CSE 523S:
Systems Security
Computer & Network
Systems Security
Spring 2018
Jon Shidal
Plan for Today
• Announcements
– HW3 due 1pm 3/21
– Get started early. It is harder than 1 & 2.
• Security news
• Assignment
• Stack buffer overflows
Security News
Memcrashed: amplification attack using Memcached
Memcached servers speedup loading of dynamic web
pages by caching objects.
Recently found vulnerable to amplification attacks:
1, src_ip = target ~51,000X
attacker —-> Memcached Server —-> target
Used on Wednesday for largest DDoS attack ever,
target was github(~1.3 Tbps)
Assignment
• For Wednesday, 3/7
– Readings
• HTAOE: Ch 5 295-302
Today: Lecture and Exercises
• Many of today’s slides come from CSE361
– from an old offering
– they use 32-bit architecture
– Based on Computer Systems, by Bryant
and O’Hallaron
Stack Reminders
• Stack grows down from high address
• Each procedure has its own stack frame
• Stack frame contents:
– return address
– frame pointer
– local storage
– arguments to callee (if needed)
– temporary space (if needed)
• Set-up code at beginning of procedure
• Clean-up code before return
• For ‘C’ code, managed by the compiler
String Library Code
– Implementation of Unix function gets()
• No way to specify limit on number of characters to read
– Similar problems with other Unix functions
• strcpy: Copies string of arbitrary length
• scanf, fscanf, sscanf, when given %s conversion
specification
/* Get string from stdin */
char *gets(char *dest)
{
int c = getc();
char *p = dest;
while (c != EOF && c != ‘\n’) {
*p++ = c;
c = getc();
}
*p = ‘\0’;
return dest;
}
Vulnerable Buffer Code
int main()
{
printf(“Type a string:”);
echo();
return 0;
}
/* Echo Line */
void echo()
{
char buf[4]; /* Way too small! */
gets(buf);
puts(buf);
}
Buffer Overflow Executions
unix>./bufdemo
Type a string:123
123
unix>./bufdemo
Type a string:12345
Segmentation Fault
unix>./bufdemo
Type a string:12345678
Segmentation Fault
Buffer Overflow Stack
echo:
pushl %ebp # Save %ebp on stack
movl %esp,%ebp
subl $20,%esp # Allocate stack space
pushl %ebx # Save %ebx
addl $-12,%esp # Allocate stack space
leal -4(%ebp),%ebx # Compute buf as %ebp-4
pushl %ebx # Push buf on stack
call gets # Call gets
. . .
/* Echo Line */
void echo()
{
char buf[4]; /* Way too small! */
gets(buf);
puts(buf);
}
Return Address
Saved %ebp
[3] [2] [1] [0] buf
%ebp
Stack
Frame
for main
Stack
Frame
for echo
Buffer
Overflow
Stack Example
Before call to gets
unix> gdb bufdemo
(gdb) break echo
Breakpoint 1 at 0x8048583
(gdb) run
Breakpoint 1, 0x8048583 in echo ()
(gdb) print /x *(unsigned *)$ebp
$1 = 0xbffff8f8
(gdb) print /x *((unsigned *)$ebp + 1)
$3 = 0x804864d
8048648: call 804857c
804864d: mov 0xffffffe8(%ebp),%ebx # Return Point
Return Address
Saved %ebp
[3] [2] [1] [0] buf
%ebp
Stack
Frame
for main
Stack
Frame
for echo
0xbffff8f8
Return Address
Saved %ebp
[3
]
[2
]
[1
]
[0
]
buf
Stack
Frame
for main
Stack
Frame
for echo
bf ff f8 f8
08 04 86 4d
xx xx xx xx
Buffer Overflow Example #1
Before Call to gets Input = “123”
No Problem
0xbffff8f8
Return Address
Saved %ebp
[3
]
[2
]
[1
]
[0
]
buf
Stack
Frame
for main
Stack
Frame
for echo
bf ff f8 f8
08 04 86 4d
00 33 32 31
Return Address
Saved %ebp
[3] [2] [1] [0] buf
%ebp
Stack
Frame
for main
Stack
Frame
for echo
Buffer Overflow Stack Example #2
Input = “12345”
8048592: push %ebx
8048593: call 80483e4 <_init+0x50> # gets
8048598: mov 0xffffffe8(%ebp),%ebx
804859b: mov %ebp,%esp
804859d: pop %ebp# %ebp gets set to invalid value
804859e: ret
echo code:
0xbffff8f8
Return Address
Saved %ebp
[3
]
[2
]
[1
]
[0
]
buf
Stack
Frame
for main
Stack
Frame
for echo
bf ff 00 35
08 04 86 4d
34 33 32 31
Return Address
Saved %ebp
[3] [2] [1] [0] buf
%ebp
Stack
Frame
for main
Stack
Frame
for echo
Saved value of %ebp set to
0xbfff0035
Bad news when later
attempt to restore %ebp
Buffer Overflow Stack Example #3
Input = “12345678”
Return Address
Saved %ebp
[3] [2] [1] [0] buf
%ebp
Stack
Frame
for main()
Stack
Frame
for echo()
8048648: call 804857c
804864d: mov 0xffffffe8(%ebp),%ebx # Return Point
0xbffff8f8
Return Address
Saved %ebp
[3] [2] [1] [0] buf
Stack
Frame
for main()
Stack
Frame
for echo()
38 37 36 35
08 04 86 00
34 33 32 31
Invalid address
No longer pointing to desired
return point
%ebp and return
address corrupted
Malicious Use of Buffer Overflow
– Input string contains byte representation of executable code
– Overwrite return address with address of buffer
– When bar() executes ret, will jump to exploit code
void bar() {
char buf[64];
gets(buf);
…
}
void foo(){
bar();
…
}
Stack
after call to gets()
B
return
address
A
foo stack
frame
bar stack
frame
B
exploit
code
pad
data
written
by
gets()
Let’s get to work!
• See exploring-stack-overflow-notes in Google
Docs
– Important: use your host OS browser, do not use
the browser in your VM
• Also use “Tracking Progress 3/5/2018” to
indicate when you have reached a gate
• Additional background slides follow!
Linux Memory Layout
•Stack
– Runtime stack (8MB limit)
•Heap
– Dynamically allocated storage
– When call malloc(), calloc(), new()
•Shared Libraries
– Dynamically Linked Libraries
– Library routines (e.g., printf(), malloc())
– Linked into object code when loaded
•Data
– Statically allocated data
– E.g., arrays & strings declared in code
•Text
– Executable machine instructions
– Read-only
Upper
2 hex
digits of
address
Red Hat
v. 6.2
~1920MB
memory
limit
FF
BF
3F
C0
40
00
Stack
Shared
Libs
Text
Data
Heap
08
Linux Memory Allocation
Linked
BF
7F
3F
80
40
00
Stack
DLLs
Text
Data
08
Some
Heap
BF
7F
3F
80
40
00
Stack
DLLs
Text
Data
Heap
08
More
Heap
BF
7F
3F
80
40
00
Stack
DLLs
Text
Data
Heap
Heap
08
Initially
BF
7F
3F
80
40
00
Stack
Text
Data
08
Text & Stack Example
(gdb) break main
(gdb) run
Breakpoint 1, 0x804856f in main ()
(gdb) print $esp
$3 = (void *) 0xbffffc78
•Main
– Address 0x804856f (0x0804856f)
•Stack
– Address 0xbffffc78
Initially
BF
7F
3F
80
40
00
Stack
Text
Data
08
Dynamic Linking Example
(gdb) print malloc
$1 = {
0x8048454
(gdb) run
Program exited normally.
(gdb) print malloc
$2 = {void *(unsigned int)}
0x40006240
•Initially
– Code in text segment that invokes dynamic
linker
– Address 0x8048454 (should be read
0x08048454)
•Final
– Code in shared library region
Linked
BF
7F
3F
80
40
00
Stack
Shared
Libs
Text
Data
08
Memory Allocation Example
char big_array[1<<24]; /* 16 MB */
char huge_array[1<<28]; /* 256 MB */
int beyond;
char *p1, *p2, *p3, *p4;
int useless() { return 0; }
int main()
{
p1 = malloc(1 <<28); /* 256 MB */
p2 = malloc(1 << 8); /* 256 B */
p3 = malloc(1 <<28); /* 256 MB */
p4 = malloc(1 << 8); /* 256 B */
/* Some print statements ... */
}
Example Addresses
$esp 0xbffffc78
p3 0x500b5008
p1 0x400b4008
Final malloc 0x40006240
p4 0x1904a640
p2 0x1904a538
beyond 0x1904a524
big_array 0x1804a520
huge_array 0x0804a510
main() 0x0804856f
useless() 0x08048560
Initial malloc 0x08048454
BF
7F
3F
80
40
00
Stack
DLLs
Text
Data
Heap
Heap
08
&p2? 0x1904a42c
Internet Worm and IM War
•November, 1988
– Internet Worm attacks thousands of Internet hosts.
– How did it happen?
•July, 1999
– Microsoft launches MSN Messenger (instant messaging system).
– Messenger clients can access popular AOL Instant Messaging Service
(AIM) servers
AIM
server
AIM
client
AIM
client
MSN
client
MSN
server
Internet Worm and IM War (cont.)
August 1999
– Mysteriously, Messenger clients can no longer access
AIM servers.
– Microsoft and AOL begin the IM war:
• AOL changes server to disallow Messenger clients
• Microsoft makes changes to clients to defeat AOL changes.
• At least 13 such skirmishes.
– How did it happen?
The Internet Worm and AOL/Microsoft War were both
based on stack buffer overflow exploits!
• many Unix functions do not check argument sizes.
• allows target buffers to overflow.
Exploits Based on Buffer Overflows
Buffer overflow bugs allow remote machines to
execute arbitrary code on victim machines.
Internet worm
– Early versions of the finger server (fingerd) used
gets() to read the argument sent by the client:
• finger joe@cse.wustl.edu
– Worm attacked fingerd server by sending phony
argument:
• finger “exploit-code padding
new-return-address”
• exploit code: executed a root shell on the victim machine
with a direct TCP connection to the attacker.
The Internet Worm
11/2 18:24 first west coast computer infected
19:04 ucb gateway infected
20:00 mit attacked
20:49 cs.utah.edu infected
21:21 load avg reaches 5 on cs.utah.edu
21:41 load avg reaches 7
22:01 load avg reaches 16
22:20 worm killed on cs.utah.edu
22:41 cs.utah.edu reinfected, load avg 27
22:49 cs.utah.edu shut down
23:31 reinfected, load reaches 37
Exploits Based on Buffer Overflows
Buffer overflow bugs allow remote machines to
execute arbitrary code on victim machines.
IM War
– AOL exploited existing buffer overflow bug in AIM
clients
– exploit code: returned 4-byte signature (the bytes at
some location in the AIM client) to server.
– Server would only respond to clients that sent the
right signature
– When Microsoft changed code to match signature,
AOL changed signature location.
Date: Wed, 11 Aug 1999 11:30:57 -0700 (PDT)
From: Phil Bucking
To: rms@pharlap.com
Mr. Smith,
I am writing you because I have discovered something that I think you
might find interesting because you are an Internet security expert with
experience in this area. I have also tried to contact AOL but received
no response.
I am a developer who has been working on a revolutionary new instant
messaging client that should be released later this year.
…
It appears that the AIM client has a buffer overrun bug. By itself
this might not be the end of the world, as MS surely has had its share.
But AOL is now *exploiting their own buffer overrun bug* to help in
its efforts to block MS Instant Messenger.
….
Since you have significant credibility with the press I hope that you
can use this information to help inform people that behind AOL’s
friendly exterior they are nefariously compromising peoples’ security.
Sincerely,
Phil Bucking
Founder, Bucking Consulting
philbucking@yahoo.com It was later determined that this email
originated from within Microsoft!
Code Red Worm
History
– June 18, 2001. Microsoft announces buffer overflow
vulnerability in IIS Internet server
– July 19, 2001. over 250,000 machines infected by new
virus in 9 hours
– White house must change its IP address. Pentagon shut
down public WWW servers for day
Still in the wild, today
– Web servers receive strings of form (contains the virus
‘boot sequence’)
GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN….NNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%
ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u
8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0″ 400 325 “-” “-”
Code Red Exploit Code
– Starts 100 threads running
– Spread self
• Generate random IP addresses & send attack string
• Between 1st & 19th of month
– Attack www.whitehouse.gov
• Send 98,304 packets; sleep for 4-1/2 hours; repeat
– Denial of service attack
• Between 21st & 27th of month
– Deface server’s home page
• After waiting 2 hours
Avoiding Overflow Vulnerability
Use Library Routines that Limit String Lengths
– fgets instead of gets
– strncpy instead of strcpy
– Don’t use scanf with %s conversion specification
• Use fgets to read the string
• Or use %ns where n is a suitable integer
/* Echo Line */
void echo()
{
char buf[4]; /* Way too small! */
fgets(buf, 4, stdin);
puts(buf);
}
System-Level Protections
• Randomized stack offsets
– At start of program, allocate
random amount of space on stack
– Makes it difficult for hacker to
predict beginning of inserted code
• Nonexecutable code segments
– In traditional x86, can mark region
of memory as either “read-only” or
“writeable”
• Can execute anything readable
– Add explicit “execute” permission