2. Intro to Instructor
Born in Dalian, China Prof., UC Berkeley
Close to Korea PhD, UC Berkeley Summer school
Prof., CMU
Sep, 2002 Jul, 2007 Aug, 2012
http://www.cs.berkeley.edu/~dawnsong
dawnsong@cs.berkeley.edu
Dawn Song 2
3. Research Interests & Projects
• Computer security & privacy
• BitBlaze: Binary analysis for computer security
• WebBlaze: New technologies to enhance web security
• DroidBlaze: Android security analysis infrastructure
• Machine learning & security
• Platform for private data
Dawn Song 3
4. BitBlaze: Computer Security via Program Binary Analysis
Unified platform to accurately analyze security properties of binaries
Security evaluation & audit of third-party code
Defense against morphing threats
Faster & deeper analysis of malware
Detecting Generating Dissecting
Vulnerabilities Filters Malware
BitBlaze Binary Analysis Infrastructure
Dawn Song 4
5. WebBlaze: New Security Technologies for the Web
• Does the browser correctly enforce desired security policy?
– Cross-origin capability leaks: attacks & defense [USENIX 09]
• Is third-party content such as malicious ads securely sandboxed?
– Preventing Capability Leaks in Secure JavaScript Subsets [NDSS10]
• Do browsers & servers have consistent interpretations/views to enforce
security properties?
– Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense
[NDSS09]
– Content sniffing XSS: attacks & defense [IEEE S&P 09]
• Do applications have security vulnerabilities?
– Symbolic Execution Framework for JavaScript [IEEE S&P10]
• Do different web protocols interact securely?
– Model checking web protocols [CSF 10]
• How to build secure web applications by construction?
– Context-sensitive auto-sanitization in web applications [CCS 11]
• How to reduce TCB in web applications?
– Privilege Separation in HTML5 Applications [USENIX Security 12]
Dawn Song 5
6. DroidBlaze
Apps
Static App Runner VM
Analysis
Execution
Static Data Execution
Analyzer Exploration
App Dynamic
Rewriter Rewritten App Analysis
Behavior Analysis
Analyzed
Behavior Property
Apps
Analyzer Checker
Dawn Song 6
8. Intro of Students
• Name
• Institution
• Areas of interest
– Systems? Programming languages? AI? Theory?
• Background in computer security
– Have you taken a computer security class?
– Have you done research in computer security?
• Find partners for labs
Dawn Song 8
9. Overview of Lectures
• Syllabus
• Labs: hands-on experience
• TAs
– Dylan
– Taebum
Dawn Song 9
10. Overview of Lectures
Date/Time Topic Notes
Part 1: Software Security
Mon Aug 20 Software Security (I.1): Vulnerabilities, Attacks & Defenses. Different classes of
(09:00-12:00) vulnerabilities and attacks. Runtime defenses.
(13:00-18:00) Software Security (I.2): Deeper look at vulnerabilities and attacks (Lab Session)
Tues Aug 21 Software Security (II.1): Automatic vulnerability discovery. Static Analysis. Dynamic
(09:00-12:00) Analysis. Symbolic Execution
(13:00-18:00) Software Security (II.2): Tools for software security analysis and vulnerability discovery (Lab Session)
Part 2: Web Security
Wed Aug 22 Web Security (I.1): Vulnerabilities & attacks. Overview of web security. Different classes of
(09:00-12:00) web vulnerabilities and attacks
(13:00-18:00) Web Security (I.2): Vulnerabilities & attacks. Deeper look at web vulnerabilities & attacks (Lab Session)
Thurs Aug 23 Web Security (II.1): Automatic vulnerability discovery & defense. Automatic analysis
(09:00-12:00) techniques and tools to detect web vulnerabilities. New security primitives and
mechanisms for defenses
(13:00-18:00) Web Security (II.2): Automatic vulnerability discovery & defense. Deeper look at web (Lab Session)
defenses
Part 3: Malware and Mobile Security
Fri Aug 24 Malware and Mobile Security (1): Overview of malware. Worms and botnets. Overview of
(09:00-12:00) mobile security. Different classes of vulnerabilities & attacks. State-of-the-art defenses
(13:00-18:00) Dawn Song
Malware and Mobile Security (2): Deeper look at mobile vulnerabilities & attacks (Lab10
Session)
11. Computer Security Course. Dawn Song
Introduction to Computer Security:
Goals & Threat Models
Dawn Song 11
12. What is Computer Security About?
• General goals:
– Allow intended use of computer systems
– Prevent unintended use that may cause harm
• Examples:
– Only share your photos & location with friends
– Don’t want attackers install key-logger on your
machine to steal your password
Dawn Song 12
13. Why Should You Care?
• It impacts your day-to-day life
Dawn Song 13
14. Why Should You Care?
• It impacts everybody’s day-to-day life
– Millions of computers compromised
– Millions of passwords stolen
Dawn Song 14
15. What is Computer Security About?
• General goals:
– Allow intended use of computer systems
– Prevent unintended use that may cause harm
• More precisely…
Dawn Song 15
17. Basic Security Properties (I)
• Confidentiality:
– Information is only disclosed to authorized people or
systems
– E.g., attackers cannot learn your banking info
Dawn Song 17
18. Basic Security Properties (II)
• Integrity:
– Information cannot be tampered with in an
unauthorized way
– E.g., attacker cannot change the balance of your bank
account
Dawn Song 18
19. Basic Security Properties (III)
• Availability:
– Information and services are accessible in a timely
fashion to authorized people or systems
– E.g., you should be able to login and perform
transactions on your online banking account when
you want to
Dawn Song 19
23. It Depends …
• What are the assets? What are the goals?
Dawn Song 23
24. It Depends …
• Threat model
– In SafeLand, you don’t need to lock the door
– Attackers who pick locks
– Attackers who drive a bull-dozer
– Attackers who have super advanced technology
– Attackers who may know you well
Dawn Song 24
25. Is the House Secure?
• Is the house’s protection mechanism strong
enough to protect the assets from attackers in
a certain threat model?
Dawn Song 25
27. Cost of Security
• Should you always build & evaluate a system
secure against the strongest attacker?
– A student may simply not be able to afford an alarm
system
• Not about perfect security
Perfect Security
Risk Analysis
Dawn Song 27
28. Is the Computer System Secure?
• Is the system’s protection mechanism strong
enough to protect the assets & achieve
security goals against attackers in a certain
threat model?
Dawn Song 28
29. Key Elements to Security Analysis
Security
properties
Security
Analysis ?
Threat
Model
Dawn Song 29
30. Threat Model
• Assumptions on attackers’ abilities and resources
Network
Eavesdropper
0Day
DES Cracker
DDoS
MITM Attack Dawn Song 30
31. Which Threat Models to Choose?
• For the grade database system for your class?
• For your phone?
• For a major online banking site?
• For the system to control nuclear weapon launch?
Dawn Song 31
32. Cost of Security
• There’s no free lunch.
• There’s no free security.
• Cost of security
– Expensive to develop
– Performance overhead
– Inconvenience to users
Dawn Song 32
33. Prioritize Your Security Solution
according to Your Threat Model
• No one wants to pay more for security than
what they have to lose
• Not about perfect security
– Risk analysis Perfect Security
Risk Analysis
Dawn Song 33
34. Changing Threat Model
• Be careful when your threat model changes
– E.g., online account
Over time….
New account, nothing of value;
Account accumulates value;
No incentive for attackers
More incentive for attackers
Dawn Song 34
35. Design Impacts Cost of Security
• Good system design & architecture can reduce
cost of security
Dawn Song 35
36. Design Impacts Cost of Security
Known unpatched vulnerabilities
Secunia SecurityFocus
Browser
Extremely critical Highly critical Moderately critical Less critical Not critical Total
(number / oldest) (number / oldest) (number / oldest) (number / oldest) (number / oldest) (number / oldest)
1
Google Chrome 16 0 0 0 0 0
13 December 2011
4 8 12 534
Internet Explorer 6 0 0
17 November 2004 27 February 2004 5 June 2003 20 November 2000
1 4 9 213
Internet Explorer 7 0 0
30 October 2006 6 June 2006 5 June 2003 15 August 2006
1 7 123
Internet Explorer 8 0 0 0
26 February 2007 5 June 2003 14 January 2009
1 26
Internet Explorer 9 0 0 0 0
6 December 2011 5 March 2011
1
Firefox 3.6 0 0 0 0 0
20 December 2011
Firefox 9 0 0 0 0 0 0
1 2
Opera 11 0 0 0 0
6 December 2011 6 December 2011
1 2
Safari 5 0 0 0 0
8 June 2010 13 December 2011
"Vulnerabilities." SecurityFocus. Web. 18 Jan. 2012. <http://www.securityfocus.com/>.
Dawn Song
"Advisories." Secunia. Web. 18 Jan. 2012. <https://secunia.com/community/advisories/>.
36
39. Intro
HTTP REQUEST
CLIENT HTTP RESPONSE
EXPLOIT
Remote
Shell
CLIENT ATTACKER SERVER
Dawn Song 39
40. Linux (32-bit) process memory layout
-0xFFFFFFFF
Reserved for Kernal
-0xC0000000
user stack
%esp
shared libraries
-0x40000000
brk
run time heap
static data segment
Loaded from exec
text segment (program)
-0x08048000
unused
-0x00000000
41. -0xC0000000 Stack Frame
To previous stack
frame pointer
user stack
arguments
return address
stack frame pointer
exception handlers
shared libraries To the point at which
-0x40000000
this function was called
local variables
run time heap
callee saved registers
static data
segment
text segment
(program)
-0x08048000
unused
-0x00000000
42. Stack Frame
1:void copy_lower (char* in, char* out) {
2: int i = 0;
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]);
5: i++;
6: }
7: buf[i] = ‘0’;
8:}
9:int parse(FILE *fp) {
10: char buf[5], *url, cmd[128];
11: fread(cmd, 1, 128, fp);
12: int header_ok = 0;
13: if (cmd[0] == ‘G’)
14: if (cmd[1] == ‘E’)
15: if (cmd[2] == ‘T’)
16: if (cmd[3] == ‘ ’)
17: header_ok = 1;
18: if (!header_ok) return -1;
19: url = cmd + 4;
20: copy_lower(url, buf);
21: printf(‚Location is %sn‛, buf);
22: return 0; }
A quick example to illustrate
multiple stack frames
43. Viewing Stack Frame with GDB
Our example modified to include
a main function
Compile: parse.c
gcc –g parse.c –o parse
1:void copy_lower (char* in, char* out) {
2: int i = 0;
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]);
Run: 5: i++;
6: }
./parse 7: buf[i] = ‘0’;
8:}
9:int parse(FILE *fp) {
10: char buf[5], *url, cmd[128];
Debug: 11: fread(cmd, 1, 128, fp);
We can debug using gdb. 12: int header_ok = 0;
13: if (cmd[0] == ‘G’)
gdb parse 14: if (cmd[1] == ‘E’)
15: if (cmd[2] == ‘T’)
16: if (cmd[3] == ‘ ’)
Then we can take a look at the stack. 17: header_ok = 1;
18: if (!header_ok) return -1;
(gdb) break 7 19: url = cmd + 4;
20: copy_lower(url, buf);
(gdb) run 21: printf(‚Location is %sn‛, buf);
(gdb) x/64x $esp 22: return 0; }
23: /** main to load a file and run parse */
44. Viewing Stack Frame with GDB
Our running example modified to
illustrate multiple stack frames
Debug: parse.c
(gdb) x/64x $esp
45. What are buffer overflows?
parse’s
parse.c frame
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008
args fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2
ret address return address
5: i++;
0xbffff758 0xbffff778
frame ptr stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0xbf02224c
local variables buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c callee saved
0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; } registers
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
args
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac ret address return address
0x080485a2
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA frame ptr
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c local variables i
0x00000000
callee saved
registers copy_lower’s
(Unallocated) frame
46. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0xbf022261 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000000 i
(Unallocated)
47. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0xbf026161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000001 i
(Unallocated)
48. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0xbf616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000002 i
(Unallocated)
49. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000003 i
(Unallocated)
50. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef2061 buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000004 i
(Unallocated)
51. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef6161 buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000005 i
Uh oh….
(Unallocated)
52. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbf616161 buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000005 i
Uh oh….
(Unallocated)
53. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url
8:} 0xbffff748 0x61616161 header_ok
9:int parse(FILE *fp) { 0xbffff744 0x61616161 buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x0000000d i
Uh oh….
(Unallocated)
54. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x61616161 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x61616161 return address
5: i++;
0xbffff758 0x61616161 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url
8:} 0xbffff748 0x61616161 header_ok
9:int parse(FILE *fp) { 0xbffff744 0x61616161 buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000019 i
Uh oh….
(Unallocated)
55. What are buffer overflows?
0x61616161
parse.c 0x61616161
0x61616161
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x61616161 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x61616161 return address
5: i++;
0xbffff758 0x61616161 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url
8:} 0xbffff748 0x61616161 header_ok
9:int parse(FILE *fp) { 0xbffff744 0x61616161 buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000025 i
Uh oh….
(Unallocated)
56. What are buffer overflows?
0x61616161
parse.c 0x61616161
0x61616161
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x61616161 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x61616161 return address
5: i++;
0xbffff758 stack frame ptr
6: } 0x61616161
7: buf[i] = ‘0’; 0xbffff74c url
8:} 0x61616161
0xbffff748 header_ok
0x61616161
9:int parse(FILE *fp) { 0xbffff744 buf[4]
0x61616161
10: char buf[5], *url, cmd[128]; 0xbffff740 buf[3,2,1,0]
0x61616161
11: fread(cmd, 1, 256, fp); 0xbffff73c cmd[128,127,126,125]
. 0x00000000 .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 .
. 0x41414141 cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 cmd[3,2,1,0]
20: copy_lower(url, buf); 0x20544547
0xbffff74c url
21: printf(‚Location is %sn‛, buf); 0xbffff6c4
0xbffff748 header_ok
22: return 0; } 0x00000001
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000025 i
And when you try to return from parse…
… SEGFAULT, since 0x61616161 is not a
valid location to return to. (Unallocated)
57. Basic Stack Exploit
• Overwriting the return address allows an attacker to
redirect the flow of program control
• Instead of crashing, this can allow arbitrary code to be
executed
– Code segment called “shellcode”
• Example: the execve system call is used to execute a file
– With the correct permissions, execve(“/bin/sh”) can be used to
obtain a root-level shell.
Dawn Song 57
58. Shellcode of execve
• How to develop shellcode that runs as execve(“/bin/sh”)?
0x80002bc <__execve>: pushl %ebp
0x80002bd <__execve+1>: movl %esp,%ebp
void main() { 0x80002bf <__execve+3>: pushl %ebx
char *name[2]; The procedure prelude.
(disassembly of execve call)*
name[0] = "/bin/sh"; 0x80002c0 <__execve+4>: movl $0xb,%eax
name[1] = NULL; Copy 0xb (11 decimal) onto the stack. This is the
execve(name[0], name, NULL); index into the syscall table. 11 is execve.
} 0x80002c5 <__execve+9>: movl 0x8(%ebp),%ebx
Copy the address of "/bin/sh" into EBX.
(format instructions and data as characters)* 0x80002c8 <__execve+12>: movl 0xc(%ebp),%ecx
Copy the address of name[] into ECX.
0x80002cb <__execve+15>: movl 0x10(%ebp),%edx
Copy the address of the null pointer into %edx.
“xebx1fx5ex89x76x08x31xc0x88x46x46 0x80002ce <__execve+18>: int $0x80
x0cxb0x0bx89xf3x8dx4ex08x8dx56x0c
Change into kernel mode.
xcdx80x31xdbx89xd8x40xcdx80xe8xdcx
ffxffxff/bin/sh”
Dawn Song details, refer to Smashing the stack by aleph one
*For more 58
59. Basic Stack Exploit
So suppose we overflow with a string that looks like the assembly of:
Shell Code: exec(“/bin/sh”)
high
Program P ShellCode
To previous stack To previous stack
frame pointer frame pointer
arguments arguments
return address crafted return address
return address
return address
stack frame pointer stack frame pointer
To the instruction To the instruction at which
at which this this function was called
charbuffer
buf[128] function was called
buffer
low
Dan Boneh
“xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0x0bx89xf3x8dx4ex08x8dx56x0cxcdx80
x31xdbx89xd8x40xcdx80xe8xdcxffxffxff/bin/sh”
When the function exits, the user gets shell !!! (exact shell code by Aleph One)
Note: shellcode runs in stack.
66. The NOP Slide
Shellcode
----------------------------------------
NOP
NOP
To previous stack .
.
frame pointer .
NOP
arguments
return address crafted return address
stack frame pointer
To the instruction
at which this
buffer function was called buffer
Problem: how does attacker Solution: NOP slide
determine ret-address? • Guess approximate stack state when the function
is called
• Insert many NOPs before Shell Code ‘/x90’
68. More on Stack Smashing
• Some complications on Shellcode:
– Shellcode should not contain the ‘0’ character.
– Overflow should not crash program before the
frame’s function exits
• Sample remote stack smashing overflows:
– (2007) Overflow in Windows animated cursors
(ANI). LoadAniIcon()
– (2005) Overflow in Symantic Virus Detection
test.GetPrivateProfileString “file”, [long string]
Dawn Song 68
69. Many unsafe libc functions
strcpy (char *dest, const char *src)
strcat (char *de st, const char *src)
gets (char *s)
scanf ( const char *format, … ) and many more.
• “Safe” libc versions strncpy(), strncat() are misleading
– e.g. strncpy() may leave string unterminated.
• Windows C run time (CRT):
– strcpy_s (*dest, DestSize, *src): ensures proper termination
70. General Control Hijacking: Return Address
ShellCode
To previous stack
frame pointer
arguments arguments
return address crafted return address
return address
stack frame pointer stack frame pointer
To the instruction at which
this function was called
buffer buffer
Overwrite Step: Overwrite return address to point to your code.
Activate Step: Return out of frame andDawn Song
into your code. 70
71. General Control Hijacking: Local Fn Ptr
ShellCode
arguments arguments
return address return address
stack frame pointer stack frame pointer
To instructions for a
function
local function pointer crafted local function pointer
local function pointer
buffer buffer
Overwrite Step: Overwrite local function pointer to point to your code.
Activate Step: Call that local function variable. Song
Dawn 71
72. General Control Hijacking:
Function Pointer in the Heap
Object T vtable Object T vtable
ptr FP1: method #1 ptr FP1:
crafted FP1: shellcode
method #1
FP2: method #2 FP2:
crafted FP2: method #2
shellcode
data FP3: method #3 data FP3:
crafted FP3: method #3
shellcode
buffer buffer
Overwrite Step: Overwrite entries in a vtable for Object T.
Activate Step: Call any method from Object T Song
Dawn 72
73. General Control Hijacking:
Function Pointer in the Heap
(crafted vtable) crafted FP1: shellcode
crafted FP2: shellcode
Object T vtable crafted FP3: shellcode
vtable
ptr FP1: method #1 crafted ptr
ptr FP1: method #1
FP2: method #2 FP2: method #2
data FP3: method #3 data FP3: method #3
buffer buffer
Overwrite Step: Overwrite pointer to vtable on heap to point to a crafted vtable.
Activate Step: Call any method from Object T Song
Dawn 73
74. Attack: return-to-libc (arc injection)
• Control hijacking without executing code
(stack)
(libc.so)
arguments
return address exec()
stack frame pointer printf()
buffer “/bin/shell”
Dawn Song 74
75. General Control Hijacking
Control Flow Pointer expected code
return address
frame pointer function pointer as
exception Handler local variable
shellcode, library
jump to address longjmp pointer
(return to libc)
function pointer in heap
Overwrite Step:
Find some way to modify a Control Flow Pointer to point to your shellcode, library
entry point, or other code of interest.
Activate Step:
Find some way to activate that modified Control Flow Pointer.
Dawn Song 75
76. Instances of Control Hijacking
Location in Control Flow How to activate
Memory
Pointer
Stack Return Address Return from
function
(stack frame)
Stack Frame Pointer Return from Ret Addr
function Frame Ptr
exception handers
Stack Function Pointers Reference and call local fn ptrs
as local variables function pointer
buf
Stack Exception Handler Trigger Exception
Heap Function pointer in Reference and call
Object T vtable Object T vtable
heap (i.e. method function pointer
ptr FP1: method #1 ptr FP1: method #1
of an object) FP2: method #2 FP2: method #2
data FP3: method #3 data FP3: method #3
buf buf
Anywhere setjmp and longjmp Call longjmp
program state longjmp saved pointer
buffer …
other data
buf
Dawn Song 76
77. Data Hijacking
Modifying data in a way not intended Example: Authentication variable
arguments arguments
arguments
return address return address
return address
stack frame pointer stack frame pointer
stack frame pointer
authentication_variable authentication_variable
authentication_variable
buffer buffer
buffer
Normal Situation:
Exploited Situation:
User types in a password which is stored in the to overflow if the user is successfully
long enough buffer, and buffer and into the
authenticated, the authentication_variableSong
authentication_variable. The user Dawn is set.
is now unintentionally authenticated. 77
78. Computer Security Course. Dawn Song
Software Security (II):
Other types of software vulnerabilities
Dawn Song 78
79. Common Coding Errors
• Input validation vulnerabilities
• Memory management vulnerabilities
• TOCTTOU vulnerabilities
Dawn Song 79
80. Input validation vulnerabilities
• Program requires certain assumptions on
inputs to run properly
• Without correct checking for inputs
– Program gets exploited
• Example:
– Buffer overflow
– Format string
Dawn Song 80
81. Example I
unsigned int size;
Data **datalist;
size = GetUntrustedSizeValue();
datalist = (data **)malloc(size * sizeof(Data *));
for(int i=0; i<size; i++) {
datalist[i] = InitData();
}
datalist[size] = NULL;
...
Dawn Song 81
82. Example II
• char buf[80];
void vulnerable() {
int len = read_int_from_network();
char *p = read_string_from_network();
if (len > sizeof buf) {
error("length too large, nice try!");
return;
}
memcpy(buf, p, len);
}
• What's wrong with this code?
• Hint – memcpy() prototype:
– void *memcpy(void *dest, const void *src, size_t n);
• Definition of size_t: typedef unsigned int size_t;
• Do you see it now?
Dawn Song 82
83. Implicit Casting Bug
• Attacker provides a negative value for len
– if won’t notice anything wrong
– Execute memcpy() with negative third arg
– Third arg is implicitly cast to an unsigned int, and
becomes a very large positive int
– memcpy() copies huge amount of memory into buf,
yielding a buffer overrun!
• A signed/unsigned or an implicit casting bug
– Very nasty – hard to spot
• C compiler doesn’t warn about type mismatch
between signed int and unsigned int
– Silently inserts an implicit cast
Dawn Song 83
84. Example III (Integer Overflow)
• size_t len = read_int_from_network();
char *buf;
buf = malloc(len+5);
read(fd, buf, len);
...
• What’s wrong with this code?
– No buffer overrun problems (5 spare bytes)
– No sign problems (all ints are unsigned)
• But, len+5 can overflow if len is too large
– If len = 0xFFFFFFFF, then len+5 is 4
– Allocate 4-byte buffer then read a lot more than 4
bytes into it: classic buffer overrun!
• Know programming language’s semantics well to
avoid pitfalls Dawn Song 84
85. Example IV
char* ptr = (char*)malloc (SIZE);
if (err) {
abrt = 1;
free(ptr);
}
...
if (abrt) {
logError("operation aborted before commit", ptr);
}
• Use-after-free
• Corrupt memory
http://cwe.mitre.org Dawn Song 85
86. Example IV
char* ptr = (char*)malloc (SIZE);
...
if (abrt) {
free(ptr);
}
...
free(ptr);
• Double-free error
• Corrupts memory-management data structure
http://owasp.org Dawn Song 86
87. What are software vulnerabilities?
• Flaws in software
• Break certain assumptions important for security
– What assumptions broken in buffer overflow?
Dawn Song 87
88. Why does software have vulnerabilities?
• Programmers are humans!
– Humans make mistakes!
• Programmers were not security aware
• Programming languages are not designed well for
security
Dawn Song 88
89. What can you do?
• Programmers are humans!
– Humans make mistakes!
– Use tools! (next lecture)
• Programmers were not security aware
– Learn about different common classes of coding errors
• Programming languages are not designed well for
security
– Pick better languages
Dawn Song 89
93. Defense I: non-execute (W^X)
Prevent attack code execution by marking stack and
heap as non-executable
• NX-bit on AMD Athlon 64, XD-bit on Intel P4
Prescott
– NX bit in every Page Table Entry (PTE)
• Deployment:
– Linux (via PaX project); OpenBSD
– Windows: since XP SP2 (DEP)
• Boot.ini : /noexecute=OptIn or AlwaysOn
• Visual Studio: /NXCompat[:NO]
Dawn Song 93
94. Effectiveness and Limitations
• Limitations:
– Some apps need executable heap (e.g. JITs).
– Does not defend against `return-to-libc’ exploits
Code Injection Arc Injection
Stack Non-Execute (NX)*
Heap Non-Execute (NX)*
Exception Non-Execute (NX)*
Handlers
* When Applicable Dawn Song 94
95. Defense II: Address Randomization
ASLR: (Address Space Layout Randomization)
-0xFFFFFFFF
– Start stack at a random location
Reserved for Kernal
– Start heap at a random locatioin -0xC0000000
– Map shared libraries to rand location in process unused
user stack -0xBFF9AB20
memory user stack
Attacker cannot jump directly to exec
function
– Deployment: (/DynamicBase)
shared libraries
• Windows Vista: 8 bits of randomness for DLLs shared libraries -0x40000000
– aligned to 64K page in a 16MB region
256 choices
run time heap
• Linux (via PaX): 16 bits of randomness for run time heap
libraries
static data segment
– More effective on 64-bit architectures
text segment (program)
-0x08048000
Other randomization methods: unused
– Sys-call randomization: randomize sys-call id’s -0x00000000
Dawn Song
– Instruction Set Randomization (ISR) 95
96. Effectiveness and Limitations
• Limitations
– Randomness is limited
– Some vulnerabilities can allow secret to be leaked
Code Injection Arc Injection
Stack Non-Execute (NX)* ASLR
ASLR
Heap Non-Execute (NX)* ASLR
ASLR
Exception Non-Execute (NX)* ASLR
ASLR
Handlers
* When Applicable Dawn Song 96
97. Defense III: StackGuard
• Run time tests for stack integrity
arguments
• Embed “canaries” in stack frames return address
stack frame pointer
and verify their integrity prior to CANARY
function return local variables
Dawn Song 97
98. Canary Types
• Random canary:
– Random string chosen at program startup.
– Insert canary string into every stack frame.
– Verify canary before returning from function.
• Exit program if canary changed. Turns potential exploit into DoS.
– To exploit successfully, attacker must learn current random string.
• Terminator canary: Canary = {0, newline, linefeed, EOF}
– String functions will not copy beyond terminator.
– Attacker cannot use string functions to corrupt stack.
Dawn Song 98
99. StackGuard (Cont.)
• StackGuard implemented as a GCC patch.
– Program must be recompiled.
• Low performance effects: 8% for Apache.
• Note: Canaries don’t provide full proof protection.
– Some stack smashing attacks leave canaries unchanged
• Heap protection: PointGuard.
– Protects function pointers and setjmp buffers by
encrypting them: e.g. XOR with random cookie
– Less effective, more noticeable performance effects
Dawn Song 99
100. StackGuard enhancements: ProPolice
• ProPolice (IBM) - gcc 3.4.1. (-fstack-protector)
– Rearrange stack layout to prevent ptr overflow.
String
Growth arguments
Protects pointer args and local
return address pointers from a buffer overflow
stack frame pointer
CANARY
local string buffers
local string variables
Stack
Growth
local non-buffer
variables
pointers, but no arrays
copy of pointer args
Dawn Song 100
101. MS Visual Studio /GS [since 2003]
Compiler /GS option:
– Combination of ProPolice and Random canary.
– If cookie mismatch, default behavior is to call _exit(3)
Function prolog: Function epilog:
sub esp, 8 // allocate 8 bytes for cookie mov ecx, DWORD PTR [esp+8]
mov eax, DWORD PTR ___security_cookie xor ecx, esp
xor eax, esp // xor cookie with current esp call @__security_check_cookie@4
mov DWORD PTR [esp+8], eax // save in stack add esp, 8
Enhanced /GS in Visual Studio 2010:
– /GS protection added to all functions, unless can be proven unnecessary
Dawn Song 101
102. /GS stack frame
String
arguments
Growth
return address
stack frame pointer
Canary protects ret-addr and
exception handlers
exception handler frame
CANARY
local string buffers
local string variables
Stack local non-buffer
pointers, but no arrays
variables
Growth
Dawn Song 102
103. Effectiveness and Limitations
• Limitation:
– Evasion with exception handler * When Applicable
Code Injection Arc Injection
Stack Non-Execute (NX)* ASLR
ASLR StacKGuard(Canaries)
StacKGuard(Canaries) ProPolice
ProPolice /GS
/GS
Heap Non-Execute (NX)* ASLR
ASLR PointGuard
PointGuard
Exception Non-Execute (NX)* ASLR
ASLR
Handlers
Dawn Song 103
104. Evading /GS with exception handlers
• When exception is thrown, dispatcher walks handler
up exception list until handler is found
next
(else use default handler)
After overflow: handler points to attacker’s code
handler
exception triggered ⇒ control hijack
next
crafted
ptr
Main point: exception is triggered buffer
buffer
before canary is checked
handler
handler
SEH frame
next
next
105. Defense III: SAFESEH and SEHOP
• /SAFESEH: linker flag
– Linker produces a binary with a table of safe exception handlers
– System will not jump to exception handler not on list
• /SEHOP: platform defense (since win vista SP1)
– Observation: SEH attacks typically corrupt the “next” entry in SEH list.
– SEHOP: add a dummy record at top of SEH list
– When exception occurs, dispatcher walks up list and verifies dummy
record is there. If not, terminates process.
Dawn Song 105
Notas do Editor
Example 1: EmailAllow users to send desirable email, delivered to recipients Prevent delivery of bulk unwanted email (spam)Example 2: Web browsingAllow web users to visit many sites, in different browser tabsPrevent one visited site from interfering with session at anotherExample 3: Network infrastructureAllow hosts to communicate over the networkPrevent malicious hosts from causing denial of service
Dawn: CIA
Dawn: add graphics online banking
Dawn: CIA
Dawn: graphics
Dawn: add graphics
Dawn: add graphics
Dawn: add graphics, house + attackers
Dawn:Add graphics
Dawn: add animation & graphs for 2nd bullet
Dawn: add graphics
Dawn: add graphics * systems, security goals, threat model
Dawn: add graphics; network eavesdropper, active network attacker who can modify traffic, 0-day exploit, physical access to hardware, break crypto using quantum computersMax: it was pretty difficult to find images of all of these- I’ve included (from left to right) an image of a DOS attack, network eavesdropping (top), a MITM attack (bottom), and a “DES Cracker circuit board fitted with 32 Deep Crack chips and some control chips.” (images are taken from OWASP and Wikipedia)
Dawn: add graphics & animation
Dawn: add the same graphics for bullet 2 as before
Dawn: add graphics: C vs. Java, Chrome,
Chart w/ info fromwikipedia regarding browser vulnerabilities
Add figure: server and browser, http request & response
There was one more automated software audit tool…what was it…
ANI bug happened because /GS was not applied to function LoadAniIcon() since it did not contain string buffers. Visual Studio 2010 applies /GS protection more aggressively.
SAFESEH: safe structured exception handlingSEHOP: structured exception handling overwrite protection. Enabled with a regkeyDisableExceptionChainValidation.