Princeton COS 217 - Computer Security


Outline:
  Computer Security
  Interacting With the World
  Protection Mechanisms
  User Processes Can’t Directly Access I/O
  How Attackers Defeat Protection
  A Nice Little Program
  Why Did This Program Crash?
  Stack Frame Layout: Local Variables
  Stack Frame: Modifying Local Variable
  Stack Frame: Returning From Function
  Buffer Overrun
  Innocuous? Buffer Overrun
  Buffer overrun
  Buffer-Overrun Vulnerabilities
  Attacking a Web Server
  Attacking a Web Browser
  Attacking everything in sight
  Your Programming Assignment
  Three Ways to Change the Grade
  OK, That’s a B...
  How About an A?
  A Simpler Solution
  The File getA
  What Value to Use for New Return Address?
  Use gdb to Find Out
  Defenses Against This Attack
  Slide 27
  Slide 28
  Segment Register Defence
  At Your Service...
  How to Get Started
  Start Early

Slide 1: Computer Security
Professor Jennifer Rexford
CS 217

Slide 2: Interacting With the World
[Diagram: Hardware, OS Kernel, User Process, User Process, Internet]
Keyboard input:
  Keypress goes to OS kernel
  OS looks up which window has “keyboard focus,” routes to appropriate user process’s stdin
  User process does fprintf (asks OS to write to disk)
  OS writes to disk
Network input:
  TCP packet goes to OS kernel
  OS looks up which process is listening on that port, sends data to stdin
  User process does fprintf (asks OS to write to disk)
  OS writes to disk

Slide 3: Protection Mechanisms
[Same diagram and flows as slide 2, annotated:]
• Not to user process directly!
• Not to unauthorized user process!
• User process can’t access disk directly!
• OS writes only to files that user process has privileges to open!

Slide 4: User Processes Can’t Directly Access I/O
• Input/output instructions are privileged instructions
    Trying to run them in unprivileged mode triggers trap to OS
• Input/output device registers may be memory-mapped
    Virtual-memory system doesn’t map those pages into user space
• Virtual-memory system prevents user process from modifying OS memory
    Can’t fool OS into performing unauthorized services
• Virtual-memory prevents user processes from modifying each others’ memory
    Can’t fool other processes into writing bad data to its files on disk

Slide 5: How Attackers Defeat Protection
• Make the protection mechanism fail
    By exploiting bugs in protection software
• Operate politely through the protection mechanism
    Manipulating application semantics to obtain services
    By exploiting bad design of applications
• Example: buffer overflow attacks
    Exploit a program that doesn’t perform bounds checking
    By presenting large input that runs past the array bounds
    … and craft that input to be executed as machine code

Slide 6: A Nice Little Program

    % a.out
    What is your name?
    John Smith
    Thank you, John Smith.
    %

    #include <stdio.h>
    int main(int argc, char **argv) {
      char a[12]; int i;
      printf("What is your name?\n");
      for (i=0; ; i++) {
        int c = getchar();
        if (c == '\n' || c == EOF) break;
        a[i] = c;
      }
      a[i]='\0';
      printf("Thank you, %s.\n",a);
      return 0;
    }

Slide 7: Why Did This Program Crash?

    % a.out
    What is your name?
    adsli57asdkhj5jklds;ahj5;klsaduj5klysdukl5aujksd5ukals;5uj;akukla
    Segmentation fault
    %

[Program listing as on slide 6]

Slide 8: Stack Frame Layout: Local Variables
• Allocates 12 bytes on the stack for array a[]
• Uses registers for integers i and c (compiled with “gcc -O”)
[Program listing as on slide 6]
[Stack diagram. Labels: %ESP, Local variables (a), %EBP, Old EBP, Old EIP, Parameters (argc, argv), Saved Registers. The 12 bytes of a are shown as "?"; value 2 shown.]

Slide 9: Stack Frame: Modifying Local Variable

    % a.out
    What is your name?
    John Smith
    Thank you, John Smith.
    %

[Program listing as on slide 6]
[Stack diagram. Labels as on slide 8. Cells of a: "n h o J", "i m S _", "? \0 h t"; value 2 shown.]

Slide 10: Stack Frame: Returning From Function
• Discard the stack frame by setting ESP to EBP
    movl %ebp, %esp
• Pop the old base pointer (EBP) to restore the value
    popl %ebp
• Pop instruction pointer (EIP) to return control to calling function
    ret
[Stack diagram as on slide 9]

Slide 11: Buffer Overrun

    % a.out
    What is your name?
    abcdefghijklmnopqrstu
    Segmentation fault
    %

[Program listing as on slide 6]
[Stack diagram. Labels as on slide 8. Cells of a: "d c b a", "h g f e", "l k j i"; Old EBP: "p o n m"; Old EIP: "t s r q"; then "u"; value 117 shown.]

Slide 12: Innocuous? Buffer Overrun

    % a.out
    What is your name?
    abcdefghijkl????!!!!^A
    %

[Program listing as on slide 6]
[Stack diagram. Labels as on slide 8. Cells of a: "d c b a", "h g f e", "l k j i"; Old EBP: "? ? ? ?"; Old EIP: "! ! ! !"; then "^A"; value 1 shown.]
After “return”, the computer starts running the “code” stored at this address!!!

Slide 13: Buffer overrun

    % a.out
    What is your name?
    abcdefghijkl????&&&&executable-machine-code...
    How may I serve you, master?
    %

[Program listing as on slide 6]
[Stack diagram. Labels as on slide 8. Cells of a: "d c b a", "h g f e", "l k j i"; Old EBP: "? ? ? ?"; Old EIP: "& & & &"; followed by "executable machine code . . ."]
Cleverly malicious? Maliciously clever?

Slide 14: Buffer-Overrun Vulnerabilities
Hardware, OS Kernel, E-mail client, Web
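
The bounds check that the slide program's read loop lacks, as an added example (not part of the original slides). The names read_name, next_char_fn, struct frame and guard_intact_after are hypothetical, the input strings are the ones typed on the slides, and the 8 guard bytes stand in for the Old EBP and Old EIP words in the stack diagrams.

```c
#include <stdio.h>
#include <string.h>

typedef int (*next_char_fn)(void *ctx);   /* returns next char or EOF */
/* Bounded form of the slide's loop: stores at most cap-1 characters,
 * always terminates buf, and counts (then discards) what did not fit. */
size_t read_name(next_char_fn next, void *ctx, char *buf, size_t cap, size_t *dropped)
{
    size_t i = 0;
    int c;
    *dropped = 0;
    if (cap == 0) return 0;
    while ((c = next(ctx)) != '\n' && c != EOF) {
        if (i < cap - 1) buf[i++] = (char)c;  /* the missing bounds check */
        else (*dropped)++;                    /* drain the rest of the line */
    }
    buf[i] = '\0';                            /* i <= cap-1, always in bounds */
    return i;
}

static int next_from_stdin(void *ctx) { (void)ctx; return getchar(); }
static int next_from_string(void *ctx)        /* feeds a constructed input string */
{
    const char **p = ctx;
    return **p ? (unsigned char)*(*p)++ : EOF;
}

/* Stand-in for the stack frame: the 12-byte a[] followed by 8 guard bytes in
 * the position of Old EBP and Old EIP. Returns 1 if the guard is untouched. */
struct frame { char a[12]; unsigned char guard[8]; };

int guard_intact_after(const char *input, struct frame *f, size_t *dropped)
{
    static const unsigned char expect[8] = {0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA};
    memcpy(f->guard, expect, sizeof expect);
    read_name(next_from_string, &input, f->a, sizeof f->a, dropped);
    return memcmp(f->guard, expect, sizeof expect) == 0;
}

int main(void)
{
    struct frame f;
    size_t dropped;
    printf("What is your name?\n");
    read_name(next_from_stdin, NULL, f.a, sizeof f.a, &dropped);
    printf("Thank you, %s.\n", f.a);
    if (dropped) fprintf(stderr, "name truncated, %zu chars dropped\n", dropped);
    return 0;
}
```

With the 21-character input from the Buffer Overrun slide, only the first 11 characters are stored and the bytes after a[] keep their values.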

