1 / 14

Libsafe for Windows

Libsafe for Windows. Shuo Chen Mentor: Timothy K. Tsai Avaya Labs Aug. 16, 2001. Background: Libsafe for Linux. Released in April 2000, Libsafe has gained popularity in the Linux community. Libsafe is very easy to install. Once installed, Libsafe does its job transparently.

oshin
Download Presentation

Libsafe for Windows

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Libsafe for Windows Shuo Chen Mentor: Timothy K. Tsai Avaya Labs Aug. 16, 2001

  2. Background: Libsafe for Linux • Released in April 2000, Libsafe has gained popularity in the Linux community. • Libsafe is very easy to install. Once installed, Libsafe does its job transparently. • Libsafe does not need access to the source code of the program to be protected. • Libsafe protection is system-wide. Libsafe automatically attaches to applications. • Libsafe incurs only a slight overhead.

  3. Motivation for porting Libsafe to Windows • Windows is also susceptible to buffer overflow attacks. • Windows is also susceptible to buffer overflow attacks. • Unchecked string functions are still widely used in Windows system DLLs and applications. • Unchecked string functions are still widely used in Windows system DLLs and applications. From 1999 to 2001, there were 54 buffer overflow bugs reported to SecurityFocus.com for Microsoft products running on Windows. Eleven of them were reported between Jan. 2001 and August 2001. Our investigation reveals that: 1) 63% of executables and DLLs are still using unchecked string functions. 2) 83% of services are still using unchecked string functions.

  4. Magic of Microsoft Detours • Runtime insertion of the detour function and trampoline functions between source function and target function.

  5. Sample exploit program Buffer (80 bytes) fp ra Attack code g & a b r u b f a f g e e r void foo(char * input_string) { char buffer[80]; strcpy(buffer,input_string); return; } /*input_string = attack code+garbage+&buffer total length = 88 bytes */ A vulnerable program running without Libsafe

  6. Sample exploit program(cont.) Buffer (80 bytes) fp ra void foo(char * input_string) { char buffer[80]; strcpy(buffer,input_string); return; }/*len(input_string)=88 bytes*/ char * libsafeStrcpy( char *dest, const char * src) { if (src is longer than max_size) report the event; else return strcpy(dest,src); } max_size=80 A vulnerable program running with Libsafe

  7. Real exploit: vCard buffer overflow • When a .vcf file contains a long BDAY string, a buffer in Windows Address Book (wab.exe) will overflow. BEGIN:VCARD VERSION:2.1 N:Chen;Shuo FN:Shuo Chen BDAY:19750317AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA EMAIL;PREF;INTERNET:shuochen@avaya.com REV:20010619T141800Z END:VCARD

  8. Real exploit: Netscape Smartdownload 1.3 buffer overflow • A component for URL parsing has an unchecked buffer. <HTML><BODY> This is a test.<P> <A HREF="http://www.yahoo.com/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zip" onMouseOver="window.status='I am friendly'; return true">Crash Me</A><P> End test. </BODY></HTML>

  9. Real exploit: FrontPage Server Extension sub-component buffer overflow vulnerability When we make the following request: $ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x258'` we get such response: <HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT IMPLEMENTED</H1>The server is unable to perform the method <b>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</b> at this time.</BODY> But if that it is longer than 258 bytes, a buffer overflow will occur. $ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x259'`

  10. IIS running without Libsafe: Remote attack succeeds (Screen Shots) Start attack from kira Try to get a shell Get full access

  11. IIS running with Libsafe: Remote attack fails (Screen Shots) Start attack from kira Try to get a shell Attack fails

  12. Limitations of Libsafe • The buffer overflow should be caused by the string functions intercepted by Libsafe. • The program to be protected should use frame-pointers. • The attack string should try to overwrite the return address. This implies that the buffer has to be on the stack. (Libsafe is bypassed when it cannot handle the situation. It does no harm to the program.)

  13. My work in this summer • Investigated the effectiveness of Libsafe on Windows • Ported Libsafe to Windows • Tested Libsafe with sample/real-world exploit programs • Wrote a detailed TM • This work will be distributed internally and externally

  14. Acknowledgment • My mentor: Tim Tsai • ARC Help people: Tarek Warraky, Lookman Fazal and Eniko Kovacs • My “first-week-mentors”: Navjot Singh and Hamilton Slye

More Related