Slide 1: Language Security
Or: bringing a knife to a gun fight

Slide 2: One-Slide Summary
• A language's design principles and features have a strong influence on the security of programs written in that language.
• C's legacy of null-terminated, stack-allocated and non-sized buffers leads directly to one of the most common sorts of security vulnerabilities: the buffer overrun.
• What can be done?

Slide 3: Today: Hacking For Dummies?

Slide 4: Lecture Outline
• Currently: beyond compilers
  – Looking at other issues in programming language design and tools
• C
  – Arrays
  – Exploiting buffer overruns
  – Detecting buffer overruns

Slide 5: Duck-billed Platitudes
• Language design has profound influence on
  – Safety
  – Efficiency
  – Security

Slide 6: C Design Principles
• Small language
• Maximum efficiency
• Safety less important
• Designed for the world in 1972
  – Weak machines
  – Trusted networks
  – Tell me: how did those two factors influence C?

Slide 7: Arrays in C
    char buffer[100];
Declares and allocates an array of 100 chars: 100*sizeof(char) bytes, indexed 0, 1, 2, ..., 99.

Slide 8: C Array Operations
    char buf1[100], buf2[100];
Write:  buf1[0] = 'a';
Read:   return buf2[0];

Slide 9: What's Wrong with this Picture?
    /* strcpy buf1 into buf2 */
    int i;
    for (i = 0; buf1[i] != '\0'; i++) { buf2[i] = buf1[i]; }
    buf2[i] = '\0';

Slide 10: Indexing Out of Bounds
The following are all legal C (no parse errors, no type errors, etc.) and may generate no immediate run-time errors:
    char buffer[100];
    buffer[-1] = 'a';
    buffer[100] = 'a';
    buffer[100000] = 'a';

Slide 11: Why Ask Why?
• Why does C allow out of bounds array references?
  – Proving at compile-time that all array references are in bounds is very difficult (why?)
  – Checking at run-time that all array references are in bounds is expensive (why? who does this?)

Slide 12: Code Generation for Arrays
• The C code:
    buf1[i] = 1; /* buf1 has type int[] */
• The assembly code:
  Regular C:
    r1 = &buf1;
    r2 = load i;
    r3 = r2 * 4;
    r4 = r1 + r3
    store r4, 1
  C with bounds checks:
    r1 = &buf1;
    r2 = load i;
    r3 = r2 * 4;
    if r3 < 0 then error;
    r5 = load limit of buf1;
    if r3 >= r5 then error;
    r4 = r1 + r3
    store r4, 1
  Costly! Finding the array limits is non-trivial.

Slide 13: C vs. Java
• Typical work for a C array reference
  – Offset calculation
  – Memory operation (load or store)
• Typical work for a Java array reference
  – Offset calculation
  – Memory operation (load or store)
  – Array bounds check
  – Type compatibility check (for stores) (why?)

Slide 14: Buffer Overruns
• A buffer overrun writes past the end of an array
• Buffer usually refers to a C array of char
  – But can be any array
• So who's afraid of a buffer overrun?
  – Cause a core dump
  – Can damage data structures
  – What else?

Slide 15: Stack Smashing
Buffer overruns can alter the control flow of your program!
    char buffer[100]; /* stack-allocated array */
[Figure: the stack frame holds buffer (100*sizeof(char) bytes, indices 0, 1, 2, ..., 99) followed by the return address]

Slide 16: An Overrun Vulnerability
    void foo(char in[]) {
      char buffer[100];
      int i = 0;
      for (i = 0; in[i] != '\0'; i++) buffer[i] = in[i];
      buffer[i] = '\0';
    }

Slide 17: An Interesting Idea
    char in[104] = { 0, ..., 0, magic 4 chars }
    foo(in);     (**)
[Figure: at foo entry the frame holds buffer (indices 0 ... 99) and the return address, which points at (**); at foo exit the return address has been overwritten with the "magic 4 chars"]

Slide 18: Discussion
• So we can make foo jump wherever we like!
• How is this possible?
• Unanticipated interaction of two features:
  – Unchecked array operations
  – Stack-allocated arrays
• Knowledge of frame layout allows prediction of where array and return address are stored
  – Note the "magic cast" from char to an address

Slide 19: The Rest of the Story
• Say that foo is part of a network server and the in originates in a received message
  – Some remote user can make foo jump anywhere!
• But where is a "useful" place to jump?
  – Idea: Jump to some code that gives you control of the host system (e.g. code that spawns a shell)
• But where to put such code?
  – Idea: Put the code in the same buffer and jump there!

Slide 20: Useful Jumps
• Where to jump?
• We want to take control of the program
• How about to a system call?

Slide 21: The Plan
• Force a jump to the following code:
• In C:
    exec("/bin/sh");
• In x86 assembly:
    movl $LC0, (%esp)
    call _exec
    LC0: .ascii "/bin/sh\0"
• In machine code: 0x20, 0x42, 0x00, ...

Slide 22: The Plan
    char in[104] = { 104 magic chars }
    foo(in);
[Figure: at foo exit, buffer (indices 0 ... 99) holds 0x20, 0x42, 0x00, ... and the bytes continue over the return address]
• The last 4 bytes in "in" must equal the start of buffer
• That position might depend on many factors!

Slide 23: Guess the Location of the Injected Code
• Trial and error: gives you a ballpark
• Then pad the injected code with NOP
  – e.g. add r0, r1, 0x2020
    • stores result in r0, which is hardwired to 0 anyway
    • Encoded as 0x20202020
[Figure: buffer holds 0x20, ..., 0x20 (the NOP padding), then 0x20, 0x42, 0x00, ... (the bad code), then the return address]
• Works even with an approximate address of buffer!

Slide 24: More Problems
• We do not know exactly where the return address is
  – Depends on how the compiler chose to allocate variables in the stack frame
• Solution: pad the buffer at the end with many copies of the "magic return address X"
[Figure: buffer holds 0x20, ..., 0x20, 0x20, 0x42, 0x00, ... (the bad code), then X, X, X, X, ..., X, X, ... running over the return address]

Slide 25: Even More Problems
• The most common way to copy the bad code in a stack buffer is using string functions: strcpy, strcat, etc.
• This means that buf cannot contain 0x00 bytes
  – Why?
• Solution:
  – Rewrite the injected code carefully
  – Instead of "addiu r4,r0,0x0015" (code 0x20400015)
  – Use "addiu r4,r0,0x1126; subiu r4,r4,0x1111"
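The fix the slides ask for ("What can be done?") at the level of foo on slide 16, as an added example that is not part of the lecture: the caller passes the real length of in (the sized buffer a C char[] does not carry), the copy loop is bounded by the destination size, and oversized input is refused instead of written past buffer[99]. The 103-byte sample input and the helper names are constructed for this example.

```c
#include <stddef.h>

#define BUF_SIZE 100   /* same stack buffer size as foo() on slide 16 */

/* Length of the string in `in`, reading at most `in_len` bytes (a plain-C
 * stand-in for strnlen, so an unterminated message is never scanned past). */
static size_t bounded_len(const char *in, size_t in_len) {
    size_t n = 0;
    while (n < in_len && in[n] != '\0') n++;
    return n;
}

/* The check foo() lacks: foo() writes buffer[strlen(in)] = '\0', so any
 * input with strlen(in) >= cap stores past the end of a cap-byte buffer.
 * Returns 1 if the copy would overrun, 0 if it fits. */
int would_overrun(const char *in, size_t in_len, size_t cap) {
    return bounded_len(in, in_len) >= cap;
}

/* Copies at most cap-1 bytes of `in` into `dst` and always NUL-terminates;
 * the loop condition carries the destination size, so dst[cap] is never
 * written.  Returns the number of bytes copied (terminator excluded). */
size_t copy_bounded(char *dst, size_t cap, const char *in, size_t in_len) {
    size_t i = 0;
    if (cap == 0) return 0;               /* nowhere to put even the '\0' */
    while (i < cap - 1 && i < in_len && in[i] != '\0') {
        dst[i] = in[i];
        i++;
    }
    dst[i] = '\0';
    return i;
}

/* Hardened foo(): the caller passes the real length of `in`, and oversized
 * input is rejected rather than copied.  Returns the number of bytes copied,
 * or -1 when the copy would have overrun (the server should log and drop). */
long foo_checked(const char *in, size_t in_len) {
    char buffer[BUF_SIZE];
    if (would_overrun(in, in_len, sizeof buffer)) return -1;
    return (long)copy_bounded(buffer, sizeof buffer, in, in_len);
}

/* Constructed 103-byte input (one short of slide 17's 104-byte `in`): long
 * enough that foo() would write buffer[100..103], past its 100-byte buffer. */
const char *long_input(void) {
    static char in[104];
    for (size_t i = 0; i < 103; i++) in[i] = 'A';
    in[103] = '\0';
    return in;
}
```

Passing an in_len smaller than the string (as a message framed by a length field would) also bounds the read, so foo_checked("abcdef", 3) copies only three bytes.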
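Slides 23 and 24 describe two shapes an attacker needs in the input to cope with an uncertain buffer address: a long run of one filler byte (the NOP padding) and one 4-byte value repeated many times (the guessed return address). Both are cheap to look for in a received message before it reaches a routine like foo. The detector below is an added example, not part of the lecture; the thresholds, the function names and the sample message are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heuristic thresholds (assumptions for this example, tune per protocol). */
#define RUN_THRESHOLD    32   /* identical consecutive bytes */
#define REPEAT_THRESHOLD  8   /* back-to-back copies of one 4-byte word */

/* Longest run of a single repeated byte value in buf[0..len). */
size_t longest_byte_run(const uint8_t *buf, size_t len) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (i > 0 && buf[i] == buf[i - 1]) ? run + 1 : 1;
        if (run > best) best = run;
    }
    return best;
}

/* Most back-to-back repeats of one 4-byte word, at any byte alignment
 * (the address padding need not start on a word boundary). */
size_t longest_word_repeat(const uint8_t *buf, size_t len) {
    size_t best = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        size_t reps = 1;
        while (i + 4 * (reps + 1) <= len &&
               memcmp(buf + i, buf + i + 4 * reps, 4) == 0) reps++;
        if (reps > best) best = reps;
    }
    return best;
}

/* True when either padding pattern from slides 23-24 is present. */
bool looks_like_stack_smash(const uint8_t *buf, size_t len) {
    return longest_byte_run(buf, len) >= RUN_THRESHOLD ||
           longest_word_repeat(buf, len) >= REPEAT_THRESHOLD;
}

/* Constructed message shaped like slide 24: 40 bytes of 0x20 filler, a few
 * placeholder bytes, then the 4-byte stand-in "ABCD" for X repeated 10 times.
 * It is not a working payload; it only exercises the heuristic. */
bool demo_flags_padded_message(void) {
    uint8_t msg[104];                      /* same size as `in` on slide 22 */
    size_t n = 40;
    memset(msg, 0x20, n);
    memcpy(msg + n, "code", 4); n += 4;
    for (int k = 0; k < 10; k++) { memcpy(msg + n, "ABCD", 4); n += 4; }
    return looks_like_stack_smash(msg, n);
}
```

Note that the 0x20 run on slide 23 also reads as 0x20202020 repeated, so a NOP sled trips the word check as well as the run check; a legitimate text header such as a short HTTP request line trips neither.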


UVA CS 4610 - Language Security
