Review: Software Security David Brumley [email protected] Carnegie Mellon University.
Review: Software Security
David Brumley, [email protected], Carnegie Mellon University
Basic Execution Model
(diagram) Process memory: Stack, Heap, Code, Data, ... The processor runs a fetch, decode, execute loop and reads and writes process memory.
cdecl – the default for Linux & gcc

    int red(int c, char *buf);   /* callee; declared here because only the call appears on the slide */

    int orange(int a, int b)
    {
        char buf[16];            /* 16-byte local buffer */
        int c, d;                /* scalar locals */
        if (a > b) c = a;
        else c = b;
        d = red(c, buf);         /* pushes arguments right to left: buf, then c */
        return d;
    }

Stack diagram (the stack grows toward lower addresses; the first entry is the highest address):

orange's initial stack frame:
  ...
  b
  a
  return addr
  caller's ebp              <- %ebp (frame pointer)
  callee-save registers
  locals (buf, c, d: >= 28 bytes if all are stored on the stack)
  caller-save registers
  parameter area (caller), to be created before calling red:
    buf
    c
after red has been called:
  return addr
  orange's ebp              <- %esp (stack pointer, lowest address)
Be prepared to draw and analyze stack diagrams
Control Flow Hijack: Always Computation + Control
(diagram) The overflowed buffer carries both halves: shellcode (aka payload) + padding + &buf, i.e., computation (the payload) + control (the overwritten address pointing back into it).
• code injection
• return-to-libc
• heap metadata overwrite
• return-oriented programming
• ...
Same principle, different mechanism.
Channeling Vulnerabilities
... arise when control and data are mixed into one channel.

Situation        Data channel     Control channel      Security impact
Format strings   Output string    Format parameters    Disclose or write to memory
malloc buffers   malloc data      Heap metadata info   Control hijack / write to memory
Stack            Stack data       Return address       Control hijack
Phreaking        Voice or data    Operator tones       Seize line control
Buffer overflows
• Gaining control through...
  – Overwriting saved return addresses
  – Overwriting function pointers
Format strings
• For non-variadic functions, the compiler:
  – knows the number and types of arguments
  – emits instructions for the caller to push arguments right to left
  – emits instructions for the callee to access arguments via the frame pointer (or the stack pointer [advanced])
• For variadic functions, the compiler emits instructions for the program to walk the stack at runtime for arguments
Format string exploits
• Occur when the user can control the format string specifier
• Can be used to:
  1. View memory (e.g., information disclosure)
  2. Write to specific addresses
  3. sprintf: expand user input to cause a buffer overflow
Defenses
(diagram) shellcode (aka payload) + padding + &buf: DEP primarily targets the computation half (executing the injected payload); ASLR primarily targets the control half (knowing &buf).
How to attack with ASLR?
(diagram) Attack taxonomy labels, as they appear on the slide:
• Brute force
• Non-randomized memory
• Stack juggling
• ret2text
• Func ptr
• ret2ret
• ret2pop
• GOT hijacking
• ret2got
Return-Oriented Programming (ROP): how it works and when it is needed
Desired shellcode: Mem[v2] = v1 ...
(diagram) Frame of a function with buf (64 bytes) overflowed via argv[1]. Highest address first: argv, argc, return addr, caller's ebp, buf (64 bytes). %ebp and %esp point into the overflowed frame. Read from the saved return address upward, the stack now holds the chain: a1, v1, a2, v2, a3.
Gadgets:
  a1: pop eax; ret
  a2: pop ebx; ret
  a3: mov [ebx], eax
Returning to a1 pops v1 into eax; its ret lands on a2, which pops v2 into ebx; its ret lands on a3, which stores eax at [ebx]. Desired store executed!
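The chain above, executed step by step, as an added example that is not part of the slides: a small C simulator of the three gadgets consumes the stack words (a1, v1, a2, v2, a3) exactly as a sequence of `ret`/`pop` operations would, and shows why a return-site policy of the kind CFI enforces (a `ret` may only land on an address that follows a call) rejects the chain at its very first `ret`. Gadget addresses, the return-site list and memory are all constructed stand-ins, not values from any real binary.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed gadget "addresses" standing in for a1, a2, a3 on the slide
   (not real addresses of any binary). */
#define A1_POP_EAX 0x08048111u   /* a1: pop eax; ret */
#define A2_POP_EBX 0x08048222u   /* a2: pop ebx; ret */
#define A3_MOV     0x08048333u   /* a3: mov [ebx], eax */
#define MEM_WORDS 16
static uint32_t mem[MEM_WORDS];  /* simulated, word-addressed data memory */
typedef struct { uint32_t eax, ebx; size_t sp; } cpu_t;

/* Return-site policy: a `ret` may only land on an address that follows some
   call instruction. Gadget entry points in the middle of functions are not
   such addresses, so a chain of them fails the check at its first `ret`. */
static int valid_return_site(uint32_t target, const uint32_t *sites, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (sites[i] == target) return 1;
    return 0;
}
/* Consume the chain the overflow left on the stack, lowest address first
   (a1, v1, a2, v2, a3). Returns the number of gadgets executed, -1 if a
   `ret` target is rejected by the policy, -2 on a malformed chain.
   With enforce_cfi == 0 this is the unprotected machine of the slide. */
int run_chain(const uint32_t *stack, size_t n, cpu_t *cpu, int enforce_cfi,
              const uint32_t *sites, size_t nsites)
{
    int executed = 0;
    cpu->sp = 0;
    while (cpu->sp < n) {
        uint32_t target = stack[cpu->sp++];  /* `ret`: pop next word into eip */
        if (enforce_cfi && !valid_return_site(target, sites, nsites))
            return -1;
        if (target == A3_MOV) {              /* mov [ebx], eax; no ret: chain ends */
            if (cpu->ebx >= MEM_WORDS) return -2;
            mem[cpu->ebx] = cpu->eax;
            return executed + 1;
        }
        if (target != A1_POP_EAX && target != A2_POP_EBX) return -2;
        if (cpu->sp >= n) return -2;         /* pop needs a word on the stack */
        uint32_t value = stack[cpu->sp++];   /* pop eax / pop ebx, then ret */
        if (target == A1_POP_EAX) cpu->eax = value; else cpu->ebx = value;
        executed++;
    }
    return executed;
}
/* Read back simulated memory so a caller can check Mem[v2] == v1. */
uint32_t mem_read(uint32_t addr) { return addr < MEM_WORDS ? mem[addr] : 0; }
```

Running the same chain with enforce_cfi set to 1 and a return-site list that contains only genuine call-return addresses stops it before the first gadget body executes, which is the property the CFI slide's "CFI instrumentation" bullet refers to.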
CFI
• Sound/Complete
• Sensitivity in program analysis
• CFI instrumentation
• CFI assumptions
Test
• In-class
• Timed
• Closed book, closed note, closed computer
Good Luck!
Questions?