
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade




  1. Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade
  Crispin Cowan, SANS 2000

  2. Buffer Overflows
  • Inject and execute attack code at the privilege of the vulnerable program.
  • “exec(/bin/sh)”

  3. Inject Code
  • On the stack (automatic variables)
  • On the heap (malloc’d variables)
  • In static data areas
  • Code does not need to be in the overflowing buffer.

  4. Use Code Already There
  • “exec(arg)” by making arg point to “/bin/sh”

  5. Jump to Attacker’s Code
  • Activation record: overflow into the return address on the stack and make it point at the code.
  • Function pointers: overflow into “void (*foo())()” and make it point at the code.

  6. Buffer Overflow Defenses
  • Writing correct code
    • Vulnerable programs continue to emerge on a regular basis.
    • C has many error-prone idioms and a culture that favors performance over correctness.
  • Static analysis tools
    • Fortify looks for vulnerable constructs.
    • Too many false positives.

  7. Buffer Overflow Defenses
  • Non-executable buffers
    • Non-executable data segments: optimizing compilers emit code into program data segments.
    • Non-executable stack segments: highly effective against code injection on the stack, but not against code injection on the heap or in static variables.

  8. Buffer Overflow Defenses
  • Array bounds checking
    • Can run 12x-30x slower.
    • a[3] is checked but *(a+3) is not.

  9. Buffer Overflow Defenses
  • Type-safe languages: Java or ML
    • There are millions of lines of C code in operating systems and security system applications.
    • Attack the Java Virtual Machine, which is a C program.

  10. Canary
  • Terminator canary: 0 (null), CR, LF, -1 (EOF)
  • Random canary: 32-bit random number
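The two canary types on this slide, as an added example that is not part of Cowan's deck: a C model of the StackGuard check in which a struct stands in for the stack frame (so every write stays inside one object and the program is well-defined C). The frame layout, the `RET_SENTINEL` stand-in for a saved return address, the "random" canary bytes and all function names are constructed for the demo.

```c
/* Added example, not from the slides: a software model of the StackGuard canary
 * check. A struct stands in for the stack frame so every write stays inside one
 * object and the program is well-defined C; names and values are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_LEN 16
#define RET_SENTINEL 0x12345678u   /* stand-in for a saved return address */

/* Terminator canary as laid out in memory: NUL, CR, LF, EOF (-1). */
static const unsigned char TERMINATOR[4] = { 0x00, 0x0D, 0x0A, 0xFF };
/* Constructed "random" canary; StackGuard draws a fresh one per process. */
static const unsigned char RANDOM_CANARY[4] = { 0x9A, 0x31, 0xC4, 0x5E };

struct guarded_frame {
    char          buf[BUF_LEN];  /* the overflowable local array */
    unsigned char canary[4];     /* planted between buf and what it guards */
    uint32_t      saved_ret;     /* what the canary protects */
};

enum outcome { INTACT = 0, CANARY_CLOBBERED = 1, RET_CLOBBERED = 2 };

/* Prologue: plant the canary. */
static void frame_init(struct guarded_frame *f, const unsigned char canary[4]) {
    memset(f->buf, 0, BUF_LEN);
    memcpy(f->canary, canary, 4);
    f->saved_ret = RET_SENTINEL;
}

/* Epilogue: check the canary before trusting saved_ret. */
static enum outcome frame_check(const struct guarded_frame *f,
                                const unsigned char canary[4]) {
    if (memcmp(f->canary, canary, 4) != 0) return CANARY_CLOBBERED;
    if (f->saved_ret != RET_SENTINEL)     return RET_CLOBBERED;
    return INTACT;
}

/* Model of strcpy(f->buf, src): copies through the NUL with no idea where
 * buf ends, but confined to sizeof *f so the demo never leaves the object. */
static void strcpy_into_frame(struct guarded_frame *f, const char *src) {
    unsigned char *dst = (unsigned char *)f;
    size_t i = 0;
    do {
        if (i >= sizeof *f) return;
        dst[i] = (unsigned char)src[i];
    } while (src[i++] != '\0');
}

/* Model of memcpy(f->buf, data, n): a length-driven copy, as from read(). */
static void memcpy_into_frame(struct guarded_frame *f,
                              const unsigned char *data, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, data, n);
}

/* String copy into a guarded frame; returns what the epilogue check sees. */
enum outcome string_copy_outcome(const unsigned char canary[4], const char *src) {
    struct guarded_frame f;
    frame_init(&f, canary);
    strcpy_into_frame(&f, src);
    return frame_check(&f, canary);
}

/* Binary copy into a guarded frame; returns what the epilogue check sees. */
enum outcome binary_copy_outcome(const unsigned char canary[4],
                                 const unsigned char *data, size_t n) {
    struct guarded_frame f;
    frame_init(&f, canary);
    memcpy_into_frame(&f, data, n);
    return frame_check(&f, canary);
}

/* Constructed 24-byte binary input: fills buf, carries the terminator bytes
 * verbatim over the canary slot, then reaches saved_ret. */
void build_binary_input(unsigned char out[24]) {
    memset(out, 'A', BUF_LEN);
    memcpy(out + BUF_LEN, TERMINATOR, 4);
    memset(out + BUF_LEN + 4, 'B', 4);
}

int main(void) {
    unsigned char raw[24];
    build_binary_input(raw);
    printf("fits, terminator:      %d\n", string_copy_outcome(TERMINATOR, "hello"));
    printf("16 chars, terminator:  %d\n", string_copy_outcome(TERMINATOR, "AAAAAAAAAAAAAAAA"));
    printf("24 chars, terminator:  %d\n", string_copy_outcome(TERMINATOR, "AAAAAAAAAAAAAAAAAAAAAAAA"));
    printf("binary, terminator:    %d\n", binary_copy_outcome(TERMINATOR, raw, sizeof raw));
    printf("binary, random canary: %d\n", binary_copy_outcome(RANDOM_CANARY, raw, sizeof raw));
    return 0;
}
```

The outcomes show what each canary buys. A string copy can write at most one NUL past the buffer, and that byte already matches the terminator canary's first byte, so a str* overflow is either stopped at the canary or caught by it and never reaches `saved_ret`. A length-driven copy is not stopped by a NUL; it can carry the four known terminator bytes and still reach `saved_ret`, which is exactly the case the per-process random canary catches, since the copy cannot reproduce a value the process chose at start-up.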

  11. StackGuard Compiler
  • Recompiled Linux.
  • Prevented old and new attacks.
  • Execution cost of SSH and Apache was indistinguishable.

  12. StackGuard Compiler
  • Performance
    • Pointer dereferencing occurs much less often than array references.
    • No bounds-checking compiler comes close to the compatibility and performance of the StackGuard compiler.

  13. PointGuard Compiler
  • Put a canary next to function pointers as well.
  • Only the relatively obscure form of buffer overflow attack that corrupts non-pointer variables to affect the program’s logic will escape PointGuard (Morris worm).
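The function-pointer protection on this slide, as an added example that is not Cowan's code or the PointGuard compiler's: a C model of the PointGuard idea in which a stored pointer is XOR-ed with a per-process secret and decoded only at the point of use. The key value, the `handler` struct, `legit_op` and all function names are constructed; the real compiler does this in generated code rather than by hand.

```c
/* Added example, not from the slides: a model of the PointGuard idea. A pointer
 * is stored XOR-ed with a per-process secret and decoded only when used, so a
 * value written over it by an overflow (which bypasses the encoder) decodes to
 * an unpredictable address. Key, names and the handler struct are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef int (*op_fn)(int);

/* Constructed key; PointGuard would draw it at process start. */
static const uintptr_t PG_KEY = (uintptr_t)0x5A3C96F0u;

static uintptr_t pg_encode(op_fn p)     { return (uintptr_t)p ^ PG_KEY; }
static op_fn     pg_decode(uintptr_t e) { return (op_fn)(e ^ PG_KEY); }

static int legit_op(int x) { return x * 2; }

/* An object whose encoded function pointer sits right after a buffer. */
struct handler {
    char      name[16];
    uintptr_t op;     /* PointGuard-encoded pointer, never stored raw */
};

static void handler_init(struct handler *h, const char *name, op_fn fn) {
    memset(h->name, 0, sizeof h->name);
    strncpy(h->name, name, sizeof h->name - 1);
    h->op = pg_encode(fn);
}

/* What a PointGuard-compiled call site does: decode, then use. The demo only
 * compares the decoded value with the legitimate target; it never calls an
 * untrusted pointer. Returns 1 if the pointer still names legit_op. */
int points_at_legit(const struct handler *h) {
    return pg_decode(h->op) == legit_op;
}

/* Model the overflow: the raw (unencoded) bytes of an address land in h->op.
 * Confined to the struct so the demo stays defined C. */
static void overwrite_op_raw(struct handler *h, op_fn target) {
    uintptr_t raw = (uintptr_t)target;
    unsigned char data[sizeof h->name + sizeof raw];
    memset(data, 'A', sizeof h->name);
    memcpy(data + sizeof h->name, &raw, sizeof raw);
    memcpy(h, data, sizeof data);
}

int demo_intact(void) {
    struct handler h;
    handler_init(&h, "double", legit_op);
    return points_at_legit(&h);           /* 1: decodes back to legit_op */
}

int demo_corrupted(void) {
    struct handler h;
    handler_init(&h, "double", legit_op);
    overwrite_op_raw(&h, legit_op);       /* even the right address, written raw */
    return points_at_legit(&h);           /* 0: decode XORs it with the key */
}

int main(void) {
    printf("intact: %d, after raw overwrite: %d\n", demo_intact(), demo_corrupted());
    return 0;
}
```

The corrupted case deliberately writes the address of the legitimate function: because the bytes arrive without passing through `pg_encode`, the decode step XORs them with the key and the result no longer names any intended target. That is the whole mechanism, and it also shows the slide's caveat, since a non-pointer field such as `name` is copied through unchanged.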

  14. Conclusion
  • Use a safer library: Strsafe.h
  • Visual C++ .NET /GS option, similar to StackGuard
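The "safer library" recommendation on this slide, as an added example that is neither Cowan's code nor Microsoft's strsafe.h: a portable C function with the contract that StringCchCopy gives (the destination is always NUL-terminated, truncation is reported rather than silent, and a zero-size destination is rejected) shown beside the strncpy idiom it replaces. The function and status names are constructed.

```c
/* Added example, not from the slides or from strsafe.h: a portable copy with the
 * StringCchCopy contract, beside the strncpy idiom it replaces. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum copy_status { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BADARG = 2 };

/* Copy src into dst[dst_cap]. dst is always NUL-terminated on return unless
 * the arguments are unusable; truncation is reported, never silent. */
enum copy_status safe_strcpy(char *dst, size_t dst_cap, const char *src) {
    size_t n;
    if (dst == NULL || src == NULL || dst_cap == 0) return COPY_BADARG;
    n = strlen(src);
    if (n >= dst_cap) {               /* does not fit together with its NUL */
        memcpy(dst, src, dst_cap - 1);
        dst[dst_cap - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, n + 1);
    return COPY_OK;
}

/* The idiom it replaces: strncpy pads short strings but writes no terminator
 * when src fills dst, so a later strlen/printf runs off the end.
 * Returns 1 if dst is terminated after the copy, 0 if not. */
int strncpy_terminates(char *dst, size_t dst_cap, const char *src) {
    strncpy(dst, src, dst_cap);
    return memchr(dst, '\0', dst_cap) != NULL;
}

int main(void) {
    char small[8];                         /* constructed 8-byte destination */
    enum copy_status st = safe_strcpy(small, sizeof small, "0123456789");
    printf("safe_strcpy: status %d, dst \"%s\"\n", st, small);
    printf("strncpy terminated: short=%d, long=%d\n",
           strncpy_terminates(small, sizeof small, "hi"),
           strncpy_terminates(small, sizeof small, "0123456789"));
    return 0;
}
```

The status code is what makes the replacement safer in practice: callers can decide whether a truncated name or path is acceptable, whereas strncpy hands back a buffer that may not be a string at all.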
