Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade
Crispin Cowan, SANS 2000
Buffer Overflows
  • Inject and execute attack code with the privileges of the vulnerable program.
  • e.g. exec("/bin/sh")
Inject Code
  • On the stack (automatic variables)
  • On the heap (malloc’d variables)
  • In static data areas
  • Code does not need to be in the overflowing buffer.
Use Code Already There
  • Reuse a call such as exec(arg) that is already in the program, by making arg point to "/bin/sh".
Jump to Attacker’s Code
  • Activation record
    • Overflow into the saved return address on the stack and make it point at the code.
  • Function pointers
    • Overflow into a variable declared "void (*foo)()" (a pointer to a function returning void) and make it point at the code.
Buffer Overflow Defenses
  • Writing Correct Code
    • Vulnerable programs continue to emerge on a regular basis
      • C has many error-prone idioms and a culture that favors performance over correctness.
  • Static Analysis Tools
    • Fortify – looks for vulnerable constructs
    • Too many false positives.
Buffer Overflow Defenses (cont.)
  • Non-executable buffers
    • Non-executable data segments
      • Breaks legitimate programs: optimizing compilers emit code into program data segments.
    • Non-executable stack segments
      • Highly effective against code injection on the stack, but not against code injected into the heap or static variables.
Buffer Overflow Defenses (cont.)
  • Array Bound Checking
    • Can run 12x-30x slower
    • a[3] is checked, but the equivalent pointer form *(a+3) is not
Buffer Overflow Defenses (cont.)
  • Type-safe languages: Java or ML
    • There are millions of lines of C code in operating systems and security-critical applications.
    • Attack the Java Virtual Machine instead, which is itself a C program.
Canary
  • Terminator Canary
    • 0 (null), CR, LF, -1 (EOF)
  • Random Canary
    • 32 bit random number
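
The following added example (written for this page; it is not code from Cowan's slides or from StackGuard) simulates the activation-record overwrite from the "Jump to Attacker's Code" slide against the two canary types above. Everything in it is constructed for the demo: the struct frame standing in for a stack frame, the payload layout, the stand-in random canary 0x5A3C7E91, the stand-in return addresses, and the byte-at-a-time copy, which behaves like strcpy in that it stops only at a NUL and has no idea where the buffer ends.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated activation record for the demo (a plain struct, not a real
 * stack frame): buf sits lowest, the canary word above it and the saved
 * return address above that, so a linear overflow of buf has to pass
 * through the canary before it can reach ret. */
struct frame {
    char      buf[16];
    uint32_t  canary;
    uintptr_t ret;
};

/* Constructed values: where the function would legitimately return, and
 * the address the attacker wants to return into (0x42 in every byte, so
 * the payload holds no NUL whatever the pointer size or endianness). */
#define LEGIT_RET ((uintptr_t)0x1000)
#define TARGET    ((~(uintptr_t)0 / 0xFF) * 0x42)

/* Terminator canary from the slide: NUL, CR, LF, EOF (0xFF), assembled
 * from bytes so its in-memory layout is the same on any endianness. */
static uint32_t terminator_canary(void) {
    static const unsigned char b[4] = {0x00, 0x0D, 0x0A, 0xFF};
    uint32_t c;
    memcpy(&c, b, sizeof c);
    return c;
}

/* Behaves like strcpy(f->buf, src): copies up to and including the first
 * NUL and has no idea where buf ends.  Going through unsigned char* keeps
 * the overrun into canary and ret well-defined; the bound only keeps the
 * demo inside the struct (a real strcpy would keep going). */
static void vulnerable_copy(struct frame *f, const char *src) {
    unsigned char *dst = (unsigned char *)f;
    for (size_t i = 0; i < sizeof *f; i++) {
        dst[i] = (unsigned char)src[i];
        if (src[i] == '\0')
            break;
    }
}

/* Attacker's string: filler over buf, the attacker's guess at the canary
 * at the canary's offset, the target address at ret's offset, then NUL. */
static void build_payload(char *out, uint32_t canary_guess, uintptr_t target) {
    size_t ret_off = offsetof(struct frame, ret);
    memset(out, 'A', ret_off);
    memcpy(out + offsetof(struct frame, canary), &canary_guess, sizeof canary_guess);
    memcpy(out + ret_off, &target, sizeof target);
    out[ret_off + sizeof target] = '\0';
}

enum outcome {
    DETECTED,  /* canary changed: the StackGuard-style epilogue check aborts */
    BLOCKED,   /* check passes, but the copy never reached ret */
    HIJACKED   /* check passes and ret now points at TARGET */
};

/* One overflow attempt with the given canary, against an attacker who
 * believes the canary is `guess`, followed by the epilogue check. */
static enum outcome run_case(uint32_t canary, uint32_t guess) {
    struct frame f;
    char payload[sizeof f + 1];

    memset(&f, 0, sizeof f);
    f.canary = canary;
    f.ret = LEGIT_RET;

    build_payload(payload, guess, TARGET);
    vulnerable_copy(&f, payload);

    if (f.canary != canary)
        return DETECTED;
    return f.ret == TARGET ? HIJACKED : BLOCKED;
}

int main(void) {
    static const char *names[] = {"detected", "blocked", "hijacked"};
    uint32_t random_canary = 0x5A3C7E91u;  /* stand-in for a 32-bit random canary */

    printf("terminator, attacker knows it: %s\n",
           names[run_case(terminator_canary(), terminator_canary())]);
    printf("terminator, attacker guesses:  %s\n",
           names[run_case(terminator_canary(), 0x41414141u)]);
    printf("random, attacker leaked it:    %s\n",
           names[run_case(random_canary, random_canary)]);
    printf("random, attacker guesses:      %s\n",
           names[run_case(random_canary, 0x41414141u)]);
    return 0;
}
```

Build with cc -std=c99 and run. A terminator canary stops a strcpy-style overflow even when the attacker knows its value, because the first canary byte the attacker would have to reproduce is the NUL that ends the copy. It does nothing against a length-driven overflow (read(), memcpy()), which is why the random canary exists; that one in turn holds only as long as the value stays secret, as the "leaked" case shows.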
StackGuard Compiler
  • Recompiled Linux
  • Prevented old and new attacks
  • Execution cost of SSH and Apache was indistinguishable
StackGuard Compiler (cont.)
  • Performance
    • Pointer dereferences occur much less often than array references
  • There does not exist any bounds checking compiler capable of approaching the compatibility and performance of the StackGuard compiler
PointGuard Compiler
  • Put canary next to function pointers as well.
  • Only the relatively obscure form of buffer overflow attack that corrupts non-pointer variables to affect the program’s logic escapes PointGuard (Morris worm)
Conclusion
  • Use a safer string library: Strsafe.h
  • Visual C++ .NET /GS option
    • Similar to StackGuard