CSCE 510 - Systems Programming Lecture 17 Sockets CSCE March 20, 2013.
CSCE 548 Buffer Overflow SQL Injection. Process Memory Organization Process memory: 3 regions –...
-
Upload
alexina-moody -
Category
Documents
-
view
218 -
download
0
Transcript of CSCE 548 Buffer Overflow SQL Injection. Process Memory Organization Process memory: 3 regions –...
CSCE 548 CSCE 548 Buffer OverflowBuffer OverflowSQL InjectionSQL Injection
Process Memory OrganizationProcess Memory Organization
Process memory: 3 regions– Text: fixed by the program, includes code,
read-only (attempt to write: segmentation fault)– Data: initialized and uninitialized data– Stack: stores application data and control data
Low-level languages: direct access to application memory
2
MemoryMemoryLower memory address
Text
DataStack pointer
Frame pointer
Stack
Higher memory address
3
How do applications use the How do applications use the stack?stack?
4
ExampleExample
void function(int a, int b, int c) {
char buffer1[5];
char buffer2[10];
}
Void main() { function(1,2,3); }
5
Buffer OverflowBuffer Overflow
Inserting more data into the buffer than it can handle
Stack-base attacks most commonMost vulnerable languages: C, C++
6
Example cont.Example cont.void function(char *str) {
char buffer[16];
strcpy(buffer,str); }
void main() {
char large_string[256];
int i;
for( i = 0; i < 255; i++)
large_string[i] = 'A';
function(large_string);
}
7
Exploitation of Buffer OverflowExploitation of Buffer Overflow
Lack of input validationDefault case: mistrust input
– Never allow input over the maximum length to be stored in a variable
– Process input one character, word, or byte at a time
– Never leave extra input on the incoming line
8
TypesTypes
Stack overflow: buffer, which has been declared on the stack, is written to with more data than it was allocated to hold, static overflow, very common
Heap overflow: similarly to the stack overflow, it can lead to overflow and corruption, dynamic, may be harder to exploit, common
Array indexing error or integer overflow: unchecked index is a signed/unsigned integer mismatch where a negative number was supplied to an array index
9
Cases and EffectsCases and Effects
Overwriting local variables change the program’s behavior
Overwriting a return address execution will resume at the attacker’s specified address, executing the attacker’s code
Overwriting function pointers or exception handlers (note, heap: overwrites memory allocation linkage, such as malloc)
10
Cases and EffectsCases and Effects
Allocated page: Unused memory: nothing happens… …at least, nothing visible happens until you try
to use that memory Corruption and invalid results Potentially change local variables
Administrator = true Potentially change exception handler or function
pointer to execute arbitrary function call jmp_buf / SEH
11
Controlling Program FlowControlling Program Flow
Controlled corruption of the stack allows an attacker to exploit buffer overflows Most commonly exploited buffer overflow –
stack based Writing into function arguments (inputs) Writing into the return address
Jump to arbitrary address – alter program flow Execute arbitrary code
Including attack payload in the buffer!
12
Problems for AttackersProblems for Attackers
Find the location of the buffer Not a big issue, since the code is usually loaded
in the same place for performance Use a “NOP sled”
Pad the payload with NOP (no operation) instructions, or effectively NOP instructions
Jump anywhere into the NOP sled to get to the payload
13
Defensive MeasuresDefensive Measures
Canaries Pad buffers with a random, secret value
determined at compile time or runtime Check to see if the secret value is the same
before allowing transfer of control If you smash the boundaries of the array on the
stack, how do you know what the values are?
14
Defensive MeasuresDefensive Measures
Write xor execute Mark pages as executable code or data
von Neumann architecture Harvard architecture
Prevent data from being executed Buffers are data, thus not executable
15
Defensive MeasuresDefensive Measures
ASLR Randomize locations for loading of code Requires compiler, linker, and runtime support
for position-independent code (PIC) Prevent attackers from being able to jump
reliably to function calls or payload in the stack Why? Because regular code is linked in by the
runtime linker whereas the payload is not
16
Defensive MeasuresDefensive Measures
Stop using unsafe code! strcpy strlcpy strncat strlcat scanf fgets on %s gets fgets
Use a safer language Anything with bounds checking – Java, C#,
VB.net, Python, Perl, Ruby, PHP, D… …but be careful when calling C/C++/asm libraries
17
Defensive MeasuresDefensive Measures
Input validation Allow only input that you expect
Example: [a-zA-Z0-9]+ on usernames Prevent some shellcode
Run static code analyzers Detects use of unsafe (unbounded) functions
18
Sin # 4 SQL InjectionSin # 4 SQL Injection
IntroductionIntroduction
SQL Injection is a “code defect” E-commerce applications are often targeted
PII (Personally Identifiable information)Threat
Compromise machine Disclose sensitive information
Malicious attack can propagate into the server and eventually the network
All languages using a server interface are affected
20
SQL Injection- ExplainedSQL Injection- Explained
Attacker provides malformed data to applicationApplication uses data to create a SQL statement
via string concatenationAllows attacker to change the semantics of the
SQL querySusceptible in string parameters in a stored
procedureWhy use concatenation?
Don’t know a safer way Laziness
21
Testing Techniques to Find the Testing Techniques to Find the SinSin
Code Review Look for code that queries the database
Automated Tools (No replacement for code review) Watchfire - http://www.watchfire.com (Windows) Sqlmap – http://www.sqlmap.sourceforge.net (Linux)
Language Key Words to Look For
C# SqlClient, OracleClient
PHP Mysql_connect
Java Java.slq, sql
C++ (ODBC) #include “sql.h”
SQL ADODB, #import “msado15.dll”
Perl DBI, Oracle, SQL
22
Spotting SQL InjectionSpotting SQL Injection
Takes user inputDoes not check user input validityUses user-input data to query a databaseUses string concatenation or string replacement to build the SQL query or uses SQL EXEC command
23
RedemptionRedemption
Thou shalt never trust input to SQL statements Always validate
Use regular expressions to parse input Use prepared or parameterized SQL statements
Use placeholders or binding
24
ConclusionsConclusions
SQL injection is a code exploitation technique.Exploits security vulnerabilities occurring SQL string parsing.Always validate user input.Use code review and automated testing tools.
25
Defenses Defenses Primary Defenses:
– Option #1: Use of Prepared Statements (Parameterized Queries)
– Option #2: Use of Stored Procedures – Option #3: Escaping all User Supplied Input
Additional Defenses: – Also Enforce: Least Privilege – Also Perform: White List Input Validation
26
27
Analysis ToolsAnalysis Tools
Free Tools– Usually designed toward a specific back end database– Lack of product support– Lack of statistic collecting– Usability
Purchased Tools– Policy Based– Better support– Cost
28
Purchased ToolsPurchased Tools
N-Stalker (free version available, http://www.sharewareconnection.com/n-stalker-web-app-security-scanner-free-edition.htm )– Policy Based Driven Engine– Able to create its own False Positive filter– Able to run reports and keep a database of
vulnerabilities– GUI Based System– Requires a subscription service
Free Tools: SQLiXFree Tools: SQLiX SQLiX uses multiple techniques
– conditional errors injection – blind injection based on integers, strings or statements – MS-SQL verbose error messages ("taggy" method)
SQLiX using UDF (User defined functions) SQLix is able to identify the database version and gather
sensitive information for the following SQL servers: MS-Access, MS-SQL, MySQL, Oracle and PostgreSQL.
SQLiX contains an exploit module to demonstrate how a hacker could exploit the found SQL injection to gather sensitive information
29
Integer Overflows
Arithmetic OperationsArithmetic Operations
Number system: base, radix– 724.5 == 7102 + 2 101 +4 100 +5 10-1
– Binary, Octal, Hexadecimal representation
Fixed point representation – Sign, magnitude, decimal point
Complements: represent negative numbers– r’s complement -- 2’s complement– (r-1)’s complement – 1’s complement
1’s complement of 1010 is 0101 2’s complement of 1010 is 0101 + 1 = 0110
Binary Fixed Point Binary Fixed Point
Positive number: 0 and the magnitude by a positive binary number
Negative number: 1 (sign) and Signed magnitureSigned 1’s complement Signed 2’s complement
+9: 0 001001-9:
Signed magnitude: 1 001001Signed 1’s complement: 1 110110Signed 2’s complement: 1 110111
OverflowOverflow
Two numbers of n digit each are added and the sum occupies n+1 digits
True for binary or decimal numbers, signed or unsigned
Cannot occur after an addition if one number is positive and the other is negative
Using sign-magnitude representation, the overflow can be detected by the carry out of the number bit
Adding 2’s complement, the sign is treated as part of the number, therefore the carry out does not indicate overflow
Problems with overflow:Problems with overflow:
Fixed size registersMost computers check for register overflow
overflow flip-flop
C/C++ Data TypesC/C++ Data Types
Source: http://hubpages.com/hub/Data-Types-in-C-Language
Type CastingType Casting
Casting OperationsCasting Operations
Casting OperationsCasting Operations
Casting OperationsCasting Operations
Implicit CastingImplicit Casting
SecuritySecurity ConcernsConcerns
MitigationMitigation
Understand casting (explicit / implicit, sign-extension)
Understand data types (signed / unsigned, range)
Understand operators (upcasting, return types)
Verify user input
Don't depend on your compiler