Berkeley COMPSCI 164 - Language Security

Slide outline: Language Security; Lecture Outline; Platitudes; C Design Principles; Arrays in C; C Array Operations; What's Wrong with this Picture?; Indexing Out of Bounds; Why?; Code Generation for Arrays; C vs. Java; Buffer Overruns; Stack Smashing; An Overrun Vulnerability; An Interesting Idea; Discussion; The Rest of the Story; The Plan; The Plan (continued); Guess the Location of the Injected Code; More Problems; Even More Problems; The State of C Programming; The State of Hacking; The Sad Reality; Can Dataflow Analysis Help?; What about Java?; Memory Errors; Overview of Attack; Special Classes For Attack; Step 1 (Exploiting The Memory Error); Step 2 (Writing arbitrary memory); Putting It All Together; Results (Govindavajhala and Appel); Summary

Slide 1: Language Security
Lecture 26
Prof. Bodik, CS 164

Slide 2: Lecture Outline
• Beyond compilers
  – Looking at other issues in programming language design and tools
• C
  – Arrays
  – Exploiting buffer overruns
• Java
  – Is type safety enough?

Slide 3: Platitudes
• Language design has influence on
  – Safety
  – Efficiency
  – Security

Slide 4: C Design Principles
• Small language
• Maximum efficiency
• Safety less important
• Designed for the world in 1972
  – Weak machines
  – Trusted networks

Slide 5: Arrays in C
  char buffer[100];
Declares and allocates an array of 100 chars.
[Figure: 100 * sizeof(char) bytes, indexed 0, 1, 2, …, 99]

Slide 6: C Array Operations
  char buf1[100], buf2[100];
Write:
  buf1[0] = 'a';
Read:
  return buf2[0];

Slide 7: What's Wrong with this Picture?
  int i;
  for (i = 0; buf1[i] != '\0'; i++) {   /* nothing stops i from reaching 100 or beyond */
      buf2[i] = buf1[i];
  }
  buf2[i] = '\0';

Slide 8: Indexing Out of Bounds
The following all compile and may generate no run-time error (each store is undefined behaviour, but nothing checks it):
  char buffer[100];
  buffer[-1] = 'a';
  buffer[100] = 'a';
  buffer[100000] = 'a';

Slide 9: Why?
• Why does C allow out-of-bounds array references?
  – Proving at compile time that all array references are in bounds is very difficult (undecidable in general, and impractical in C)
  – Checking at run time that all array references are in bounds is expensive

Slide 10: Code Generation for Arrays
• The C code:
  buf1[i] = 1;   /* buf1 has type int[] */
• The assembly code:
Regular C:
  r1 = &buf1;
  r2 = load i;
  r3 = r2 * 4;
  r4 = r1 + r3;
  store r4, 1;
C with bounds checks:
  r1 = &buf1;
  r2 = load i;
  r3 = r2 * 4;
  if r3 < 0 then error;
  r5 = load limit of buf1;
  if r3 >= r5 then error;
  r4 = r1 + r3;
  store r4, 1;
• Costly!
• Finding the array limit is non-trivial

Slide 11: C vs. Java
• C array reference, typical case:
  – Offset calculation
  – Memory operation (load or store)
• Java array reference, typical case:
  – Offset calculation
  – Memory operation (load or store)
  – Array bounds check
  – Type compatibility check (for stores)

Slide 12: Buffer Overruns
• A buffer overrun writes past the end of an array
• "Buffer" usually refers to a C array of char
  – But it can be any array
• So who's afraid of a buffer overrun?
  – It can cause a core dump
  – It can damage data structures
  – What else?

Slide 13: Stack Smashing
Buffer overruns can alter the control flow of your program!
  char buffer[100];   /* stack-allocated array */
[Figure: buffer[0..99] on the stack, followed by the saved return address]

Slide 14: An Overrun Vulnerability
  void foo(char in[]) {
      char buffer[100];
      int i = 0;
      for (i = 0; in[i] != '\0'; i++) {   /* no check that i < 100 */
          buffer[i] = in[i];
      }
      buffer[i] = '\0';
  }

Slide 15: An Interesting Idea
  char in[104] = { ' ', …, ' ', magic 4 chars };   /* 100 spaces, then 4 chosen bytes */
  foo(in);   (**)
[Figure: at foo entry, buffer[0..99] is followed by the return address; at foo exit, after (**), the return-address slot holds the magic 4 chars]

Slide 16: Discussion
• So we can make foo jump wherever we like.
• How is this possible?
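The following is an added example, not code from the CS 164 slides. It replays slide 14's foo() and slide 15's 104-byte input on a simulated stack frame (a plain byte array in which bytes 0..99 stand for buffer[] and bytes 100..103 for the saved return address, the slide's simplified layout), so the overwrite is ordinary, defined C that can be run and inspected. Beside it is the same copy with the index check that slide 10's "C with bounds checks" column emits. The saved return address and the magic bytes are constructed values.

```c
/* Added example (not from the CS 164 slides): slide 14's foo() replayed on a
 * simulated stack frame, so the overwrite is ordinary, defined C rather than
 * a real stack smash. Assumed layout (the slide's simplification): frame
 * bytes 0..99 are buffer[], bytes 100..103 are the return-address slot. */
#include <stdio.h>
#include <string.h>

#define BUF_LEN   100
#define RET_LEN   4
#define FRAME_LEN 256               /* big enough for the inputs built below */

struct frame {
    unsigned char bytes[FRAME_LEN]; /* [0..99] buffer, [100..103] return address */
};

static void frame_init(struct frame *f, const unsigned char ret[RET_LEN]) {
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + BUF_LEN, ret, RET_LEN);
}

/* Slide 14's loop: copies 'in' up to its terminator; nothing bounds i. */
static void foo_unchecked(struct frame *f, const char *in) {
    size_t i;
    for (i = 0; in[i] != '\0'; i++)
        f->bytes[i] = (unsigned char)in[i];
    f->bytes[i] = 0;
}

/* The same copy with the index check from slide 10's "C with bounds checks":
 * every store, including the terminator, must land inside buffer[0..99].
 * Returns 0 on success, -1 if 'in' does not fit. */
static int foo_checked(struct frame *f, const char *in) {
    size_t i;
    for (i = 0; in[i] != '\0'; i++) {
        if (i >= BUF_LEN - 1)           /* buffer[99] is reserved for '\0' */
            return -1;
        f->bytes[i] = (unsigned char)in[i];
    }
    f->bytes[i] = 0;
    return 0;
}

/* 1 if the return-address slot currently holds 'want', else 0. */
static int ret_slot_is(const struct frame *f, const unsigned char want[RET_LEN]) {
    return memcmp(f->bytes + BUF_LEN, want, RET_LEN) == 0;
}

/* Slide 15's input: 100 spaces followed by the 4 magic chars, then '\0'. */
static void build_slide15_input(char out[BUF_LEN + RET_LEN + 1],
                                const unsigned char magic[RET_LEN]) {
    memset(out, ' ', BUF_LEN);
    for (int k = 0; k < RET_LEN; k++)
        out[BUF_LEN + k] = (char)magic[k];
    out[BUF_LEN + RET_LEN] = '\0';
}

/* Runs slide 15 end to end. Returns 1 if the unchecked foo replaced the
 * saved return address with the magic bytes while the checked foo refused
 * the same input and left the slot intact; 0 otherwise. */
static int demo_smash(void) {
    static const unsigned char saved_ret[RET_LEN] = {0x00, 0x40, 0x08, 0x2c}; /* constructed */
    static const unsigned char magic[RET_LEN]     = {0x7f, 0xff, 0xe8, 0x40}; /* constructed */
    char in[BUF_LEN + RET_LEN + 1];
    struct frame f;
    int ok = 1;

    build_slide15_input(in, magic);

    frame_init(&f, saved_ret);
    ok &= (foo_checked(&f, in) == -1);   /* refused: 104 chars do not fit */
    ok &= ret_slot_is(&f, saved_ret);    /* slot untouched */

    frame_init(&f, saved_ret);
    foo_unchecked(&f, in);               /* slide 15: return address overwritten */
    ok &= ret_slot_is(&f, magic);
    return ok;
}

/* A benign input: both versions copy it and leave the return address alone. */
static int demo_benign(void) {
    static const unsigned char saved_ret[RET_LEN] = {0x00, 0x40, 0x08, 0x2c};
    struct frame f;
    frame_init(&f, saved_ret);
    if (foo_checked(&f, "GET / HTTP/1.0") != 0) return 0;
    return ret_slot_is(&f, saved_ret) &&
           strcmp((const char *)f.bytes, "GET / HTTP/1.0") == 0;
}

int main(void) {
    printf("slide 15 replay: %s\n", demo_smash() ? "return address overwritten" : "no overwrite");
    printf("benign input:    %s\n", demo_benign() ? "copied, frame intact" : "unexpected");
    return 0;
}
```

The checked version is exactly the cost slide 10 complains about: one compare per store. The point of the simulation is that nothing in foo_unchecked is "wrong" from C's point of view; it is the frame layout, not the language, that turns the 101st byte into a control-flow write.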
• Unanticipated interaction of two features:
  – Unchecked array operations
  – Stack-allocated arrays
• Knowledge of the frame layout allows prediction of where the array and the return address are stored
  – Note the "magic cast" from chars to an address

Slide 17: The Rest of the Story
• Say that foo is part of a network server and in originates in a received message
  – Some remote user can make foo jump anywhere!
• But where is a "useful" place to jump?
  – Idea: jump to some code that gives you control of the host system (e.g. code that spawns a shell)
• But where to put such code?
  – Idea: put the code in the same buffer and jump there!

Slide 18: The Plan
• We'll make the code jump to the following code:
• In C:
  exec("/bin/sh");   /* shorthand; in real libc this is e.g. execl("/bin/sh", "sh", (char *)NULL) */
• In assembly (pretend):
  mov $a0, 15        ; load the syscall code for "exec"
  mov $a1, &Ldata    ; load the command
  syscall            ; make the system call
  Ldata: .byte '/', 'b', 'i', 'n', '/', 's', 'h', 0   ; null-terminated
• In machine code: 0x20, 0x42, 0x00, …

Slide 19: The Plan (continued)
  char in[104] = { 104 magic chars };
  foo(in);
[Figure: at foo exit, buffer[0..99] holds 0x20, 0x42, 0x00, … and the return-address slot holds the last 4 bytes of in]
• The last 4 bytes of in must equal the start address of buffer
• Its position might depend on many factors!

Slide 20: Guess the Location of the Injected Code
• Trial & error gives you a ballpark
• Then pad the injected code with NOPs
  – E.g. addi $0, $1, 0x2020
    • Stores its result in $0, which is hardwired to 0 anyway
    • Encoded as 0x20202020
[Figure: buffer holds 0x20, …, 0x20 (the NOP sled), then 0x20, 0x42, 0x00, … (the bad code); the return address points into the sled]
• Works even with an approximate address of buffer!

Slide 21: More Problems
• We do not know exactly where the return address is
  – Depends on how the compiler chose to allocate variables in the stack frame
• Solution: pad the buffer at the end with many copies of the "magic return address" X
[Figure: buffer holds the NOP sled, the bad code, then X, X, X, X, …, X, X, …; one copy lands on the return-address slot]

Slide 22: Even More Problems
• The most common way to copy the bad code into a stack buffer is via the string functions strcpy, strcat, etc.
• This means the buffer cannot contain 0x00 bytes
  – Why? (these functions stop at the first 0x00, which they treat as the terminator)
• Solution:
  – Rewrite the code carefully
  – Instead of addiu $4, $0, 0x0015 (encoded 0x24040015, which contains 0x00 bytes)
  – Use addiu $4, $0, 0x1126; addiu $4, $4, -0x1111 (encoded 0x24041126 and 0x2484eeef, no 0x00 bytes; "subiu" is only a pseudo-instruction)

Slide 23: The State of C Programming
• Buffer overruns are common
  – Programmers must do their own bounds checking
  – Easy to forget, or to be off by one or more
  – The program still appears to work correctly
• In C, w.r.t. buffer overruns
  – Easy to
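Slides 19 through 22 describe one procedure: fill the 104-byte input with a NOP sled, the injected code, and repeated copies of the guessed buffer address, then make sure the whole thing survives strcpy. The following is an added example, not code from the CS 164 slides, that assembles such a payload for foo()'s 100-byte buffer and applies the no-0x00-byte constraint. Instructions are encoded with the standard MIPS I-type formula (opcode << 26 | rs << 21 | rt << 16 | imm16), big-endian as in the slides. The buffer-address guess and the two-instruction "code" are constructed for the demonstration; the exec stub from slide 18 is not included, and this is not a working exploit.

```c
/* Added example (not from the CS 164 slides): assembles the input slides
 * 19-22 describe for foo()'s 100-byte buffer ([NOP sled][code][copies of the
 * guessed buffer address]) and applies the constraint strcpy imposes: no
 * 0x00 byte anywhere. Instructions use the standard MIPS I-type encoding
 * (opcode<<26 | rs<<21 | rt<<16 | imm16), written big-endian as in the
 * slides. The address guess and the two-instruction "code" are constructed
 * for the demonstration; this is not a working exploit. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN  100
#define OP_ADDI  0x08u
#define OP_ADDIU 0x09u

static uint32_t itype(uint32_t op, uint32_t rs, uint32_t rt, int32_t imm) {
    return (op << 26) | (rs << 21) | (rt << 16) | ((uint32_t)imm & 0xffffu);
}
static void put_be32(uint8_t *d, uint32_t w) {
    d[0] = (uint8_t)(w >> 24); d[1] = (uint8_t)(w >> 16);
    d[2] = (uint8_t)(w >> 8);  d[3] = (uint8_t)w;
}
static uint32_t get_be32(const uint8_t *s) {
    return ((uint32_t)s[0] << 24) | ((uint32_t)s[1] << 16) |
           ((uint32_t)s[2] << 8)  | (uint32_t)s[3];
}

/* Slide 20's NOP: addi $0, $1, 0x2020 -> 0x20202020 ($0 is hardwired to 0). */
static uint32_t nop_word(void) { return itype(OP_ADDI, 1, 0, 0x2020); }

/* Slide 22: loading 0x15 into $4 directly embeds 0x00 bytes; the two-step
 * form (add 0x1126, then add -0x1111) does not. */
static uint32_t load_0x15_naive(void) { return itype(OP_ADDIU, 0, 4, 0x0015); }  /* 0x24040015 */
static uint32_t load_0x15_step1(void) { return itype(OP_ADDIU, 0, 4, 0x1126); }  /* 0x24041126 */
static uint32_t load_0x15_step2(void) { return itype(OP_ADDIU, 4, 4, -0x1111); } /* 0x2484eeef */

/* 1 if any byte of w is 0x00 (strcpy/strcat would stop copying there). */
static int word_has_nul(uint32_t w) {
    for (int s = 0; s < 32; s += 8)
        if (((w >> s) & 0xffu) == 0) return 1;
    return 0;
}

/* Builds 'total' payload bytes into out (which must hold total+1 bytes):
 * sled_words NOPs, then code, then the guessed buffer address repeated to
 * the end so that one copy lands on the return-address slot wherever the
 * compiler put it (slide 21). Everything is kept word-aligned so the copies
 * line up. Returns total, or -1 if the pieces do not fit, are misaligned,
 * or the result contains a 0x00 byte. */
static int build_payload(uint8_t *out, size_t total, const uint8_t *code,
                         size_t code_len, uint32_t buffer_guess, size_t sled_words) {
    size_t pos = 0;
    if (total % 4 || code_len % 4 || sled_words * 4 + code_len > total) return -1;
    for (size_t i = 0; i < sled_words; i++, pos += 4) put_be32(out + pos, nop_word());
    memcpy(out + pos, code, code_len);
    pos += code_len;
    for (; pos < total; pos += 4) put_be32(out + pos, buffer_guess);
    out[total] = 0;                               /* the terminator strcpy adds */
    for (size_t i = 0; i < total; i++)
        if (out[i] == 0) return -1;               /* would be truncated by strcpy */
    return (int)total;
}

/* Slide 19: a 104-byte input for a frame whose return address sits at
 * buffer+100. Returns the word that lands in that slot (the buffer guess),
 * or 0 if the payload was rejected. */
static uint32_t demo_slide19(void) {
    const uint32_t guess = 0x7fffe840u;          /* constructed guess of &buffer */
    uint8_t code[8], payload[BUF_LEN + 4 + 1];
    put_be32(code, load_0x15_step1());
    put_be32(code + 4, load_0x15_step2());
    if (build_payload(payload, BUF_LEN + 4, code, sizeof code, guess, 16) < 0) return 0;
    return get_be32(payload + BUF_LEN);
}

/* The naive load of 0x15 makes the whole payload unusable with strcpy. */
static int demo_naive_rejected(void) {
    uint8_t code[4], payload[BUF_LEN + 4 + 1];
    put_be32(code, load_0x15_naive());
    return build_payload(payload, BUF_LEN + 4, code, sizeof code, 0x7fffe840u, 16) == -1;
}

int main(void) {
    printf("NOP word             0x%08x  nul=%d\n", nop_word(), word_has_nul(nop_word()));
    printf("addiu $4,$0,0x15     0x%08x  nul=%d\n", load_0x15_naive(), word_has_nul(load_0x15_naive()));
    printf("addiu $4,$0,0x1126   0x%08x  nul=%d\n", load_0x15_step1(), word_has_nul(load_0x15_step1()));
    printf("addiu $4,$4,-0x1111  0x%08x  nul=%d\n", load_0x15_step2(), word_has_nul(load_0x15_step2()));
    printf("slide 19 return-address slot: 0x%08x\n", demo_slide19());
    printf("naive code rejected: %d\n", demo_naive_rejected());
    return 0;
}
```

The same NUL scan that rejects the naive instruction also rejects an address guess with a 0x00 byte in it, which is why the choice of buffer_guess matters as much as the code: if the only candidate addresses contain zero bytes, a strcpy-based overrun cannot deliver them and the attacker needs a different copy primitive.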

