S23U14438 - Lecture 19 - Buffer Overflow

The document discusses buffer overflow attacks, which occur when a program's input buffer is overwritten with more data than it can hold, potentially allowing an attacker to manipulate the EIP register and execute malicious code. It explains how memory is organized on a computer with the stack and heap, and how a buffer overflow can divert the CPU to an unauthorized route by overwriting the EIP. Examples are given of buffer overflows in real-world situations like bypassing security on devices.

Uploaded by

sara hashemi

Software security
Buffer overflow

Outline
- Fundamentals
- Buffer Overflow attacks
- Stuxnet – A buffer overflow based attack
- Countering Buffer Overflow attacks

FUNDAMENTALS
Terminology and how memory is organised on a computer

Memory and Register organisation

Memory
- Segmented
- Organised from higher to lower addresses
[Figure: memory drawn as a column, with an arrow marking the direction in which data is allocated in memory]

Registers
- Vary with processor
- General purpose registers on x86 CPU: EAX, EBX, ECX, EDX, ESI, EDI, ESP, EBP
- Address of next instruction: EIP register

Stack and Heap
[Figure: memory drawn as a column, with the Stack at the top growing downwards and the Heap at the bottom growing upwards]
- The Stack and Heap are two areas of memory
- Each grows in opposite directions

The Stack
[Figure: the Stack in high memory, shown at three points in time as Data 1, Data 2 and Data 3 are pushed top-down; Last-In First-Out]
- Area of high memory
- Allocated ‘top-down’
- Used with functions/methods
- Stores return address
- Stores calling arguments
- Stores local variables
- Rules:
  - Last-In-First-Out (LIFO)

ESP, EBP and EIP Registers

- ESP: Extended Stack Pointer
  - Keeps track of where a program is on the Stack
  - Points to the ‘top’ (next free space) of the Stack
- EBP: Extended Base Pointer
  - Acts as the reference point (or anchor) for all subsequent calls
- EIP: Extended Instruction Pointer
  - Points to the next instruction the CPU is to run

BUFFER OVERFLOW
What’s the big deal?

Buffer Overflow
- Nearly half of all exploits of computer programs stem historically from some form of buffer overflow [1]
- The classic buffer overflow is listed in the top 3 of the most dangerous software bugs [2]
- The input buffer used to hold program input is overwritten with data that is larger than the buffer can hold.
- Root cause:
  - Poor programming practice
  - Programming language weaknesses

[1] Conklin et al., 2015. Principles of Computer Security, Fourth Edition.
[2] http://cwe.mitre.org/top25/

Buffer Overflows in action
[Figure: two news headlines about real-world buffer overflows, sources [1] and [2] below]

[1] https://arstechnica.com/gadgets/2016/12/buffer-overflow-exploit-can-bypass-activation-lock-on-ipads-running-ios-10-1-1/
[2] https://www.scmagazineuk.com/vulnerability-discovered-in-atm-cash-machine-security-enables-theft/article/654651/

Buffer Overflow Attack Goal
- Manipulate the EIP to make the CPU run code that was not intended to be run
- Examples:
  - Run malware
  - Circumvent copy-protection or security checks

EIP Register Analogy
[Figure: a bus driver (CPU) following the normal bus route]

EIP Register Analogy
[Figure: at the next turn (EIP) the bus leaves the normal bus route for a diverted bus route, after which the normal route (main program) resumes; the diversion is like a function call]

EIP Register Analogy
[Figure: an unauthorised diversion at the next turn (EIP) takes the bus driver (CPU) onto an unauthorised route (code execution) instead of the diverted route from which the normal route (main program) would resume]

Normal stack operation – Using a smart kettle

Main program:
1. Arrive home
2. Make tea(“Ian”)
3. Drink tea
4. Watch TV

Function Make tea(N = Name of person):
1. Create local array User[3]
2. Copy string User[3] = N
3. Remove lid from Kettle
4. Fill the kettle with water
5. Replace kettle lid
6. Power on kettle
7. Wait for kettle to boil
8. Back

[Figure: the stack at six points (A to F) during the call. N=Ian is pushed, then RET=3 (the return to step 3, Drink tea), then EBP, then the local array holding I, a, n. ESP moves down as each item is pushed and back up as the function returns; RET is still 3 when step 8 (Back) runs.]

Stack overflow – Using a smart kettle

Main program:
1. Arrive home
2. Make tea(“ABCDE”)
3. Drink tea
4. Watch TV
E. Malware code

Function Make tea(N = Name of person):
1. Create local array User[3]
2. Copy string User[3] = N
3. Remove lid from Kettle
4. Fill the kettle with water
5. Replace kettle lid
6. Power on kettle
7. Wait for kettle to boil
8. Back

[Figure: the stack at the same six points. N=ABCDE is pushed, then RET=3, then EBP, then the local array User[3]. Copying the five characters A to E into the three-element array overwrites EBP and the return address, so RET=3 becomes RET=E, and at step 8 (Back) the CPU returns to E (Malware code) instead of step 3 (Drink tea).]
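As an added example (not code from the lecture), here is the kettle function in C: the unchecked copy the overflow slide describes beside a safe-coding version that validates the length of the name before it touches the fixed-size local array. The function names, the array size and the return values are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

#define USER_LEN 3   /* the slide's User[3]: room for a three-character name */

/* The pattern the overflow slide describes: the name N is copied into the
 * fixed-size local array with no length check. A name longer than the array,
 * such as "ABCDE", runs past it into the saved EBP and the return address
 * (RET) stored above it on the stack. Returns the length copied. */
int make_tea_unsafe(const char *n) {
    char user[USER_LEN + 1];   /* +1 for the terminating NUL */
    strcpy(user, n);           /* unbounded copy: the bug */
    /* remove lid, fill kettle, replace lid, power on, wait for boil ... */
    return (int)strlen(user);
}

/* Safe-coding version (the "data entry validation" defence): check the
 * length first and refuse the call when the name cannot fit.
 * Returns the length copied, or -1 when the name was rejected. */
int make_tea_safe(const char *n) {
    char user[USER_LEN + 1];
    size_t len = strlen(n);
    if (len > USER_LEN)
        return -1;             /* "ABCDE" is rejected here; RET is never touched */
    memcpy(user, n, len + 1);  /* bounded copy, NUL included */
    /* remove lid, fill kettle, replace lid, power on, wait for boil ... */
    return (int)len;
}

int main(void) {
    printf("make_tea_safe(\"Ian\")   -> %d\n", make_tea_safe("Ian"));    /* 3 */
    printf("make_tea_safe(\"ABCDE\") -> %d\n", make_tea_safe("ABCDE"));  /* -1 */
    return 0;
}
```

The unsafe function is only ever called here with a name that fits; with "ABCDE" its behaviour is undefined, which is exactly the point of the slide.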
Script-Kiddie collections
- Ready-made exploits are widely available:
  - Packet Storm Security: http://packetstormsecurity.org
  - Metasploit Project: http://metasploit.com
  - Exploit Database: https://www.exploit-db.com

STUXNET – BUFFER OVERFLOW IN PRACTICE
A Brief review

What is Stuxnet
- Malicious worm, targeting specific Siemens PLCs
- Destroyed 1,000 centrifuges, reducing output
- Discovered in June 2010
- Used stolen digital signatures
- Believed to target Iran’s uranium enrichment program
- Used four zero-day exploits, utilising a buffer overflow attack

Exploit detail
- Stuxnet employed multiple exploits, among them CVE-2008-4250 [1]
- This exploit attacks the Server Message Block (SMB) protocol [2], used to authenticate over Remote Procedure Call (RPC) in a Windows environment
- The use of RPC is one way to run a client/server network
- The classic Buffer Overflow is classified on the Common Weakness Enumeration (CWE) database under CWE-120 [3]
- Symantec produced a detailed dossier on Stuxnet [4]

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-4250
[2] https://msdn.microsoft.com/en-us/library/windows/desktop/aa365233(v=vs.85).aspx
[3] https://cwe.mitre.org/data/definitions/120.html
[4] https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf

COUNTERING BUFFER OVERFLOW ATTACKS
How can we defend against these attacks?

Countering Buffer Overflow Attacks
[Figure: Buffer Overflow Defences split into two branches]
- Compile time. Aim: harden new programs to resist attack
- Run-time. Aim: detect and abort attacks in existing programs

Countering Buffer Overflow Attacks
Compile time defences

Countering Buffer Overflow Attacks
Compile time defences
- Large base of existing vulnerable code hinders deployment of compile time fixes [1]
- Fixes typically require code to be recompiled
- Methods:
  - Choice of programming language
  - Data entry validation checks (safe coding)
  - Stack Canaries
  - Copy and compare the return (RET) address

[1] Lhee, K.S. and Chapin, S.J., 2003. Buffer overflow and format string overflow vulnerabilities. Software: Practice and Experience, 33(5). https://surface.syr.edu/cgi/viewcontent.cgi?article=1095&context=eecs

Countering Buffer Overflow Attacks
Compile time defences: Choice of programming language
- Try to use languages that are ‘strongly typed’
- Usually, the compiler performs range checks
- Drawbacks:
  - Code is more abstracted from hardware
  - So we have less low level control
  - Impacts particularly on device drivers

Countering Buffer Overflow Attacks
Compile time defences: Safe Coding
- Some languages allow direct memory writes
- Locate and rewrite vulnerable areas of code
- Code audit underway on OpenBSD project [1]

[1] https://www.openbsd.org/security.html

Countering Buffer Overflow Attacks
Compile time defences: Secure Programming Techniques
- Stack Canaries
  - Compiler option to place a unique value on the stack just below the return pointer (see StackGuard [1])
  - Canary sits between buffer and return pointer on stack
  - Will be overwritten if buffer overflowed
  - Before function returns, check if canary is intact (unchanged)

[Figure: two stacks, each holding (from the top) RET=3, EBP, CANARY and the local array. Left, N=ABC: the array holds A, B, C and the canary is intact. Right, N=ABCDEF: D, E, F spill past the array and overwrite the canary, so the check before the function returns detects the overflow.]

[1] http://www.usenix.net/legacy/publications/library/proceedings/sec98/full_papers/cowan/cowan.pdf

Countering Buffer Overflow Attacks
Compile time defences: Secure Programming Techniques
- Copying and comparing the Return address
  - Comparing the return address with an earlier copy (see StackShield [1] and Return Address Defender [2])
  - Return address copied at start of function to a safe location
  - At end of function return address on stack compared to copy

[Figure: two stacks, with a copy of the return address (3) kept in a safe location. Left, N=ABC: RET=3 on the stack matches the copy (3=3). Right, N=ABCDEF: the overflow has overwritten RET with E, so the comparison (E=3?) fails.]

[1] http://www.angelfire.com/sk/stackshield/
[2] Chiueh, T.C. and Hsu, F.H., 2001. RAD: A compile-time solution to buffer overflow attacks. In: Distributed Computing Systems, 2001. 21st International Conference on. IEEE.
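An added example that is not from the lecture, StackGuard, StackShield or RAD: it simulates both checks from the last two slides over a frame laid out as the figures draw it (local array, canary, saved EBP, RET). The frame offsets, the canary value, the saved EBP and the status codes are assumptions of the example; a real compiler inserts these checks in the function prologue and epilogue and aborts the process rather than returning a status.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame, low to high address: User[3] | CANARY | saved EBP | RET,
 * the layout the slides draw. Offsets and values are constructed for this
 * example; a real compiler frame also has padding and alignment. */
#define N_LEN      3
#define OFF_CANARY (N_LEN)
#define OFF_EBP    (N_LEN + 4)
#define OFF_RET    (N_LEN + 8)
#define FRAME_LEN  (N_LEN + 12)

enum { FRAME_OK = 0, CANARY_HIT = 1, RET_HIT = 2 };   /* bitmask of checks that fired */

/* Prologue: plant the canary and save a copy of RET in a safe location.
 * Body: copy the name into User[3] with no bound (the bug).
 * Epilogue: StackGuard's canary check and StackShield/RAD's RET comparison.
 * Returns which checks fired; non-zero means the function must not return. */
int check_frame(const char *name, uint32_t canary) {
    uint8_t frame[FRAME_LEN] = {0};
    uint32_t ret = 3;                 /* return to "3. Drink tea" */
    uint32_t ebp = 0xBFFFF000u;       /* constructed saved base pointer */
    uint32_t ret_copy, seen_canary, seen_ret;
    int status = FRAME_OK;

    memcpy(frame + OFF_CANARY, &canary, sizeof canary);
    memcpy(frame + OFF_EBP, &ebp, sizeof ebp);
    memcpy(frame + OFF_RET, &ret, sizeof ret);
    ret_copy = ret;                   /* the earlier copy, kept off the stack */

    size_t len = strlen(name);
    if (len > FRAME_LEN)
        len = FRAME_LEN;              /* keeps the simulation inside frame[] */
    memcpy(frame, name, len);         /* overflows User[3] whenever len > 3 */

    memcpy(&seen_canary, frame + OFF_CANARY, sizeof seen_canary);
    memcpy(&seen_ret, frame + OFF_RET, sizeof seen_ret);
    if (seen_canary != canary) status |= CANARY_HIT;
    if (seen_ret != ret_copy)  status |= RET_HIT;
    return status;
}

int main(void) {
    const uint32_t canary = 0x0AFF0D00u;   /* constructed; real canaries are random per run */
    printf("Ian    -> %d\n", check_frame("Ian", canary));              /* 0: nothing fired */
    printf("ABCDEF -> %d\n", check_frame("ABCDEF", canary));           /* 1: canary hit, RET intact */
    printf("16 x A -> %d\n", check_frame("AAAAAAAAAAAAAAAA", canary)); /* 3: both checks fire */
    return 0;
}
```

The six-character name reaches the canary but not RET, which is why the canary check catches it before the return-address comparison would; the longer input shows both defences firing on the same frame.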
Countering Buffer Overflow Attacks
Run time defences

Countering Buffer Overflow Attacks
Run time defences
- Easier to deploy through OS patches/updates
- Typically alter properties of memory or make it difficult to predict the location of buffers
- Generally configurable through OS settings [1]
- Methods:
  - Data Execution Prevention
  - Address space layout randomisation
  - Guard pages

[1] https://technet.microsoft.com/en-us/security/jj653751

Countering Buffer Overflow Attacks
Run time: Operating System Configuration
- Data Execution Prevention (DEP) [1, 2]
  - Security feature that prevents harmful programs from executing code from system memory locations reserved for Windows
  - Available from Windows XP onwards
  - Hardware and software

[1] https://msdn.microsoft.com/en-us/library/windows/desktop/aa366553(v=vs.85).aspx
[2] https://technet.microsoft.com/en-us/library/bb457155.aspx

Countering Buffer Overflow Attacks
Run time: Operating System Configuration
- Address Space Layout Randomization (ASLR) [1]
  - Security feature to hinder an attacker’s ability to predict where key memory structures, such as the stack, are located in memory
  - More effective when the search space is larger (i.e. more randomness in the offsets to data structures = more secure)
  - Available from Windows Vista onwards
  - Several bypass techniques [1, 2]

[1] https://www.exploit-db.com/docs/english/17914-bypassing-aslrdep.pdf
[2] https://codingvision.net/bypassing-aslr-dep-getting-shells-with-pwntools

Countering Buffer Overflow Attacks
Run time: Operating System Configuration
- Guard pages
  - Security feature to raise an alarm when a process attempts to access selected areas of specially reserved memory
  - These reserved areas are inserted at strategic points between sensitive areas of memory, e.g. Stack and Heap
  - Memory manager marks these areas as illegal addresses
  - An attempt to access one aborts the process

Review
- Fundamentals
- Buffer Overflow attacks
- Countering Buffer Overflow attacks