Lab2:BufferOverflows

FengweiZhang

WayneStateUniversity Course:CyberSecurityPrac@ce 1

BufferOverflows

•  Oneofthemostcommonvulnerabili@esinsoEware

•  ProgramminglanguagescommonlyassociatedwithbufferoverflowsincludingCandC++

•  Opera@ngsystemsincludingWindows,LinuxandMacOSXarewriMeninCorC++

WayneStateUniversity Course:CyberSecurityPrac@ce 2

HowItWorks

•  Applica@onsdefinebuffersinthememory– Unsignedchar[10]

•  Applica@onsuseadjacentmemorytostorevariables,arguments,andreturnaddressofafunc@on.

•  BufferOverflowsoccurswhendatawriMentoabufferexceedsitssize.

WayneStateUniversity Course:CyberSecurityPrac@ce 3

OverflowingABuffer

•  DefiningabufferinC– charbuf[10];

•  Overflowingthebuffer– Charbuf[10]=‘x’;– strcpy(buf,“AAAAAAAAAAAAAAAAAAAAAAA”)

WayneStateUniversity Course:CyberSecurityPrac@ce 4

WhyWeCare

•  Becauseadjacentmemorystoresprogramvariables,parameters,andarguments

•  AMackerscanchangethesevaluesthroughoverflowingabuffer

•  AMackerscangaincontrolovertheprogramflowtoexecutearbitrarycode

WayneStateUniversity Course:CyberSecurityPrac@ce 5

ProcessMemoryLayout

WayneStateUniversity Course:CyberSecurityPrac@ce 6

Stack

Heap

DataSegment

TextSegment

Highmemory

Lowmemory

MemoryLayoutfor32-bitLinux

WayneStateUniversity Course:CyberSecurityPrac@ce 7

KernelSpace

Stack

Heap

BSSSegment

DataSegment

TextSegment(ELF)

1GB

3GB

Localvariable:inta

Func@onmalloc()

Unini@alizedsta@cvariables:sta@cchar*u

sta@cchar*s=“Helloworld”

Binaryoftheprogram

VirtualMemoryLayout

WayneStateUniversity Course:CyberSecurityPrac@ce 8

StackFrame

WayneStateUniversity Course:CyberSecurityPrac@ce 9

•  Thestackcontainsac@va@onframesincludinglocalvariables,func@onparameters,andreturnaddress

•  Star@ngatthehighestmemoryaddressandgrowingdownwards

•  Lastinfirstout

WayneStateUniversity Course:CyberSecurityPrac@ce 10

Add(2,3)

32

RetAddressEBPC

Highmemory

Lowmemory ESP

intadd(inta,intb){

intc;c=1+b;returnc;

}

ASimpleProgram

AnotherProgramintfunc(char*str){

charmybuff[512];strcpy(myBuff,str);return1;

}intmain(intargc,char**argv){

func(argv[1]);return1;

}

WayneStateUniversity Course:CyberSecurityPrac@ce 11

DrawtheStackFrame!

Overflowing“myBuff”

WayneStateUniversity Course:CyberSecurityPrac@ce 12

(A)str(A)

Retaddr(A)EBP(A)

A

AAA

AA

Highmemory

Lowmemory ESP

BufferOverflowDefenses•  TheaMackdescribedisaclassicalstacksmashingaMackwhichexecutethecodeonthestack

•  Itdoesnotworktoday– NX–non-executablestack.Mostcompilersnowdefaulttoanon-executablestack.Meaningasegmenta@onfaultoccursifrunningcodefromthestack(i.e.,DataExecu@onPreven@on-DEP)•  Disableitwith–zexecstackop@on•  Checkitwithreadelf–e<PROGRAM>|grepSTACK

–  StackGuard:Cannaries•  Disableitwith–fno-stack-protectorop@on•  Enableitwith–fstack-protectorop@on

WayneStateUniversity Course:CyberSecurityPrac@ce 13

StackCanaries

•  StacksmashingaMacksdotwothings– Overwritethereturnaddress– WaitforalgorithmtocompleteandcallRET

•  StackCanaries:StackSmashingProtector(SSP)–  Placingaintegervaluetostackjustbeforethereturnaddress

–  Tooverwritethereturnaddress,thecanaryvaluewouldalsobemodified

–  Checkingthisvaluebeforethefunc@onreturns

WayneStateUniversity Course:CyberSecurityPrac@ce 14

StackCanaries(cont’d)

WayneStateUniversity Course:CyberSecurityPrac@ce 15

(A)str(A)

Retaddr(A)EBP(A)

Canary(A)

AAA

AA

Highmemory

Lowmemory ESP

BypassingNXandCanaries

•  NX-non-executablestack– Execu@ngcodeintheheap– DataExecu@onPreven@on(DEP)– ReturnOrientedProgramming(ROP)

•  StackCanaries– Overwri@ngtheCanarywiththesamevalue– BruteforceaMack(e.g.,DynaGuardinACSAC’15)

WayneStateUniversity Course:CyberSecurityPrac@ce 16

•  Lab0– Turnintheclassagreement

•  Lab1– Duetodayat11:59pm– Lateassignmentpolicy– SubmititviaBlackboard

•  Lab2instruc@ons

WayneStateUniversity Course:CyberSecurityPrac@ce 17

Reminders