Secure Programming II: the Revenge

Secure Programming II: the Revenge

Secure Programming II: The Revenge Lecture for 5/11/20 (slides from Prof. Dooley) CS 330 Secure Programming 13 Administrivia • Seminar on Tuesday (5/12, 7pm): Tech Career Tips and Strategies for International Students (Extra credit!) • HW 6 (password cracking) due Thursday night CS 330 Secure Programming Recall: Secure programming problems • Buffer overflow • Resource exhaustion • Incomplete mediation (checking valid data) • Time-of-check to time-of-use errors • Other race conditions • Numeric over/underflow • Trust in general (users and privileges, environment variables, trusting other programs) CS 330 Secure Programming 15 General principles of secure software • Simplicity is a virtue • If code is complex, you don’t know if it’s right (but it probably isn’t) • In a complex system, isolate the security-critical modules. Make them simple • Modules should have a clean, clear, precisely defined interface CS 330 Secure Programming 16 General principles of secure software - 2 • Reliance on global state is bad (usually) • Reliance on global variables is bad (usually) • Use of explicit parameters makes input assumptions explicit • Validate all input data • Don’t trust tHe values of environment variables • Don’t trust library functions tHat copy data CS 330 Secure Programming 17 Buffer Overflows CS 330 Secure Programming Buffer Overflow • 1988: Morris worm exploits buffer overflows in fingerd to infect 6,000 Unix servers • 2001: Code Red exploits buffer overflows in IIS to infect 250,000 servers – Single largest cause of vulnerabilities in CERT advisories – Buffer overflow threatens Internet- WSJ(1/30/01) • CERT advisory dated 12 April 2005 notes several vulnerabilities in MS Windows, including three buffer overflows in Explorer, MSN Messenger, and MS Exchange Server. CS 330 Secure Programming 19 More buffer overflows • A buffer overflow in Apple’s Quicktime (January 7, 2007) • Buffer overflows in Mozilla products (December 20, 2006) CS 330 Secure Programming 20 Recent Buffer Overflow Exploits • 01/20/2016 - Oracle Outside In versions 8.5.2 and earlier contain stack buffer overflow vulnerabilities in the parsers for WK4, Doc, and Paradox DB files, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. • 06/29/2016 - WECON LeviStudio BaseSet ScrIDWordAddr Buffer Overflow Remote Code Execution Vulnerability ZDI- 16-384: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WECON LeviStudio. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. CS 330 Secure Programming 21 More Buffer Overflow • Just so you shouldn’t be too complacent, CERT also lists an advisory with a buffer overflow problem in McAfee’s Virus Scan Engine! • http://www.kb.cert.org/vuls/id/361180 CS 330 Secure Programming 22 Basics of Buffer Overflows • A buffer, of course, is an area of memory that you set aside to hold data for your program – it can be a string (char name[30]) – or an array of structures – (struct employee gburg_div[MAX];) – or Just an array of pointers to other buffers – (struct account *checking[FOO];) CS 330 Secure Programming 23 Basics of Buffer Overflows • Buffers are everywhere in your programs • In languages like C and C++, you can make them dynamically using system functions like malloc() and realloc() and free them using free() • In oBject oriented languages, you can also make them dynamically by instantiating new objects • RememBer an array is an oBject in Java, so – int [ ] myList = new int[42]; // is an oBject CS 330 Secure Programming 24 What is a buffer overflow? • A buffer overflow occurs when your program (either through an inadvertent use or a malicious attack) allows data to be written outside the boundary of the buffer – usually to memory immediately after the buffer CS 330 Secure Programming 25 What is a buffer overflow? • If the buffer is on the stack this is called a stack overflow or more colorfully “smashing the stack” • How does a buffer get on the stack? – if it’s a local variable or function arguments • This is possible because many programming languages and operating systems don’t do bounds checking on buffers CS 330 Secure Programming 26 Why is this a security problem? • Overflowed data could be anything – A pointer that tells the program what instructions to execute next. (i.e. a pointer to a different function or return address on the stack) – An integer where “0” means that you can’t access a particular file and and “1” means you can. A hacker would overwrite the “0” with a “1” and access the file – Even a minor change could cause the program to crash which can be a security problem (denial-of-service attacks and core dump exploits are very serious) CS 330 Secure Programming 27 How could this happen? • The programmer might not check the size of the buffer first before trying to put all of the data into it • Languages like C/C++ don’t automatically check the bounds of the buffer CS 330 Secure Programming 28 How could this happen? • Programmers who use C/C++ are responsible for performing this check. Often they don’t • The problem can be a lot more complex when you start talking about supporting international character sets and copying/ formatting/ processing buffers that store different kinds of things CS 330 Secure Programming 29 Technical Details... CS 330 Secure Programming L/Unix permission structures Every file has a number of bits of permissions associated with it • Owner/User - rwx • Group - rwx • Other - rwx • Setuid bit – Real vs effective userid and groupid • Directory/regular file bit • Sticky bit CS 330 Secure Programming L/Unix Process memory image Allocators request additional heap memory from the operating system using the sbrk() function CS 330 Secure Programming 32 • Integer Registers IA32/Linux Register – Two have special uses Usage • %ebp, %esp – Three managed as Caller-Save %eax Temporaries callee-save %edx • %ebx, %esi, %edi %ecx • Old values saved on Callee-Save %ebx stack prior to using Temporaries – Three managed as %esi caller-save %edi • %eax, %edx, %ecx Special %esp • Do what you please, but %ebp expect any callee to do In the x86-64 architecture there so, as well are also %rax, %rbx, %rsp, %rbp, – Register %eax also etc. stores returned value CS 330 Secure Programming 33 x86-64 Registers The program instruction counter %rip is also available. CS 330 Secure Programming 34 Copying Data and Registers • Moving Data (Really Copying) – movl Source,Dest • Move 4-byte (“long”) word – Accounts For 31% oF all instructions in sample CS 330 Secure Programming 35 Addressing Modes for i86 • Immediate: Constant integer data • Like C constant, but prefixed with ‘$’ • E.g., $0x400, $-533 • Encoded with 1, 2, or 4 bytes • Register: One of 8 integer registers • But %esp and %ebp reserved for special use • Others have special uses for particular instructions • Memory: 4 consecutive bytes of memory • Various addressing modes • value(%register) • E.g. 8(%eax) is c(eax) + 8 used as mem address CS 330 Secure Programming 36 IA32 Simple Addressing Modes • Normal (R) Mem[Reg[R]] – Register R specifies memory address – movl (%ecx), %eax => int t = *p; • Displacement D(R) Mem[Reg[R]+D] – Register R specifies start of memory region – Constant displacement D specifies offset – movl 8(%ecx),%edx => int t = p[2]; – movl 8(%ebp),%edx => int t = some_arg; • %ebp, %esp used to reference stack. Stack contains arguments to function CS 330 Secure Programming 37 movl Operand Combinations – Cannot do memory-memory transfers with single instruction • Example of NON-ORTHOGONALITY in the IA32 ISA – Makes it much harder to program or compile for Source Destination C Analog Reg movl $0x4,%eax eax = 0x4; Imm Mem movl $-147,(%eax) *eax = -147; edx = eax; movl %eax,%edx movl Reg Reg Mem movl %eax,(%edx) *edx = eax; Mem Reg movl (%eax),%edx edx = *eax; CS 330 Secure Programming 38 IA32 Stack – Register %esp (%rsp) indicates Stack “Bottom” lowest allocated position in stack (top) – Pushing – pushl src Stack Increasing – Fetch operand at src Pointer Addresses – Decrement %esp by 4 %esp – Write operand at address given by %esp • Popping Stack Grows Down – popl dest – Read operand at address given by %esp Stack “Top” – Increment %esp by 4 – Write to dest CS 330 Secure Programming 39 IA32 Stack Discipline • ret – Pops into %eip (returns to next next instruction after call) • Stack “frame” stores the context in which the procedure operates • Stack-based languages – Stack stores context of procedure calls – Multiple calls to a procedure can be outstanding simultaneously CS 330 Secure Programming 40 Executing Functions 0x00001f50 <main+0>: push %ebp 0x00001f51 <main+1>: mov %esp,%ebp 0x00001f53 <main+3>: sub $0x28,%esp These three lines (or something like them) are called the Function Prologue, and it's automatically added by the GCC compiler on the standard x86 (32-bit) and x86_64 (64-bit) architectures. The Function Prologue has one purpose - to preserve the value of the base pointer of the previous frame on the stack, that is, the calling function's stack frame. On the 32-bit architecture, the EBP register is used for this purpose, on the 64-bit architecture, the RBP register. CS 330 Secure Programming 41 Similarly, at the end of the assembly dump, there's the Function Epilogue, which does exactly the same as the Prologue, in reverse. The epilogue typically consists of the leave and ret instructions. CS 330 Secure Programming 42 IA32 Stack Frame Example .text Consider the

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    114 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us