Professional Documents
Culture Documents
02 Vulns MemCorruption
02 Vulns MemCorruption
memory corruption
Classifying vulnerabilities
• Memory corruption (safety)
– Buffer Overflow
– Integer Overflow
– Stack Overflow
– Use after free/ Double free
– Null pointer dereference
• Exploiting memory corruption to control program
– Format string attacks
– Stack buffer overflow (or stack-based buffer overflow)
– Heap buffer overflow (or heap-based buffer overflow)
– Overflowing on non “control-data” memory
• Resulting attacks
– Code injection on the stack (e.g., shellcodes)
– Code reuse techniques (Return-to-libc, Return-Oriented
Programming, Jump-Oriented Programming)
Buffer Overflows
• A buffer overflow occurs any time a program attempts
to store data beyond the boundaries of a buffer,
overwriting the adjacent memory locations
• Originates from mistakes done while writing code
– unfamiliarity with language
– Boundary or arithmetic errors
• Mostly C / C++ programs
• Addressed by languages with automatic memory
management: dynamic bounds checks (e.g., Java) or
automatic resizing of buffers (e.g., Perl)
– Still native libraries that are written in C (e.g., JNI)
Buffer Overflows: Basics
char src[]=“ABCDEFGHI”;
char tmp_buff[5];
int password_checked;
strcpy(tmp_buff, src);
Buffer Overflows: After strcpy()
char src[]=“ABCDEFGHI”;
char tmp_buff[5];
int password_checked;
strcpy(tmp_buff, src);
Buffer Overflows: usual suspects
• String manipulation functions that don't
properly check string length
– gets(), strcpy(), …
• Copy with incorrect parameters
– memcpy() …
• Incorrect computation of required memory
length
– zero-sized malloc()s …
Preventing Buffer Overflows
• Safe usage of copy primitives using libc
methods
– For instance, limit amount of data to copy
– strncpy(tmp_buff, src, sizeof(tmp_buf))
• Compiler extension if array length can be
computed
• Annotations (e.g. Deputy, CCured…)
Integer overflows
• Unsigned ints
– 32 bits: range from 0 to 2^32-1 (4,294,967,295)
– Overflow: 4,294,967,295 + 1 = 0
• Signed ints
– 32 bits: range from − (2^31) to 2^31 − 1 (2,147,483,647)
– Overflow: 2,147,483,647+2 = -2,147,483,648
• Some languages (Java, Ada) throw exceptions, many don't
• Attacker can supply large values used in :
– Computation of the size of a buffer allocation (malloc)
– Array access (in particular the bound checks)
• Solution: always check overflow before critical operation!
More about Memory Layout
• Text
– Also called code segment
• Data
– Global initialized data
• BSS
– Global uninitialized data
• Stack
– Local variables
– Also used to store function
environments and parameters
during calls (stack frames)
– LIFO
– Multi-threading : multiple stacks
• Heap
– Dynamically allocated variables
– Reserved through calloc() and
malloc()
Program Memory Stack
a,b, ptr
ptr points to
the memory
here
y
x
Order of the function arguments
in stack
Function Call Stack
void f(int a, int b)
{
int x;
}
void main()
{
f(1,2);
printf("hello world");
}
Stack Layout for Function Call Chain
main()
foo()
bar()
Stack Overflow
• Stack Overflows can be caused by:
– Recursive calls
– Reentrant interrupts
– Allocations on the stack
• Large
• Controlled by the attacker
• Alloca(), char array[function_parameter]
Stack Overflow
• This should never happen ?
• Invalid instruction
• Non-existing address
• Access violation
• Attacker’s code Malicious code to gain access
How to Run Malicious Code
More on Modifying return address
• Not always easy to know the
exact address
• Trampolines :
– jmp %esp at a fixed address
• NOP sled
– A long sequence of NOP
– Followed by the shellcode
– Jumping anywhere in there
leads to the shellcode
Exploiting Stack Buffer Overflows
• Corrupting the Control Flow
– Return address in a stack frame
– Function pointer
– Exception handler
– Global Offset Table (GOT)
– C++ objects
1
2
3
Evolution of machine code level
attacks
Code injection DEP/NX Code reuse
code code
R-X R-X
0xb8800000:
0xb8800030 pop eax eax = 1
ret
0x00400000 ... ebx = 2
0xb8800010 0xb8800010: eax += ebx
0xb8800020 pop ebx
ret ebx = 0x400000
0x00000002 ...
*ebx = eax
0xb8800010 0xb8800020:
add eax, ebx
0x00000001
ret
0xb8800000 ...
esp
0xb8800030:
mov [ebx], eax
ret
Simple race:
• 2 threads read count
• both write count+1
• missed 1 increment
UNIX File System Security
• Access control: user should only be able to
access a file if he has the permission to do so
• But what if user is running as setuid-root?
– E.g., a printing program is usually setuid-root in
order to access the printer device
• Runs “as if” the user had root privileges
– But a root user can access any file!
– How does the printing program know that the user
has the right to read (and print) any given file?
• UNIX has a special access() system call
slide 45
Unix File System: Access/Open Race
• A possible attack:
– guess the tmp file name: "/tmp/tmp0001"
– ln -s /etc/target /tmp/tmp0001
– victim program will create file /etc/target for you,
when it tries to create the temporary file!
– if first guess doesn't work, try 1 million times
Races on temporary files
Unix File System: Script Execve Race
• Filename redirection
– soft links again
• Setuid Scripts
– execve() system call invokes seteuid() call prior to executing
program
– A: program is a script, so command interpreter is loaded first
– B: program interpreter (with root privileges) is invoked on script
name
• attacker can replace script content between step A and B
• Setuid not allowed on scripts on most platforms!
– Some work-arounds
Unix File System: Script Execve Race
Threaded programs: Use-after-free
• Thread #3 gives access to protected resources
Window of Vulnerability
• Window of vulnerability can be very short
– race condition problems are difficult to find with testing
– difficult to reproduce and debug
• Myths about race conditions
– "races are hard to exploit”
– "races cannot be exploited reliably"
– "only 1 chance in 10000 that the attack will work!"
• Attackers can often find ways to beat the odds!
– Repeated attempts
– Attacker can try to slow down the victim machine/process to
improve the odds (high load, computational complexity)
– Attacker can run the attack many times in parallel to increase
the probability that the attacking process will be scheduled by
the processor at the right moment
Slow file lookups
• Deeply nested directory structure:
– d/d/d/d/d/d/d/....../d/file.txt