Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns - PowerPoint PPT Presentation

About This Presentation
Title:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns

Description:

What is a Buffer Overrun? ... Uses a stack buffer overrun to modify return address to point to a location ... Buffer overruns are likely to be continued source ... – PowerPoint PPT presentation

Number of Views:155
Avg rating:3.0/5.0
Slides: 17
Provided by: Carl1179
Category:

less

Transcript and Presenter's Notes

Title: Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns


1
Beyond Stack SmashingRecent Advances in
ExploitingBuffer Overruns
  • Jonathan Pincus
  • Microsoft Research
  • Brandon Baker
  • Microsoft

Carl Hartung CSCI 7143 Secure Sensor Networks
2
Overview
  • Buffer Overruns
  • Basics
  • Techniques
  • Stack Smashing
  • Arc Injection
  • Pointer Subterfuge
  • Function-pointer Clobbering
  • Data Pointer Modification
  • Exception-handler Hijacking
  • VPTR Smashing
  • Heap Smashing
  • Conclusions

3
What is a Buffer Overrun?
  • When a program attempts to read or write beyond
    the end of a bounded array (also known as a
    buffer)
  • Typically, attackers use this to modify a return
    address saved on the stack to point to code
    residing in a stack buffer at a known location

4
Examples
  • Stack Buffer Overrun
  • void f1a (void arg, size_t len)
  • char buff100
  • memcpy(buf, arg, len) / buffer
    overrun if len gt 100 /
  • return
  • Heap Buffer Overrun
  • void f1b ( void arg, size_t len)
  • char ptr malloc(100)
  • if (ptr NULL_ return
  • memcpy(ptr, arg, len) / buffer
    overrun if len gt 100 /
  • return

5
How does it work?
  • void function(char str)
  • char buffer16
  • strcpy(buffer,str)

bottom of stack
top of stack
buffer sfp ret str

6
How does it work? contd
  • int main ()
  • char large_string256
  • ..fill large_string.
  • function(large_string)

bottom of stack
top of stack
buffer sfp ret str sssssssssssssss
0xD8.
7
Stack Smashing
  • void f1a (void arg, size_t len)
  • char buff100
  • memcpy(buf, arg, len) / buffer
    overrun if len gt 100 /
  • return
  • Attacker must provide a value for arg that
    contains an executable payload and the address
    here the payload will be loaded into memory (the
    address of buff).
  • Program control transferred to buff rather than
    return to the calling procedure.

8
Stack Smashing -- Enhancements
  • Trampolining
  • If buffs absolute address is not known ahead of
    time, an attacker can use a program register R
    containing a value relative to buff by first
    transferring control to a sequence of
    instructions that indirectly transfers via R.
  • Find the address on the stack using instructions
    pop/pop/return
  • Separating payload (attackers code) from the
    buffer overrun operation.
  • Storing code in an environment variable
  • Good for overrunning small buffers

9
Arc Injection
  • Attacker supplies data that, when a program
    operates on that data, causes a desired (by the
    attacker) effect.
  • Uses a stack buffer overrun to modify return
    address to point to a location already in the
    programs address space.
  • Usually the system function in the C stdlib.
  • Useful when the program has non-executable stacks

10
Pointer Subterfuge
  • Involves modifying a pointers value.
  • Many different attacks
  • Function-pointer Clobbering
  • Data Pointer Modification
  • Exception-handler Hijacking
  • VPTR Smashing

11
Function-pointer Clobbering
  • Modifying a function pointer to point to
    attackers code.
  • void f3 (void arg, size_t len)
  • char buff100
  • void (f) ()
  • memcpy(buff, arg, len) / buffer overrun /
  • f()
  • return
  • Use overrun to set f to buff, and call will send
    control to code in buff
  • Can combine with Arc to point F to system call.

12
Data-pointer modification
  • void f4(void arg, size_t len)
  • char buff100 long val long ptr
  • extern void (f)()
  • memcpy(buff, arg, len) / overrun! /
  • ptr val
  • f()
  • return
  • Allows attacker to modify memory locations
  • Can use ptr val to assign any 4 bytes of memory

13
Exception-handler hijacking
  • When an exception is generated, Windows examines
    a linked list of exception handlers (registered
    by program when it starts) and invokes one or
    more of them via function pointers stored in the
    list. Because the list entries are stored on the
    stack, it is possible to replace the
    exception-handler function pointer with a buffer
    overflow.
  • The known variations of this vulnerability are
    supposedly fixed in WindowsXP SP2.

14
VPTR smashing
  • VTBL (associated with each class) is an array of
    function pointers used at runtime to implement
    dynamic dispatch.
  • Objects point to appropriate VTBL with virtual
    pointers (VPTR) stored as part of the objects
    header. Replacing the VPTR with a pointer to an
    attacker supplied VTBL transfers control when the
    next virtual function is invoked.
  • Can apply to both stack and heap overruns

15
Heap smashing
  • Allocators keep headers for each heap block
    chained together in a doublely linked list of
    allocated and freed blocks.
  • If you have three adjacent blocks X, Y, Z an
    overrun of X into Y can corrupt pointers in Ys
    header, and lead to modification of arbitrary
    memory locations when Y is freed.
  • More complicated because
  • Attacker typically doesnt know the heap blocks
    location ahead of time
  • Difficult to predict when heap-free operation
    will occur.
  • Difficult (especially in with multiple threads)
    to predict whether the next block has been
    allocated at time of overrun.

16
Conclusions
  • Buffer overruns are likely to be continued source
    of potential vulnerabilities.
  • New techniques invalidate old assumptions
  • Arc injection needs no injected code
  • Pointer subterfuge doesnt overwrite return
    addresses
  • Heap smashing and pointer subterfuge show not
    just the stack thats vulnerable.
  • Developers need to be cautious of assumptions.
  • Arms race continues.
Write a Comment
User Comments (0)
About PowerShow.com