Buffer Overflow

What is a buffer overflow?

A buffer overflow is a bug that affects low-level code, typically in C and C++, with significant security implications
Causes the application to behave improperly and unexpectedly
Attacker can alter the situation, and cause the program to do much worse:
- Steal private information
- Corrupt important data
- Run code of his choice
- Perform any other malicious activities

Secure Coding

As developers, we must use discipline
Rule 1: Enforce input compliance
- Check the inputs, ensuring their compliance with your needs
Rule 2: Use safe string functions
- Traditional string library routines assume target buffers have sufficient length (DON'T USE THEM, e.g. strcpy(), strcat())
- Safe versions check the destination length (USE THESE, e.g. strlcpy(), strlcat())
Rule 3: Do not forget the NULL terminator
- Strings require one additional character to store the NULL terminator ... DO NOT FORGET!
- Use safe string library calls
Rule 4: Understand Pointer Arithmetic (e.g. sizeof() returns the number of bytes)
Rule 5: Use NULL after freeing a pointer

Why Study Buffer Overflows?

Buffer Overflows are still relevant today:
- C and C++ are still commonly used languages
- Developers still fail to implement code checks
- Security is not always in mind
Long history (approaches developed to defend against them)
Share common features with other bugs and exploits:
- Way they operate
- Way to defend them
Pool of common targets:
- Most OS kernels (Fingerd, X Windows Server, Linux Shell)
- High performance servers (Microsoft IIS, Apache httpd, MS SQL)
- Embedded Systems (Industrial Control Systems, Automobiles)

Buffer Overflow from 10,000 ft

Buffer:
- Contiguous memory associated with a variable or field
- Common concept in C (e.g. strings are a null-terminated buffer of chars)
Overflow: write to the buffer more than its capacity (more than it can hold)
What happens when the program reads or writes to a buffer outside its bounds?
- According to the C programming language standard, such a program has undefined behavior (the program can do anything)
- C compiler assumes that the program does not have any overflow
- Program will access whatever memory happens to be at the accessed location
- Attacker can use out-of-bounds accesses to his advantage

Read Overflow

Bug that permits reading past the end of the buffer rather than writing
Ability to leak secret information
Heartbleed Vulnerability:
- Based on Read Overflow
- SSL server should accept a "heartbeat" message that it echoes back
- Length of the echo-back portion is specified by the "heartbeat" message
- Buggy SSL software did not check if the length is accurate
- Attacker could request a longer length and read past the content of the buffer
- Leakage of passwords, cryptographic keys, etc.

Formatted Input/Output

C programming language supports formatted input and output using printf() and scanf()
Format Specifier:
- Position in string indicates stack argument to print
- Specifier indicates type of argument to be printed
What could possibly happen:
- Attacker can control the format string in the printf() method
- Treats the stack as a buffer and exposes certain values (return address for example)
- Example: partial stack dump
- printf("%08x.%08x.%08x.%08x.%08x.")

Function Calls

Calling Function:
- Push the arguments onto the stack
- Push the return address: address of the instruction to be executed after the called function has been processed
- Jump to target function's address
Called Function (Target Function):
- Push the old frame pointer onto the stack (old EBP)
- Set the frame pointer (EBP) to where the current stack ends (pointed to by ESP)
- Push the local variables onto the stack
Returning Function:
- Reset the previous stack frame
- Jump back to the return address
- Resume main execution

Heap Overflow

Code Injection is also known as Stack Smashing:
- Overflows a stack allocated buffer
Heap Overflow:
- Overflows a buffer allocated by "malloc" which resides on the heap
Heap Overflow Variants:
- Overflow into C++ Object Virtual Table
- Overflow into adjacent objects
- Overflow heap metadata
Real Life Example:
- iOS jailbreaking often uses heap overflows to gain arbitrary code execution
- Kernel exploits to achieve the ability to replace the kernel with the one jailbreak provides

What is Code Injection

Code Injection:
- An exploit which takes control of the attacked target
- Injects code to "spawn a shell" or "shellcode"
Shellcode:
- Code assembled in the CPU's native instruction set
- Injected as a part of the buffer that is overflowed
- Code is injected into the buffer sent for the attack
Main Objective:
- Load my own code into memory
- Somehow get the EIP (Instruction Pointer Register) to point to it
Attacker fills the buffer with the shellcode
Return address is overwritten with an address referring to the buffer, directing the processor to execute the shellcode

Type Safety

Each object is ascribed a type (int, pointer to int, pointer to function, etc.)
Operations on the object are always compatible with the object's type
Enforce C/C++ to be type safe:
- Garbage collection: can be as fast as malloc() but uses much more memory
- Bounds and Null-Pointer Checks to avoid spatial violations
- Such solutions come at the expense of performance

On the x86 processor, when a caller pushes arguments on the stack, in what order are they pushed?

In the opposite order they appear in the function definition

Cat and Mouse

Make Stack/Heap nonexecutable to prevent code injection
- Attack: Return-to-Libc
Hide the address of desired libc code or return address using ASLR
- Attack: Brute force search in 32-bit systems and information leak through string-format vulnerability
What's next: Ongoing efforts to prevent such attacks
- Ensure Memory Safety

NX ("No Xecute") and Address Space Layout Randomization (ASLR)

NX: No eXecute renders the stack or heap nonexecutable
- Prevents code injection
- Text segment (the code) is immutable
- Every other portion of memory in the program is non-executable
- Weakness: attack known as Return-to-Libc
ASLR: randomizes the position of the stack and the in-memory location of libraries and executables
- Change every time a program is run
- Change every time a system is booted
- Some combination of the two
- Mitigates the effect of Return-to-Libc
- Introduced in 2004 for Linux, 2007 for Windows, 2011 iOS, and 2012 Android OS

What is a Memory Safe Execution

Program execution:
- Creates pointers through standard means (e.g. malloc())
- Only uses pointers to access memory that belongs to that pointer
- Combines temporal and spatial safety
Spatial Safety:
- The pointer will be of three parts: p the actual pointer, b the base of the mem region and e the bounds of the region
- Access allowed if and only if: b ≤ p ≤ e - sizeof(typeof(p))
Temporal Safety:
- Never access undefined memory
- Assures that the region is still allocated
- Example: accessing a freed pointer violates temporal safety
Languages that are memory safe:
- Java, Python, C#, Ruby
- Such languages are also type safe

Detecting Overflows with Canaries

Random Canaries:
- Write a new random value at each process start
- Save the real value somewhere safe in memory
- Must write-protect the stored value
The canary is placed on the stack before the return address, so that any attempt to overwrite the return address also overwrites the canary

Why is it best, from the attacker's point of view, to overwrite the return address during a buffer overflow?

The attacker can replace that address with an address of code that he wants to run. When the function returns, it will go to the attacker's code

What is the key reason that printf(buf) might be vulnerable to a format string attack while printf("%s", buf) would not be, assuming the attacker can affect the contents of buf?

The problem arises when buf contains format specifiers

The Stack

The stack is a variable-sized structure for storing objects
New objects can be added ("pushed") to one end of the stack (top of the stack) and other objects can also be removed ("popped")
Most important function of the stack is to store the return address
Processors (including x86 processors) include built-in support for the stack, which includes:
- EIP register: acts as the instruction pointer
- ESP register: acts as the stack pointer
- EBP register: acts as the frame pointer
ESP register:
- Points to the top of the stack
- Value decreased when items are pushed onto the stack
EIP register:
- Includes the address of the current instruction
- Maintained by the processor itself
EBP register:
- Stores the address of the start of the stack frame

Why is it best for the attacker if the injected code does not contain zero bytes?

Then it can be copied to the stack by string copying functions which stop at NULL

Normal, running processes typically access memory through what kind of addresses?

Virtual

Address Space BSS:

Block started by symbol: static variables that are uninitialized

Address Space Heap:

data dynamically generated during the execution process

The heap is the memory that ....

grows upward in the address range

Address Space: Text:

machine code of the program, compiled from the source code

Virtual Memory

Programs need to access memory in order to be executed
Today's operating systems use a scheme called Virtual Memory:
- No direct correspondence between a memory address and a physical location in RAM
- Mapping between virtual and physical memory is maintained by OS and processors
Virtualization:
- Enables what is known as protected memory
- Prevents one process from damaging the memory section allocated for other processes
Note: the way the memory is managed is irrelevant to the process

The heartbleed bug could be exploited to induce a server with the buggy SSL implementation to do which of the following?

read past the allocated end of the buffer

Address Space Data:

static program variables initialized in the source code prior to execution

Address Space Stack:

structure that grows downwards and keeps track of the activated method calls, their arguments and local variables

