Buffer Overflow Attacks and Defenses: Types, Methods, and Tools, Slides of Advanced Operating Systems

An overview of buffer overflow attacks, their methods, and the techniques used to prevent them. Topics include stack smashing attacks, function pointers, longjmp buffers, finding buffer overflows, and preventing them through type-safe languages, marking the stack as non-execute, run-time checking, and more. Also covered are viruses and worms, mobile code security, and java security.

Typology: Slides

2011/2012

Uploaded on 08/06/2012

dharmesh
dharmesh 🇮🇳

4.1

(9)

87 documents

1 / 20

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
Lecture No.
43
docsity.com
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14

Partial preview of the text

Download Buffer Overflow Attacks and Defenses: Types, Methods, and Tools and more Slides Advanced Operating Systems in PDF only on Docsity!

Lecture No.

Overview of today’s lecture

 Types of buffer overflow attacks

 Methods for fighting buffer overflows

 StackGuard and PointGuard

 Libsafe

 Address obfuscation

 Viruses and worms

 Mobile code security & sandboxing

 Java security

Finding buffer overflows

 Hackers find buffer overflows as follows:  Run web server on local machine.  Issue requests with long tags. All long tags end with “$$$$$”.  If web server crashes, search core dump for “$$$$$” to find overflow location.

 Some automated tools exist. (eEye Retina, ISIC).

Preventing buf overflow attacks

 Main problem:  strcpy(), strcat(), sprintf() have no range checking.  “Safe” versions strncpy(), strncat() are misleading  strncpy() may leave buffer unterminated.  Defenses:  Type safe languages (Java, ML). Legacy code?  Mark stack as non-execute.  Static source code analysis.  Run time checking: StackGuard, Libsafe, SafeC, (Purify).  Black box testing (e.g. eEye Retina, ISIC ).

Run time checking: StackGuard

 Many many run-time checking techniques …

 Solutions 1: StackGuard (WireX)  Run time tests for stack integrity.  Embed “canaries” in stack frames and verify their integrity prior to function return.

local sfp ret^ str

top of local canary sfp ret str canary stack

Frame 2 Frame 1

Canary Types

 Random canary:  Choose random string at program startup.  Insert canary string into every stack frame.  Verify canary before returning from function.  To corrupt random canary, attacker must learn current random string.

 Terminator canary: Canary = 0, newline, linefeed, EOF  String functions will not copy beyond terminator.  Hence, attacker cannot use string functions to corrupt stack.

Run time checking: Libsafe

 Solutions 2: Libsafe (Avaya Labs)  Dynamically loaded library.  Intercepts calls to strcpy (dest, src)  Validates sufficient space in current stack frame: |frame-pointer – dest| > strlen(src)  If so, does strcpy. Otherwise, terminates application.

More methods …

 Address obfuscation. (Stony Brook ’03)  Encrypt return address on stack by XORing with random string. Decrypt just before returning from function.  Attacker needs decryption key to set return address to desired value.

 Randomize location of functions in libc.  Attacker cannot jump directly to exec function.

How Viruses Work (1)

 Virus written in assembly language

 Inserted into another program

 use tool called a “dropper”

 Virus dormant until program executed

 then infects other programs

 eventually executes its “payload”

How Viruses Work

 An executable program  With a virus at the front  With the virus at the end  With a virus spread over free space within program

Antivirus and Anti-Antivirus Techniques

 Signature based  Integrity checkers  Behavioral checkers  Virus avoidance  good OS  install only shrink-wrapped software  use antivirus software  do not click on attachments to email  frequent backups  Recovery from virus attack  halt computer, reboot from safe disk, run antivirus

Mobile Code (1) Sandboxing

(a) Memory divided into 1-MB sandboxes (b) One way of checking an instruction for validity

Mobile Code (3)

How code signing works

Java Security (1)

 A type safe language  compiler rejects attempts to misuse variable

 Checks include …

  1. Attempts to forge pointers
  2. Violation of access restrictions on private class members
  3. Misuse of variables by type
  4. Generation of stack over/underflows
  5. Illegal conversion of variables to another type