
Methods of Protecting the Stack Overflow Vulnerability

Methods of Protecting the Stack Overflow Vulnerability. Aiman Rasheed Department: ICS KFUPM, Dhahran, KSA May 4, 2004. Agenda. Introduction What are Buffer Overflows? How Severe are Buffer Overflows Recent Buffer Overflow Vulnerabilities Most Severe Buffer Overflow Vulnerabilities


Presentation Transcript


  1. Methods of Protecting the Stack Overflow Vulnerability Aiman Rasheed Department: ICS KFUPM, Dhahran, KSA May 4, 2004

  2. Agenda • Introduction • What are Buffer Overflows? • How Severe are Buffer Overflows • Recent Buffer Overflow Vulnerabilities • Most Severe Buffer Overflow Vulnerabilities • Requirements to Launch an Attack • Attack Goals • Attack Targets • Benefits an Attacker may get • Protection Mechanism • Solutions Based Taxonomy • Proposed Strategy • Conclusion

  3. Introduction • Operations happening at Function Call • Stack Structure

  4. Introduction • Operations happening at a Function Call • The function’s parameters are saved onto the stack • The caller’s registers are also saved onto the stack • The return address is saved onto the stack • Execution is transferred to the called function • Once the function completes its task, it jumps back to the return address saved on the stack

  5. Introduction • Stack Structure

  6. What are Buffer Overflows? • The source data is larger than the destination buffer while copying • No check is made against the data limit (figure: SRC copied into a smaller DST)

  7. What are Buffer Overflows? • A simple example:

     #include <string.h>

     void myFunction(char *str);

     int main(void) {
         char bufferA[256];          /* 256-byte source */
         myFunction(bufferA);
         return 0;
     }

     void myFunction(char *str) {
         char bufferB[16];           /* 16-byte destination */
         strcpy(bufferB, str);       /* no length check: copies until the NUL in str */
     }

  8. Attack Example (the classic stack-smashing demonstration; it assumes a 32-bit machine where a long and a pointer are both 4 bytes, as on the systems of the time)

     #include <string.h>

     char shellcode[] =
         "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
         "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
         "\x80\xe8\xdc\xff\xff\xff/bin/sh";

     char large_string[128];

     int main(void) {
         char buffer[96];
         int i;
         long *long_ptr = (long *) large_string;

         /* fill large_string with the address of buffer (32 x 4 bytes = 128) */
         for (i = 0; i < 32; i++)
             *(long_ptr + i) = (int) buffer;

         /* place the shellcode at the start of large_string */
         for (i = 0; i < strlen(shellcode); i++)
             large_string[i] = shellcode[i];

         /* 128 bytes copied into a 96-byte buffer with no bounds check */
         strcpy(buffer, large_string);
         return 0;
     }

  9. Example

  10. Example

  11. How Severe are Buffer Overflows

  12. Recent Vulnerabilities

  13. Most Severe Vulnerabilities

  14. Requirements to Launch an Attack • The size of the buffer must be determined • The attacker must be able to control the data written into the buffer • There must be security-sensitive variables or executable program instructions stored below the buffer on the stack

  15. Attack Goal • Insert malicious code, also known as ‘Code Injection’ • Change the execution path of a program

  16. Attack Targets • Return Address • Overwriting the Return Address of a function with that of the attack code • Function Pointer • Overwriting the Function Pointer with the address of the attack code

  17. Benefits an Attacker may get! • Change privilege from normal user to super user • Launch DoS (Denial of Service) attacks • Crash an application, or cause it to give incorrect results • Launch any malicious code useful to the attacker • Get remote control of the machine • Corrupt an application so that it discloses confidential information

  18. Protection Mechanism • Static Approaches • Require analysis of the source code to detect and remove vulnerabilities • Dynamic Approaches • Run-time preventive measures

  19. Protection Mechanism • Static Approaches • Need an updated database of programming flaws to test for • Need source code recompilation for updated applications • Existing vulnerable libraries need to be recompiled as well • Useful for applications that are being developed

  20. Protection Mechanism • Dynamic Approaches • Need a database of known attacks • No need to recompile source code or libraries • Can be applied to legacy systems

  21. Protection Mechanism

  22. Solution Based Taxonomy • Return Address Protection • Canary Insertion • Guard Value • Return Address Repository • Access Violation Probing • Code Segment Boundary Checking • Run-time Memory Access Checking • Bounds Checking • Array Bounds Checking • Source to Source Transformation

  23. Solution Based Taxonomy • Return Address Protection • Canary Insertion • A dummy value between the previous frame pointer and the return address • Upon returning, if the Canary has been tampered with, a buffer overflow is detected (figure, stack from top: Arguments, Return Address, Canary, Prev. frame pointer, Local variables)

  24. Solution Based Taxonomy • Return Address Protection • Canary Insertion, some ways to circumvent it • Keep the Canary intact by overwriting it with the same value • Jump over it using an abused pointer • Counter solutions • Random Canary • Terminator Canary: NULL character, -1, carriage return, line feed, etc.
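The canary check of slides 23 and 24 worked through in a simulated frame, as an added example that is not part of the original presentation. The frame is a constructed struct laid out as on slide 23 (buffer, canary, previous frame pointer, return address), the copy models strcpy, and the two canary constants and the placeholder addresses are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

#define BUF_SZ 16
#define CANARY_SZ 4

/* Modelled stack frame, lowest address first, in the order the slide shows:
 * local buffer, canary, previous frame pointer, return address. It is a
 * constructed struct, not a real compiler frame, so the overflow below stays
 * inside memory this program owns. */
typedef struct {
    uint8_t  buffer[BUF_SZ];
    uint8_t  canary[CANARY_SZ];
    uint32_t saved_fp;
    uint32_t ret_addr;
} frame_t;

static const uint8_t FIXED_CANARY[CANARY_SZ]      = { 'A', 'A', 'A', 'A' };
static const uint8_t TERMINATOR_CANARY[CANARY_SZ] = { 0x00, 0x0d, 0x0a, 0xff };

static void frame_init(frame_t *f, const uint8_t canary[CANARY_SZ]) {
    memset(f->buffer, 0, BUF_SZ);
    memcpy(f->canary, canary, CANARY_SZ);
    f->saved_fp = 0xbffff000u;   /* constructed placeholder values */
    f->ret_addr = 0x08048400u;
}

/* strcpy-like copy into the local buffer: no bound, stops only at the NUL.
 * Clamped to the frame so the simulation never writes outside it. */
static void unchecked_copy(frame_t *f, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy(f, src, n);
}

/* Epilogue check from the slide: 1 if the canary still matches, 0 if it
 * was tampered with (overflow detected before the return executes). */
static int canary_intact(const frame_t *f, const uint8_t expected[CANARY_SZ]) {
    return memcmp(f->canary, expected, CANARY_SZ) == 0;
}

/* One copy into a fresh frame guarded by the given canary; returns the
 * epilogue verdict. */
static int simulate(const char *input, const uint8_t canary[CANARY_SZ]) {
    frame_t f;
    frame_init(&f, canary);
    unchecked_copy(&f, input);
    return canary_intact(&f, canary);
}
```

With the fixed canary, 24 bytes of 'A' overwrite the canary with its own value and the check passes even though the saved frame pointer is already corrupted; the terminator canary's leading NUL byte cannot be reproduced by a string copy, so the same input is caught, and a copy of exactly 16 bytes (whose NUL lands on the canary's first byte) is correctly left alone.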

  25. Solution Based Taxonomy • Return Address Protection • Guard Value • Similar to the Canary value • Rearrangement of the stack contents, i.e. character buffers are placed before all other variables and just after the Guard value

  26. Solution Based Taxonomy • Return Address Protection • Return Address Repository • At every function call a new stack frame is created and a copy of the return address is saved • When the function returns: • The copy of the Return Address is retrieved • The retrieved copy is compared with the Return Address • Examples: StackGuard, ProPolice, Libverify, etc.

  27. Solution Based Taxonomy • Access Violation Probing • Code Segment Boundary Checking • Ensures, before executing any code, that it belongs to the code segment • A global variable is stored in the data segment and its address is taken as the boundary value • Any reference outside this boundary value is taken as malicious activity • Example: StackShield

  28. Solution Based Taxonomy • Access Violation Probing • Run-time Memory Access Checking • Concerns incorrect reads and/or writes to memory locations • Referring to a block of memory that has already been de-allocated • Examples: Valgrind, Cyclone, Purify, etc.

  29. Solution Based Taxonomy • Bounds Checking • Array Bounds Checking • A useful technique for protection against code injection attacks • Needs manual checking to look for illegal buffer assignments • Array limits are kept for checking

  30. Solution Based Taxonomy • Bounds Checking • Source to Source Transformation • Used to detect unsafe string operations • Programs are instrumented with additional variables • The instrumented variables describe string attributes • Such variables are checked statically • Space complexity is increased • Good for small-scale applications
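Slides 29 and 30 together, shown on the slide 7 example: the bounds-checked copy below is an added example, not code from the presentation or from any transformation tool. The istr_t attributes (allocated size and length), the istr_* helpers and the run() driver are constructed for this example; bufferA, bufferB and myFunction keep the sizes from slide 7.

```c
#include <string.h>
/* Instrumented string: the buffer plus the extra attributes a source-to-source
 * transformation would add beside it, here the allocated size and current
 * length. A constructed model for this example, not any tool's output. */
typedef struct {
    char   *data;
    size_t  alloc;   /* bytes allocated, including room for the NUL */
    size_t  len;     /* bytes in use, excluding the NUL */
} istr_t;

/* Attach attributes to an existing char array and make it an empty string. */
static istr_t istr_wrap(char *buf, size_t alloc) {
    istr_t s;
    s.data = buf; s.alloc = alloc; s.len = 0;
    if (alloc) buf[0] = '\0';
    return s;
}

/* Bounds-checked replacement for the strcpy(dst, src) of slide 7: returns -1
 * and leaves dst untouched when src does not fit, 0 when it was copied. */
static int istr_copy(istr_t *dst, const istr_t *src) {
    if (src->len + 1 > dst->alloc) return -1;   /* would overflow: refuse */
    memcpy(dst->data, src->data, src->len + 1);
    dst->len = src->len;
    return 0;
}
/* The same check applied when loading a C string (e.g. input) into a buffer. */
static int istr_set(istr_t *s, const char *text) {
    size_t n = strlen(text);
    if (n + 1 > s->alloc) return -1;
    memcpy(s->data, text, n + 1);
    s->len = n;
    return 0;
}

/* The slide's myFunction after transformation: bufferB keeps its 16 bytes,
 * but the copy is now checked against the attributes. */
static int myFunction(const istr_t *str) {
    char bufferB[16];
    istr_t b = istr_wrap(bufferB, sizeof bufferB);
    return istr_copy(&b, str);   /* 0 = copied, -1 = overflow refused */
}

/* The slide's main, with bufferA filled from input instead of left
 * uninitialised. Returns myFunction's verdict. */
static int run(const char *input) {
    char bufferA[256];
    istr_t a = istr_wrap(bufferA, sizeof bufferA);
    if (istr_set(&a, input) != 0) return -1;   /* does not even fit bufferA */
    return myFunction(&a);
}
```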

  31. Proposed Strategy • Memory Mirror • A bit acting as a mirror for every memory location • The bit corresponding to the memory location containing the return address is set • Overwriting of the return address is prevented because the bit is already set • It works as an atomic mutex

  32. Proposed Strategy
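The Memory Mirror of slides 31 and 32 simulated in software, as an added example that is not part of the original presentation: memory is a word array, the mirror is one bit per word, the prologue sets the bit of the word holding the return address, and an overflowing copy is stopped at that word. The word layout, the filler value and the return address are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
#define MEM_WORDS 64

/* Word-addressed memory and its mirror, one bit per word: a constructed
 * software model of the slide's Memory Mirror (a real one would need
 * hardware or kernel support, not a C array). */
static uint32_t mem[MEM_WORDS];
static uint8_t  mirror[(MEM_WORDS + 7) / 8];
static uint32_t observed_ret;   /* return address seen at the last epilogue */
static int  mirror_get(size_t w) { return (mirror[w / 8] >> (w % 8)) & 1; }
static void mirror_set(size_t w, int on) {
    uint8_t bit = (uint8_t)(1u << (w % 8));
    if (on) mirror[w / 8] |= bit; else mirror[w / 8] &= (uint8_t)~bit;
}
/* Every ordinary store goes through here: a set mirror bit makes the word
 * read-only, so the store is refused (-1) instead of silently landing. */
static int mirrored_store(size_t w, uint32_t val) {
    if (w >= MEM_WORDS || mirror_get(w)) return -1;
    mem[w] = val;
    return 0;
}
/* Prologue saves the return address and then sets its bit; the epilogue
 * clears the bit and hands the (still intact) address back. */
static void call_prologue(size_t slot, uint32_t ret) { mem[slot] = ret; mirror_set(slot, 1); }
static uint32_t call_epilogue(size_t slot) { mirror_set(slot, 0); return mem[slot]; }
/* Unbounded copy of n words into memory at base, i.e. an overflow running
 * upward toward the saved return address. Returns the number of words
 * written before a refused store stopped it. */
static size_t overflowing_copy(size_t base, const uint32_t *src, size_t n) {
    size_t i;
    for (i = 0; i < n; i++)
        if (mirrored_store(base + i, src[i]) != 0) break;
    return i;
}

/* Scenario: 4-word buffer at words 10..13, saved frame pointer at 14, return
 * address at 15; 8 words of filler are copied into the buffer. Returns the
 * words written and records in observed_ret the address seen at return. */
static size_t run_scenario(void) {
    uint32_t filler[8];
    size_t i, written;
    for (i = 0; i < 8; i++) filler[i] = 0x41414141u;   /* constructed filler */
    memset(mem, 0, sizeof mem);
    memset(mirror, 0, sizeof mirror);
    call_prologue(15, 0x08048400u);                     /* constructed address */
    written = overflowing_copy(10, filler, 8);
    observed_ret = call_epilogue(15);
    return written;
}
```

The copy reaches words 10 to 14 (the buffer and the saved frame pointer, which the mirror as described does not cover) and is refused at word 15, so the return address handed back at the epilogue is unchanged; a refused store is also the point at which a real implementation would raise a fault.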

  33. Conclusion • In today’s computing environment, one of the most common ways of breaching system security is the Buffer Overflow • The two basic approaches are Static and Dynamic • Overlapping solutions can be categorized as Return Address Protection, Access Violation Probing and Bounds Checking • Performance criteria decide whether a solution is used as a debugging tool or in a normal application • A Memory Mirror approach is presented to enhance the security of a system

  34. Special Thanks Dr. Khalid Salah & Syed Zeeshan Muzaffar

  35. Thank You

  36. Q & A
