lec03 overflows - sp20.cs161.org · Title: lec03_overflows Created Date: 1/27/2020 8:57:55 PM
Computer Science 161 Spring 2020 Popa and Wagner
Lecture 3: Buffer Overflows
https://cs161.org
Announcements
• Discussion today, tomorrow, Wednesday. Go to any one that isn’t full. Please respond to the poll on Piazza.
• Expect Homework 1 to be released tonight. Check Piazza.
Security Principles
More security principles
• Use fail-safe defaults
• Consider human factors
• Only as secure as the weakest link
• Don’t rely on security through obscurity
• Trusted path
Time of Check to Time of Use Vulnerability: Race Condition
```
procedure withdraw(w)
    // contact central server to get balance
    1. let b := balance
    2. if b < w, abort
    // contact server to set balance
    3. set balance := b - w
    4. dispense $w to user
```
TOCTTOU = Time of Check To Time of Use
Suppose that here, between the check in step 2 and the update in step 3, an attacker arranges to suspend the first call and calls withdraw again concurrently.
A Hundred Million Dollar TOCTTOU Bug...
• Ethereum is a cryptocurrency which offers "smart" contracts
• Program your money in a language that makes JavaScript and PHP look beautiful and sane
• The DAO (Distributed Autonomous Organization) was an attempt to make a distributed mutual fund in Ethereum
• Participants could vote on "investments" that should be made
• The DAO supported withdrawals as well
A "Feature" In The Smart Contract
• To withdraw, the code was:
• Check the balance, then send the money, then decrement the balance
• But sending money in Ethereum can send to another program written by the recipient
• So someone "invested", then did a withdraw to his program
• Which would initiate another withdraw...
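The ATM race on the previous slide and the DAO withdrawal above are the same bug: a check made on a stale copy of the balance, followed by a "use" that happens before the balance is updated. The following C model is an added example written for this page (it is not code from the CS161 slides, nor the DAO contract). It replaces the suspended second ATM call / the recipient contract with a callback that runs while the money is being dispensed and re-enters withdraw; the `Account` struct, `withdraw_vulnerable`, `withdraw_fixed` and `run_scenario` are all hypothetical names chosen here. The vulnerable ordering pays out four times the balance; the fixed ordering records the debit before anything external runs.

```c
#include <stdio.h>

typedef struct Account Account;
typedef void (*WithdrawFn)(Account *acct, long w);
typedef void (*RecipientFn)(Account *acct, long w);

struct Account {
    long balance;            /* balance the server believes the user has */
    long dispensed;          /* total actually paid out */
    RecipientFn recipient;   /* code that runs while money is being sent */
    WithdrawFn withdraw;     /* which withdraw() the recipient may call again */
    int reentry_budget;      /* how many extra calls the recipient makes */
};

/* Vulnerable ordering, exactly the slide's steps: read, check, dispense, update.
 * Everything between the check (step 2) and the update (step 3) runs on a
 * stale copy of the balance. */
void withdraw_vulnerable(Account *a, long w)
{
    long b = a->balance;              /* 1. let b := balance */
    if (b < w) return;                /* 2. if b < w, abort */
    a->dispensed += w;                /* 4. dispense $w ... */
    if (a->recipient)
        a->recipient(a, w);           /* ... the recipient runs before step 3 */
    a->balance = b - w;               /* 3. set balance := b - w (stale b) */
}

/* Fixed ordering: check and update the balance before any money leaves and
 * before any outside code runs (checks, then effects, then interactions). */
void withdraw_fixed(Account *a, long w)
{
    if (a->balance < w) return;
    a->balance -= w;                  /* effect recorded first */
    a->dispensed += w;
    if (a->recipient)
        a->recipient(a, w);           /* re-entry now sees the real balance */
}

/* A recipient that re-enters withdraw() while the first call is still
 * between its check and its update: the suspended second ATM call, or the
 * DAO recipient contract, from the slides. */
static void reentrant_recipient(Account *a, long w)
{
    if (a->reentry_budget > 0) {
        a->reentry_budget--;
        a->withdraw(a, w);
    }
}

/* Runs one scenario and returns the total dispensed. */
long run_scenario(WithdrawFn withdraw, long balance, long w, int reentries)
{
    Account a = { balance, 0, reentrant_recipient, withdraw, reentries };
    withdraw(&a, w);
    return a.dispensed;
}

/* Same scenario, returning the balance the server ends up recording. */
long final_balance(WithdrawFn withdraw, long balance, long w, int reentries)
{
    Account a = { balance, 0, reentrant_recipient, withdraw, reentries };
    withdraw(&a, w);
    return a.balance;
}

int main(void)
{
    printf("vulnerable: balance 100, dispensed %ld, final balance %ld\n",
           run_scenario(withdraw_vulnerable, 100, 100, 3),
           final_balance(withdraw_vulnerable, 100, 100, 3));
    printf("fixed:      balance 100, dispensed %ld, final balance %ld\n",
           run_scenario(withdraw_fixed, 100, 100, 3),
           final_balance(withdraw_fixed, 100, 100, 3));
    return 0;
}
```

Note that in the vulnerable version the final recorded balance is still 0, so an audit of balances alone would not reveal that $400 left the machine; the discrepancy is only visible by comparing dispensed totals against debits.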
Buffer Overflows
#293 HRE-THR 850 1930 ALICE SMITH COACH SPECIAL INSTRUX: NONE
#293 HRE-THR 850 1930 ALICE SMITHHHHHHHHHHH HHACH SPECIAL INSTRUX: NONE
How could Alice exploit this? Find a partner and talk it through.
#293 HRE-THR 850 1930 ALICE SMITH FIRST SPECIAL INSTRUX: NONE
```c
char name[20];

void vulnerable() {
    ...
    gets(name);
    ...
}
```
```c
char name[20];
char instrux[80] = "none";

void vulnerable() {
    ...
    gets(name);
    ...
}
```
```c
char name[20];
int seatinfirstclass = 0;

void vulnerable() {
    ...
    gets(name);
    ...
}
```
```c
char name[20];
int authenticated = 0;

void vulnerable() {
    ...
    gets(name);
    ...
}
```
```c
char line[512];
char command[] = "/usr/bin/finger";

void main() {
    ...
    gets(line);
    ...
    execv(command, ...);
}
```
```c
char name[20];
int (*fnptr)();

void vulnerable() {
    ...
    gets(name);
    ...
}
```
```c
void vulnerable() {
    char buf[64];
    ...
    gets(buf);
    ...
}
```
```c
void still_vulnerable?() {
    char *buf = malloc(64);
    ...
    gets(buf);
    ...
}
```
Disclaimer: x86-32
• For this class, we are going to use 32-bit x86
• Almost everyone in this class has access to an x86 system: Mac, Linux, Windows...
• But these attacks do apply to other microarchitectures
Linux (32-bit) process memory layout
From the highest address to the lowest:
• 0xFFFFFFFF down to 0xC0000000: Reserved for Kernel
• user stack (grows downward; $esp marks its current top)
• 0x40000000: shared libraries
• run time heap (grows upward; brk marks its end)
• static data segment
• 0x08048000: text segment (program); text and static data are loaded from exec
• unused, down to 0x00000000
The main x86 registers…
• EAX-EDX: General purpose registers
• EBP: “Frame pointer”: points to the start of the current call frame on the stack
• ESP: “Stack pointer”: points to the current top of the stack
• PUSH: Decrement the stack pointer and store something there
• POP: Load something and increment the stack pointer
x86 function calling
• Place the arguments on the stack
• CALL the function
  • Which pushes the return address onto the stack (RIP == Return Instruction Pointer)
• Function saves old EBP on the stack (SFP == Saved Frame Pointer)
• Function does its stuff
• Function restores everything
  • Reload EBP, pop ESP as necessary
• RET
  • Which jumps to the return address that is currently pointed to by ESP
  • And can optionally pop the stack a lot further…
Process memory layout, highest address to lowest: user stack, 0x40000000: shared libraries, run time heap, static data segment, 0x08048000: text segment (program), unused down to 0x00000000.

One call frame within the user stack, from higher to lower addresses:
• arguments
• return address (to the point at which this function was called)
• saved frame pointer (to the previous saved frame pointer)
• exception handlers
• local variables
• callee saved registers
```c
void safe() {
    char buf[64];
    ...
    fgets(buf, 64, stdin);
    ...
}
```
```c
void safer() {
    char buf[64];
    ...
    fgets(buf, sizeof(buf), stdin);
    ...
}
```
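`safer()` stops the overflow, but `fgets` has a second behaviour the slide does not show: when the line is longer than the buffer it silently truncates, and the rest of the line stays in the stream to be consumed by the next read. For the boarding-pass record (a name line followed by a seat-class line), that means an over-long name can spill into the seat field. The reader below is an added example written for this page, not code from the slides; `read_field`, `read_record` and the `g_name`/`g_seat` buffers are hypothetical names, and `fmemopen` (POSIX) is used only so the demo can run on an in-memory string.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

enum read_status { READ_OK, READ_TOO_LONG, READ_EOF };

/* Read one line into buf (capacity n) with fgets(buf, sizeof buf, ...),
 * as safer() does, and additionally detect truncation. An over-long line
 * is drained to its newline and reported rather than silently cut. */
enum read_status read_field(char *buf, size_t n, FILE *in)
{
    if (fgets(buf, (int)n, in) == NULL)
        return READ_EOF;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';               /* whole line fit: strip newline */
        return READ_OK;
    }
    /* No newline in buf: the line ended at EOF, fit exactly, or was cut. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return READ_OK;                    /* nothing was lost */
    while (c != '\n' && c != EOF)          /* drain the remainder so it */
        c = fgetc(in);                     /* cannot become the next field */
    buf[0] = '\0';
    return READ_TOO_LONG;
}

/* Constructed boarding-pass record: line 1 is the name (20-byte field, as
 * in the slides), line 2 is the seat class. */
static char g_name[20];
static char g_seat[8];

/* Parse a record from a string; returns the status of the name field.
 * The seat field is read afterwards into g_seat. */
enum read_status read_record(const char *input)
{
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL)
        return READ_EOF;
    enum read_status s = read_field(g_name, sizeof g_name, f);
    read_field(g_seat, sizeof g_seat, f);
    fclose(f);
    return s;
}

int main(void)
{
    /* Constructed inputs: a normal record and one with a 40-character name. */
    read_record("ALICE SMITH\nCOACH\n");
    printf("name=[%s] seat=[%s]\n", g_name, g_seat);
    enum read_status s =
        read_record("HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH\nCOACH\n");
    printf("status=%d name=[%s] seat=[%s]\n", (int)s, g_name, g_seat);
    return 0;
}
```

With plain `fgets` the second record would leave the remaining `H` characters in the stream and the seat field would read them instead of `COACH`; draining to the newline keeps field boundaries where the record format says they are.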
```c
void vulnerable(int len, char *data) {
    char buf[64];
    if (len > 64) return;
    memcpy(buf, data, len);
}
```
memcpy(void *s1, const void *s2, size_t n);
Assume these are both under the control of an attacker.
size_t is unsigned: what happens if len == -1?
```c
void safe(size_t len, char *data) {
    char buf[64];
    if (len > 64) return;
    memcpy(buf, data, len);
}
```
```c
void f(size_t len, char *data) {
    char *buf = malloc(len+2);
    if (buf == NULL) return;
    memcpy(buf, data, len);
    buf[len] = '\n';
    buf[len+1] = '\0';
}
```
Is it safe? Talk to your partner.
Vulnerable! If len = 0xffffffff, len+2 wraps around to 1, so malloc allocates only 1 byte.
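The two slides above are both integer problems rather than buffer problems: a signed `len` of -1 passes `len > 64` and then becomes `SIZE_MAX` when `memcpy` receives it, and `len + 2` wraps to a tiny value when `len` is near the maximum. The following is an added example for this page, not code from the slides; `bytes_memcpy_would_copy_int`, `alloc_size_unchecked` and `dup_line_checked` are hypothetical names. It reports the sizes the library calls would actually receive (without performing the dangerous copy) and shows the wrap-around check that makes `f()` safe. On 32-bit x86 `SIZE_MAX` is 0xffffffff, the value the slide uses; on a 64-bit build the same wrap happens at 0xffffffffffffffff.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64

/* The slide's check with a signed int len. Returns the byte count memcpy()
 * would be handed after the check, or 0 if the check rejects len. */
size_t bytes_memcpy_would_copy_int(int len)
{
    if (len > BUF_SIZE) return 0;   /* -1 > 64 is false: check passes */
    return (size_t)len;             /* -1 converts to SIZE_MAX */
}

/* The same check with size_t: a huge unsigned length is rejected. */
size_t bytes_memcpy_would_copy_size_t(size_t len)
{
    if (len > BUF_SIZE) return 0;   /* SIZE_MAX > 64: rejected */
    return len;
}

/* The size malloc() receives in the slide's f(): unsigned wrap-around. */
size_t alloc_size_unchecked(size_t len)
{
    return len + 2;                 /* SIZE_MAX + 2 == 1 */
}

/* Hardened f(): refuse any len whose +2 would wrap, then allocate. */
char *dup_line_checked(const char *data, size_t len)
{
    if (len > SIZE_MAX - 2) return NULL;   /* len + 2 would overflow */
    char *buf = malloc(len + 2);
    if (buf == NULL) return NULL;
    memcpy(buf, data, len);
    buf[len] = '\n';
    buf[len + 1] = '\0';
    return buf;
}

/* Test helper: does dup_line_checked(data, len) produce expect? Frees the result. */
int dup_line_matches(const char *data, size_t len, const char *expect)
{
    char *got = dup_line_checked(data, len);
    int ok = (got != NULL) && strcmp(got, expect) == 0;
    free(got);
    return ok;
}
```

Compilers can flag the signed/unsigned comparison (`-Wsign-compare`, `-Wconversion`), but they cannot flag the `len + 2` wrap, so the explicit `len > SIZE_MAX - 2` guard (or a checked-arithmetic helper) is what protects the allocation.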
```c
void vulnerable() {
    char buf[64];
    if (fgets(buf, 64, stdin) == NULL) return;
    printf(buf);
}
```
printf("you scored %d\n", score);
[Stack diagram for printf("you scored %d\n", score): the printf() frame holds the return address (rip) and saved frame pointer (sfp); above them sit the arguments, the format-string pointer 0x8048464 and the value of score; 0x8048464 points at the bytes "you scored %d\n\0".]
printf("a %s costs $%d\n", item, price);
[Stack diagram for printf("a %s costs $%d\n", item, price): the printf() frame holds rip and sfp; above them sit the format-string pointer 0x8048464, item and price; 0x8048464 points at the bytes "a %s costs $%d\n\0".]
Fun With printf format strings...
printf("100% dude!");
Format argument is missing!
[Stack diagram for printf("100% dude!"): the printf() frame holds rip and sfp; above them sits only the format-string pointer 0x8048464, pointing at the bytes "100% dude!\0"; the slot where the argument for "% d" would be is marked "???" because nothing was pushed there.]
More Fun With printf format strings...
```
printf("100% dude!");       ⇒ prints value 4 bytes above retaddr as integer
printf("100% sir!");        ⇒ prints bytes pointed to by that stack entry up through first NUL
printf("%d %d %d %d ...");  ⇒ prints series of stack entries as integers
printf("%d %s");            ⇒ prints value 4 bytes above retaddr plus bytes pointed to by preceding stack entry
printf("100% nuke’m!");
```
What does the %n format do??
```c
#include <stdio.h>

int report_cost(int item_num, int price) {
    int colon_offset;
    /* %n stores the number of characters printed so far into colon_offset */
    printf("item %d:%n $%d\n", item_num, &colon_offset, price);
    return colon_offset;
}
```
report_cost(3, 22) prints "item 3: $22" and returns the value 7
report_cost(987, 5) prints "item 987: $5" and returns the value 9
%n writes the number of characters printed so far into the corresponding format argument.
Fun With printf format strings...
```
printf("100% dude!");       ⇒ prints value 4 bytes above retaddr as integer
printf("100% sir!");        ⇒ prints bytes pointed to by that stack entry up through first NUL
printf("%d %d %d %d ...");  ⇒ prints series of stack entries as integers
printf("%d %s");            ⇒ prints value 4 bytes above retaddr plus bytes pointed to by preceding stack entry
printf("100% nuke’m!");     ⇒ writes the value 3 to the address pointed to by stack entry
```
```c
void safe() {
    char buf[64];
    if (fgets(buf, 64, stdin) == NULL) return;
    printf("%s", buf);
}
```
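The difference between `printf(buf)` and `printf("%s", buf)` is who decides how many arguments printf consumes and whether any of them are written through. The scanner below is an added example written for this page (not code from the slides or from any libc): it walks a format string the way printf's parser does, counting the arguments each conversion would consume and the `%n` conversions that write memory, so that a missing argument (the slide's `"100% dude!"`, where `% d` is a `%d` with the space flag) or a `%n` in attacker-supplied text is detected before the string ever reaches printf. `scan_format`, `missing_args`, `format_writes_memory` and `safe_as_bare_format` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* What a printf-style format string would consume. */
struct fmt_info {
    int args;       /* variadic arguments the conversions consume */
    int writes;     /* %n conversions: arguments printf WRITES through */
    int invalid;    /* malformed or unterminated conversion seen */
};

/* Walk fmt as printf does: '%' starts a conversion, "%%" is a literal,
 * flags, width, precision and length modifiers are skipped, a '*' width
 * or precision consumes an extra int argument, and the conversion
 * character consumes one argument ('n' consumes a pointer to write to). */
struct fmt_info scan_format(const char *fmt)
{
    struct fmt_info info = {0, 0, 0};
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                       /* "%%" prints '%' */
        while (*p && strchr("-+ #0", *p)) p++;         /* flags */
        if (*p == '*') { info.args++; p++; }           /* width from argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                               /* precision */
            p++;
            if (*p == '*') { info.args++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;       /* length modifiers */
        if (*p == '\0') { info.invalid = 1; break; }   /* "%" at end of string */
        if (!strchr("diouxXeEfFgGaAcspn", *p)) { info.invalid = 1; continue; }
        info.args++;
        if (*p == 'n') info.writes++;
    }
    return info;
}

/* Arguments the format needs beyond those supplied. A positive result means
 * printf would read stack slots past the real arguments. */
int missing_args(const char *fmt, int supplied)
{
    return scan_format(fmt).args - supplied;
}

/* Does this format write through any argument (%n)? */
int format_writes_memory(const char *fmt)
{
    return scan_format(fmt).writes > 0;
}

/* True if s could be passed as a format with no arguments without consuming
 * or writing anything, i.e. it contains no conversions at all. This is the
 * property printf(buf) silently assumes about user input. */
int safe_as_bare_format(const char *s)
{
    struct fmt_info i = scan_format(s);
    return i.args == 0 && !i.invalid;
}

int main(void)
{
    /* Constructed inputs: the slides' format strings. */
    const char *samples[] = { "you scored %d\n", "a %s costs $%d\n",
                              "100% dude!", "100% nuke'm!", "item %d:%n $%d\n" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        struct fmt_info i = scan_format(samples[k]);
        printf("%-20s args=%d writes=%d\n", samples[k], i.args, i.writes);
    }
    return 0;
}
```

In practice the check belongs at compile time: gcc and clang report `printf(buf)` under `-Wformat -Wformat-security`, and the runtime scan above is the fallback for formats that are assembled or loaded at runtime, where the compiler cannot see them.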