SlideShare uma empresa Scribd logo

1.Buffer Overflows

P
phanleson

Course : Introduction to Big Data with Apache Spark : http://ouo.io/Mqc8L5 Course : Spark Fundamentals I : http://ouo.io/eiuoV Course : Functional Programming Principles in Scala : http://ouo.io/rh4vv

Tecnologia
1 de 52
Baixar para ler offline
Course 2: Programming Issues, Section 1 Pascal Meunier, Ph.D., M.Sc., CISSP Updated September 28, 2004 Developed thanks to the support of Symantec Corporation, NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center Copyright (2004) Purdue Research Foundation. All rights reserved.
Course 2 Learning Plan Buffer Overflows Format String Vulnerabilities Code Injection and Input Validation Cross-site Scripting Vulnerabilities Links and Race Conditions Temporary Files and Randomness Canonicalization and Directory Traversal
Learning objectives Understand the definition of a buffer overflow Learn the importance of buffer overflows Know how buffer overflows happen Know how to handle strings safely with regular "C" functions Learn safer ways to manipulate strings and buffers
"C" Programming Issues: Outline Definition Importance Examples Fundamental "C" problems Survey of unsafe functions Related Issues: Truncation, Character Encoding Safe string libraries Preventing buffer overflows without programming Lab: Write string manipulation functions
Buffer Overflows a.k.a. "Buffer Overrun" A buffer overflow happens when a program attempts to read or write data outside of the memory allocated for that data – Usually affects buffers of fixed size Special case of memory management and input validation
An Important Vulnerability Type Most Common (over 60% of CERT advisories) Well understood Easy to avoid in principle – Dont use "C" family languages, or be thorough – Can be tricky (off-by-one errors) – Tedious to do all the checks properly Temptation: "I don't need to because I control this data and I *know* that it will never be larger than this" – Until a hacker figures out how to change it
Example Overflow char B[10]; B[10] = x; Array starts at index zero So [10] is 11th element One byte outside buffer was referenced Off-by-one errors are common and can be exploitable!
Other Example function do_stuff(char * a) { char b[100]; ... strcpy(b, a); // (dest, source) ... } What is the size of the string located at “a”? Is it even a null-terminated string? What if it was "strcpy(a, b);" instead? – What is the size of the buffer pointed to by "a"?
What happens when memory outside a buffer is accessed? If memory doesn't exist: – Bus error If memory protection denies access: – Segmentation fault – General protection fault If access is allowed, memory next to the buffer can be accessed – Heap – Stack – Etc...
Real Life Example: efingerd.c, v. 1.6.2 int get_request (int d, char buffer[], u_short len) { u_short i; for (i=0; i< len; i++) { ... } buffer[i] = ‘0’; return i; } What is the value of "i" at the end of the loop? Which byte just got zeroed? It's tricky even if you try to get things right...
Real Life Example: efingerd.c, v. 1.5 CAN-2002-0423 static char *lookup_addr(struct in_addr in) { static char addr[100]; struct hostent *he; he = gethostbyaddr(...) strcpy (addr, he->h_name); return addr; } How big is he->h_name? Who controls the results of gethostbyaddr? How secure is DNS? Can you be tricked into looking up a maliciously engineered value?
A Typical Stack Exploit The stack contains: High Addresses Arguments – Parameters (arguments) to function Return Address – Return Address addr[99] – Local variables – Anything pushed on the stack addr[100+] overwrites the return address Stack grows addr[0] typically this way contains exploit addr[0] code Return address is chosen to point at exploit Low Addresses code!
Fundamental "C" Problems You can't know the length of buffers just from a pointer – Partial solution: pass the length as a separate argument "C" string functions aren't safe – No guarantees that the new string will be null-terminated! – Doing all checks completely and properly is tedious and tricky
Strlen What happens when you call strlen on an improperly terminated string? Strlen scans until a null character is found – Can scan outside buffer if string is not null-terminated – Can result in a segmentation fault or bus error Strlen is not safe to call! – Unless you positively know that the string is null- terminated... Are all the functions you use guaranteed to return a null- terminated string?
Strcpy char * strcpy(char * dst, const char * src); How can you use strcpy safely? – Set the last character of src to NUL According to the size of the buffer pointed to by src or a size parameter passed to you Not according to strlen(src)! Wide char array: sizeof(src)/sizeof(src[0]) -1 is the index of the last element – Check that the size of the src buffer is smaller than or equal to that of the dst buffer – Or allocate dst to be at least equal to the size of src
Strncpy char * strncpy(char * dst, const char * src, size_t len); "len" is maximum number of characters to copy – What is the correct value for len? Initial answer by most people: size of dst – If dst is an array, sizeof(dst) What if src is not NUL-terminated? – Don't want to read outside of src buffer – What is the correct value for "len" given that? Minimum buffer size of dst and src, -1 for NUL byte If arrays, – MIN(sizeof(dst), sizeof(src)) - 1
Strncpy (Cont.) Other issue: "dst" is NUL-terminated only if less than "len" characters were copied! – All calls to strncpy must be followed by a NUL-termination operation
Question What’s wrong with this? function do_stuff(char * a) { char b[100]; ... strncpy(b, a, strlen(a)); ... }
Question Answer What’s wrong with this? function do_stuff(char * a) { char b[100]; ... strncpy(b, a, strlen(a)); ... } The string pointed to by "a" could be larger than the size of "b"!
Question What’s wrong with this? function do_stuff(char * a) { char *b; ... b = malloc(strlen(a)+1); strncpy(b, a, strlen(a)); ... }
Question Answer What’s wrong with this? function do_stuff(char * a) { char *b; ... b = malloc(strlen(a)+1); strncpy(b, a, strlen(a)); ... } Are you absolutely certain that the string pointed to by "a" is NUL-terminated?
Strlcpy size_t strlcpy(char *dst, const char *src, size_t size); Guarantees to null-terminate string pointed to by "dst" if "size">0 The rest of the destination buffer is not zeroed as for strncpy, so better performance is obtained "size" can simply be size of dst (sizeof if an array) – If all functions are guaranteed to null-terminate strings, then it is safe to assume src is null-terminated – Not safe if src is not null-terminated! See http://www.courtesan.com/todd/papers/strlcpy.html for benchmarks and more info – Used in MacOS X, OpenBSD and more (but not Linux)
Note on Strlcpy As the remainder of the buffer is not zeroed, there could be information leakage
Corrected Efinger.c (v.1.6) sizeof is your friend, when you can use it (if an array) static char addr[100]; he = gethostbyaddr(...); if (he == NULL) strncpy(addr, inet_ntoa(in), sizeof(addr)); else strncpy(addr, he->h_name, sizeof(addr)); What is still wrong?
Corrected Efinger.c (v.1.6) Notice that the last byte of addr is not zeroed, so this code can produce non-NUL-terminated strings! static char addr[100]; he = gethostbyaddr(...); if (he == NULL) strncpy(addr, inet_ntoa(in), sizeof(addr)); else strncpy(addr, he->h_name, sizeof(addr));
Strcat char * strcat(char * s, const char * append); String pointed to by "append" is added at the end of the string contained in buffer "s" No check for size! – Need to do all checks beforehand – Example with arrays: if (sizeof(s)-strlen(s)-1 >= strlen(append)) strcat(s, append); Need to trust that "s" and "append" are NUL- terminated – Or set their last byte to NUL before the checks and call
Strncat char * strncat(char * s, const char * append, size_t count); No more than "count" characters are added, and then a NUL is added Correct call is complex: – strncat(s, append, sizeof(s)-strlen(s)-1) Not a great improvement on strcat, because you still need to calculate correctly the count – And then figure out if the string was truncated Need to trust that "s" and "append" are NUL- terminated – Or set their last byte to NUL before the checks and call
Strlcat size_t strlcat(char *dst, const char *src, size_t size); Call semantics are simple: – Strlcat(dst, src, dst_len); – If an array: strlcat(dst, src, sizeof(dst)); Safety: safe even if dst is not properly terminated – Won't read more than size characters from dst when looking for the append location Not safe if src is not properly terminated! – If dst is large and the buffer for src is small, then it could cause a segmentation fault or bus error, or copy confidential values
Issues with Truncating Strings Subsequent operations may fail or open up vulnerabilities – If string is a path, then it may not refer to the same thing, or be an invalid path Truncation means you weren't able to do what you wanted – You should handle that error instead of letting it go silently
Truncation Detection Truncation detection was simplified by strlcpy and strlcat, by changing the return value – The returned value is the size of what would have been copied if the destination had an infinite size if this is larger than the destination size, truncation occurred Source still needs to be NUL-terminated Inspired by snprintf and vsprintf, which do the same However, it still takes some consideration to make sure the test is correct: – if (strlcpy(dest, src, sizeof(dest)) >= sizeof(dest)) goto toolong;
Multi-Byte Character Encodings Handling of strings using variable-width encodings or multi-byte encodings is a problem – e.g., UTF-8 is 1-4 bytes long How long is the string? – In bytes – In characters Overflows are possible if size checks do not properly account for character encoding! .NET: System.String supports UTF-16 – Strings are immutable - no overflow possible there!
Safestr Free library available at: http://zork.org Features: – Works on UNIX and Windows – Buffer overflow protection – String format protection – "Taint-tracking" (à la Perl's taint mode) Limitations and differences: – Does not handle multi-byte characters – License: binaries must reproduce a copyright notice – NUL characters have no special meaning – Must use their library functions all the time (but conversion to regular "C" strings is easy)
Microsoft Strsafe Null-termination guaranteed Option for using either number of characters or bytes (for Unicode character encoding), and disallowing the other Option to treat truncation as a fatal error Define behavior upon error – Output buffer set to "" or filled Option to prevent information leaks – Pad rest of buffer However, correct calculations still needed – e.g., wcsncat requires calculating the remaining space in the destination string...
Future Microsoft Visual Studio 2005 will have a new series of safe string manipulation functions – strcpy_s() – strncpy_s() – strncat_s() – strlen_s() – etc... http://msdn.microsoft.com/library/default.asp?url=/li brary/en-us/dncode/html/secure05202002.asp Visual Studio 2005 (as of Beta 1) by default issues deprecation warnings on strcpy, strncpy, etc… Say goodbye to your old friends, they're too dangerous!
Other Unsafe Functions: sprintf family int sprintf(char *s, const char *format, /* args*/ ...); – Buffer "s" can be overflowed int snprintf(char *s, size_t n, const char *format, /* args*/ ...); – Does not guarantee NUL-termination of s on some platforms (Microsoft, Sun) – MacOS X: NUL-termination guaranteed – Which is it on the class server? Check with "man sprintf" int vsprintf(char * str, const char * format, va_list ap); – Buffer "str" can be overflowed
Gets, fgets char * gets(char *str); – Buffer "str" can be overflowed char * fgets(char * str, int size, FILE * stream); – Buffer "str" is not NUL-terminated if an I/O error occurs – If an error occurs, returns NULL – If end-of-file occurs before any characters are read, returns NULL also (and buffer is unchanged) – Callers must use feof(3) and ferror(3) to determine which occurred.
Conclusion Buffer sizes should be passed as a parameter with every pointer – Applies to other buffer manipulations besides strings Need simple truncation detection
Preventing Buffer Overflows Without Programming Idea: make the heap and stack non-executable – Because many buffer overflow attacks aim at executing code in the data that overflowed the buffer Doesn't prevent "return into libc" overflow attacks – Because the return address of the function on the stack points to a standard "C" function (e.g., "system"), this attack doesn't execute code on the stack e.g., ExecShield for Fedora Linux (used to be RedHat Linux)
Canaries on a Stack Add a few bytes containing special values between variables on the stack and the return address. Before the function returns, check that the values are intact. – If not, there's been a buffer overflow! Terminate program If the goal was a Denial-of-Service then it still happens – At least the machine is not compromised If the canary can be read by an attacker, then a buffer overflow exploit can be made to rewrite them – e.g., see string format vulnerabilities
Canary Implementations StackGuard Stack-Smashing Protector (SSP) – Formerly ProPolice – gcc modification – Used in OpenBSD – http://www.trl.ibm.com/projects/security/ssp/ Windows: /GS option for Visual C++ .NET These can be useful when testing too!
Protection Using Virtual Memory Pages Page: A chunk (unit) of virtual memory POSIX systems have three permissions for each page. – PROT_READ – PROT_WRITE – PROT_EXEC Idea: manipulate and enforce these permissions correctly to defend against buffer overflows – Make injected code non-executable
OpenBSD PROT_* purity (correct enforcement of permissions for pages in VM system; i386 and PowerPC architectures limit this) W^X (write permission is exclusive of execute) – Data shouldn't need to be executed! – Limits also self-modifying (machine) code .rodata (read-only data is enforced to be read-only on a separate page)
Windows Execution Protection "NX" (No Execute) Windows XP service pack 2 feature – Somewhat similar to POSIX permissions Requires processor support – AMD64 – Intel Itanium
Question A buffer overflow is not exploitable if: a) It happens in the heap b) It happens in the stack c) It happens where memory is not executable d) None of the above
Question A buffer overflow is not exploitable if: a) It happens in the heap b) It happens in the stack c) It happens where memory is not executable d) None of the above
Question Making some memory locations non-executable protects against which variants of buffer overflow attacks? a) Code in the overwritten data b) Return into libc c) Variable corruption
Question Making some memory locations non-executable protects against which variants of buffer overflow attacks? a) Code in the overwritten data b) Return into libc c) Variable corruption
Buffer Overflow Lab Create your own safe version of the strlen, strcpy, strcat – Name them mystrlen, mystrcpy and mystrcat – Pass buffer sizes for each pointer argument – Return 0 if successful, and 1 if truncation occurred Other error codes if you wish – Make your implementation pass all test cases int mystrlen(const char *s, size_t s_len); – In this case, return the string length, not zero or one. int mystrcpy(char * dst, const char * src, size_t dst_len, size_t src_len); int mystrcat(char * s, const char * append, size_t s_len, size_t a_len);
Things to Ponder What about 0 as source size? Error or not? What if “s” is NULL? What about overlapping buffers? Undefined everytime, or only in certain cases? What if reach the end in mystrlen? How efficient to make it -- how many passes at source string are made? What to check first? Reuse mystrlen within mystrcpy or mystrcat? Compare your implementations to strl*, strsafe, safestr, str*_s.
Questions or Comments?
About These Slides You are free to copy, distribute, display, and perform the work; and to make derivative works, under the following conditions. – You must give the original author and other contributors credit – The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes – For any reuse or distribution, you must make clear to others the terms of use for this work – Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification – For other uses please contact the Purdue Office of Technology Commercialization. Developed thanks to the support of Symantec Corporation
Pascal Meunier pmeunier@purdue.edu Contributors: Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera

Recomendados

Format String Vulnerability
Format String VulnerabilityFormat String Vulnerability
Format String Vulnerability
Jian-Yu Li
 
Workshop NGS data analysis - 3
Workshop NGS data analysis - 3Workshop NGS data analysis - 3
Workshop NGS data analysis - 3
Maté Ongenaert
 
Workshop NGS data analysis - 2
Workshop NGS data analysis - 2Workshop NGS data analysis - 2
Workshop NGS data analysis - 2
Maté Ongenaert
 
Encrypted message transmitter on public network
Encrypted message transmitter on public networkEncrypted message transmitter on public network
Encrypted message transmitter on public network
Rowshina Nikzad
 
LZ77 and LZ78 Compression Algorithms
LZ77 and LZ78 Compression AlgorithmsLZ77 and LZ78 Compression Algorithms
LZ77 and LZ78 Compression Algorithms
Mustafa GÖKÇE
 
Huffman coding
Huffman codingHuffman coding
Huffman coding
George Ang
 
Lec32
Lec32Lec32
Lec32
anithabalaprabhu
 
Huffman Code Decoding
Huffman Code DecodingHuffman Code Decoding
Huffman Code Decoding
Rex Yuan
 

Recomendados

Format String Vulnerability
Format String VulnerabilityFormat String Vulnerability
Format String Vulnerability
Jian-Yu Li
 
Workshop NGS data analysis - 3
Workshop NGS data analysis - 3Workshop NGS data analysis - 3
Workshop NGS data analysis - 3
Maté Ongenaert
 
Workshop NGS data analysis - 2
Workshop NGS data analysis - 2Workshop NGS data analysis - 2
Workshop NGS data analysis - 2
Maté Ongenaert
 
Encrypted message transmitter on public network
Encrypted message transmitter on public networkEncrypted message transmitter on public network
Encrypted message transmitter on public network
Rowshina Nikzad
 
LZ77 and LZ78 Compression Algorithms
LZ77 and LZ78 Compression AlgorithmsLZ77 and LZ78 Compression Algorithms
LZ77 and LZ78 Compression Algorithms
Mustafa GÖKÇE
 
Huffman coding
Huffman codingHuffman coding
Huffman coding
George Ang
 
Lec32
Lec32Lec32
Lec32
anithabalaprabhu
 
Huffman Code Decoding
Huffman Code DecodingHuffman Code Decoding
Huffman Code Decoding
Rex Yuan
 
Lossless
LosslessLossless
Lossless
anithabalaprabhu
 
CSMR10c.ppt
CSMR10c.pptCSMR10c.ppt
CSMR10c.ppt
Ptidej Team
 
Cryptography for developers
Cryptography for developersCryptography for developers
Cryptography for developers
Kai Koenig
 
Attention mechanisms with tensorflow
Attention mechanisms with tensorflowAttention mechanisms with tensorflow
Attention mechanisms with tensorflow
Keon Kim
 
Huffman Algorithm By Shuhin
Huffman Algorithm By ShuhinHuffman Algorithm By Shuhin
Huffman Algorithm By Shuhin
suhin4000
 
Lz77 (sliding window)
Lz77 (sliding window)Lz77 (sliding window)
Lz77 (sliding window)
MANISH T I
 
Huffman Coding
Huffman CodingHuffman Coding
Huffman Coding
anithabalaprabhu
 
Nagios Conference 2013 - BOF Nagios Plugins New Threshold Specification Syntax
Nagios Conference 2013 - BOF Nagios Plugins New Threshold Specification SyntaxNagios Conference 2013 - BOF Nagios Plugins New Threshold Specification Syntax
Nagios Conference 2013 - BOF Nagios Plugins New Threshold Specification Syntax
Nagios
 
Topics:LZ77 & LZ78
Topics:LZ77 & LZ78Topics:LZ77 & LZ78
Topics:LZ77 & LZ78
MUHAMMAD AAMIR
 
Huffman Coding
Huffman CodingHuffman Coding
Huffman Coding
Muhammad Saqib Rehan
 
Huffman and Arithmetic coding - Performance analysis
Huffman and Arithmetic coding - Performance analysisHuffman and Arithmetic coding - Performance analysis
Huffman and Arithmetic coding - Performance analysis
Ramakant Soni
 
Huffman Coding
Huffman CodingHuffman Coding
Huffman Coding
Ehtisham Ali
 
Ch02
Ch02Ch02
Ch02
Joe Christensen
 
Ch02 classic nemo
Ch02 classic nemoCh02 classic nemo
Ch02 classic nemo
Samia Elsayed
 
An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...
Claudio Capobianco
 
C# - What's next
C# - What's nextC# - What's next
C# - What's next
Christian Nagel
 
C++ CoreHard Autumn 2018. Text Formatting For a Future Range-Based Standard L...
C++ CoreHard Autumn 2018. Text Formatting For a Future Range-Based Standard L...C++ CoreHard Autumn 2018. Text Formatting For a Future Range-Based Standard L...
C++ CoreHard Autumn 2018. Text Formatting For a Future Range-Based Standard L...
corehard_by
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
Moabi.com
 
Huffman coding
Huffman codingHuffman coding
Huffman coding
Nihal Gupta
 
Rust Intro @ Roma Rust meetup
Rust Intro @ Roma Rust meetup Rust Intro @ Roma Rust meetup
Rust Intro @ Roma Rust meetup
Claudio Capobianco
 
EQUITY MARKET INTEGRATION IN SELECTED MARKETS: EVIDENCE FROM UNIT ROOT AND CO...
EQUITY MARKET INTEGRATION IN SELECTED MARKETS: EVIDENCE FROM UNIT ROOT AND CO...EQUITY MARKET INTEGRATION IN SELECTED MARKETS: EVIDENCE FROM UNIT ROOT AND CO...
EQUITY MARKET INTEGRATION IN SELECTED MARKETS: EVIDENCE FROM UNIT ROOT AND CO...
akjsk10
 
Design patterns
Design patternsDesign patterns
Design patterns
Jason Austin
 

Mais conteúdo relacionado

Mais procurados

Cryptography for developers
Cryptography for developersCryptography for developers
Cryptography for developers
Kai Koenig
 
An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...
Claudio Capobianco
 
C++ CoreHard Autumn 2018. Text Formatting For a Future Range-Based Standard L...
C++ CoreHard Autumn 2018. Text Formatting For a Future Range-Based Standard L...C++ CoreHard Autumn 2018. Text Formatting For a Future Range-Based Standard L...
C++ CoreHard Autumn 2018. Text Formatting For a Future Range-Based Standard L...
corehard_by
 

Mais procurados (20)

Lossless
LosslessLossless
Lossless
 
CSMR10c.ppt
CSMR10c.pptCSMR10c.ppt
CSMR10c.ppt
 
Cryptography for developers
Cryptography for developersCryptography for developers
Cryptography for developers
 
Attention mechanisms with tensorflow
Attention mechanisms with tensorflowAttention mechanisms with tensorflow
Attention mechanisms with tensorflow
 
Huffman Algorithm By Shuhin
Huffman Algorithm By ShuhinHuffman Algorithm By Shuhin
Huffman Algorithm By Shuhin
 
Lz77 (sliding window)
Lz77 (sliding window)Lz77 (sliding window)
Lz77 (sliding window)
 
Huffman Coding
Huffman CodingHuffman Coding
Huffman Coding
 
Nagios Conference 2013 - BOF Nagios Plugins New Threshold Specification Syntax
Nagios Conference 2013 - BOF Nagios Plugins New Threshold Specification SyntaxNagios Conference 2013 - BOF Nagios Plugins New Threshold Specification Syntax
Nagios Conference 2013 - BOF Nagios Plugins New Threshold Specification Syntax
 
Topics:LZ77 & LZ78
Topics:LZ77 & LZ78Topics:LZ77 & LZ78
Topics:LZ77 & LZ78
 
Huffman Coding
Huffman CodingHuffman Coding
Huffman Coding
 
Huffman and Arithmetic coding - Performance analysis
Huffman and Arithmetic coding - Performance analysisHuffman and Arithmetic coding - Performance analysis
Huffman and Arithmetic coding - Performance analysis
 
Huffman Coding
Huffman CodingHuffman Coding
Huffman Coding
 
Ch02
Ch02Ch02
Ch02
 
Ch02 classic nemo
Ch02 classic nemoCh02 classic nemo
Ch02 classic nemo
 
An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...An introduction to Rust: the modern programming language to develop safe and ...
An introduction to Rust: the modern programming language to develop safe and ...
 
C# - What's next
C# - What's nextC# - What's next
C# - What's next
 
C++ CoreHard Autumn 2018. Text Formatting For a Future Range-Based Standard L...
C++ CoreHard Autumn 2018. Text Formatting For a Future Range-Based Standard L...C++ CoreHard Autumn 2018. Text Formatting For a Future Range-Based Standard L...
C++ CoreHard Autumn 2018. Text Formatting For a Future Range-Based Standard L...
 
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese...
 
Huffman coding
Huffman codingHuffman coding
Huffman coding
 
Rust Intro @ Roma Rust meetup
Rust Intro @ Roma Rust meetup Rust Intro @ Roma Rust meetup
Rust Intro @ Roma Rust meetup
 

Destaque

Purchasing power parity a unit root, cointegration and var analysis in emergi...
Purchasing power parity a unit root, cointegration and var analysis in emergi...Purchasing power parity a unit root, cointegration and var analysis in emergi...
Purchasing power parity a unit root, cointegration and var analysis in emergi...
Giwrgos Loukopoulos
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
FFRI, Inc.
 
Representational State Transfer (REST)
Representational State Transfer (REST)Representational State Transfer (REST)
Representational State Transfer (REST)
David Krmpotic
 
Xcode, Basics and Beyond
Xcode, Basics and BeyondXcode, Basics and Beyond
Xcode, Basics and Beyond
rsebbe
 

Destaque (20)

EQUITY MARKET INTEGRATION IN SELECTED MARKETS: EVIDENCE FROM UNIT ROOT AND CO...
EQUITY MARKET INTEGRATION IN SELECTED MARKETS: EVIDENCE FROM UNIT ROOT AND CO...EQUITY MARKET INTEGRATION IN SELECTED MARKETS: EVIDENCE FROM UNIT ROOT AND CO...
EQUITY MARKET INTEGRATION IN SELECTED MARKETS: EVIDENCE FROM UNIT ROOT AND CO...
 
Design patterns
Design patternsDesign patterns
Design patterns
 
Connect.Tech- Enhancing Your Workflow With Xcode Source Editor Extensions
Connect.Tech- Enhancing Your Workflow With Xcode Source Editor ExtensionsConnect.Tech- Enhancing Your Workflow With Xcode Source Editor Extensions
Connect.Tech- Enhancing Your Workflow With Xcode Source Editor Extensions
 
Lampiran unit root test
Lampiran unit root testLampiran unit root test
Lampiran unit root test
 
Purchasing power parity a unit root, cointegration and var analysis in emergi...
Purchasing power parity a unit root, cointegration and var analysis in emergi...Purchasing power parity a unit root, cointegration and var analysis in emergi...
Purchasing power parity a unit root, cointegration and var analysis in emergi...
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization TechnologyA Hypervisor IPS based on Hardware Assisted Virtualization Technology
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
 
How to create a jQuery Modal Window
How to create a jQuery Modal WindowHow to create a jQuery Modal Window
How to create a jQuery Modal Window
 
Representational State Transfer (REST)
Representational State Transfer (REST)Representational State Transfer (REST)
Representational State Transfer (REST)
 
Creational pattern
Creational patternCreational pattern
Creational pattern
 
Intrinsic Encounter - Cognitive Load Theory
Intrinsic Encounter - Cognitive Load TheoryIntrinsic Encounter - Cognitive Load Theory
Intrinsic Encounter - Cognitive Load Theory
 
Web design trends for 2010
Web design trends for 2010Web design trends for 2010
Web design trends for 2010
 
Minimize Cognitive Load + Maximize Conversions : 10 Tips
Minimize Cognitive Load + Maximize Conversions : 10 TipsMinimize Cognitive Load + Maximize Conversions : 10 Tips
Minimize Cognitive Load + Maximize Conversions : 10 Tips
 
Buffer overflow and other software vulnerabilities: theory and practice of pr...
Buffer overflow and other software vulnerabilities: theory and practice of pr...Buffer overflow and other software vulnerabilities: theory and practice of pr...
Buffer overflow and other software vulnerabilities: theory and practice of pr...
 
Representational State Transfer (REST)
Representational State Transfer (REST)Representational State Transfer (REST)
Representational State Transfer (REST)
 
Lecture 13
Lecture 13Lecture 13
Lecture 13
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
 
Hardware support for efficient virtualization
Hardware support for efficient virtualizationHardware support for efficient virtualization
Hardware support for efficient virtualization
 
Xcode, Basics and Beyond
Xcode, Basics and BeyondXcode, Basics and Beyond
Xcode, Basics and Beyond
 
How to Run a 1,000,000 VU Load Test using Apache JMeter and BlazeMeter
How to Run a 1,000,000 VU Load Test using Apache JMeter and BlazeMeterHow to Run a 1,000,000 VU Load Test using Apache JMeter and BlazeMeter
How to Run a 1,000,000 VU Load Test using Apache JMeter and BlazeMeter
 
Load-testing 101 for Startups with Artillery.io
Load-testing 101 for Startups with Artillery.ioLoad-testing 101 for Startups with Artillery.io
Load-testing 101 for Startups with Artillery.io
 

Semelhante a 1.Buffer Overflows

2.Format Strings
2.Format Strings2.Format Strings
2.Format Strings
phanleson
 
Lecture 15_Strings and Dynamic Memory Allocation.pptx
Lecture 15_Strings and Dynamic Memory Allocation.pptxLecture 15_Strings and Dynamic Memory Allocation.pptx
Lecture 15_Strings and Dynamic Memory Allocation.pptx
JawadTanvir
 
C aptitude questions
C aptitude questionsC aptitude questions
C aptitude questions
Srikanth
 
C - aptitude3
C - aptitude3C - aptitude3
C - aptitude3
Srikanth
 
Ghost Vulnerability CVE-2015-0235
Ghost Vulnerability CVE-2015-0235Ghost Vulnerability CVE-2015-0235
Ghost Vulnerability CVE-2015-0235
Rajivarnan (Rajiv)
 

Semelhante a 1.Buffer Overflows (20)

Common mistakes in C programming
Common mistakes in C programmingCommon mistakes in C programming
Common mistakes in C programming
 
2.Format Strings
2.Format Strings2.Format Strings
2.Format Strings
 
Lecture 15_Strings and Dynamic Memory Allocation.pptx
Lecture 15_Strings and Dynamic Memory Allocation.pptxLecture 15_Strings and Dynamic Memory Allocation.pptx
Lecture 15_Strings and Dynamic Memory Allocation.pptx
 
Pepe Vila - Cache and Syphilis [rooted2019]
Pepe Vila - Cache and Syphilis [rooted2019]Pepe Vila - Cache and Syphilis [rooted2019]
Pepe Vila - Cache and Syphilis [rooted2019]
 
Getting started with Perl XS and Inline::C
Getting started with Perl XS and Inline::CGetting started with Perl XS and Inline::C
Getting started with Perl XS and Inline::C
 
Finding similar items in high dimensional spaces locality sensitive hashing
Finding similar items in high dimensional spaces locality sensitive hashingFinding similar items in high dimensional spaces locality sensitive hashing
Finding similar items in high dimensional spaces locality sensitive hashing
 
Дмитрий Селиванов, OK.RU. Finding Similar Items in high-dimensional spaces: L...
Дмитрий Селиванов, OK.RU. Finding Similar Items in high-dimensional spaces: L...Дмитрий Селиванов, OK.RU. Finding Similar Items in high-dimensional spaces: L...
Дмитрий Селиванов, OK.RU. Finding Similar Items in high-dimensional spaces: L...
 
Software Security
Software SecuritySoftware Security
Software Security
 
The Next Best String
The Next Best StringThe Next Best String
The Next Best String
 
C programming day#3.
C programming day#3.C programming day#3.
C programming day#3.
 
C aptitude questions
C aptitude questionsC aptitude questions
C aptitude questions
 
C - aptitude3
C - aptitude3C - aptitude3
C - aptitude3
 
Mathematicians: Trust, but Verify
Mathematicians: Trust, but VerifyMathematicians: Trust, but Verify
Mathematicians: Trust, but Verify
 
Best C++ Programming Homework Help
Best C++ Programming Homework HelpBest C++ Programming Homework Help
Best C++ Programming Homework Help
 
100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects100 bugs in Open Source C/C++ projects
100 bugs in Open Source C/C++ projects
 
Arrays & Strings.pptx
Arrays & Strings.pptxArrays & Strings.pptx
Arrays & Strings.pptx
 
Ghost
GhostGhost
Ghost
 
Ghost Vulnerability CVE-2015-0235
Ghost Vulnerability CVE-2015-0235Ghost Vulnerability CVE-2015-0235
Ghost Vulnerability CVE-2015-0235
 
C101 – Intro to Programming with C
C101 – Intro to Programming with CC101 – Intro to Programming with C
C101 – Intro to Programming with C
 
Strings in c++
Strings in c++Strings in c++
Strings in c++
 

Mais de phanleson

Lecture 1 - Getting to know XML
Lecture 1 - Getting to know XMLLecture 1 - Getting to know XML
Lecture 1 - Getting to know XML
phanleson
 

Mais de phanleson (20)

Learning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with SparkLearning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with Spark
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
 
Authentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless ProtocolsAuthentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless Protocols
 
E-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server AttacksE-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server Attacks
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
HBase In Action - Chapter 04: HBase table design
HBase In Action - Chapter 04: HBase table designHBase In Action - Chapter 04: HBase table design
HBase In Action - Chapter 04: HBase table design
 
HBase In Action - Chapter 10 - Operations
HBase In Action - Chapter 10 - OperationsHBase In Action - Chapter 10 - Operations
HBase In Action - Chapter 10 - Operations
 
Hbase in action - Chapter 09: Deploying HBase
Hbase in action - Chapter 09: Deploying HBaseHbase in action - Chapter 09: Deploying HBase
Hbase in action - Chapter 09: Deploying HBase
 
Learning spark ch11 - Machine Learning with MLlib
Learning spark ch11 - Machine Learning with MLlibLearning spark ch11 - Machine Learning with MLlib
Learning spark ch11 - Machine Learning with MLlib
 
Learning spark ch10 - Spark Streaming
Learning spark ch10 - Spark StreamingLearning spark ch10 - Spark Streaming
Learning spark ch10 - Spark Streaming
 
Learning spark ch09 - Spark SQL
Learning spark ch09 - Spark SQLLearning spark ch09 - Spark SQL
Learning spark ch09 - Spark SQL
 
Learning spark ch07 - Running on a Cluster
Learning spark ch07 - Running on a ClusterLearning spark ch07 - Running on a Cluster
Learning spark ch07 - Running on a Cluster
 
Learning spark ch06 - Advanced Spark Programming
Learning spark ch06 - Advanced Spark ProgrammingLearning spark ch06 - Advanced Spark Programming
Learning spark ch06 - Advanced Spark Programming
 
Learning spark ch05 - Loading and Saving Your Data
Learning spark ch05 - Loading and Saving Your DataLearning spark ch05 - Loading and Saving Your Data
Learning spark ch05 - Loading and Saving Your Data
 
Learning spark ch04 - Working with Key/Value Pairs
Learning spark ch04 - Working with Key/Value PairsLearning spark ch04 - Working with Key/Value Pairs
Learning spark ch04 - Working with Key/Value Pairs
 
Learning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with SparkLearning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with Spark
 
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about LibertagiaHướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
 
Lecture 1 - Getting to know XML
Lecture 1 - Getting to know XMLLecture 1 - Getting to know XML
Lecture 1 - Getting to know XML
 
Lecture 4 - Adding XTHML for the Web
Lecture 4 - Adding XTHML for the WebLecture 4 - Adding XTHML for the Web
Lecture 4 - Adding XTHML for the Web
 

Último

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Último (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

1.Buffer Overflows

  • 1. Course 2: Programming Issues, Section 1 Pascal Meunier, Ph.D., M.Sc., CISSP Updated September 28, 2004 Developed thanks to the support of Symantec Corporation, NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center Copyright (2004) Purdue Research Foundation. All rights reserved.
  • 2. Course 2 Learning Plan Buffer Overflows Format String Vulnerabilities Code Injection and Input Validation Cross-site Scripting Vulnerabilities Links and Race Conditions Temporary Files and Randomness Canonicalization and Directory Traversal
  • 3. Learning objectives Understand the definition of a buffer overflow Learn the importance of buffer overflows Know how buffer overflows happen Know how to handle strings safely with regular "C" functions Learn safer ways to manipulate strings and buffers
  • 4. "C" Programming Issues: Outline Definition Importance Examples Fundamental "C" problems Survey of unsafe functions Related Issues: Truncation, Character Encoding Safe string libraries Preventing buffer overflows without programming Lab: Write string manipulation functions
  • 5. Buffer Overflows a.k.a. "Buffer Overrun" A buffer overflow happens when a program attempts to read or write data outside of the memory allocated for that data – Usually affects buffers of fixed size Special case of memory management and input validation
  • 6. An Important Vulnerability Type Most Common (over 60% of CERT advisories) Well understood Easy to avoid in principle – Dont use "C" family languages, or be thorough – Can be tricky (off-by-one errors) – Tedious to do all the checks properly Temptation: "I don't need to because I control this data and I *know* that it will never be larger than this" – Until a hacker figures out how to change it
  • 7. Example Overflow char B[10]; B[10] = x; Array starts at index zero So [10] is 11th element One byte outside buffer was referenced Off-by-one errors are common and can be exploitable!
  • 8. Other Example function do_stuff(char * a) { char b[100]; ... strcpy(b, a); // (dest, source) ... } What is the size of the string located at “a”? Is it even a null-terminated string? What if it was "strcpy(a, b);" instead? – What is the size of the buffer pointed to by "a"?
  • 9. What happens when memory outside a buffer is accessed? If memory doesn't exist: – Bus error If memory protection denies access: – Segmentation fault – General protection fault If access is allowed, memory next to the buffer can be accessed – Heap – Stack – Etc...
  • 10. Real Life Example: efingerd.c, v. 1.6.2 int get_request (int d, char buffer[], u_short len) { u_short i; for (i=0; i< len; i++) { ... } buffer[i] = ‘0’; return i; } What is the value of "i" at the end of the loop? Which byte just got zeroed? It's tricky even if you try to get things right...
  • 11. Real Life Example: efingerd.c, v. 1.5 CAN-2002-0423 static char *lookup_addr(struct in_addr in) { static char addr[100]; struct hostent *he; he = gethostbyaddr(...) strcpy (addr, he->h_name); return addr; } How big is he->h_name? Who controls the results of gethostbyaddr? How secure is DNS? Can you be tricked into looking up a maliciously engineered value?
  • 12. A Typical Stack Exploit The stack contains: High Addresses Arguments – Parameters (arguments) to function Return Address – Return Address addr[99] – Local variables – Anything pushed on the stack addr[100+] overwrites the return address Stack grows addr[0] typically this way contains exploit addr[0] code Return address is chosen to point at exploit Low Addresses code!
  • 13. Fundamental "C" Problems You can't know the length of buffers just from a pointer – Partial solution: pass the length as a separate argument "C" string functions aren't safe – No guarantees that the new string will be null-terminated! – Doing all checks completely and properly is tedious and tricky
  • 14. Strlen What happens when you call strlen on an improperly terminated string? Strlen scans until a null character is found – Can scan outside buffer if string is not null-terminated – Can result in a segmentation fault or bus error Strlen is not safe to call! – Unless you positively know that the string is null- terminated... Are all the functions you use guaranteed to return a null- terminated string?
  • 15. Strcpy char * strcpy(char * dst, const char * src); How can you use strcpy safely? – Set the last character of src to NUL According to the size of the buffer pointed to by src or a size parameter passed to you Not according to strlen(src)! Wide char array: sizeof(src)/sizeof(src[0]) -1 is the index of the last element – Check that the size of the src buffer is smaller than or equal to that of the dst buffer – Or allocate dst to be at least equal to the size of src
  • 16. Strncpy char * strncpy(char * dst, const char * src, size_t len); "len" is maximum number of characters to copy – What is the correct value for len? Initial answer by most people: size of dst – If dst is an array, sizeof(dst) What if src is not NUL-terminated? – Don't want to read outside of src buffer – What is the correct value for "len" given that? Minimum buffer size of dst and src, -1 for NUL byte If arrays, – MIN(sizeof(dst), sizeof(src)) - 1
  • 17. Strncpy (Cont.) Other issue: "dst" is NUL-terminated only if less than "len" characters were copied! – All calls to strncpy must be followed by a NUL-termination operation
  • 18. Question What’s wrong with this? function do_stuff(char * a) { char b[100]; ... strncpy(b, a, strlen(a)); ... }
  • 19. Question Answer What’s wrong with this? function do_stuff(char * a) { char b[100]; ... strncpy(b, a, strlen(a)); ... } The string pointed to by "a" could be larger than the size of "b"!
  • 20. Question What’s wrong with this? function do_stuff(char * a) { char *b; ... b = malloc(strlen(a)+1); strncpy(b, a, strlen(a)); ... }
  • 21. Question Answer What’s wrong with this? function do_stuff(char * a) { char *b; ... b = malloc(strlen(a)+1); strncpy(b, a, strlen(a)); ... } Are you absolutely certain that the string pointed to by "a" is NUL-terminated?
  • 22. Strlcpy size_t strlcpy(char *dst, const char *src, size_t size); Guarantees to null-terminate string pointed to by "dst" if "size">0 The rest of the destination buffer is not zeroed as for strncpy, so better performance is obtained "size" can simply be size of dst (sizeof if an array) – If all functions are guaranteed to null-terminate strings, then it is safe to assume src is null-terminated – Not safe if src is not null-terminated! See http://www.courtesan.com/todd/papers/strlcpy.html for benchmarks and more info – Used in MacOS X, OpenBSD and more (but not Linux)
  • 23. Note on Strlcpy As the remainder of the buffer is not zeroed, there could be information leakage
  • 24. Corrected Efinger.c (v.1.6) sizeof is your friend, when you can use it (if an array) static char addr[100]; he = gethostbyaddr(...); if (he == NULL) strncpy(addr, inet_ntoa(in), sizeof(addr)); else strncpy(addr, he->h_name, sizeof(addr)); What is still wrong?
  • 25. Corrected Efinger.c (v.1.6) Notice that the last byte of addr is not zeroed, so this code can produce non-NUL-terminated strings! static char addr[100]; he = gethostbyaddr(...); if (he == NULL) strncpy(addr, inet_ntoa(in), sizeof(addr)); else strncpy(addr, he->h_name, sizeof(addr));
  • 26. Strcat char * strcat(char * s, const char * append); String pointed to by "append" is added at the end of the string contained in buffer "s" No check for size! – Need to do all checks beforehand – Example with arrays: if (sizeof(s)-strlen(s)-1 >= strlen(append)) strcat(s, append); Need to trust that "s" and "append" are NUL- terminated – Or set their last byte to NUL before the checks and call
  • 27. Strncat char * strncat(char * s, const char * append, size_t count); No more than "count" characters are added, and then a NUL is added Correct call is complex: – strncat(s, append, sizeof(s)-strlen(s)-1) Not a great improvement on strcat, because you still need to calculate correctly the count – And then figure out if the string was truncated Need to trust that "s" and "append" are NUL- terminated – Or set their last byte to NUL before the checks and call
  • 28. Strlcat size_t strlcat(char *dst, const char *src, size_t size); Call semantics are simple: – Strlcat(dst, src, dst_len); – If an array: strlcat(dst, src, sizeof(dst)); Safety: safe even if dst is not properly terminated – Won't read more than size characters from dst when looking for the append location Not safe if src is not properly terminated! – If dst is large and the buffer for src is small, then it could cause a segmentation fault or bus error, or copy confidential values
  • 29. Issues with Truncating Strings Subsequent operations may fail or open up vulnerabilities – If string is a path, then it may not refer to the same thing, or be an invalid path Truncation means you weren't able to do what you wanted – You should handle that error instead of letting it go silently
  • 30. Truncation Detection Truncation detection was simplified by strlcpy and strlcat, by changing the return value – The returned value is the size of what would have been copied if the destination had an infinite size if this is larger than the destination size, truncation occurred Source still needs to be NUL-terminated Inspired by snprintf and vsprintf, which do the same However, it still takes some consideration to make sure the test is correct: – if (strlcpy(dest, src, sizeof(dest)) >= sizeof(dest)) goto toolong;
  • 31. Multi-Byte Character Encodings Handling of strings using variable-width encodings or multi-byte encodings is a problem – e.g., UTF-8 is 1-4 bytes long How long is the string? – In bytes – In characters Overflows are possible if size checks do not properly account for character encoding! .NET: System.String supports UTF-16 – Strings are immutable - no overflow possible there!
  • 32. Safestr Free library available at: http://zork.org Features: – Works on UNIX and Windows – Buffer overflow protection – String format protection – "Taint-tracking" (à la Perl's taint mode) Limitations and differences: – Does not handle multi-byte characters – License: binaries must reproduce a copyright notice – NUL characters have no special meaning – Must use their library functions all the time (but conversion to regular "C" strings is easy)
  • 33. Microsoft Strsafe Null-termination guaranteed Option for using either number of characters or bytes (for Unicode character encoding), and disallowing the other Option to treat truncation as a fatal error Define behavior upon error – Output buffer set to "" or filled Option to prevent information leaks – Pad rest of buffer However, correct calculations still needed – e.g., wcsncat requires calculating the remaining space in the destination string...
  • 34. Future Microsoft Visual Studio 2005 will have a new series of safe string manipulation functions – strcpy_s() – strncpy_s() – strncat_s() – strlen_s() – etc... http://msdn.microsoft.com/library/default.asp?url=/li brary/en-us/dncode/html/secure05202002.asp Visual Studio 2005 (as of Beta 1) by default issues deprecation warnings on strcpy, strncpy, etc… Say goodbye to your old friends, they're too dangerous!
  • 35. Other Unsafe Functions: sprintf family int sprintf(char *s, const char *format, /* args*/ ...); – Buffer "s" can be overflowed int snprintf(char *s, size_t n, const char *format, /* args*/ ...); – Does not guarantee NUL-termination of s on some platforms (Microsoft, Sun) – MacOS X: NUL-termination guaranteed – Which is it on the class server? Check with "man sprintf" int vsprintf(char * str, const char * format, va_list ap); – Buffer "str" can be overflowed
  • 36. Gets, fgets char * gets(char *str); – Buffer "str" can be overflowed char * fgets(char * str, int size, FILE * stream); – Buffer "str" is not NUL-terminated if an I/O error occurs – If an error occurs, returns NULL – If end-of-file occurs before any characters are read, returns NULL also (and buffer is unchanged) – Callers must use feof(3) and ferror(3) to determine which occurred.
  • 37. Conclusion Buffer sizes should be passed as a parameter with every pointer – Applies to other buffer manipulations besides strings Need simple truncation detection
  • 38. Preventing Buffer Overflows Without Programming Idea: make the heap and stack non-executable – Because many buffer overflow attacks aim at executing code in the data that overflowed the buffer Doesn't prevent "return into libc" overflow attacks – Because the return address of the function on the stack points to a standard "C" function (e.g., "system"), this attack doesn't execute code on the stack e.g., ExecShield for Fedora Linux (used to be RedHat Linux)
  • 39. Canaries on a Stack Add a few bytes containing special values between variables on the stack and the return address. Before the function returns, check that the values are intact. – If not, there's been a buffer overflow! Terminate program If the goal was a Denial-of-Service then it still happens – At least the machine is not compromised If the canary can be read by an attacker, then a buffer overflow exploit can be made to rewrite them – e.g., see string format vulnerabilities
  • 40. Canary Implementations StackGuard Stack-Smashing Protector (SSP) – Formerly ProPolice – gcc modification – Used in OpenBSD – http://www.trl.ibm.com/projects/security/ssp/ Windows: /GS option for Visual C++ .NET These can be useful when testing too!
  • 41. Protection Using Virtual Memory Pages Page: A chunk (unit) of virtual memory POSIX systems have three permissions for each page. – PROT_READ – PROT_WRITE – PROT_EXEC Idea: manipulate and enforce these permissions correctly to defend against buffer overflows – Make injected code non-executable
  • 42. OpenBSD PROT_* purity (correct enforcement of permissions for pages in VM system; i386 and PowerPC architectures limit this) W^X (write permission is exclusive of execute) – Data shouldn't need to be executed! – Limits also self-modifying (machine) code .rodata (read-only data is enforced to be read-only on a separate page)
  • 43. Windows Execution Protection "NX" (No Execute) Windows XP service pack 2 feature – Somewhat similar to POSIX permissions Requires processor support – AMD64 – Intel Itanium
  • 44. Question A buffer overflow is not exploitable if: a) It happens in the heap b) It happens in the stack c) It happens where memory is not executable d) None of the above
  • 45. Question A buffer overflow is not exploitable if: a) It happens in the heap b) It happens in the stack c) It happens where memory is not executable d) None of the above
  • 46. Question Making some memory locations non-executable protects against which variants of buffer overflow attacks? a) Code in the overwritten data b) Return into libc c) Variable corruption
  • 47. Question Making some memory locations non-executable protects against which variants of buffer overflow attacks? a) Code in the overwritten data b) Return into libc c) Variable corruption
  • 48. Buffer Overflow Lab Create your own safe version of the strlen, strcpy, strcat – Name them mystrlen, mystrcpy and mystrcat – Pass buffer sizes for each pointer argument – Return 0 if successful, and 1 if truncation occurred Other error codes if you wish – Make your implementation pass all test cases int mystrlen(const char *s, size_t s_len); – In this case, return the string length, not zero or one. int mystrcpy(char * dst, const char * src, size_t dst_len, size_t src_len); int mystrcat(char * s, const char * append, size_t s_len, size_t a_len);
  • 49. Things to Ponder What about 0 as source size? Error or not? What if “s” is NULL? What about overlapping buffers? Undefined everytime, or only in certain cases? What if reach the end in mystrlen? How efficient to make it -- how many passes at source string are made? What to check first? Reuse mystrlen within mystrcpy or mystrcat? Compare your implementations to strl*, strsafe, safestr, str*_s.
  • 51. About These Slides You are free to copy, distribute, display, and perform the work; and to make derivative works, under the following conditions. – You must give the original author and other contributors credit – The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes – For any reuse or distribution, you must make clear to others the terms of use for this work – Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification – For other uses please contact the Purdue Office of Technology Commercialization. Developed thanks to the support of Symantec Corporation
  • 52. Pascal Meunier pmeunier@purdue.edu Contributors: Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera