(type)) which may cause integer overflow And this integer overflow can lead to a (heap) buffer overflow. (Microsoft Visual Studio 2005(!) C++ compiler adds check to prevent t this) 31
Spot the defect! (7) char buff1[MAX_SIZE], buff2[MAX_SIZE]; // make sure url a valid URL and fits in buff1 and buff2: if (! isValid(url)) return; if (strlen(url) > MAX_SIZE – 1) return; // copy url up to first separator, ie. first ’/’, to buff1 out = buff1; do { // skip spaces if (*url != ’ ’) *out++ = *url; } while (*url++ != ’/’); strcpy(buff2, buff1); ... [slide from presentation by Jon Pincus] 32
Spot the defect! (7) Loop termination (exploited by Blaster) ( char buff1[MAX_SIZE], buff2[MAX_SIZE]; // make sure url a valid URL and fits in buff1 and buff2: if (! isValid(url)) return; if (strlen(url) > MAX_SIZE – 1) return; // copy url up to first separator, ie. first ’/’, to buff1 out = buff1; do { length up to the first null // skip spaces if (*url != ’ ’) *out++ = *url; } while (*url++ != ’/’); strcpy(buff2, buff1); ... what if there is no ‘/’ in the URL? [slide from presentation by Jon Pincus] 33
Spot the defect! (7) char buff1[MAX_SIZE], buff2[MAX_SIZE]; // make sure url a valid URL and fits in buff1 and buff2: if (! isValid(url)) return; if (strlen(url) > MAX_SIZE – 1) return; // copy url up to first separator, ie. first ’/’, to buff1 out = buff1; do { // skip spaces if (*url != ’ ’) *out++ = *url; } while (*url++ != ’/’) && (*url != 0); strcpy(buff2, buff1); ... [slide from presentation by Jon Pincus] 34
Spot the defect! (7) char buff1[MAX_SIZE], buff2[MAX_SIZE]; // make sure url a valid URL and fits in buff1 and buff2: if (! isValid(url)) return; if (strlen(url) > MAX_SIZE – 1) return; // copy url up to first separator, ie. first ’/’, to buff1 out = buff1; do { // skip spaces if (*url != ’ ’) *out++ = *url; } while (*url++ != ’/’) && (*url != 0); strcpy(buff2, buff1); ... Order of tests is wrong (note the first test includes ++) What about 0-length URLs? [slide from presentation by Jon Pincus] Is buff1 always null-terminated? 35
Spot the defect! (8) #include <stdio.h> int main(int argc, char* argv[]) { if (argc > 1) printf(argv[1]); return 0; } This program is vulnerable to format string attacks, where calling the program with strings containing special characters can result in a buffer overflow attack. 36
Format string attacks • Complete new type of attack, invented/discovered in 2000. Like integer overflows, it can lead to buffer overflows. • Strings can contain special characters, eg %s in printf(“Cannot find file %s”, filename); Such strings are called format strings • What happens if we execute the code below? printf(“Cannot find file %s”); • What may happen if we execute printf(string) where string is user-supplied ? Esp. if it contains special characters, eg %s, %x, %n, %hn? 37
Format string attacks • %x reads and prints 4 bytes from stack – this may leak sensitive data • %n writes the number of characters printed so far onto the stack – this allow stack overflow attacks... • Note that format strings break the “don’t mix data & code” principle. • Easy to spot & fix: replace printf(str) by printf(“%s”, str) ) 38
Dynamic countermeasures incl. stack canaries
Dynamic countermeasures protection by kernel • non-executable memory (NOEXEC) – prevents attacker executing her code • address space layout randomisation (ASLR) ( – generally makes attacker's life harder • instruction set randomisation – hardware support needed to make this efficient enough protection inserted by the compiler • stack canaries to prevent or detect malicious changes to the stack; examples to follow • obfuscation of memory addresses Doesn't prevent against heap overflows 40
Dynamic countermeasure: stack canaries • introduced in StackGuard in gcc • a dummy value - stack canary or cookie - is written on the stack in front of the return address and checked when function returns • a careless stack overflow will overwrite the canary, which can then be detected. • a careful attacker can overwrite the canary with the correct value. • additional countermeasures: – use a random value for the canary – XOR this random value with the return address – include string termination characters in the canary value 41
Further improvements • PointGuard – also protects other data values, eg function pointers, with canaries • ProPolice's Stack Smashing Protection (SSP) by IBM – also re-orders stack elements to reduce potential for trouble • Stackshield has a special stack for return addresses, and can disallow function pointers to the data segment 42
Dynamic countermeasures NB none of these protections are perfect! Eg • even if attacks to return addresses are caught, integrity of other data other the stack can still be abused • clever attacks may leave canaries intact • where do you store the "master" canary value – a cleverer attack could change it • none of this protects against heap overflows – eg buffer overflow within a struct... • .... 43
Windows 2003 Stack Protection The subtle ways in which things can still go wrong... • Enabled with /GS command line option • Similar to StackGuard, except that when canary is corrupted, control is transferred to an exception handler • Exception handler information is stored ... on the stack – http://www.securityfocus.com/bid/8522/info • Countermeasure: register exception handlers, and don't trust exception handlers that are not registered or on the stack • Attackers may still abuse existing handlers or point to exception outside the loaded module... 44
Other countermeasures
Countermeasures • We can take countermeasures at different points in time – before we even begin programming – during development – when testing – when executing code to prevent, to detect – at (pre)compile time or at runtime -, and to migitate problems with buffer overflows 46
Prevention • Don’t use C or C++ • Better programmer awareness & training Eg read – and make other people read - • Building Secure Software, J. Viega & G. McGraw, 2002 • Writing Secure Code, M. Howard & D. LeBlanc, 2002 • 19 deadly sins of software security, M. Howard, D LeBlanc & J. Viega, 2005 • Secure programming for Linux and UNIX HOWTO, D. Wheeler, • Secure C coding, T. Sirainen 47
Dangerous C system calls source: Building secure software, J. Viega & G. McGraw, 2002 Extreme risk High risk (cntd) H Moderate risk Low risk • gets • streadd • getchar • fgets • strecpy • fgetc • memcpy High risk • strtrns • getc • snprintf • strcpy • read • strccpy • realpath • strcat • bcopy • strcadd • syslog • sprintf • strncpy • scanf • getenv • strncat • sscanf • getopt • vsnprintf • fscanf • getopt_long • vfscanf • getpass • vsscanf 48
Prevention – use better string libraries • there is a choice between using statically vs dynamically allocated buffers – static approach easy to get wrong, and chopping user input may still have unwanted effects – dynamic approach susceptible to out-of-memory errors, and need for failing safely 49
B Better string libraries (1) • libsafe.h provides safer, modified versions of eg strcpy – prevents buffer overruns beyond current stack frame in the dangerous functions it redefines • libverify enhancement of libsafe – keeps copies of the stack return address on the heap, and checks if these match • strlcpy(dst,src,size) and strlcat(dst,src,size) with size the size of dst, not the maximum length copied. Consistently used in OpenBSD 50
B Better string libraries (2) • glib.h provides Gstring type for dynamically growing null- terminated strings in C – but failure to allocate will result in crash that cannot be intercepted, which may not be acceptable • Strsafe.h by Microsoft guarantees null-termination and always takes destination size as argument • C++ string class – but data() and c-str()return low level C strings, ie char*, with result of data()is not always null-terminated on all platforms... 51
Detection before shipping • Testing – Difficult! How to hit the right cases? – Fuzz testing - test for crash on long, random inputs – can be succesful in finding some weaknesses • Code reviews – Expensive & labour intensive • Code scanning tools (aka static analysis) C Eg – RATS () – also for PHP, Python, Perl – Flawfinder , ITS4, Deputy, Splint – PREfix, PREfast by Microsoft plus other commercial tools – Coverity – Parasoft – Klockwork. 52
More prevention & detection • Bounds Checkers – add additonal bounds info for pointers and check these at run time – eg Bcc, RTcc, CRED, ..... – RICH prevents integer overflows • Safe variants of C – adding bound checks, but also type checks and more: eg garbage collection or region-based memory m management) – eg Cyclone (http://cyclone.thelanguage.org), CCured, Vault, e Control-C, Fail-Safe C, … 53
More prevention & detection The most extreme form of static analysis: • Program verification – proving by mathematical means (eg Hoare logic) that memory management of a program is safe – extremely labour-intensive  – eg hypervisor verification project by Microsoft & Verisoft: • http://www.microsoft.com/emic/verisoft.mspx 54
Reducing attack surface • Not running or even installing certain software, or enabling all features by default, mitigates the threat 55
Summary • Buffer overflows are the top security vulnerability • Any C(++) code acting on untrusted input is at risk • Getting rid of buffer overflow weaknesses in C(++) c code is hard (and may prove to be impossible) – Ongoing arms race between countermeasures and ever more clever attacks. – Attacks are not only getting cleverer, using them is getting easier 56
More general Buffer overflow is an instance of three more general problems: 1) lack of input validation 2) mixing data & code – data and return address on the stack 1) believing in & relying on an abstraction – in this case, the abstraction of procedure calls offered by C • Attacks often exploit holes in abstractions that are not 100% enforced 57
Moral of the story • Don’t use C(++), if you can avoid it – but use a language that provides memory safety, such as Java or C# • If you do have to use C(++), become or hire an expert • Required reading – A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention, by John Wilander and Mariam Kamkar 58
Optional Reading • If you want/need to read some more to understand on how buffer overflows attacks work, or are interested in a very comprehensive account of countermeasures: Y. Younan,W. Joosen, F. Piessens, Code injection in C and C++: a survey of vulnerabilities and countermeasures 59

Recomendados

Routed Provider Networks on OpenStack
Routed Provider Networks on OpenStack Routed Provider Networks on OpenStack
Routed Provider Networks on OpenStack Romana Project
 
そのデータフロー NiFiで楽にしてあげましょう
そのデータフロー NiFiで楽にしてあげましょうそのデータフロー NiFiで楽にしてあげましょう
そのデータフロー NiFiで楽にしてあげましょうKoji Kawamura
 
Embedded Linux Quick Start Guide v1.5
Embedded Linux Quick Start Guide v1.5Embedded Linux Quick Start Guide v1.5
Embedded Linux Quick Start Guide v1.5Chris Simmonds
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMULinaro
 
Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...
Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...
Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...linuxlab_conf
 
Solaris Operating System
Solaris Operating SystemSolaris Operating System
Solaris Operating SystemJoshua Guillano
 
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)Shinya Takamaeda-Y
 
Advanced Network Design
Advanced Network DesignAdvanced Network Design
Advanced Network DesignCisco Russia
 

Recomendados

Routed Provider Networks on OpenStack
Routed Provider Networks on OpenStack Routed Provider Networks on OpenStack
Routed Provider Networks on OpenStack Romana Project
 
そのデータフロー NiFiで楽にしてあげましょう
そのデータフロー NiFiで楽にしてあげましょうそのデータフロー NiFiで楽にしてあげましょう
そのデータフロー NiFiで楽にしてあげましょうKoji Kawamura
 
Embedded Linux Quick Start Guide v1.5
Embedded Linux Quick Start Guide v1.5Embedded Linux Quick Start Guide v1.5
Embedded Linux Quick Start Guide v1.5Chris Simmonds
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMUSFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMULinaro
 
Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...
Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...
Marco Cavallini - Yocto Project, an automatic generator of embedded Linux dis...linuxlab_conf
 
Solaris Operating System
Solaris Operating SystemSolaris Operating System
Solaris Operating SystemJoshua Guillano
 
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)
Debian Linux on Zynq (Xilinx ARM-SoC FPGA) Setup Flow (Vivado 2015.4)Shinya Takamaeda-Y
 
Advanced Network Design
Advanced Network DesignAdvanced Network Design
Advanced Network DesignCisco Russia
 
Cloud, SDN, NFV
Cloud, SDN, NFVCloud, SDN, NFV
Cloud, SDN, NFVIgor D.C.
 
The basic concept of Linux FIleSystem
The basic concept of Linux FIleSystemThe basic concept of Linux FIleSystem
The basic concept of Linux FIleSystemHungWei Chiu
 
系統程式 -- 第 12 章
系統程式 -- 第 12 章系統程式 -- 第 12 章
系統程式 -- 第 12 章鍾誠 陳鍾誠
 
U-Boot - An universal bootloader
U-Boot - An universal bootloader U-Boot - An universal bootloader
U-Boot - An universal bootloader Emertxe Information Technologies Pvt Ltd
 
Dell OS10 VLT Architecture Guide.pdf
Dell OS10 VLT Architecture Guide.pdfDell OS10 VLT Architecture Guide.pdf
Dell OS10 VLT Architecture Guide.pdfdjameleddine2015
 
Présentation ubuntu 12.10 PDF
Présentation ubuntu 12.10 PDFPrésentation ubuntu 12.10 PDF
Présentation ubuntu 12.10 PDFMohamed Ben Bouzid
 
How to Integrate Kubernetes in OpenStack
How to Integrate Kubernetes in OpenStack How to Integrate Kubernetes in OpenStack
How to Integrate Kubernetes in OpenStack Meng-Ze Lee
 
Important adb commands
Important adb commandsImportant adb commands
Important adb commandsSuresh Kamasala
 
Historia de ANDROID
Historia de ANDROIDHistoria de ANDROID
Historia de ANDROIDJose David Leon
 
Data Structures in and on IPFS
Data Structures in and on IPFSData Structures in and on IPFS
Data Structures in and on IPFSC4Media
 
Xen Cache Coloring: Interference-Free Real-Time System
Xen Cache Coloring: Interference-Free Real-Time SystemXen Cache Coloring: Interference-Free Real-Time System
Xen Cache Coloring: Interference-Free Real-Time SystemStefano Stabellini
 
Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer OverflowsSumit Kumar
 
Software Exploits
Software ExploitsSoftware Exploits
Software ExploitsKevinCSmallwood
 
Rust vs C++
Rust vs C++Rust vs C++
Rust vs C++corehard_by
 
AllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits BVBA (freelancer)
 
test
testtest
testaaro11
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacksharshal kshatriya
 
Common mistakes in C programming
Common mistakes in C programmingCommon mistakes in C programming
Common mistakes in C programmingLarion
 
C cheat sheet for varsity (extreme edition)
C cheat sheet for varsity (extreme edition)C cheat sheet for varsity (extreme edition)
C cheat sheet for varsity (extreme edition)Saifur Rahman
 
6 buffer overflows
6 buffer overflows6 buffer overflows
6 buffer overflowsdrewz lin
 
Hacker Thursdays: An introduction to binary exploitation
Hacker Thursdays: An introduction to binary exploitationHacker Thursdays: An introduction to binary exploitation
Hacker Thursdays: An introduction to binary exploitationOWASP Hacker Thursday
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 

Más contenido relacionado

La actualidad más candente

Cloud, SDN, NFV
Cloud, SDN, NFVCloud, SDN, NFV
Cloud, SDN, NFVIgor D.C.
 
The basic concept of Linux FIleSystem
The basic concept of Linux FIleSystemThe basic concept of Linux FIleSystem
The basic concept of Linux FIleSystemHungWei Chiu
 
系統程式 -- 第 12 章
系統程式 -- 第 12 章系統程式 -- 第 12 章
系統程式 -- 第 12 章鍾誠 陳鍾誠
 
Dell OS10 VLT Architecture Guide.pdf
Dell OS10 VLT Architecture Guide.pdfDell OS10 VLT Architecture Guide.pdf
Dell OS10 VLT Architecture Guide.pdfdjameleddine2015
 
Présentation ubuntu 12.10 PDF
Présentation ubuntu 12.10 PDFPrésentation ubuntu 12.10 PDF
Présentation ubuntu 12.10 PDFMohamed Ben Bouzid
 
How to Integrate Kubernetes in OpenStack
How to Integrate Kubernetes in OpenStack How to Integrate Kubernetes in OpenStack
How to Integrate Kubernetes in OpenStack Meng-Ze Lee
 
Data Structures in and on IPFS
Data Structures in and on IPFSData Structures in and on IPFS
Data Structures in and on IPFSC4Media
 
Xen Cache Coloring: Interference-Free Real-Time System
Xen Cache Coloring: Interference-Free Real-Time SystemXen Cache Coloring: Interference-Free Real-Time System
Xen Cache Coloring: Interference-Free Real-Time SystemStefano Stabellini
 

La actualidad más candente (11)

Cloud, SDN, NFV
Cloud, SDN, NFVCloud, SDN, NFV
Cloud, SDN, NFV
 
The basic concept of Linux FIleSystem
The basic concept of Linux FIleSystemThe basic concept of Linux FIleSystem
The basic concept of Linux FIleSystem
 
系統程式 -- 第 12 章
系統程式 -- 第 12 章系統程式 -- 第 12 章
系統程式 -- 第 12 章
 
U-Boot - An universal bootloader
U-Boot - An universal bootloader U-Boot - An universal bootloader
U-Boot - An universal bootloader
 
Dell OS10 VLT Architecture Guide.pdf
Dell OS10 VLT Architecture Guide.pdfDell OS10 VLT Architecture Guide.pdf
Dell OS10 VLT Architecture Guide.pdf
 
Présentation ubuntu 12.10 PDF
Présentation ubuntu 12.10 PDFPrésentation ubuntu 12.10 PDF
Présentation ubuntu 12.10 PDF
 
How to Integrate Kubernetes in OpenStack
How to Integrate Kubernetes in OpenStack How to Integrate Kubernetes in OpenStack
How to Integrate Kubernetes in OpenStack
 
Important adb commands
Important adb commandsImportant adb commands
Important adb commands
 
Historia de ANDROID
Historia de ANDROIDHistoria de ANDROID
Historia de ANDROID
 
Data Structures in and on IPFS
Data Structures in and on IPFSData Structures in and on IPFS
Data Structures in and on IPFS
 
Xen Cache Coloring: Interference-Free Real-Time System
Xen Cache Coloring: Interference-Free Real-Time SystemXen Cache Coloring: Interference-Free Real-Time System
Xen Cache Coloring: Interference-Free Real-Time System
 

Similar a Software Security Buffer Overflows Explained

Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer OverflowsSumit Kumar
 
AllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits BVBA (freelancer)
 
Common mistakes in C programming
Common mistakes in C programmingCommon mistakes in C programming
Common mistakes in C programmingLarion
 
C cheat sheet for varsity (extreme edition)
C cheat sheet for varsity (extreme edition)C cheat sheet for varsity (extreme edition)
C cheat sheet for varsity (extreme edition)Saifur Rahman
 
6 buffer overflows
6 buffer overflows6 buffer overflows
6 buffer overflowsdrewz lin
 
Hacker Thursdays: An introduction to binary exploitation
Hacker Thursdays: An introduction to binary exploitationHacker Thursdays: An introduction to binary exploitation
Hacker Thursdays: An introduction to binary exploitationOWASP Hacker Thursday
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
Chapter 13.1.10
Chapter 13.1.10Chapter 13.1.10
Chapter 13.1.10patcha535
 
Memory Optimization
Memory OptimizationMemory Optimization
Memory OptimizationWei Lin
 
Memory Optimization
Memory OptimizationMemory Optimization
Memory Optimizationguest3eed30
 
streams and files
streams and files streams and files
streams and filesMariam Butt
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredKory Kyzar
 
Exploits
ExploitsExploits
ExploitsKen Sai
 

Similar a Software Security Buffer Overflows Explained (20)

Buffer Overflows
Buffer OverflowsBuffer Overflows
Buffer Overflows
 
Software Exploits
Software ExploitsSoftware Exploits
Software Exploits
 
Rust vs C++
Rust vs C++Rust vs C++
Rust vs C++
 
AllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW Security
 
test
testtest
test
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
Common mistakes in C programming
Common mistakes in C programmingCommon mistakes in C programming
Common mistakes in C programming
 
C cheat sheet for varsity (extreme edition)
C cheat sheet for varsity (extreme edition)C cheat sheet for varsity (extreme edition)
C cheat sheet for varsity (extreme edition)
 
6 buffer overflows
6 buffer overflows6 buffer overflows
6 buffer overflows
 
Hacker Thursdays: An introduction to binary exploitation
Hacker Thursdays: An introduction to binary exploitationHacker Thursdays: An introduction to binary exploitation
Hacker Thursdays: An introduction to binary exploitation
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
Chapter 13.1.10
Chapter 13.1.10Chapter 13.1.10
Chapter 13.1.10
 
Memory Optimization
Memory OptimizationMemory Optimization
Memory Optimization
 
Memory Optimization
Memory OptimizationMemory Optimization
Memory Optimization
 
streams and files
streams and files streams and files
streams and files
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Buffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly RequiredBuffer Overflows 101: Some Assembly Required
Buffer Overflows 101: Some Assembly Required
 
Exploits
ExploitsExploits
Exploits
 
Nethemba - Writing exploits
Nethemba - Writing exploitsNethemba - Writing exploits
Nethemba - Writing exploits
 
Writing exploits
Writing exploitsWriting exploits
Writing exploits
 

Más de Karthic Rao

Scaling your GraphQL applications with Dgraph
Scaling your GraphQL applications with DgraphScaling your GraphQL applications with Dgraph
Scaling your GraphQL applications with DgraphKarthic Rao
 

Más de Karthic Rao (10)

Scaling your GraphQL applications with Dgraph
Scaling your GraphQL applications with DgraphScaling your GraphQL applications with Dgraph
Scaling your GraphQL applications with Dgraph
 
Childexittest
ChildexittestChildexittest
Childexittest
 
Childexittest
ChildexittestChildexittest
Childexittest
 
Fileinc
FileincFileinc
Fileinc
 
Forkexpe
ForkexpeForkexpe
Forkexpe
 
Usrinfogetpwuid
UsrinfogetpwuidUsrinfogetpwuid
Usrinfogetpwuid
 
Countrytime.c
Countrytime.cCountrytime.c
Countrytime.c
 
Timesleep
TimesleepTimesleep
Timesleep
 
Time2.c
Time2.cTime2.c
Time2.c
 
Fork.c
Fork.cFork.c
Fork.c
 

Último

Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSJoshuaGantuangco2
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationRosabel UA
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 
Food processing presentation for bsc agriculture hons
Food processing presentation for bsc agriculture honsFood processing presentation for bsc agriculture hons
Food processing presentation for bsc agriculture honsManeerUddin
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfPatidar M
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 

Último (20)

Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTSGRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
GRADE 4 - SUMMATIVE TEST QUARTER 4 ALL SUBJECTS
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translation
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 
Food processing presentation for bsc agriculture hons
Food processing presentation for bsc agriculture honsFood processing presentation for bsc agriculture hons
Food processing presentation for bsc agriculture hons
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
Active Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdfActive Learning Strategies (in short ALS).pdf
Active Learning Strategies (in short ALS).pdf
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 

Software Security Buffer Overflows Explained

  • 1. Software Security Buffer Overflows public enemy number 1 Erik Poll Digital Security Radboud University Nijmegen
  • 2. Essence of the problem Suppose in a C program we have an array of length 4 char buffer[4]; What happens if we execute the statement below ? buffer[4] = ‘a’; Anything can happen ! If the data written (ie. the “a”) is user input that can be controlled by an attacker, this vulnerability can be exploited: anything that the attacker wants can happen. 2
  • 3. Solution to this problem • Check array bounds at runtime – Algol 60 proposed this back in 1960! • Unfortunately, C and C++ have not adopted this solution, for efficiency reasons. ( (Ada, Perl, Python, Java, C#, and even Visual Basic have.) • As a result, buffer overflows have been the no 1 security problem in software ever since. 3
  • 4. Problems caused by buffer overflows • The first Internet worm, and all subsequent ones (CodeRed, Blaster, ...), exploited buffer overflows • Buffer overflows cause in the order of 50% of all security alerts – Eg check out CERT, cve.mitre.org, or bugtraq • Trends – Attacks are getting cleverer • defeating ever more clever countermeasures – Attacks are getting easier to do, by script kiddies 4
  • 5. Any C(++) code acting on untrusted input is at risk Eg • code taking input over untrusted network – eg. sendmail, web browser, wireless network driver,... • code taking input from untrusted user on multi- user system, – esp. services running with high privileges (as ROOT on Unix/Linux, as SYSTEM on Windows) o • code acting on untrusted files – that have been downloaded or emailed • also embedded software, eg. in devices with (wireless) network connection such as mobile phones with Bluetooth, wireless smartcards, airplane navigation systems, ... 5
  • 6. How does buffer overflow work?
  • 7. Memory management in C/C++ • Program responsible for its memory management • Memory management is very error-prone – Who here has had a C(++) program crash with a segmentation fault? • Typical bugs: – Writing past the bound of an array – Dangling pointers • missing initialisation, bad pointer arithmetic, incorrect de- allocation, double de-allocation, failed allocation, ... – Memory leaks • For efficiency, these bugs are not detected at run time, as discussed before: – behaviour of a buggy program is undefined 7
  • 8. Process memory layout High Arguments/ Environment Stack grows addresses down, Stack by procedure calls Unused Memory H Heap (dynamic data) Heap grows up, eg. by malloc Static Data .data and new Low addresses Program Code .text 8
  • 9. Stack overflow The stack consists of Activation Records: x AR main() m return address AR f() f buf[4..7] buf[0..3] Stack grows void f(int x) { Buffer grows downwards char[8] buf; upwards gets(buf); } void main() { f(…); … } void format_hard_disk(){…} 9
  • 10. Stack overflow What if gets() reads more than 8 bytes ? x AR main() m return address AR f() f buf[4..7] buf[0..3] void f(int x) { Buffer grows char[8] buf; upwards gets(buf); } void main() { f(…); … } void format_hard_disk(){…} 10
  • 11. Stack overflow What if gets() reads more than 8 bytes ? x AR main() m return address AR f() f buf[4..7] buf[0..3] Stack grows void f(int x) { Buffer grows downwards char[8] buf; upwards gets(buf); } never use void main() { f(…); … gets()! } void format_hard_disk(){…} 11
  • 12. Stack overflow • Lots of details to get right: – No nulls in (character-)strings – Filling in the correct return address: • Fake return address must be precisely positioned • Attacker might not know the address of his own string – Other overwritten data must not be used before return from function – … 12
  • 13. Variants & causes • Stack overflow is overflow of a buffer allocated on the stack • Heap overflow idem, of buffer allocated on the heap Common causes: • poor programming with of arrays and strings – esp. library functions for null-terminated strings • problems with format strings But other low-level coding defects than can result in buffer overflows, eg integer overflows or data races 13
  • 14. What causes buffer overflows?
  • 15. Example: gets char buf[20]; gets(buf); // read user input until // first EoL or EoF character • Never use gets • Use fgets(buf, size, stdin) instead 15
  • 16. Example: strcpy char dest[20]; strcpy(dest, src); // copies string src to dest • strcpy assumes dest is long enough , and assumes src is null-terminated • Use strncpy(dest, src, size) instead 16
  • 17. S Spot the defect! (1) char buf[20]; char prefix[] = ”http://”; ... strcpy(buf, prefix); // copies the string prefix to buf strncat(buf, path, sizeof(buf)); // concatenates path to the string buf 17
  • 18. S Spot the defect! (1) char buf[20]; char prefix[] = ”http://”; ... strcpy(buf, prefix); // copies the string prefix to buf strncat(buf, path, sizeof(buf)); // concatenates path to the string buf strncat’s 3rd parameter is number of chars to copy, not the buffer size Another common mistake is giving sizeof(path) as 3rd argument... 18
  • 19. S Spot the defect! (2) char src[9]; char dest[9]; char base_url = ”www.ru.nl”; strncpy(src, base_url, 9); // copies base_url to src strcpy(dest, src); // copies src to dest 19
  • 20. S Spot the defect! (2) base_url is 10 chars long, incl. its char src[9]; null terminator, so src won’t be char dest[9]; not null-terminated char base_url = ”www.ru.nl/”; strncpy(src, base_url, 9); // copies base_url to src strcpy(dest, src); // copies src to dest 20
  • 21. Spot the defect! (2) base_url is 10 chars long, incl. its char src[9]; null terminator, so src won’t be char dest[9]; not null-terminated char base_url = ”www.ru.nl/”; strncpy(src, base_url, 9); // copies base_url to src strcpy(dest, src); // copies src to dest so strcpy will overrun the buffer dest 21
  • 22. Example: strcpy and strncpy • Don’t replace s strcpy(dest, src) by s strncpy(dest, src, sizeof(dest)) but by s strncpy(dest, src, sizeof(dest)-1) dst[sizeof(dest-1)] = `0`; if dest should be null-terminated! • Btw: a strongly typed programming language could of course enforce that strings are always null-terminated... 22
  • 23. S Spot the defect! (3) char *buf; We forget to check for bytes int i, len; representing a negative int, so len might be negative read(fd, &len, sizeof(len)); // read sizeof(len) bytes, ie. an int // and store these in len buf = malloc(len); read(fd,buf,len); len cast to unsigned and negative length overflows read then goes beyond the end of buf 23
  • 24. S Spot the defect! (3) char *buf; int i, len; read(fd, &len, sizeof(len)); i if (len < 0) {error ("negative length"); return; } buf = malloc(len); read(fd,buf,len); Remaining problem may be that buf is not null-terminated 24
  • 25. S Spot the defect! (3) char *buf; May result in integer overflow; int i, len; we should check that len+1 is positive read(fd, &len, sizeof(len)); i if (len < 0) {error ("negative length"); return; } buf = malloc(len+1); read(fd,buf,len); buf[len] = '0'; // null terminate buf 25
  • 26. S Spot the defect! (4) #ifdef UNICODE #define _sntprintf _snwprintf #define TCHAR wchar_t #else #define _sntprintf _snprintf #define TCHAR char #endif TCHAR buff[MAX_SIZE]; _sntprintf(buff, sizeof(buff), ”%sn”, input); [slide from presentation by Jon Pincus] 26
  • 27. Spot the defect! (4) #ifdef UNICODE #define _sntprintf _snwprintf #define TCHAR wchar_t #else #define _sntprintf _snprintf #define TCHAR char #endif _snwprintf’s 2nd param is # of chars in buffer, not # of bytes TCHAR buff[MAX_SIZE]; _sntprintf(buff, sizeof(buff), ”%sn”, input); The CodeRed worm exploited such an ANSI/Unicode mismatch [slide from presentation by Jon Pincus] 27
  • 28. S Spot the defect! (5) #define MAX_BUF = 256 v void BadCode (char* input) { short len; char buf[MAX_BUF]; len = strlen(input); if (len < MAX_BUF) strcpy(buf,input); } 28
  • 29. Spot the defect! (5) #define MAX_BUF = 256 What if input is longer than 32K ? v void BadCode (char* input) { short len; len will be a negative number, char buf[MAX_BUF]; due to integer overflow hence: potential len = strlen(input); buffer overflow if (len < MAX_BUF) strcpy(buf,input); } The integer overflow is the root problem, but the (heap) buffer overflow that this enables make it exploitable 29
  • 30. S Spot the defect! (6) b bool CopyStructs(InputFile* f, long count) { structs = new Structs[count]; f for (long i = 0; i < count; i++) { if !(ReadFromFile(f,&structs[i]))) break; } } 30
  • 31. S Spot the defect! (6) b bool CopyStructs(InputFile* f, long count) { structs = new Structs[count]; f for (long i = 0; i < count; i++) { if !(ReadFromFile(f,&structs[i]))) break; } } effectively does a malloc(count*sizeof(type)) which may cause integer overflow And this integer overflow can lead to a (heap) buffer overflow. (Microsoft Visual Studio 2005(!) C++ compiler adds check to prevent t this) 31
  • 32. Spot the defect! (7) char buff1[MAX_SIZE], buff2[MAX_SIZE]; // make sure url a valid URL and fits in buff1 and buff2: if (! isValid(url)) return; if (strlen(url) > MAX_SIZE – 1) return; // copy url up to first separator, ie. first ’/’, to buff1 out = buff1; do { // skip spaces if (*url != ’ ’) *out++ = *url; } while (*url++ != ’/’); strcpy(buff2, buff1); ... [slide from presentation by Jon Pincus] 32
  • 33. Spot the defect! (7) Loop termination (exploited by Blaster) ( char buff1[MAX_SIZE], buff2[MAX_SIZE]; // make sure url a valid URL and fits in buff1 and buff2: if (! isValid(url)) return; if (strlen(url) > MAX_SIZE – 1) return; // copy url up to first separator, ie. first ’/’, to buff1 out = buff1; do { length up to the first null // skip spaces if (*url != ’ ’) *out++ = *url; } while (*url++ != ’/’); strcpy(buff2, buff1); ... what if there is no ‘/’ in the URL? [slide from presentation by Jon Pincus] 33
  • 34. Spot the defect! (7) char buff1[MAX_SIZE], buff2[MAX_SIZE]; // make sure url a valid URL and fits in buff1 and buff2: if (! isValid(url)) return; if (strlen(url) > MAX_SIZE – 1) return; // copy url up to first separator, ie. first ’/’, to buff1 out = buff1; do { // skip spaces if (*url != ’ ’) *out++ = *url; } while (*url++ != ’/’) && (*url != 0); strcpy(buff2, buff1); ... [slide from presentation by Jon Pincus] 34
  • 35. Spot the defect! (7) char buff1[MAX_SIZE], buff2[MAX_SIZE]; // make sure url a valid URL and fits in buff1 and buff2: if (! isValid(url)) return; if (strlen(url) > MAX_SIZE – 1) return; // copy url up to first separator, ie. first ’/’, to buff1 out = buff1; do { // skip spaces if (*url != ’ ’) *out++ = *url; } while (*url++ != ’/’) && (*url != 0); strcpy(buff2, buff1); ... Order of tests is wrong (note the first test includes ++) What about 0-length URLs? [slide from presentation by Jon Pincus] Is buff1 always null-terminated? 35
  • 36. Spot the defect! (8) #include <stdio.h> int main(int argc, char* argv[]) { if (argc > 1) printf(argv[1]); return 0; } This program is vulnerable to format string attacks, where calling the program with strings containing special characters can result in a buffer overflow attack. 36
  • 37. Format string attacks • Complete new type of attack, invented/discovered in 2000. Like integer overflows, it can lead to buffer overflows. • Strings can contain special characters, eg %s in printf(“Cannot find file %s”, filename); Such strings are called format strings • What happens if we execute the code below? printf(“Cannot find file %s”); • What may happen if we execute printf(string) where string is user-supplied ? Esp. if it contains special characters, eg %s, %x, %n, %hn? 37
  • 38. Format string attacks • %x reads and prints 4 bytes from stack – this may leak sensitive data • %n writes the number of characters printed so far onto the stack – this allow stack overflow attacks... • Note that format strings break the “don’t mix data & code” principle. • Easy to spot & fix: replace printf(str) by printf(“%s”, str) ) 38
  • 39. Dynamic countermeasures incl. stack canaries
  • 40. Dynamic countermeasures protection by kernel • non-executable memory (NOEXEC) – prevents attacker executing her code • address space layout randomisation (ASLR) ( – generally makes attacker's life harder • instruction set randomisation – hardware support needed to make this efficient enough protection inserted by the compiler • stack canaries to prevent or detect malicious changes to the stack; examples to follow • obfuscation of memory addresses Doesn't prevent against heap overflows 40
  • 41. Dynamic countermeasure: stack canaries • introduced in StackGuard in gcc • a dummy value - stack canary or cookie - is written on the stack in front of the return address and checked when function returns • a careless stack overflow will overwrite the canary, which can then be detected. • a careful attacker can overwrite the canary with the correct value. • additional countermeasures: – use a random value for the canary – XOR this random value with the return address – include string termination characters in the canary value 41
  • 42. Further improvements • PointGuard – also protects other data values, eg function pointers, with canaries • ProPolice's Stack Smashing Protection (SSP) by IBM – also re-orders stack elements to reduce potential for trouble • Stackshield has a special stack for return addresses, and can disallow function pointers to the data segment 42
  • 43. Dynamic countermeasures NB none of these protections are perfect! Eg • even if attacks to return addresses are caught, integrity of other data other the stack can still be abused • clever attacks may leave canaries intact • where do you store the "master" canary value – a cleverer attack could change it • none of this protects against heap overflows – eg buffer overflow within a struct... • .... 43
  • 44. Windows 2003 Stack Protection The subtle ways in which things can still go wrong... • Enabled with /GS command line option • Similar to StackGuard, except that when canary is corrupted, control is transferred to an exception handler • Exception handler information is stored ... on the stack – http://www.securityfocus.com/bid/8522/info • Countermeasure: register exception handlers, and don't trust exception handlers that are not registered or on the stack • Attackers may still abuse existing handlers or point to exception outside the loaded module... 44
  • 46. Countermeasures • We can take countermeasures at different points in time – before we even begin programming – during development – when testing – when executing code to prevent, to detect – at (pre)compile time or at runtime -, and to migitate problems with buffer overflows 46
  • 47. Prevention • Don’t use C or C++ • Better programmer awareness & training Eg read – and make other people read - • Building Secure Software, J. Viega & G. McGraw, 2002 • Writing Secure Code, M. Howard & D. LeBlanc, 2002 • 19 deadly sins of software security, M. Howard, D LeBlanc & J. Viega, 2005 • Secure programming for Linux and UNIX HOWTO, D. Wheeler, • Secure C coding, T. Sirainen 47
  • 48. Dangerous C system calls source: Building secure software, J. Viega & G. McGraw, 2002 Extreme risk High risk (cntd) H Moderate risk Low risk • gets • streadd • getchar • fgets • strecpy • fgetc • memcpy High risk • strtrns • getc • snprintf • strcpy • read • strccpy • realpath • strcat • bcopy • strcadd • syslog • sprintf • strncpy • scanf • getenv • strncat • sscanf • getopt • vsnprintf • fscanf • getopt_long • vfscanf • getpass • vsscanf 48
  • 49. Prevention – use better string libraries • there is a choice between using statically vs dynamically allocated buffers – static approach easy to get wrong, and chopping user input may still have unwanted effects – dynamic approach susceptible to out-of-memory errors, and need for failing safely 49
  • 50. B Better string libraries (1) • libsafe.h provides safer, modified versions of eg strcpy – prevents buffer overruns beyond current stack frame in the dangerous functions it redefines • libverify enhancement of libsafe – keeps copies of the stack return address on the heap, and checks if these match • strlcpy(dst,src,size) and strlcat(dst,src,size) with size the size of dst, not the maximum length copied. Consistently used in OpenBSD 50
  • 51. B Better string libraries (2) • glib.h provides Gstring type for dynamically growing null- terminated strings in C – but failure to allocate will result in crash that cannot be intercepted, which may not be acceptable • Strsafe.h by Microsoft guarantees null-termination and always takes destination size as argument • C++ string class – but data() and c-str()return low level C strings, ie char*, with result of data()is not always null-terminated on all platforms... 51
  • 52. Detection before shipping • Testing – Difficult! How to hit the right cases? – Fuzz testing - test for crash on long, random inputs – can be succesful in finding some weaknesses • Code reviews – Expensive & labour intensive • Code scanning tools (aka static analysis) C Eg – RATS () – also for PHP, Python, Perl – Flawfinder , ITS4, Deputy, Splint – PREfix, PREfast by Microsoft plus other commercial tools – Coverity – Parasoft – Klockwork. 52
  • 53. More prevention & detection • Bounds Checkers – add additonal bounds info for pointers and check these at run time – eg Bcc, RTcc, CRED, ..... – RICH prevents integer overflows • Safe variants of C – adding bound checks, but also type checks and more: eg garbage collection or region-based memory m management) – eg Cyclone (http://cyclone.thelanguage.org), CCured, Vault, e Control-C, Fail-Safe C, … 53
  • 54. More prevention & detection The most extreme form of static analysis: • Program verification – proving by mathematical means (eg Hoare logic) that memory management of a program is safe – extremely labour-intensive  – eg hypervisor verification project by Microsoft & Verisoft: • http://www.microsoft.com/emic/verisoft.mspx 54
  • 55. Reducing attack surface • Not running or even installing certain software, or enabling all features by default, mitigates the threat 55
  • 56. Summary • Buffer overflows are the top security vulnerability • Any C(++) code acting on untrusted input is at risk • Getting rid of buffer overflow weaknesses in C(++) c code is hard (and may prove to be impossible) – Ongoing arms race between countermeasures and ever more clever attacks. – Attacks are not only getting cleverer, using them is getting easier 56
  • 57. More general Buffer overflow is an instance of three more general problems: 1) lack of input validation 2) mixing data & code – data and return address on the stack 1) believing in & relying on an abstraction – in this case, the abstraction of procedure calls offered by C • Attacks often exploit holes in abstractions that are not 100% enforced 57
  • 58. Moral of the story • Don’t use C(++), if you can avoid it – but use a language that provides memory safety, such as Java or C# • If you do have to use C(++), become or hire an expert • Required reading – A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention, by John Wilander and Mariam Kamkar 58
  • 59. Optional Reading • If you want/need to read some more to understand on how buffer overflows attacks work, or are interested in a very comprehensive account of countermeasures: Y. Younan,W. Joosen, F. Piessens, Code injection in C and C++: a survey of vulnerabilities and countermeasures 59