
Beyond stack smashing: recent advances in exploiting buffer overruns

Beyond stack smashing: recent advances in exploiting buffer overruns. Authors: J. Pincus and B. Baker, Microsoft. Published in IEEE Security & Privacy Magazine, 2004. Presenter: Jingfei Kong (04/06/2006). Overview: three new techniques beyond the traditional "stack smashing" attack.


Presentation Transcript


  1. Beyond stack smashing: recent advances in exploiting buffer overruns
     Authors: J. Pincus and B. Baker, Microsoft. Published in IEEE Security & Privacy Magazine, 2004. Presenter: Jingfei Kong (04/06/2006).

  2. Overview
     • Three new techniques beyond the traditional "stack smashing" attack

  3. A Result of the Rapid Growth in Size and Complexity of Software Systems

  4. Buffer Overflow – why?
     • No bounds checking for C/C++
     • C/C++
       • Type casting, pointer arithmetic
     • Other languages
       • Pascal
         • No type casting, no pointer arithmetic, and only same-type assignment

  5. Simple Buffer Overflow

  6. Launch Attacks
     • Step one: change the program's control flow
     • Step two: execute some code
     • One exception: security-critical variable data

  7. Stack Smashing

  8. Two important enhancements
     • Trampolining
       • pop/pop/…/ret
     • Transferring the code can be separated from the buffer overflow operation that modifies the control flow

  9. Arc Injection
     • Control flow transfer
     • Bypass
       • Non-executable stack
       • W^X mechanism

  10. Pointer Subterfuge
     • Modify a pointer's value

  11. Pointer Subterfuge (cont.) Bypass LibSafe

  12. Pointer Subterfuge (cont.) Bypass

  13. Pointer Subterfuge (cont.)
     • Structured Exception Handling
     • Virtual Function Table
     • In all, these are well-known structures at somewhat well-known locations

  14. Heap Smashing
     #define unlink(P, BK, FD) \
     { \
         BK = P->bk; \
         FD = P->fd; \
         FD->bk = BK; \
         BK->fd = FD; \
     }

  15. Heap Smashing (cont.)
     • Difficulty
       • Don't know the heap object's location
       • Difficult to predict operations on heap objects
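As an added, defender-side example that is not part of the slides or the paper: the unlink() macro from slide 14 written out as a function, beside the "safe unlinking" consistency check that later allocators added so that fd/bk links clobbered by a heap overrun are rejected before the two pointer writes happen. The struct chunk layout and the demo free list are constructed for this example.

```c
#include <stddef.h>

/* Doubly linked free-chunk node in the dlmalloc layout the slide's
 * unlink() macro operates on (constructed for this example). */
struct chunk {
    struct chunk *fd;   /* next free chunk */
    struct chunk *bk;   /* previous free chunk */
};

/* Same behaviour as the slide's macro: fd and bk are trusted, so the two
 * writes below go wherever an overrun left those pointers. */
void unlink_unchecked(struct chunk *p)
{
    struct chunk *bk = p->bk, *fd = p->fd;
    fd->bk = bk;
    bk->fd = fd;
}

/* "Safe unlinking" (glibc reports failures as "corrupted double-linked
 * list"): remove p only if both neighbours still point back at it.
 * Returns 0 on success, -1 if inconsistent (nothing is written). */
int unlink_checked(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Build head <-> a <-> b (circular). With corrupt_link, a.fd is left
 * pointing at a node that does not link back, the state an overrun of
 * the neighbouring chunk leaves behind. Returns unlink_checked's verdict,
 * or -2 if the list is wrong after an accepted unlink. */
int demo_unlink(int corrupt_link)
{
    static struct chunk head, a, b, stray;
    head.fd = &a; a.bk = &head;
    a.fd = &b;    b.bk = &a;
    b.fd = &head; head.bk = &b;
    stray.fd = stray.bk = NULL;      /* stray never points back at a */
    if (corrupt_link)
        a.fd = &stray;
    if (unlink_checked(&a) != 0)
        return -1;                   /* rejected: list left untouched */
    return (head.fd == &b && b.bk == &head) ? 0 : -2;
}
```

demo_unlink(0) returns 0 (intact list accepted and relinked); demo_unlink(1) returns -1 (tampered link refused before any write).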

  16. Twenty attack forms – from John Wilander et al.
     • Buffer overflow on the stack all the way to the target:
       (a) Return address
       (b) Old base pointer
       (c) Function pointer as local variable
       (d) Function pointer as parameter
       (e) Longjmp buffer as local variable
       (f) Longjmp buffer as function parameter
     • Buffer overflow on the heap/BSS/data all the way to the target:
       (a) Function pointer
       (b) Longjmp buffer

  17. Twenty attack forms (cont.)
     • Buffer overflow of a pointer on the stack and then pointing at target:
       (a) Return address
       (b) Base pointer
       (c) Function pointer as variable
       (d) Function pointer as function parameter
       (e) Longjmp buffer as variable
       (f) Longjmp buffer as function parameter
     • Buffer overflow of a pointer on the heap/BSS/data and then pointing at target:
       (a) Return address
       (b) Base pointer
       (c) Function pointer as variable
       (d) Function pointer as function parameter
       (e) Longjmp buffer as variable
       (f) Longjmp buffer as function parameter

  18. References
     • Aleph One, "Smashing The Stack For Fun And Profit", Phrack, http://www.phrack.org/
     • John Wilander and Mariam Kamkar, "A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention", NDSS'03
     • … more
