Buffer Overflow Prevention - Computer Science

Buffer Overflow Prevention
Presented to CRAB, April 27, 2004

Outline
- Buffer overflow review
- Prevention overview
- Randomized instruction sets
- Address randomization
- Solutions compared
- Conclusion

What is a Buffer Overflow?
Intent
- Arbitrary code execution: spawn a remote shell or infect with a worm/virus
- Denial of service
Steps
- Inject attack code into buffer
- Redirect control flow to attack code
- Execute attack code

Attack Possibilities
Targets
- Stack, heap, static area
- Parameter modification (non-pointer data), e.g., change the parameters of an existing call to exec()
- Injected code vs. existing code
- Absolute vs. relative address dependencies
Related attacks
- Integer overflows, double-frees
- Format-string attacks

Typical Address Space
[Figure: process layout from 0xFFFFFFFF down to 0x00000000: kernel space above 0xC0000000; the stack (argument 2, argument 1, return address, frame pointer, locals, buffer) growing down from 0xC0000000; shared library at 0x42000000; heap; bss; static data; code at 0x08048000. The attack overwrites the saved return address (RA) with the address of attack code placed in the buffer.]

Examples
(In)famous:
- Morris worm (1988): gets() in fingerd
- Code Red (2001): MS IIS .ida vulnerability
- Blaster (2003): MS DCOM RPC vulnerability
- MPlayer URL heap allocation (2004): % mplayer http://`perl e print \x1024;`

Preventing Buffer Overflows
Strategies
- Detect and remove vulnerabilities (best)
- Prevent code injection
- Detect code injection
- Prevent code execution
Stages of intervention
- Analyzing and compiling code
- Linking objects into executable
- Loading executable into memory
- Running executable

Preventing Buffer Overflows: techniques
- Splint: check array bounds and pointers
- Non-executable stack
- StackGuard: put canary before RA
- Libsafe: replace vulnerable library functions
- RAD: check RA against copy
- Analyze call trace for abnormality
- PointGuard: encrypt pointers
- Binary diversity: change code to slow worm propagation
- PaX: binary layout randomization by kernel
- Randomize system call numbers

Preventing Buffer Overflows
- Randomize code: Barrantes, Ackley, Forrest, Palmer, Stefanovic, Zovi. Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks. ACM CCS 2003.
- Randomize location of code/data: Bhatkar, DuVarney, Sekar. Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits. USENIX Security 2003.

Randomized Instruction Sets
- Threat: binary code injection from the network
- Goal: de-standardize each system in an externally unobservable way
- Solution:
  - Each program has a different and secret instruction set
  - Use a translator to randomize instructions at load time
- Limits: no defense against data-only modifications

RISE: loading binary
[Figure: the ELF binary file (code + data) is loaded through Valgrind/RISE; the code is combined with a per-process key and stored in memory as scrambled code, while the data is stored unchanged.]

RISE: executing code
[Figure: at execution time Valgrind/RISE combines the scrambled code with the key to recover the original code, which is what the hardware runs; data is passed through untouched.]

RISE: foreign code
[Figure: code injected from the network is stored unscrambled; descrambling it with the key yields garbage, and the hardware raises SIGILL.]

Complications
Shared libraries
- Usually code from libraries is shared among multiple processes
- RISE scrambles shared code, at increased memory expense
Protecting plaintext
- Descrambled code blocks are stored in a trace cache
- Make the cache read-only except when updating
Entanglement
- The emulator should not use the same libraries as the process being emulated
- Some libraries use dispatch tables stored in code

Performance
- 9 out of 14 attacks failed due to Valgrind itself
- The others were stopped by RISE
- RISE costs ~5% more than Valgrind (which is 4-50x slower than native)
- Keeping the key and the scrambled shared libs triples memory
- x86 opcode space is dense, so a random instruction might not be illegal
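The foreign-code slide and the opcode-density caveat above, as an added example (not RISE's code or anything from the paper): a toy three-opcode machine whose loader XOR-scrambles code with a per-process key, with execution descrambling each fetched byte. Unscrambled bytes, standing in for injected code, decode to an illegal opcode and fault; the last function counts how many keys still let such bytes run, which is the quantity a dense opcode space inflates.

```python
# Toy instruction set (constructed for this example, not RISE's real x86
# handling): opcode byte -> (mnemonic, immediate-byte count). Only 3 of the
# 256 byte values are legal, so this opcode space is sparse, unlike x86's.
ISA = {0x10: ("push", 1), 0x20: ("add", 0), 0x30: ("halt", 0)}

class Fault(Exception):
    """Stands in for the SIGILL/SIGSEGV a process takes on bad code."""

def scramble(code: bytes, key: bytes) -> bytes:
    """Load-time step: XOR every code byte with the per-process key stream."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(code))

def run(memory: bytes, key: bytes, max_steps: int = 64) -> list:
    """Execution step: each fetched byte is descrambled with the key before
    dispatch, so bytes that bypassed the loader decode to noise."""
    stack, pc = [], 0
    try:
        for _ in range(max_steps):
            op = memory[pc] ^ key[pc % len(key)]
            if op not in ISA:
                raise Fault(f"illegal opcode 0x{op:02x} at {pc}")
            name, nimm = ISA[op]
            if name == "push":
                stack.append(memory[pc + 1] ^ key[(pc + 1) % len(key)])
            elif name == "add":
                if len(stack) < 2:
                    raise Fault("stack underflow")
                b, a = stack.pop(), stack.pop()
                stack.append((a + b) & 0xFF)
            else:  # halt
                return stack
            pc += 1 + nimm
    except IndexError:
        raise Fault("ran off the end of code")
    raise Fault("step limit reached")

# Constructed program: push 2, push 3, add, halt  ->  stack [5]
PROGRAM = bytes([0x10, 0x02, 0x10, 0x03, 0x20, 0x30])

def keys_letting_foreign_code_run(code: bytes = PROGRAM) -> int:
    """Single-byte keys under which unscrambled code runs without a fault."""
    count = 0
    for k in range(256):
        try:
            run(code, bytes([k]))
            count += 1
        except Fault:
            pass
    return count
```

With this sparse ISA only 2 of the 256 keys let the unscrambled program run (the identity key and one that decodes the first byte as halt); adding legal opcodes raises that count, which is the dense-x86 problem the slide notes.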

RISE: locations of crash
[Figure: histogram of the percentage of runs against the offset from the start address to the failure location; the labelled bars are 25% and 6%.]

Address Randomization
- Threat: memory error exploits
- Goal: remove predictability from memory access
- Solution:
  - Relocate memory regions
  - Permute the order of variables and code
  - Introduce random gaps between objects
- Limits: not all are easy to implement with common ABIs at load time

Randomizing Obfuscations: randomize base addresses of memory regions
- Stack: subtract a large value
- Heap: allocate a large block
- DLLs: link with a dummy lib
- Code/static data: convert to a shared lib, or re-link at a different address
- Makes absolute-address-dependent attacks harder
[Figure: address-space layout with kernel space, stack, shared library, heap, bss, static data, code.]

Randomizing Obfuscations: permute the order of variables / routines
- Local variables in stack frame
- Order of static variables
- Order of routines in DLLs or executable
- Makes relative-address-dependent attacks harder
- Not implemented by authors

Randomizing Obfuscations: introduce random gaps between objects
- Randomly pad stack frames (between frame pointer and local variables)
- Randomly pad successive malloc() calls
- Randomly pad between static variables
- Add gaps inside routines and jumps to skip them
- Helps randomize objects which must maintain relative order
- First two are implemented by authors
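The base-address shift and frame padding above modelled as a guessing game (added example with constructed numbers, not the authors' implementation): each attempt hits only if a hard-coded address matches the fresh randomization after the crash-and-restart, and the last two functions turn an entropy figure into the attempt count needed for P(success) = 0.5 and back.

```python
import math
import random

# Constructed model (not the authors' implementation) of two obfuscations
# above: the stack base is moved down by a large random value and every frame
# gets a random pad between the frame pointer and its locals. A hard-coded
# return address hits only if both random choices are guessed.
PAGE = 4096

def randomized_buffer_address(rng, base=0xC0000000, shift_bits=12, pad_bits=8):
    """Where a vulnerable buffer lands for one run of the program."""
    shift = rng.getrandbits(shift_bits) * PAGE   # base-address randomization
    pad = rng.getrandbits(pad_bits) * 4          # random gap inside the frame
    return base - shift - pad

def attempts_until_hit(rng, guess, max_attempts=1 << 20, **layout):
    """Attacker reuses one address; each miss crashes the target, which
    restarts with fresh randomization. Returns the attempt number that hit."""
    for n in range(1, max_attempts + 1):
        if randomized_buffer_address(rng, **layout) == guess:
            return n
    return max_attempts

def median_attempts(seed, shift_bits, pad_bits, trials=101):
    """Empirical median number of restarts needed (small entropy keeps it fast)."""
    rng = random.Random(seed)
    layout = dict(shift_bits=shift_bits, pad_bits=pad_bits)
    guess = randomized_buffer_address(rng, **layout)  # what the attacker saw once
    runs = sorted(attempts_until_hit(rng, guess, **layout) for _ in range(trials))
    return runs[trials // 2]

def attempts_for_success_probability(entropy_bits, target=0.5):
    """Restarts k at which P(at least one hit) = 1 - (1 - 2^-bits)^k reaches target."""
    p = 2.0 ** -entropy_bits
    return math.ceil(math.log(1 - target) / math.log(1 - p))

def effective_entropy_bits(attempts, target=0.5):
    """Inverse question: how much randomness does a quoted attempt count imply?"""
    p = 1 - (1 - target) ** (1 / attempts)
    return math.log2(1 / p)

if __name__ == "__main__":
    print("median restarts at 10 bits:", median_attempts(1, 6, 4))
    print("restarts for P=0.5 at 12 bits:", attempts_for_success_probability(12))
    print("bits implied by ~3000 restarts:", round(effective_entropy_bits(3000), 1))
```

Under this model the ~3000 attempts for P(success) = 0.5 quoted on the performance slide that follows corresponds to roughly 12 bits of effective randomness against a fixed guess.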

Performance
- A probabilistic approach, increasing the attacker's expected work
- Each failed attempt results in a crash; at restart, the randomization is different
- ~3000 attempts for P(success) = 0.5
- 0-21% overhead on execution time
- Limited protection for:
  - Modifications within heap-allocated blocks
  - Overflows of adjacent data within a stack frame or static variables

Comparison
[Table of RISE and address obfuscation against attack classes; only the RISE row marks survived extraction.]

Conclusion
Common weaknesses:
- Overflows onto adjacent data
- Read/write attacks
- Double-pointer attacks
Lack of information at runtime:
- Distinguishing pointers from non-pointers
- Determining sizes of data objects
- Distinguishing code from data
Static analysis + link- and load-time randomization can be very effective (for now)

References

- Barrantes, Ackley, Forrest, Palmer, Stefanovic, Zovi. Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks. ACM CCS 2003.
- Bhatkar, DuVarney, Sekar. Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits. USENIX Security 2003.
- Cowan, Beattie, Johansen, Wagle. PointGuard: Protecting Pointers From Buffer Overflow Vulnerabilities. USENIX Security 2003.
- Wilander, Kamkar. A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention. NDSS 2003.
