Give two reasons as to why buffer overflow attacks are still problematic
- Legacy code
- Careless programming
Explain the “basics” of buffer overflow, why it is possible and how it works on the memory-level
- Caused by programming error
- Allows more data stored than capacity
- Reads more data than capacity
- Overwriting adjacent memory locations
- Corruption of program data
- Unexpected transfer of control
- Memory access violation
- Execution of code chosen by attacker
Give some examples of differences between C and Python, with regards to buffer overflow
• C/C++
o Have high-level control structures
o But allow direct access to memory, hence are vulnerable to buffer overflow
• Java / Python / ML / Modern high-level languages
o Have a strong notion of type and valid operations
o Not vulnerable to buffer overflows
o Utilizes garbage collectors
o Has overhead, some limits on use
Give some examples of ways in which an attacker can find opportunities for buffer overflow attacks
♣ Source code inspection (e.g. on GitHub log)
♣ Binary code inspection
♣ Tracing execution
♣ Fuzzing tools (random inputs)
Explain what a “Stack Buffer overflow” is, and how it works
- Occurs when buffer is located on stack
- Local variables below saved frame pointer and return address
- Hence overflow of a local buffer can potentially overwrite these key control elements
Explain what a “Return attack” is, one prerequisite for the attacker in order for it to work, and how the attack works
• Attacker needs o Know where the function is loaded ♣ (the address is used to override the return pointer) ♣ use debugger o know space below the frame pointer ♣ inspection o know valid value for overwriting frame pointer o consider little-Endian vs big-Endian
Give some examples of possible effects of a “buffer overflow” attack
- Victim secret exposed
- Victim data changed
- Victim control flow changed
- Victim program changed
- DOS (victim crashes)
Explain what “Shellcode” is, in the context of “Buffer overflow” attacks
• Code supplied by attacker
o Often saved in buffer that is overflowed
o Traditionally transfer control to a shell
Explain what “Global data overflow” is, and briefly describe some of its features
- Can attack buffer located in global data
o May be located above program code - No return address
o Hence no easy transfer of control - May have function pointers (e.g. C++ virtual tables)
- Or manipulate management data structures
Explain what “Heap overflow” is, how it works, and shortly describe why it’s possible
- Attack buffer located in heap
o Typically located above program code
o Memory requested by programs to use in dynamic data structures (e.g. linked lists, malloc) - Also, possible due to dangling pointers
- No return address
- May have function pointers (e.g. C++ virtual pointers)
- Or manipulate management data structures
Explain what “Return to System Call” attack is, and how it works
- Attacker gains control of the system call-stack
- System-call control flow (OS) hijacked to execute arbitrary program
- Non-privileged SW executed as privileged
- Rootkit/auto-rooter
Explain what “Return Oriented Programming” attacks are, and how they work
- Attacker gains control of the call stack
- Hijacks program control flow
- Executes chosen machine instruction sequences
o Called “gadgets” - Each gadget ends in a return instruction
- Gadgets are located within the existing program
- Chained together, gadgets allow to perform arbitrary operations
Explain what “Code reuse” attacks are, and how they work
- ROP (return oriented programming) and JOP (jump-oriented programming) attacks are usually not defeated by ISR
- Use of memory errors to subvert victim’s control flow
- Chain together gadgets to execute arbitrary computations
What are “dangling pointers”, and how can they occur?
• Dangling pointers: do not point to a valid object of the appropriate type
o Wrong dynamic cast of pointers
o Missing update of pointers when memory is released (explicitly with free, implicitly by destroying the stack frame)
o Missing initialization of pointers
Explain what an “Arithmetic Overflow” is, and some possible effects of it
• An integer, which has not been properly checked, is incremented past the maximum possible value
• It may wrap to become a very small, or negative number
• Can lead to buffer overflows, if the integer is used to compute memory offsets, array indexes etc.
Can lead to violation of security policies
• Can lead to failures
• Can lead to data corruption
Give some examples of countermeasures to prevent “Arithmetic overflow”
- Static analysis (e.g. symbolic execution)
- Use of special values (e.g. NaN in Java)
- Exceptions (e.g. Math.addExact(x,y) and ArithmeticException in Java)
- Numbers with arbitrary precision (e.g. Python)
Explain what “Virtual Memory” is
- Modern systems do not use directly physical addresses
- SW uses virtual addresses
- HW configuration maps virtual addresses to physical addresses
- HW configuration updatable
- HW configuration is called page tables
- HW mechanism is called Memory Management Unit
Explain how operating systems use virtual memory to function
- Memory divided in pages o Page tables sets memory attributes per page - OS configures Virtual Memory o Isolates processes o Mediate communications o Mediate access to HW and File System - OS executes in privileged mode o All other processes are executed unprivileged
What are the possible effects of “buffer overflow”, remembered by the rule of thumb: “SDCVX”?
- [S] Access to Secret data
- [D] Corruption of program Data
- [C] Unexpected transfer of Control
- [V] Memory access Violation
- [X] EXecution of code chosen by attacker
Give some examples of “Compile-time defenses” against buffer overflow
- Language
- Safe coding
- Language Extension, Safe Libraries
- Polymorphic code
Describe how programming language can be used to defend against buffer overflow attacks
- Use a modern high-level program with strong typing
o You cannot access un-typed memory
o Not vulnerable to buffer overflow - Compiler enforces range checks and allowed operations on variables
- Do have cost in resource
- And restrictions on access to hardware
- So still need some code in C like languages
- There can be a buffer overflow if there is a bug in the language interpreter or JIT compiler
SDCVX
Describe how “safe coding” can be used to defend against buffer overflow attacks
- If using a potentially unsafe language, e.g. C
- Programmer must explicitly write safe code
o E.g. justify why a buffer can receive in bytes - Code review
- Check pointers yield by allocations
o E.g. when allocation fails - Check to have sufficient space in all buffers
o Use fixed size buffers
SDCVX
Explain what “Verification” is, in the context of writing code, how it works, one reason why it isn’t always used, and give an example of where it often is used
• Code verification o Using mathematical model o Proving absence of bugs • Expensive: ~ $2000 per line of code • Verified execution platforms o Isolation kernels o Software fault isolation
Describe how “Language extension” and “Safe libraries” can be used to defend against buffer overflow attacks, and what some drawbacks are
- Use safer standard library variants
o New functions, e.g. strncpy()
o Safer re-implementation of standard functions as a library, e.g. Libsafe
o Performance penalties
o Must compile programs with special compilers
SDCVX
-
Lecture 1 and 2: Intro16
-
Lecture 3: User authentication7
-
Lecture 4: Denial of Service17
-
Lecture 5: Firewalls, intrusion detection28
-
Lecture 6 & 7: Buffer Overflow30
-
Lecture 8: Web Security11
-
Lecture 9: Human Factors and Social Engineering5
-
Lecture 10: Malware29
-
Lecture 11: Side Channel Attacks and Countermeasures15
