Buffer overflows and various code injection methods. Raghunathan Srinivasan, CSE 539, 2/2/2011. What is the deal with overflows: why does it exist? Can we get rid of it? Why can't we get rid of it? Since 80% of the general population uses a Microsoft OS, let's Google "Microsoft buffer overflow".
Buffer overflows and various code injection methods

Raghunathan Srinivasan, CSE 539, 2/2/2011

What is the deal with overflows
  • Why does it exist?
  • Can we get rid of it?
  • Why can't we get rid of it?
Bounds checking?

#include <stdio.h>

int main()
{
    int a[4]; int n;
    scanf("%d", &n);            /* n comes straight from the user and is never checked */
    while (n>0){
        scanf("%d", &a[n]);     /* any n > 3 writes past the end of a[] (a[4] is already out of bounds) */
        n--;
    }
}

#include <stdio.h>

int main()
{
    int a[4]; int n;
    scanf("%d", &n);
    if (n>3) n=3;               // clamp n to the last valid index (or simply return)
    while (n>0){
        scanf("%d", &a[n]);     /* n is now at most 3, so every write stays inside a[] */
        n--;
    }
}

Why buffer overflow is possible
  • Are our machines different?
  • What does the stack look like?
Takeaways?
  • How secure is any code?
  • What would happen if we all used different architecture, custom compiled OS?
Benefits of custom compilation
  • Randomize application memory
  • Modify the relative distance between the return address and the locals on the stack for every binary
    • Attacker needs to determine the correct input values for every binary
    • Return on investment for the attacker is lower
  • Randomize the stack frame of every routine
    • Add padding between local variables and return address
    • Makes buffer overflow exploits difficult
  • So how do we randomize the code?
    • Source code?
    • Executable?
Binary rewriting
  • No net instructions added (or subtracted)
  • Change arguments for adding space on stack
  • Every instruction that uses locations on the stack (local variables) has to be fixed
#include <stdio.h>

void foo() {
    char buffer[1024];
    gets(buffer);            /* reads until newline with no length limit */
}

  push %ebp
  mov %esp,%ebp
  sub $0x408,%esp           # 1024 bytes for buffer plus 8 more (argument slot and alignment)
  lea -0x400(%ebp),%eax     # address of buffer: 0x400 = 1024 bytes below the saved ebp
  mov %eax,(%esp)           # pass it as the argument to gets()
  call 80482c8 <gets@plt>
  leave
  ret

Was this done
  • Yes
  • Use objdump to dump the text section
  • Identify instructions
  • Determine max pad for each function
  • Go and rewrite instructions
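The rewriting step above, as an added example that is not part of the lecture: it takes lines of foo()'s disassembly in the AT&T syntax objdump printed on the earlier slide, grows the frame allocation by a pad and shifts every ebp-relative local address down by the same amount, while leaving positive ebp displacements (saved ebp, return address, arguments) and esp-relative argument slots alone. It handles only the two instruction shapes in that listing and refuses a pad that would push an imm8/disp8 operand into a 32-bit encoding, which is the check behind "determine max pad for each function"; a real rewriter must cover every addressing form and re-encode the bytes.

```c
#include <stdio.h>
#include <string.h>

/* Rewrites one AT&T-syntax line of foo()'s disassembly so that `pad` extra
 * bytes sit between the locals and the saved ebp / return address:
 *   sub $0xNNN,%esp       frame allocation grows by pad
 *   OP -0xNNN(%ebp),...   ebp-relative local addresses move down by pad
 * Positive ebp displacements (saved ebp, return address, arguments) and
 * esp-relative outgoing-argument slots are copied unchanged.
 * Returns 1 if the line was changed, 0 if it was copied unchanged, and -1 if
 * the padded value would no longer fit the original imm8/disp8 encoding
 * (that would change the instruction length and break "no net bytes added"). */
int rewrite_line(const char *in, unsigned pad, char *out, size_t outsz)
{
    unsigned imm;
    char mnem[8], rest[64];

    if (sscanf(in, "sub $0x%x,%%esp", &imm) == 1 && strstr(in, "%esp")) {
        if (imm <= 0x7f && imm + pad > 0x7f) return -1;   /* imm8 -> imm32 */
        snprintf(out, outsz, "sub $0x%x,%%esp", imm + pad);
        return 1;
    }
    if (sscanf(in, "%7s -0x%x(%%ebp)%63s", mnem, &imm, rest) == 3) {
        if (imm <= 0x80 && imm + pad > 0x80) return -1;   /* disp8 -> disp32 */
        snprintf(out, outsz, "%s -0x%x(%%ebp)%s", mnem, imm + pad, rest);
        return 1;
    }
    snprintf(out, outsz, "%s", in);
    return 0;
}

int main(void)
{
    /* The slide's listing of foo(), padded by 0x100 bytes (constructed input). */
    const char *listing[] = { "push %ebp", "mov %esp,%ebp", "sub $0x408,%esp",
        "lea -0x400(%ebp),%eax", "mov %eax,(%esp)", "call 80482c8 <gets@plt>",
        "leave", "ret" };
    char out[64];
    for (size_t i = 0; i < sizeof listing / sizeof listing[0]; i++) {
        int r = rewrite_line(listing[i], 0x100, out, sizeof out);
        printf("%c %s\n", r == 1 ? '*' : (r == 0 ? ' ' : '!'), out);
    }
    return 0;
}
```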
Code injection

mprotect

ptrace

Let's take a look at the man pages for these system calls.

Let's write code

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <stdint.h>
#include <sys/mman.h>
#include <limits.h>    /* for PAGESIZE */
#ifndef PAGESIZE
#define PAGESIZE 4096
#endif

int test(void);

int main()
{
    char *location = (char *)test;   /* byte pointer into test()'s machine code */
    char *d = (char *)test;

    test();
    printf("\nAttempting not possible stuff");
    fflush(NULL);

    /* mprotect needs a page-aligned start; mask with uintptr_t so the pointer
       is not truncated on 64-bit systems, and cover the whole page holding test() */
    d = (char *)(((uintptr_t) d) & ~(uintptr_t)(PAGESIZE-1));
    if (mprotect(d, PAGESIZE, PROT_READ|PROT_WRITE|PROT_EXEC)) {
        perror("Couldn't mprotect");
        exit(errno);
    }
    location[1] = 0xc3;   /* overwrite the second byte of test() with 0xc3 (x86 RET) */
    test();               /* test() no longer runs as compiled; it typically crashes here */

    printf("\nShould not be here");
    fflush(NULL);
    return 0;
}

int test(void)
{
    printf("\n hello from test");
    return 0;
}

What does this show
  • If an application wants to, it can cause havoc on itself.
  • Is this useful?
  • But this is a system call
  • All system calls are available to every binary
  • Can you make the execution jump to mprotect with correct stack arguments?
ptrace
  • Parent process may observe and control a child process
  • Essentially a debugger
fork
  • Creates a child process
  • Execution returns twice from the same location, once in each process
  • If the return value is 0, it's the child; otherwise it's the parent
  • Code example 1
Example 2
  • PTRACE_TRACEME
    • The process allows its parent to trace it. When the child executes a system call (or receives any signal), it stops and control passes to the parent, which is waiting.
  • PTRACE_CONT
    • Parent resumes the stopped child
Example 3
  • Reads a word at offset addr in the child's USER area, which holds the registers and other information about the process
Example 6
  • PTRACE_ATTACH
    • Attaches to the process specified in pid, making it a traced "child" of the current process; the behavior of the child is as if it had done a PTRACE_TRACEME.
  • PTRACE_GETREGS
    • Copies the child's general-purpose (or, with the floating-point variant, floating-point) registers to location data in the parent.
  • PTRACE_PEEKTEXT
    • Reads a word at the location addr in the child's memory, returning the word as the result of the ptrace() call.
Example 7
  • PTRACE_SETREGS
    • Copies general-purpose (or, with the floating-point variant, floating-point) registers from location data in the parent into the child.
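Examples 1, 2, 3 and 7 in one program, as an added example written for this page rather than taken from the lecture's own code examples: the parent forks a child that asks to be traced (PTRACE_TRACEME) and stops itself; the parent reads a word from the child's memory (PTRACE_PEEKTEXT), rewrites it (PTRACE_POKEDATA, used here instead of the register write of PTRACE_SETREGS so the code does not depend on the CPU's register layout), resumes the child (PTRACE_CONT) and observes the changed value in the child's exit code. Assumes Linux; `marker` and `trace_child` are names chosen for this example.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Word the child writes before stopping; after fork() it lives at the same
 * address in both processes, so the parent can name it directly. */
static volatile long marker = 0;

/* Forks a traced child, reads and rewrites `marker` in the child's memory,
 * resumes it and returns the child's exit code (-1 on any tracer-side error). */
int trace_child(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                   /* child: fork() returned 0 */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(2);                                 /* tracing not permitted here */
        marker = 0x1234;
        raise(SIGSTOP);                               /* stop; parent's waitpid() returns */
        _exit((int)(marker & 0xff));                  /* report what marker holds now */
    }
    int status = 0;                                   /* parent: wait for the stop */
    if (waitpid(pid, &status, 0) == -1) return -1;
    if (!WIFSTOPPED(status))                          /* child exited early (e.g. code 2) */
        return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    errno = 0;                                        /* PEEKTEXT returns the word itself */
    long word = ptrace(PTRACE_PEEKTEXT, pid, (void *)&marker, NULL);
    if ((word == -1 && errno != 0) || word != 0x1234)
        return -1;                                    /* did not read what the child wrote */
    /* Rewrite the word inside the child; SETREGS changes its registers the same way */
    if (ptrace(PTRACE_POKEDATA, pid, (void *)&marker, (void *)42L) == -1)
        return -1;
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1)   /* resume the stopped child */
        return -1;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);                       /* 42 if the rewrite took effect */
}

int main(void)
{
    printf("child exited with %d\n", trace_child());
    return 0;
}
```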
Example 8
  • Do it yourself at home