CAP 6135: Malware and Software Vulnerability Analysis
Buffer Overflow I: Attack Introduction
Cliff Zou, Spring 2014
Use Unix Machine in Department
- The Unix machine: eustis.eecs.ucf.edu
  - Must use SSH to connect
- Find free SSH clients on the Internet
  - E.g., PuTTY (command line based)
  - http://en.wikipedia.org/wiki/Ssh_client
- Find a GUI-based free SSH client
  - E.g., WinSCP: http://winscp.net/eng/index.php
- If you are off campus, you must first set up VPN to UCF campus
  - https://publishing.ucf.edu/sites/itr/cst/Pages/NSvpn.aspx
Use Unix Machine in Department
- Username: NID
- Default password: Pyymmdd (birth year, month and day)
- If you have trouble logging in, please email help@cs.ucf.edu for tech support
- The machine has many programming languages installed: Java, gcc, Python, Perl, gdb
- Basic Unix commands tutorials:
  - http://freeengineer.org/learnUNIXin10minutes.html
  - http://mally.stanford.edu/~sr/computing/basic-unix.html
- On Eustis, you can use 'pico' for simple code editing
PuTTY and PSFTP Usage
- Both are executables on Windows, no need to install
  - PuTTY: command-line shell over a secure channel
  - PSFTP: FTP over the secure channel
- You can save sessions for later use: remote host, default window, font...
  - http://kb.site5.com/shell-access-ssh/putty-how-to-load-save-or-delete-server-connection-settings/
- To find commands, type "help"
  - PSFTP: put, get, cd, ls, pwd, lpwd
  - PuTTY: normal Unix commands
  - http://mally.stanford.edu/~sr/computing/basic-unix.html
Acknowledgement
- This lecture uses some contents from:
  - Dr. Erik Poll: Software Security
  - Dr. Dawn Song: CS 161: Computer Security
  - Dr. Ninghui Li: CS 426: Computer Security
The Problem

    void foo(char *s) {
        char buf[10];
        strcpy(buf, s);              // no bound: s may be longer than buf
        printf("buf is %s\n", buf);
    }
    ...
    foo("this string is too long for foo");
Exploitation
- The general idea is to give servers very large strings that will overflow a buffer.
- For a server with sloppy code, it's easy to crash the server by overflowing a buffer.
- It's sometimes possible to actually make the server do whatever you want (instead of crashing).
Necessary Background
- C functions and the stack.
- A little knowledge of assembly/machine language.
- How system calls are made (at the machine code level).
  - exec() system calls
- How to "guess" some key parameters.
What is a Buffer Overflow?
- Intent
  - Denial of service
    - Cause software to crash
    - E.g., ping of death attack
    - Relatively easy to do as long as you find an overflow hole
  - Arbitrary code execution
    - Spawn a remote shell or infect with worm/virus
- Code Injection Steps
  - Inject attack code into buffer
  - Overflow return address
  - Redirect control flow to attack code
  - Execute attack code
Attack Possibilities
- Targets
  - Stack, heap, static area
  - Parameter modification (non-pointer data)
    - Change parameters for existing call to exec()
    - Change privilege control variable
- Injected code vs. existing code
- Absolute vs. relative address dependence
- Related Attacks
  - Integer overflows
  - Format-string attacks
Stack Overflow Overview
Address Space (figure, high addresses at top)

    0xFFFFFFFF   kernel space
    0xC0000000   stack
                 shared library
    0x42000000   heap
                 bss
                 static data
    0x08048000   code
    0x00000000

From Dawn Song's RISE: http://research.microsoft.com/projects/SWSecInstitute/slides/Song.ppt
C Call Stack
- When a function call is made, the return address is put on the stack.
- Often the values of parameters are put on the stack.
- Usually the function saves the stack frame pointer (on the stack).
- Local variables are on the stack.
A Stack Frame (figure, high addresses at top)

    Parameters               <- addressed as BP+offset
    Return Address
    Calling Stack Pointer    <- BP
    Local Variables          <- addressed as SP+offset
                             <- SP
    (addresses decrease toward 0000)

SP: stack pointer
BP: base/frame pointer
Sample Stack (figure)

    -- Main() --
    x = 2;
    foo(18);
    y = 3;

    void foo(int j) {
        int x, y;
        char buf[100];
        x = j;
        ...
    }

Stack contents while in foo (high addresses at top): 18 (the argument j); address of "y=3" (the return address); saved stack pointer; buf; y; x
"Smashing the Stack"*
- The general idea is to overflow a buffer so that it overwrites the return address.
- When the function is done it will jump to whatever address is on the stack.
- We put some code in the buffer and set the return address to point to it!

* taken from the title of an article in Phrack 49-7
Before and After (figure)

    void foo(char *s) {
        char buf[100];
        strcpy(buf, s);
        ...
    }

Stack (high addresses at top): address of s; return address (after: modified addr.); saved sp; buf (after: holds the small program)
What causes buffer overflow?
Example: gets()

    char buf[20];
    gets(buf);    // read user input until first EOL or EOF character

- Never use gets
- Use fgets(buf, size, stdin) instead
Example: strcpy()

    char dest[20];
    strcpy(dest, src);    // copies string src to dest

- strcpy assumes dest is long enough, and assumes src is null-terminated
- Use strncpy(dest, src, size) instead
Spot the defect! (1)

    char buf[20];
    char prefix[] = "http://";
    ...
    strcpy(buf, prefix);                // copies the string prefix to buf
    strncat(buf, path, sizeof(buf));    // concatenates path to the string buf
Spot the defect! (1)

    char buf[20];
    char prefix[] = "http://";
    ...
    strcpy(buf, prefix);                // copies the string prefix to buf
    strncat(buf, path, sizeof(buf));    // concatenates path to the string buf

- strncat's 3rd parameter is the number of chars to copy, not the buffer size
- Another common mistake is giving sizeof(path) as the 3rd argument...
Spot the defect! (2)

    char src[9];
    char dest[9];
    char base_url[] = "www.ru.nl";
    strncpy(src, base_url, 9);    // copies base_url to src
    strcpy(dest, src);            // copies src to dest

- base_url is 10 chars long, including its null terminator, so src won't be null-terminated
- so strcpy will overrun the buffer dest, since it copies byte-by-byte until it meets a NULL (value 0) byte
Example: strcpy and strncpy
- Don't replace strcpy(dest, src) by

      strncpy(dest, src, sizeof(dest))

  but by

      strncpy(dest, src, sizeof(dest)-1);
      dest[sizeof(dest)-1] = '\0';

  if dest should be null-terminated!
- A strongly typed programming language could of course enforce that strings are always null-terminated...
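The bounded idioms from defects (1) and (2) and from this slide, combined in one helper. This is an added example, not the lecture's code; build_url and its truncation return value are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Build prefix + path into a fixed-size buffer without overrunning it.
 * Returns 0 on success, -1 if the result had to be truncated. */
int build_url(char *buf, size_t bufsz, const char *prefix, const char *path)
{
    if (bufsz == 0)
        return -1;

    /* strncpy does not terminate when src has >= n bytes (defect 2),
     * so copy at most bufsz-1 bytes and write the terminator ourselves. */
    strncpy(buf, prefix, bufsz - 1);
    buf[bufsz - 1] = '\0';

    /* strncat's third argument is the remaining room, not sizeof(buf)
     * (defect 1). strncat always appends a terminator, so keep 1 byte
     * for it; when the prefix already filled the buffer this is 0. */
    size_t used = strlen(buf);
    strncat(buf, path, bufsz - used - 1);

    /* Report truncation so the caller can fail closed instead of
     * silently using a mangled URL. */
    return (strlen(prefix) + strlen(path) < bufsz) ? 0 : -1;
}

int main(void)
{
    char buf[20];                       /* same size as the slide's buf */
    int rc = build_url(buf, sizeof buf, "http://", "www.ru.nl");
    printf("%d \"%s\"\n", rc, buf);     /* fits: 0 "http://www.ru.nl" */
    rc = build_url(buf, sizeof buf, "http://", "example/index.html");
    printf("%d \"%s\"\n", rc, buf);     /* truncated to 19 chars, rc -1 */
    return 0;
}
```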
Spot the defect! (3)

    char *buf;
    int i, len;
    read(fd, &len, sizeof(len));
    buf = malloc(len+10);
    read(fd, buf, len);
Spot the defect! (3)

    char *buf;
    int i, len;
    read(fd, &len, sizeof(len));
    buf = malloc(len+10);
    read(fd, buf, len);

- Didn't check if negative, e.g., len = -5; then buf has 5 bytes
- len is cast to unsigned (the read function's requirement), and "-5" becomes a very big value
- memcpy() prototype: void *memcpy(void *dest, const void *src, size_t n);
- Definition of size_t: typedef unsigned int size_t
Implicit Casting Bug
- A signed/unsigned or an implicit casting bug
  - Very nasty: hard to spot
  - C compiler doesn't warn about type mismatch between signed int and unsigned int
    - Silently inserts an implicit cast
Spot the defect! (4)

    char *buf;
    int i, len;
    read(fd, &len, sizeof(len));
    if (len < 0) { error("negative length"); return; }
    buf = malloc(len+5);
    read(fd, buf, len);
    buf[len] = '

- May result in integer overflow: when len is close to the upper bound of int, len+5 could be a very small value
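The length checks that defects (3) and (4) call for, as an added example rather than the lecture's code; checked_alloc_size, alloc_message, HEADER_PAD and MAX_PAYLOAD are names and limits assumed for this example.

```c
#include <limits.h>
#include <stdlib.h>

#define HEADER_PAD  5       /* the "+5" slack added in the slide's malloc() */
#define MAX_PAYLOAD 65536   /* assumed protocol limit, chosen for this example */

/* Validate a length field read from an untrusted source before it reaches
 * malloc() and read(). Returns 1 and stores the allocation size in *alloc
 * when the length is usable, 0 when it must be rejected. */
int checked_alloc_size(int len, size_t *alloc)
{
    /* Defect (3): a negative int passed as size_t becomes a huge count. */
    if (len < 0)
        return 0;
    /* Defect (4): len + HEADER_PAD wraps when len is near INT_MAX.
     * Compare against the bound first; only then do the addition. */
    if (len > INT_MAX - HEADER_PAD)
        return 0;
    /* Defensive ceiling (also covers the wrap check above): a huge but
     * positive length is rejected instead of exhausting memory. */
    if (len > MAX_PAYLOAD)
        return 0;
    *alloc = (size_t)len + HEADER_PAD;
    return 1;
}

/* Allocate the buffer the slide's code needs for a message of len bytes
 * and terminate it; the buf[len] write is in bounds because n > len.
 * Returns NULL for a rejected length; the caller frees the result. */
char *alloc_message(int len)
{
    size_t n;
    if (!checked_alloc_size(len, &n))
        return NULL;
    char *buf = malloc(n);
    if (buf != NULL)
        buf[len] = '\0';
    return buf;
}
```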