2017Fall:Software Security Lecture 3:Buffer Overflow Attack Bing Mao maobingOnju.edu.cn Department of Computer Science
2017Fall:Software Security Lecture 3 : Buffer Overflow Attack Bing Mao maobing@nju.edu.cn Department of Computer Science
Outline Buffer Overflow:The Essentials Soltware Security Vulnerability Metrics What are Buffer Overflow? Bufler Overflow;The Essentials Basic Example Shellcode 五4eE Definition Shellcode Basic Example Dafieien Shell-Spawning Shellcode Shali-Spamning A Real World Buffer Overflow Attack A Real Word Butter Overflow Attac比 Key Point A vulnerability in Easy RM to MP3 Conversion How to hack the vulnerable program 学■n Integer Overflow Inleger Overfiow Owerve Overview AAd出E A Real World Example lrtagar Diuifen Common Patterns in Integer Overflow Hesp Overflow mt士sM年到 Heap Overflow Ahgad Ex=年 What is the Heap? An Abstract Example Naning Ueivarsiy
83 Software Security Buffer Overflow:The Essentials Vulnerability Metrics What are Buffer Overflow? Basic Example Shellcode Definition Basic Example Shell-Spawning Shellcode A Real World Buffer Overflow Attack Key Point A vulnerability in Easy RM to MP3 Conversion How to hack the vulnerable program Integer Overflow Overview A Real World Example Common Patterns in Integer Overflow Heap Overflow What is the Heap? An Abstract Example Dept. of Computer Science, Nanjing University Outline Buffer Overflow:The Essentials Vulnerability Metrics What are Buffer Overflow? Basic Example Shellcode Definition Basic Example Shell-Spawning Shellcode A Real World Buffer Overflow Attack Key Point A vulnerability in Easy RM to MP3 Conversion How to hack the vulnerable program Integer Overflow Overview A Real World Example Common Patterns in Integer Overflow Heap Overflow What is the Heap? An Abstract Example
Illustrate Soltware Security Bufler Overflow;The Essentials 五4eE Shellcode Credit:a portion of the slides in this lecture are compiled from Shali-Spamning Dr.David Brumley and also from book CSAPP. A Real Waric时Buie Overflow Attac比 学■n Inleger Overfiow Overveu AdM出En litagar Diaife Hesp Overflaw m过士aM年 M Ahgad Ea=年 Nanjng Uivarsiy
83 Software Security Buffer Overflow:The Essentials Vulnerability Metrics What are Buffer Overflow? Basic Example Shellcode Definition Basic Example Shell-Spawning Shellcode A Real World Buffer Overflow Attack Key Point A vulnerability in Easy RM to MP3 Conversion How to hack the vulnerable program Integer Overflow Overview A Real World Example Common Patterns in Integer Overflow Heap Overflow What is the Heap? An Abstract Example Dept. of Computer Science, Nanjing University Illustrate Credit:a portion of the slides in this lecture are compiled from Dr.David Brumley and also from book CSAPP
Buffer Overflow:The Essentials Vulnerability Metrics Soltware Security Vulnerability Metrics Essentials Mungrublzy Matrica 400 Banc Elurnphe 350 Shellcode Dufincien 250 Shali-Spamning A Real Word Butter 200 Overflow Attac比 150 学■n 50 Inleger Overfiow Overvie 2011 2012 2013 2014 2015 Aah出E -◆-Windows PC Mac 0S X Windows server ◆-Android Hesp Overflow mt士sM年到 M Ahgtad Exapi Nanjng Uivarsiy
83 Software Security Buffer Overflow:The Essentials 4 Vulnerability Metrics What are Buffer Overflow? Basic Example Shellcode Definition Basic Example Shell-Spawning Shellcode A Real World Buffer Overflow Attack Key Point A vulnerability in Easy RM to MP3 Conversion How to hack the vulnerable program Integer Overflow Overview A Real World Example Common Patterns in Integer Overflow Heap Overflow What is the Heap? An Abstract Example Dept. of Computer Science, Nanjing University Buffer Overflow:The Essentials Vulnerability Metrics Vulnerability Metrics
Buffer Overflow:The Essentials Vulnerability Metrics Soltware Security Vulnerability Metrics:Buffer Overflow Essentials 5 Mungrublzy Matrica 1100 Banc Elurnphe 1000 Shellcode Dufincien Shali-Spamning A Real Word Butter Overflow Attac比 学■n Inleger Overfiow Overvie 2010 2011 2012 201 2014 2015 Aah出E Butfer overflow -Input validation Resource mangement etror Code inocoon SOL injection Hesp Overflaw mt士sM年到 M Ahead E-年 Naning Ueivarsiy
83 Software Security Buffer Overflow:The Essentials 5 Vulnerability Metrics What are Buffer Overflow? Basic Example Shellcode Definition Basic Example Shell-Spawning Shellcode A Real World Buffer Overflow Attack Key Point A vulnerability in Easy RM to MP3 Conversion How to hack the vulnerable program Integer Overflow Overview A Real World Example Common Patterns in Integer Overflow Heap Overflow What is the Heap? An Abstract Example Dept. of Computer Science, Nanjing University Buffer Overflow:The Essentials Vulnerability Metrics Vulnerability Metrics:Buffer Overflow
Buffer Overflow:The Essentials Vulnerability Metrics Soltware Security Buffer Overfow;The Essentials Vunarbliy Matres Banc Elurnphe Exploits vs.Buffer Overflows Shellcode Dufincien Given the amount of vulnerabilities associated with buffer overflows,we felt it necessary to have a look at the principle of Shali-Spanmning A Real Word Butter buffer overflow.As you have probably come to realize already, Overflow Attac比 buffer overflows are a specific type of vulnerability and the process of leveraging or utilizing that vulnerability to penetrate a vulnerable system is referred to as exploiting a system. 字■n Inleger Overfiow Owerve AA:dM出E ttagar Oiaife Hesp Overflow m过士aM年 Ahgad Ex-年 Naning Ueivarsity
83 Software Security Buffer Overflow:The Essentials 6 Vulnerability Metrics What are Buffer Overflow? Basic Example Shellcode Definition Basic Example Shell-Spawning Shellcode A Real World Buffer Overflow Attack Key Point A vulnerability in Easy RM to MP3 Conversion How to hack the vulnerable program Integer Overflow Overview A Real World Example Common Patterns in Integer Overflow Heap Overflow What is the Heap? An Abstract Example Dept. of Computer Science, Nanjing University Buffer Overflow:The Essentials Vulnerability Metrics Exploits vs. Buffer Overflows Given the amount of vulnerabilities associated with buffer overflows, we felt it necessary to have a look at the principle of buffer overflow. As you have probably come to realize already, buffer overflows are a specific type of vulnerability and the process of leveraging or utilizing that vulnerability to penetrate a vulnerable system is referred to as exploiting a system
Buffer Overflow:The Essentials What are Buffer Overflow? Soltware Security In computer security and programming,a buffer overflow,or Bufler Overfow:The buffer overrun,is an anomaly where a program,while writing data to a buffer,overruns the buffer's boundary and overwrites Wihat are Butur Ovetow? adjacent memory locations.This is a special case of the Banc Eluntha Shellcode violation of memory safety. Dulineisn C/C++does not check that the writes are in-bound Shali-Spamning A Real Word Butter Recently,Intel offered a new set of instructions (MPX)that Overflow Attac比 allow fast-bounds check of memory writes. 时内国 og每shmt 学■n Inleger Overfiow Owerve Ad出E Hesp Overflow mt士sM年到 Angad Ex-年 Naning Ueivarsiy
83 Software Security Buffer Overflow:The Essentials Vulnerability Metrics 7 What are Buffer Overflow? Basic Example Shellcode Definition Basic Example Shell-Spawning Shellcode A Real World Buffer Overflow Attack Key Point A vulnerability in Easy RM to MP3 Conversion How to hack the vulnerable program Integer Overflow Overview A Real World Example Common Patterns in Integer Overflow Heap Overflow What is the Heap? An Abstract Example Dept. of Computer Science, Nanjing University Buffer Overflow:The Essentials What are Buffer Overflow? In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations. This is a special case of the violation of memory safety. I C/C++ does not check that the writes are in-bound I Recently, Intel offered a new set of instructions (MPX) that allow fast-bounds check of memory writes. Stack-based I Heavily covered in this class Heap-based I More advanced I Very dependent on system and library version
Buffer Overflow:The Essentials What are Buffer Overflow? Soltware Security In computer security and programming,a buffer overflow,or Bufler Overfow:The buffer overrun,is an anomaly where a program,while writing data to a buffer,overruns the buffer's boundary and overwrites What are Buter Oveetiow? adjacent memory locations.This is a special case of the Banc Eluntha Shellcode violation of memory safety. Dufincien C/C++does not check that the writes are in-bound Shali-Spamning A Real Word Butter Recently,Intel offered a new set of instructions (MPX)that Overflow Attac比 allow fast-bounds check of memory writes. 时内国 Stack-based o每shm山ht 学■n Heavily covered in this class Inleger Overfiow Owerve Heap-based AAd出E More advanced Hesp Overflow Very dependent on system and library version m过士aM年 Angad Ex=年 Naning Ueivarsiy
83 Software Security Buffer Overflow:The Essentials Vulnerability Metrics 7 What are Buffer Overflow? Basic Example Shellcode Definition Basic Example Shell-Spawning Shellcode A Real World Buffer Overflow Attack Key Point A vulnerability in Easy RM to MP3 Conversion How to hack the vulnerable program Integer Overflow Overview A Real World Example Common Patterns in Integer Overflow Heap Overflow What is the Heap? An Abstract Example Dept. of Computer Science, Nanjing University Buffer Overflow:The Essentials What are Buffer Overflow? In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations. This is a special case of the violation of memory safety. I C/C++ does not check that the writes are in-bound I Recently, Intel offered a new set of instructions (MPX) that allow fast-bounds check of memory writes. Stack-based I Heavily covered in this class Heap-based I More advanced I Very dependent on system and library version
Buffer Overflow:The Essentials Basic Example Soltware Security Basic Example Essentials 8 Basic Etimple ainclude int main(int argc,char argv)( Shellcode char buf[64]; Dulincisn strcpy(buf,argv[1]); y arge Shali-Spamning retum addr A Real Word Butter callers ebp Overflow Attac比 。一%ebp buf (64bt) a位匀snm 学■n Inleger Overfiow Overveu Aah出E argv 1] 巴nmon Fanimta litagar Diaifes buf esp Hesp Overflow m过士aM年 Ahead Ex=年 Nanjng Uivarsiy
83 Software Security Buffer Overflow:The Essentials Vulnerability Metrics What are Buffer Overflow? 8 Basic Example Shellcode Definition Basic Example Shell-Spawning Shellcode A Real World Buffer Overflow Attack Key Point A vulnerability in Easy RM to MP3 Conversion How to hack the vulnerable program Integer Overflow Overview A Real World Example Common Patterns in Integer Overflow Heap Overflow What is the Heap? An Abstract Example Dept. of Computer Science, Nanjing University Buffer Overflow:The Essentials Basic Example Basic Example
Buffer Overflow:The Essentials Basic Example Soltware Security Basic Example Essentials Winclude Basic Etimple int nain(int argc,char *"argv){ Shellcode char buf[64]; Dulincisn strcpy(buf,srgv(1]); w型 g Shali-Spamning returi adur Dunp of asserblor code for function nain: caller's ebp A Real Word Butter 8x080483e4;push Xebp 一%0bp Overflow Attac比 buf 0a88483e5《+1):oy Xesp,ebp (64 bytes) 0080483e7:5ub 72,e5p a位匀snm 8B08e483e1(t6):roy 12(%ebp),%eax 8x880483ed:r0v 4(ea×),ea× 学■n ex888483fe:rov Xeax,(Xesp) Owerve Aah出E 8x380483fa :call 0x8048300 argv 1] 8u880483ff:1eave bul lrtagar Diuifen e08848408《+28):ret 。一%tsp Hesp Overflow m过士aM年 Ahead Ex=年 Naning Ueivarsiy
83 Software Security Buffer Overflow:The Essentials Vulnerability Metrics What are Buffer Overflow? 9 Basic Example Shellcode Definition Basic Example Shell-Spawning Shellcode A Real World Buffer Overflow Attack Key Point A vulnerability in Easy RM to MP3 Conversion How to hack the vulnerable program Integer Overflow Overview A Real World Example Common Patterns in Integer Overflow Heap Overflow What is the Heap? An Abstract Example Dept. of Computer Science, Nanjing University Buffer Overflow:The Essentials Basic Example Basic Example