Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns

About This Presentation

Title:

Description:

Number of Views:155

Avg rating:3.0/5.0

Slides: 17

Provided by: Carl1179

Learn more at: https://home.cs.colorado.edu

Category:

more less

Transcript and Presenter's Notes

Title: Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns

1
Beyond Stack SmashingRecent Advances in
ExploitingBuffer Overruns

Carl Hartung CSCI 7143 Secure Sensor Networks
2
Overview

3
What is a Buffer Overrun?

When a program attempts to read or write beyond
the end of a bounded array (also known as a
buffer)
Typically, attackers use this to modify a return
address saved on the stack to point to code
residing in a stack buffer at a known location

4
Examples

5
How does it work?

bottom of stack
top of stack
buffer sfp ret str

6
How does it work? contd

bottom of stack
top of stack
buffer sfp ret str sssssssssssssss
0xD8.
7
Stack Smashing

void f1a (void arg, size_t len)
char buff100
memcpy(buf, arg, len) / buffer
overrun if len gt 100 /
return
Attacker must provide a value for arg that
contains an executable payload and the address
here the payload will be loaded into memory (the
address of buff).
Program control transferred to buff rather than
return to the calling procedure.

8
Stack Smashing -- Enhancements

Trampolining
If buffs absolute address is not known ahead of
time, an attacker can use a program register R
containing a value relative to buff by first
transferring control to a sequence of
instructions that indirectly transfers via R.
Find the address on the stack using instructions
pop/pop/return
Separating payload (attackers code) from the
buffer overrun operation.
Storing code in an environment variable
Good for overrunning small buffers

9
Arc Injection

Attacker supplies data that, when a program
operates on that data, causes a desired (by the
attacker) effect.
Uses a stack buffer overrun to modify return
address to point to a location already in the
programs address space.
Usually the system function in the C stdlib.
Useful when the program has non-executable stacks

10
Pointer Subterfuge

11
Function-pointer Clobbering

12
Data-pointer modification

13
Exception-handler hijacking

When an exception is generated, Windows examines
a linked list of exception handlers (registered
by program when it starts) and invokes one or
more of them via function pointers stored in the
list. Because the list entries are stored on the
stack, it is possible to replace the
exception-handler function pointer with a buffer
overflow.
The known variations of this vulnerability are
supposedly fixed in WindowsXP SP2.

14
VPTR smashing

VTBL (associated with each class) is an array of
function pointers used at runtime to implement
dynamic dispatch.
Objects point to appropriate VTBL with virtual
pointers (VPTR) stored as part of the objects
header. Replacing the VPTR with a pointer to an
attacker supplied VTBL transfers control when the
next virtual function is invoked.
Can apply to both stack and heap overruns

15
Heap smashing

Allocators keep headers for each heap block
chained together in a doublely linked list of
allocated and freed blocks.
If you have three adjacent blocks X, Y, Z an
overrun of X into Y can corrupt pointers in Ys
header, and lead to modification of arbitrary
memory locations when Y is freed.
More complicated because
Attacker typically doesnt know the heap blocks
location ahead of time
Difficult to predict when heap-free operation
will occur.
Difficult (especially in with multiple threads)
to predict whether the next block has been
allocated at time of overrun.