
Buffer Overflow Attacks



  1. Buffer Overflow Attacks Adrian Norris

  2. Overview • Buffer Overflow Attacks explained • What are they? • How are they accomplished? • Simple Example • Buffer Overflow Mitigations • Explanation • Pros and cons • Buffer Overflow Alternatives • History

  3. What are BOF attacks? • A Buffer Overflow, or BOF, attack corrupts data values in memory adjacent to a buffer by writing outside its bounds • Commonly occurs when copying character strings from one buffer to another without checking the destination size • Previously the dominant hacking technique • Requires a higher level of intimacy with memory layout than most attacks

  4. Makeup of a BOF attack • Roughly put: • Discover vulnerable code • Overwrite the return address • New return address points to alternate code • Varies based on architecture, OS, and memory region

  5. Stack Based Exploitation • Done in one of several ways: • Overwrite a local variable near the buffer (e.g. a length, a flag, or a pointer the function later uses) • Overwrite the return address • Overwrite a function pointer or exception handler • Inject shellcode into the stack and redirect execution to it • Which of these is suitable depends on the platform

  6. Heap Based Exploitation • Conceptually the same as stack based • Details differ: • Occurs in the heap, where no return address sits next to the buffer • Generally much harder • Insert instructions into the heap, then trick the program into executing them (typically by corrupting a pointer the program later uses) • Most mitigations focus on the stack rather than the heap

  7. Simple BOF Example • Taken from the Open Web Application Security Project (OWASP) wiki • The call to gets() is the deliberate bug: it reads an unbounded line into an 8-byte buffer
  - Code:

    #include <stdio.h>
    #include <string.h>

    void doit(void)
    {
        char buf[8];

        gets(buf);
        printf("%s\n", buf);
    }

    int main(void)
    {
        printf("So... The End...\n");
        doit();
        printf("or... maybe not?\n");

        return 0;
    }

  - Compilation (the linker already warns about gets()):

    rezos@dojo-labs ~/owasp/buffer_overflow $ gcc example02.c -o example02 -ggdb
    /tmp/cccbMjcN.o: In function `doit':
    /home/rezos/owasp/buffer_overflow/example02.c:8: warning: the `gets' function is dangerous and should not be used.

  8. Simple BOF Example
  - Output 1 (input fits in the buffer):

    rezos@dojo-labs ~/owasp/buffer_overflow $ ./example02
    So... The End...
    TEST                // user data on input
    TEST                // print out stored user data
    or... maybe not?

  - Output 2 (13 characters into an 8-byte buffer):

    rezos@dojo-labs ~/owasp/buffer_overflow $ ./example02
    So... The End...
    TEST123456789
    TEST123456789
    Segmentation fault

  9. Simple BOF Example • Obtaining an objdump allows for the analysis of the information needed for further exploitation: where doit() returns into main() and what follows the second output call (gcc compiled both printf() calls into puts())
  - objdump:

    080483be <main>:
    ...
    80483cf:  c7 04 24 bc 84 04 08   movl   $0x80484bc,(%esp)
    80483d6:  e8 f5 fe ff ff         call   80482d0 <puts@plt>
    80483db:  e8 c0 ff ff ff         call   80483a0 <doit>
    80483e0:  c7 04 24 cd 84 04 08   movl   $0x80484cd,(%esp)
    80483e7:  e8 e4 fe ff ff         call   80482d0 <puts@plt>
    80483ec:  b8 00 00 00 00         mov    $0x0,%eax
    80483f1:  83 c4 04               add    $0x4,%esp
    ...

  10. Simple BOF Example • Skip the second printf() call by overwriting the return address doit() will use: 12 bytes of filler reach the saved return address, and the next four bytes replace it with 0x080483f9, written little-endian as \xf9\x83\x04\x08, an address in main()'s epilogue past the second puts() call
  - Output 3:

    rezos@dojo-labs ~/owasp/buffer_overflow $ perl -e 'print "A"x12 ."\xf9\x83\x04\x08"' | ./example02
    So... The End...
    AAAAAAAAAAAAu*.
    Segmentation fault

  The "or... maybe not?" line never appears; the crash that follows comes from the corrupted frame having nothing valid left to return to.

  11. BOF Mitigations • Proper programming language application • Safe library usage • Executable Space Protection • Address Space Layout Randomization (ASLR) • Deep Packet Inspection (DPI) • Pointer Protection

  12. Programming Languages • Be careful when settling on a programming language. • C/C++ have weak bounds checking when it comes to buffers • Other languages may raise a warning or exception: • E.g. Ada, Lisp, or D • Safety versus performance tradeoffs

  13. Safe Library • C/C++ issue: • Low level buffer details exposed • Lack of buffer management • String and array data types • Avoid standard library functions which are not bounds checked: • E.g. gets(), scanf(), and strcpy() • Safe library alternatives: “The Better String Library” and Vstr • Provides a moderate amount of coverage
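  The following is an added example, not code from the slides or the OWASP wiki: the unbounded copy pattern the slide warns about, next to a bounds-checked replacement built from plain libc (no safe-string library is assumed). All function names are the example's own; the hardened doit_safe() keeps the slide's buffer size of 8.

```c
/* Added example (the author's own, not from the slides or the OWASP
 * wiki): the unbounded copy beside a bounds-checked replacement built
 * from plain libc, so no safe-string library is assumed. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8   /* same size as buf[8] in the OWASP example */

/* UNSAFE: strcpy() writes strlen(src)+1 bytes whatever the size of dst.
 * With an 8-byte dst and "TEST123456789" (13 chars + NUL) this is the
 * slide's overflow.  Kept for comparison only; never call it on
 * untrusted input. */
void copy_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* SAFE: never writes past dst[dst_size-1], always NUL-terminates, and
 * reports truncation so the caller can reject over-long input rather
 * than silently using a clipped string.
 * Returns 0 on success, -1 if the input was truncated or dst_size is 0. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n;

    if (dst_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_size) {            /* does not fit together with the NUL */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);        /* fits, terminator included */
    return 0;
}

/* SAFE replacement for gets(): fgets() writes at most size-1 chars plus
 * a NUL.  If the buffer filled without a newline, the line was longer
 * than the buffer; drain the remainder so it is not mistaken for the
 * next input.  A line of exactly size-1 chars followed by a newline is
 * NOT truncated and is reported as success.
 * Returns 0 on success, -1 on truncation (or size 0), 1 on EOF with no data. */
int read_line_bounded(char *dst, size_t size, FILE *in)
{
    size_t n;
    int c, drained = 0;

    if (size == 0)
        return -1;
    if (fgets(dst, (int)size, in) == NULL)
        return 1;
    n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';          /* strip the newline gets() also dropped */
        return 0;
    }
    if (n == size - 1) {            /* buffer filled without a newline */
        while ((c = fgetc(in)) != EOF && c != '\n')
            drained = 1;            /* real data beyond the buffer */
        return drained ? -1 : 0;
    }
    return 0;                       /* final line without trailing newline */
}

/* Hardened version of the slide's doit(): refuses over-long input. */
int doit_safe(FILE *in)
{
    char buf[BUF_SIZE];
    int rc = read_line_bounded(buf, sizeof buf, in);

    if (rc == -1)
        fprintf(stderr, "input too long (max %d chars)\n", BUF_SIZE - 1);
    else if (rc == 0)
        printf("%s\n", buf);
    return rc;
}

int main(void)
{
    printf("So... The End...\n");
    doit_safe(stdin);               /* "TEST123456789" is now rejected, not a crash */
    printf("or... maybe not?\n");
    return 0;
}
```

  Returning a truncation status matters as much as the bound itself: a copy that silently clips "TEST123456789" to "TEST123" is memory-safe but may still let an attacker smuggle a shortened value past a later check.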

  14. Executable Space Protection and Stack Protection • Stack-smashing protection detects common BOFs: before a function returns, check whether a canary value placed next to the return address was altered → terminate the program if so • Example systems: Libsafe; StackGuard and ProPolice gcc patches • Executable space protection: Data Execution Prevention (DEP) marks the stack and heap non-executable, so injected shellcode cannot run • SEH pointer explicitly protected as well • Stack splitting: one stack for data and one for function returns → an overflowed data buffer cannot reach a return address • Found in the Forth programming language

  15. Executable Space Protection • Not a complete solution • Return-to-libc • Other attacks not reliant on executing the attacker’s code • Generally makes it more difficult

  16. Address Space Layout Randomization (ASLR) • Arranges process data areas randomly • E.g. the base of the executable • Library, heap, and stack positions • Makes BOF more difficult • Forced to tailor attacks

  17. Deep Packet Inspection (DPI) • Detects remote BOF exploits at the network perimeter • Uses attack signatures and heuristics • Blocks packets with known attack signatures or a detected NOP sled • Of limited effectiveness: • Known signatures only • Many ways to encode a NOP sled • Alphanumeric, metamorphic, and self-modifying shellcode evade detection

  18. Pointer Protection • PointGuard: the compiler adds code to XOR-encode pointers with a secret key when they are stored and to decode them just before use • An attacker who overwrites an encoded pointer cannot predict where it will point once decoded • PointGuard was never released • Microsoft's alternative: • Similar approach to PointGuard • Windows XP SP2, Windows Server 2003 SP1 • API routine called explicitly by the programmer • Better performance, but requires additional programmer knowledge
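  An added example, not PointGuard's or Microsoft's code: the XOR pointer encoding behind PointGuard and Windows' EncodePointer/DecodePointer, written out so the effect of an overwrite on an encoded pointer can be observed directly. The key is assumed to come from a source the attacker cannot read; the record layout and the fixed key value are constructed for the demo.

```c
/* Added example, the author's own, not PointGuard's or Microsoft's code:
 * XOR pointer encoding, with a simulated overwrite to show why the
 * attacker's raw write no longer lands where they intended.  The key
 * is assumed to be secret; the demo passes a fixed constant so the
 * run is reproducible (constructed value). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void (*handler_t)(void);

static uintptr_t g_ptr_key;         /* per-process secret, set once at start */

void ptr_key_init(uintptr_t key) { g_ptr_key = key; }

/* Encode before storing a pointer where an overflow might reach it. */
uintptr_t ptr_encode(uintptr_t raw) { return raw ^ g_ptr_key; }

/* Decode only at the point of use; the decoded value lives in a
 * register and is never written back next to the buffer. */
uintptr_t ptr_decode(uintptr_t encoded) { return encoded ^ g_ptr_key; }

/* A record like one an overflow corrupts: a buffer followed by a
 * function pointer that is kept in encoded form. */
struct record {
    char      name[16];
    uintptr_t on_done;              /* ptr_encode()d handler_t */
};

static int g_safe_calls;
void safe_handler(void) { g_safe_calls++; }
void evil_handler(void) { }         /* stands in for attacker-chosen code */

/* Legitimate path: decode and call. */
void dispatch(const struct record *r)
{
    handler_t h = (handler_t)ptr_decode(r->on_done);
    h();
}

/* Simulates an attacker who overflows name[] into on_done and writes the
 * raw address of evil_handler (all they can do without the key).
 * Returns the address the program would actually jump to after decoding. */
uintptr_t simulate_overwrite(struct record *r, uintptr_t attacker_target)
{
    r->on_done = attacker_target;   /* unencoded, as an overflow writes it */
    return ptr_decode(r->on_done);
}

/* Returns 1 if the attacker's raw write lands on their target, which
 * happens only when the key is 0, i.e. with no protection at all. */
int attacker_wins(uintptr_t key)
{
    struct record r;

    ptr_key_init(key);
    memset(&r, 0, sizeof r);
    r.on_done = ptr_encode((uintptr_t)safe_handler);
    return simulate_overwrite(&r, (uintptr_t)evil_handler)
           == (uintptr_t)evil_handler;
}

/* Round trip on the legitimate path: how many times safe_handler ran
 * through dispatch(); expected 1. */
int legitimate_dispatch_count(uintptr_t key)
{
    struct record r;

    ptr_key_init(key);
    memset(&r, 0, sizeof r);
    r.on_done = ptr_encode((uintptr_t)safe_handler);
    g_safe_calls = 0;
    dispatch(&r);
    return g_safe_calls;
}

int main(void)
{
    const uintptr_t key = (uintptr_t)0x5A3C9E17u;   /* constructed secret */

    printf("legitimate dispatch runs handler %d time(s)\n",
           legitimate_dispatch_count(key));
    printf("attacker wins with key 0: %d, with secret key: %d\n",
           attacker_wins(0), attacker_wins(key));
    return 0;
}
```

  Two caveats follow from the XOR: a zero key gives no protection at all, and because XOR is linear, one leaked pair of encoded and decoded values reveals the key, so the scheme depends on keeping both the key and encoded pointers out of the attacker's reach.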

  19. Altered BOF attacks • NOP Sled • Register Usage • Alphanumeric Code • Metamorphic Code • Self-Modifying Code • Return-to-libc

  20. NOP Sled • Oldest and most widely known • Solves the problem of finding the exact address of the buffer: the attacker only has to land somewhere inside the sled • At the end of the sled is a jmp instruction to the shellcode • Need not consist of traditional no-op instructions; any instructions that do not disturb the exploit will do • Not without problems: • Still relies on guessing an address inside the sled • Requires that the buffer and stack be large enough to hold the sled • Sought out by intrusion prevention systems

  21. Using Registers • Allows exploitation without a NOP sled • No guessing of stack offsets • Most common method for internet worms • Strategy: • Overwrite the return address with the fixed, known address of an instruction that jumps through a register → the jump executes → the register already points to the shellcode

  22. Example • i386 jmp esp opcode = FF E4 • This two-byte sequence is found one byte into the call DbgPrint instruction, at address 0x7C941EED • Attack: • Overwrite the return address with 0x7C941EED • When the function returns, the CPU interprets the bytes there as FF E4 and executes jmp esp • esp points at the attacker's data on the stack, so the jump lands in the shellcode
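  As an added illustration (not from the slides, and the bytes are not from any real Windows module), the following C program scans a constructed byte image for the FF E4 encoding at any byte alignment, discards candidate addresses that contain bytes the vulnerable copy would stop on, and lays the chosen address out little-endian as the payload needs. IMAGE_BASE and the image contents are assumptions made for the demo.

```c
/* Added example, the author's own and not from the slides or any real
 * Windows binary: hunt a byte image for the i386 "jmp esp" encoding
 * (FF E4) the way an attacker locates a register-jump address.  The
 * image and its load address are constructed for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IMAGE_BASE 0x7C941100u      /* assumed load address of the demo image */

/* Constructed "module" bytes: a tiny function whose call displacement
 * happens to contain FF E4 one byte into the call instruction, the same
 * situation the slide describes for call DbgPrint. */
static const uint8_t image[] = {
    0x55,                           /* push ebp                          */
    0x8B, 0xEC,                     /* mov  ebp, esp                     */
    0xE8, 0xFF, 0xE4, 0x00, 0x00,   /* call rel32  (rel32 = 0x0000E4FF)  */
    0x5D,                           /* pop  ebp                          */
    0xC3,                           /* ret                               */
};

/* Find every FF E4 in img at any byte offset: x86 instructions are not
 * aligned, so returning into the middle of an instruction executes the
 * bytes found there as a fresh instruction stream.  Writes up to max
 * absolute addresses to out; returns the total number found. */
size_t find_jmp_esp(const uint8_t *img, size_t len, uint32_t base,
                    uint32_t *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (img[i] == 0xFF && img[i + 1] == 0xE4) {
            if (found < max)
                out[found] = base + (uint32_t)i;
            found++;
        }
    }
    return found;
}

/* A candidate is useless if the copy that causes the overflow stops on
 * one of its bytes: 0x00 for the str* functions, 0x0A (newline) for the
 * gets() used in the OWASP example.  Returns 1 if the address is unusable. */
int has_bad_byte(uint32_t addr)
{
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(addr >> (8 * i));
        if (b == 0x00 || b == 0x0A)
            return 1;
    }
    return 0;
}

/* Lay the address out as it must appear in the payload: little-endian,
 * least significant byte first (compare "\xf9\x83\x04\x08" on slide 10). */
void put_le32(uint8_t out[4], uint32_t v)
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(v >> (8 * i));
}

/* First usable jmp esp address in the demo image, or 0 if none. */
uint32_t first_usable_jmp_esp(void)
{
    uint32_t addrs[8];
    size_t n = find_jmp_esp(image, sizeof image, IMAGE_BASE, addrs, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        if (!has_bad_byte(addrs[i]))
            return addrs[i];
    return 0;
}

int main(void)
{
    uint32_t addr = first_usable_jmp_esp();
    uint8_t le[4];

    if (addr == 0) {
        puts("no usable jmp esp in image");
        return 1;
    }
    put_le32(le, addr);
    printf("jmp esp at 0x%08X -> payload bytes \\x%02x\\x%02x\\x%02x\\x%02x\n",
           addr, le[0], le[1], le[2], le[3]);
    return 0;
}
```

  The bad-byte filter is why real-world searches prefer modules loaded without ASLR at addresses such as 0x7Cxxxxxx: the address must survive the same string copy that overflows the buffer, which is also why the OWASP payload's 0x080483f9 works with gets() but an address containing 0x0A would not.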

  23. Alphanumeric Code • Machine code written to resemble ASCII or Unicode • Uses 0-9, A-Z, and a-z characters • Working machine code appears to be text • Requires a strong understanding of an architecture’s instruction set • Possible to write code to execute on more than one machine • Similar to Printable Code which uses all printable characters

  24. Metamorphic Code • Code that, when run, outputs a logically equivalent version of its own code under a different representation • Translates its binary code into an intermediate representation, mutates it, then emits new machine code • No part of the output needs to stay the same • Mutation can be performed in one of several ways • The mutated code accomplishes the same thing • May give a virus the capability to infect different operating systems or architectures • Differs from polymorphic code, which keeps a constant body and varies only its decryptor • Provides no protection against heuristic analysis

  25. Self-Modifying Code • Code that alters its own instructions while executing. • Usually used to improve performance • Can be applied to make a BOF attack harder to detect

  26. Return-to-libc • Usually starts with a BOF • Calls a pre-existing function instead of injected code • Replaces the return address on the call stack with that function's address • Overwrites the stack area above it with the function's parameters • No need to inject malicious code • libc is the most likely target, but the return could go anywhere • libc is almost always linked into the process • Provides many useful functions (e.g. system())

  27. Return-to-libc Mitigations • A non-executable stack does not stop it, since no injected code is ever executed • ASLR: • Makes success extremely unlikely on 64-bit machines • Provides little benefit on 32-bit machines, where too few address bits are randomized

  28. History behind BOF • A long one • Started in 1972: Computer Security Technology Planning Study • 1988: Morris Worm • 1996: Elias Levy (aka Aleph One) • Phrack Magazine – "Smashing the Stack for Fun and Profit" • 1997: Alexander Peslyak (aka Solar Designer) • Return-to-libc attack • 2001: Code Red Worm • 2003: SQL Slammer Worm • 2003+: Xbox Modchips, PS2 Independence Exploit, Wii Twilight Hack

  29. Recap • Buffer Overflow Attacks explained • What are they? • How are they accomplished? • Simple Example • Buffer Overflow Mitigations • Explanation • Pros and cons • Buffer Overflow Alternatives • History

  30. Bibliography
  • "Buffer Overflow." Wikipedia. Wikipedia, 25 2012. Web. 3 Dec 2012. <http://en.wikipedia.org/wiki/Buffer_overflow>.
  • "Buffer Overflow Attack." OWASP. OWASP, 7 2009. Web. 3 Dec 2012. <https://www.owasp.org/index.php/Buffer_overflow_attack>.
  • Ogorkiewicz, Maciej, and Piotr Frej. "Analysis Of Buffer Overflow Attacks." WindowSecurity.com, 8 2008. Web. 5 Dec 2012. <http://www.windowsecurity.com/articles/analysis_of_buffer_overflow_attacks.html>.

  31. Bibliography cont.
  • "Past, Present, and Future of Windows Exploitation." Abysssec Security Research. Web. 3 Dec 2012. <http://www.abysssec.com/blog/tag/buffer-overflow/>.
  • "Alphanumeric Code." Wikipedia. Wikipedia, 25 2012. Web. 3 Dec 2012. <http://en.wikipedia.org/wiki/Alphanumeric_code>.
  • "Metamorphic Code." Wikipedia. Wikipedia, 8 2012. Web. 3 Dec 2012. <http://en.wikipedia.org/wiki/Metamorphic_code>.

  32. Bibliography cont.
  • "Self-Modifying Code." Wikipedia. Wikipedia, 19 2012. Web. 3 Dec 2012. <http://en.wikipedia.org/wiki/Self-modifying_code>.
  • "Return-to-libc Attack." Wikipedia. Wikipedia, 12 2012. Web. 3 Dec 2012. <http://en.wikipedia.org/wiki/Return-to-libc_attack>.
