CSE 127: Buffer Overflow
Spring 2022 Lecture 2

How did you spend your day?

Go to www.menti.com and use the code 4959 1104

Stack Buffer Overflows

My nephew got angry when I told him: “The sky is the limit for you”.
He wants to be an astronaut.

When is a program secure?
• Formal approach: When it does exactly what it should
  • Not more
• But how do we know what it is supposed to do?
  • Somebody tells us? (Do we trust them?)
  • We write the code ourselves? (What fraction of the software you use have you written?)

When is a program secure?
• Pragmatic approach: When it doesn’t do bad things
  • Often easier to specify a list of “bad” things:
    • Delete or corrupt important files
    • Crash my system
    • Send my password over the internet
    • Send threatening email to the professor

When is a program secure?
What if the program doesn’t do bad things, but could? Is it secure?

Weird machines
• Complex systems contain unintended functionality
• Attackers can trigger this unintended functionality
  • i.e. they are exploiting vulnerabilities

Source: https://www.biggerplate.com/mindmaps/84Hrd05h/my-top-10-software-vulnerability

What is a software vulnerability?
• A bug in a program that gives an unprivileged user capabilities that should be denied to them
• There are many types of vulnerabilities
  • Today: bugs that violate “control flow integrity”
  • Why? This lets an attacker run code on your computer!
  • Typically these involve violating assumptions of the programming language or its runtime

Exploiting vulnerabilities (the start)
• Dive into low-level details of how exploits work
  • How can a remote attacker get a victim program to execute their code?
• Threat model: Victim code is handling input that comes from across a security boundary
  • What are some examples of this?
• Security policy: Want to protect integrity of execution and confidentiality of data from being compromised by malicious and highly skilled users of our system.

Scenario 1
As a proud script kid, Bob enjoys adding SQL code to an application’s input form to gain access to resources and make changes to data. What kind of attack is this?
a. SQL Injection
b. Buffer Overflow
c. Cross Site Scripting
d. None of the above
Go to www.menti.com and use the code: 9041 8629

Scenario 2
As a new intern at ABC Inc, Alice erroneously performed the operation shown below on memory for an array with 3 elements. What kind of vulnerability is this?
a. SQL Injection
b. Buffer Overflow
c. Cross Site Scripting
d. None of the above
Go to www.menti.com and use the code: 9523 0539

Today: Stack buffer overflows
Lecture objectives:
• Understand how buffer overflow vulns can be exploited
• Identify buffer overflows and assess their impact
• Avoid introducing buffer overflow vulnerabilities
• Correctly fix buffer overflow vulnerabilities

Buffer overflows
• Definition: An anomaly that occurs when a program writes data beyond the boundary of a buffer
• Archetypal software vulnerability
• Ubiquitous in system software (C/C++)
  • OSes, web servers, web browsers, etc.
• If your program crashes with memory faults, you probably have a buffer overflow vulnerability

Why are they interesting?
• Core concept → broad range of possible attacks
  • Sometimes a single byte is all an attacker needs
• Ongoing arms race between defenders and attackers
  • Co-evolution of defenses and exploitation techniques

How are they introduced?
• No automatic bounds checking in C/C++
  • C/C++ fails to detect whether a variable is within some bounds.
• The problem is made more acute by the fact that many C stdlib functions make it easy to go past bounds.
  • String manipulation functions like gets(), strcpy(), and strcat() all write to the destination buffer until they encounter a terminating ‘\0’ byte in the input
• Whoever is providing the input (often from the other side of a security boundary) controls how much gets written
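The point of the last two bullets is that the terminator in the input, not the size of the destination, decides when the write stops. The C program below is an added example written for these notes, not code from the lecture or from any BSD source: it puts the unbounded strcpy() pattern beside two bounded alternatives, and models a daemon reading one request line from a received buffer so that the buffer size, not the sender, bounds the write. The buffer size LINE_MAX_BYTES and all inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical line buffer size for the examples below (not from the lecture). */
#define LINE_MAX_BYTES 8

/* Vulnerable pattern: strcpy() stops only at the terminating '\0' of src.
   The size of dst plays no part, so whoever supplies src decides how many
   bytes get written. It is only ever called here with a short constant. */
static void copy_unbounded(char *dst, const char *src) {
    strcpy(dst, src);
}

/* How many bytes would strcpy() write past the end of a dstsize-byte buffer
   for this input? 0 means the input (plus its '\0') fits. */
static size_t overflow_bytes(size_t dstsize, const char *src) {
    size_t needed = strlen(src) + 1;           /* payload plus terminator */
    return needed > dstsize ? needed - dstsize : 0;
}

/* Hardened copy: dstsize, not the input, bounds the write. Returns 0 when
   src fit, -1 when it was truncated; dst is always '\0'-terminated. */
static int copy_bounded(char *dst, size_t dstsize, const char *src) {
    size_t n = strlen(src);
    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Model of a network daemon reading one request line (e.g. a user name) out
   of a received byte buffer: copies bytes up to the first '\n' into dst and
   rejects lines that would not fit, instead of writing until the terminator
   the way gets() does. Returns the line length, or -1 for an over-long or
   unterminated line. */
static long read_request_line(const char *in, size_t inlen,
                              char *dst, size_t dstsize) {
    size_t i;
    for (i = 0; i < inlen && in[i] != '\n'; i++) {
        if (i + 1 >= dstsize)       /* no room for this byte and the '\0' */
            return -1;
        dst[i] = in[i];
    }
    if (i == inlen)                 /* ran out of input before a newline */
        return -1;
    dst[i] = '\0';
    return (long)i;
}

int main(void) {
    /* Constructed inputs: a short request and one that is far too long. */
    const char *short_req = "alice\n";
    const char *long_req  = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n";
    char line[LINE_MAX_BYTES];

    printf("strcpy of a %zu-byte string into %d bytes overflows by %zu byte(s)\n",
           strlen(long_req), LINE_MAX_BYTES, overflow_bytes(LINE_MAX_BYTES, long_req));

    copy_unbounded(line, "bob");    /* safe only because the input is known */
    printf("unbounded copy: %s\n", line);

    printf("bounded copy rc=%d -> \"%s\"\n",
           copy_bounded(line, sizeof line, long_req), line);
    printf("request line rc=%ld\n",
           read_request_line(short_req, strlen(short_req), line, sizeof line));
    printf("request line rc=%ld (over-long, rejected)\n",
           read_request_line(long_req, strlen(long_req), line, sizeof line));
    return 0;
}
```

The design choice worth noticing is that every bounded routine takes the destination size as a parameter and fails closed: an over-long line is rejected or truncated with a terminator in place, never written past the end.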

Let’s look at the finger daemon in BSD 4.3

Morris worm
• This fingerd vuln was one of several exploited by the Morris worm in 1988
  • Created by Robert Morris, graduate student at Cornell.
  • One of the first internet worms
• Devastating effect on the internet
  • Took over thousands of computers and shut down large chunks of the internet
• First conviction under CFAA

That was over 30+ years ago!
Surely buffer overflows are no longer a problem…

How does a buffer overflow let you take over a machine?
• Your program manipulates data
• Data manipulates your program

What we need to know
• How C arrays work
• How memory is laid out
• How the stack and function calls work
• How to turn an array overflow into an exploit

How do C arrays work?
• What does a[idx] get compiled to?
  • *((a)+(idx))
• What does the spec say?
  • 6.5.2.1 Array subscripting in ISO/IEC 9899:2017
  • There is no concept of bounds!
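To make the slide concrete, here is an added example (not from the lecture) showing that the three spellings a[idx], *(a+idx) and idx[a] are the same address computation, and supplying the bounds check the language leaves out. The checked_get helper and the sample array are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* a[idx] is defined (C17 6.5.2.1) as *((a)+(idx)): an address computation
   followed by a dereference. Returns 1 if all three spellings agree. */
static int subscript_forms_agree(const int *a, size_t idx) {
    return a[idx] == *(a + idx) && a[idx] == idx[a];
}

/* The compiler never consults len; a[len] or a[-1] simply computes an address
   outside the object. This helper is the check the language omits: it accepts
   the access only for 0 <= idx < len and stores the element in *out. idx is
   signed so a negative index is rejected instead of wrapping to a huge size_t. */
static int checked_get(const int *a, size_t len, long idx, int *out) {
    if (idx < 0 || (size_t)idx >= len)
        return 0;
    *out = a[(size_t)idx];
    return 1;
}

int main(void) {
    int table[3] = {10, 20, 30};    /* constructed sample array */
    int v = 0;

    printf("subscript forms agree: %d\n", subscript_forms_agree(table, 2));
    printf("table[1]:  %s\n", checked_get(table, 3, 1, &v) ? "ok" : "rejected");
    printf("table[3]:  %s\n", checked_get(table, 3, 3, &v) ? "ok" : "rejected");
    printf("table[-1]: %s\n", checked_get(table, 3, -1, &v) ? "ok" : "rejected");
    return 0;
}
```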

Linux process memory layout
• Stack: Stores local variables.
• Heap: Dynamic memory for programmer to allocate.
• Data segment: Stores global variables, separated into initialized and uninitialized.
• Text segment: Stores the code being executed.
