Berkeley COMPSCI 164 - Lecture Notes

Contents (slide titles): Language Security; Lecture Outline; Platitudes; C Design Principles; Arrays in C; C Array Operations; What's Wrong with this Picture?; Indexing Out of Bounds; Why?; Code Generation for Arrays; C vs. Java; Buffer Overruns; Stack Smashing; An Overrun Vulnerability; An Interesting Idea; Discussion; The Rest of the Story; The Plan; Slide 19; Guess the Location of the Injected Code; More Problems; Even More Problems; The State of C Programming; The State of Cracking; The Sad Reality; Blunt-Force Solutions; Static Analysis to Detect Buffer Overruns; Focus on Strings; Idea 1: Strings as an Abstract Data Type; Idea 2: The Abstraction; The Strategy; The Constraints; Constraint Solving; Using Solutions; Results; Limitations; Summary

Slide 1: Language Security
Lecture 30A
(from notes by G. Necula)
5/6/2009 Prof. Hilfinger CS 164 Lecture 30A 1

Slide 2: Lecture Outline
• Beyond compilers
– Looking at other issues in programming language design and tools
• C
– Arrays
– Exploiting buffer overruns
– Detecting buffer overruns

Slide 3: Platitudes
• Language design has influence on
– Efficiency
– Safety
– Security

Slide 4: C Design Principles
• Small language
• Maximum efficiency
• Safety less important
• Designed for the world as it was in 1972
– Weak machines
– Superhuman programmers (or so they thought)
– Trusted networks

Slide 5: Arrays in C
char buffer[100];
Declares and allocates an array of 100 chars
[Diagram: the array occupies 100 * sizeof(char) bytes, indexed 0, 1, 2, ..., 99]

Slide 6: C Array Operations
char buf1[100], buf2[100];
Write: buf1[0] = 'a';
Read: return buf2[0];

Slide 7: What's Wrong with this Picture?
int i;
for(i = 0; buf1[i] != '\0'; i++) { buf2[i] = buf1[i]; }
buf2[i] = '\0';

Slide 8: Indexing Out of Bounds
The following are all well-typed C and may generate no run-time errors
char buffer[100];
buffer[-1] = 'a';
buffer[100] = 'a';
buffer[100000] = 'a';
Slide 9: Why?
• Why does C allow out-of-bounds array references?
– Proving at compile-time that all array references are in bounds is impossible in most languages
– Checking at run-time that all array references are in bounds is "expensive"
• But it is even more expensive to skip the checks

Slide 10: Code Generation for Arrays
• The C code: buf1[i] = 1; /* buf1 has type int[] */
• The assembly code:
C with bounds checks:
r1 = &buf1;
r2 = load i;
r3 = r2 * 4;
if r3 < 0 then error;
r5 = load limit of buf1;
if r3 >= r5 then error;
r4 = r1 + r3
store r4, 1
Regular C:
r1 = &buf1;
r2 = load i;
r3 = r2 * 4;
r4 = r1 + r3
store r4, 1
Costly! Finding the array limits is non-trivial

Slide 11: C vs. Java
• C array reference typical case
– Offset calculation
– Memory operation (load or store)
• Java array reference typical case
– Offset calculation
– Memory operation (load or store)
– Array bounds check
– Type compatibility check (for some arrays)

Slide 12: Buffer Overruns
• A buffer overrun writes past the end of an array
• Buffer usually refers to a C array of char
– But can be any array
• So who's afraid of a buffer overrun?
– Can cause a core dump
– Can damage data structures
– What else?

Slide 13: Stack Smashing
Buffer overruns can alter the control flow of your program!
char buffer[100]; /* stack allocated array */
[Diagram: the 100 * sizeof(char) bytes of buffer, indexed 0, 1, 2, ..., 99, sit on the stack directly below the return address]

Slide 14: An Overrun Vulnerability
void foo(char in[]) {
  char buffer[100];
  int i = 0;
  for(i = 0; in[i] != '\0'; i++) { buffer[i] = in[i]; }
  buffer[i] = '\0';
}

Slide 15: An Interesting Idea
char in[104] = { ' ', ..., ' ', magic 4 chars }
foo(in); /* Return here: LRET */
[Diagram: at foo entry, buffer (indices 0..99) is followed by the return address LRET; at foo exit, the return address slot holds the magic 4 chars]
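The three slides above that deal with checking ("Indexing Out of Bounds", "Code Generation for Arrays" and "An Overrun Vulnerability") describe the check C omits but never show it in C. The following is an added example, not code from the lecture or its notes: the index check that the "C with bounds checks" pseudo-assembly sketches, written as a plain C helper, beside the slide's foo (kept as written) and a bounded copy that refuses input that does not fit its destination. The names checked_store, copy_bounded and foo_checked are my own, and the inputs in main are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides): the check the "C with bounds checks"
 * slide sketches as pseudo-assembly.  Returns 0 after storing, or -1 when
 * the index lies outside [0, limit).  The index is a long so that a negative
 * value, such as the slide's buffer[-1], is representable and gets caught. */
int checked_store(int *base, size_t limit, long index, int value)
{
    if (index < 0)                      /* "if r3 < 0 then error"   */
        return -1;
    if ((size_t)index >= limit)         /* "if r3 >= r5 then error" */
        return -1;
    base[index] = value;                /* only now do the store    */
    return 0;
}

/* The copy loop from "An Overrun Vulnerability", as the slides show it:
 * it stops on the NUL of `in`, never on the size of `buffer`.  Kept for
 * contrast only; calling it with 100 or more characters overruns the stack. */
void foo(char in[])
{
    char buffer[100];
    int i = 0;
    for (i = 0; in[i] != '\0'; i++) { buffer[i] = in[i]; }
    buffer[i] = '\0';
    (void)buffer;
}

/* Hardened form: the destination size travels with the pointer, every write
 * is checked against it, and an input that does not fit together with its
 * terminating NUL is rejected with -1 instead of spilling past the array. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t i;
    if (dst_size == 0)
        return -1;
    for (i = 0; src[i] != '\0'; i++) {
        if (i + 1 >= dst_size)          /* no room for this char plus NUL */
            return -1;
        dst[i] = src[i];
    }
    dst[i] = '\0';
    return 0;
}

/* foo rebuilt on copy_bounded: same 100-byte stack buffer, but an oversized
 * input now produces an error return rather than an overwritten return address. */
int foo_checked(const char *in)
{
    char buffer[100];
    return copy_bounded(buffer, sizeof buffer, in);
}

int main(void)
{
    int arr[100] = {0};
    /* Constructed inputs: the indices the "Indexing Out of Bounds" slide says
     * C accepts silently, plus one in-range index for comparison. */
    printf("index 5:      %d\n", checked_store(arr, 100, 5, 1));      /* 0  */
    printf("index -1:     %d\n", checked_store(arr, 100, -1, 1));     /* -1 */
    printf("index 100:    %d\n", checked_store(arr, 100, 100, 1));    /* -1 */
    printf("index 100000: %d\n", checked_store(arr, 100, 100000, 1)); /* -1 */

    char short_in[] = "hello";           /* constructed: fits, 5 chars + NUL */
    char long_in[104];                   /* constructed: the 104-byte input of slide 15 */
    memset(long_in, ' ', 103);
    long_in[103] = '\0';
    printf("short input:  %d\n", foo_checked(short_in)); /* 0  */
    printf("104-byte in:  %d\n", foo_checked(long_in));  /* -1 */
    return 0;
}
```

The two checks in checked_store are exactly the two extra instructions of the slide's checked code path; what the compiler cannot easily do (find the limit of buf1) is here done by the caller passing `limit` explicitly, which is also why copy_bounded needs dst_size as a parameter rather than deriving it from the pointer.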
Slide 16: Discussion
• So we can make foo jump wherever we like.
• Result of unanticipated interaction of two features:
– Unchecked array operations
– Stack-allocated arrays and return addresses
• Knowledge of frame layout allows prediction of where array and return address are stored
– Note the "magic cast" from chars to an address

Slide 17: The Rest of the Story
• Say that foo is part of a network server and the in originates in a received message
– Some remote user can make foo jump anywhere!
• But where is a "useful" place to jump?
– Idea: Jump to some code that gives you control of the host system (e.g. code that spawns a shell)
• But where to put such code?
– Idea: Put the code in the same buffer and jump there!

Slide 18: The Plan
• We'll make the code jump to the following code:
• In C: exec("/bin/sh");
• In assembly (pretend):
  mov $a0, 15      ; load the syscall code for "exec"
  mov $a1, &Ldata  ; load the command
  syscall          ; make the system call
  Ldata: .byte '/','b','i','n','/','s','h',0  ; null-terminated
• In machine code: 0x20, 0x42, 0x00, ...

Slide 19: The Plan
char in[104] = { 104 magic chars }
foo(in);
[Diagram: at foo exit, buffer (indices 0..99) holds 0x20, 0x42, 0x00, ... and the return address slot follows it]
• The last 4 bytes in "in" must be address of start of buffer
• Its position might depend on many factors!

Slide 20: Guess the Location of the Injected Code
• Trial & error: gives you a ballpark
• Then pad the injected code with NOP
– E.g. add $0, $1, 0x2020
• stores result in $0 which is hardwired to 0 anyway
• Encoded as 0x20202020
[Diagram: buffer (indices 0..99) holds 0x20, ..., 0x20 (the padding) followed by 0x20, 0x42, 0x00, ... (the bad code), with the return address after it]
• Works even with an approximate address of buffer!
Slide 21: More Problems
• We do not know exactly where the return address is
– Depends on how the compiler chose to allocate variables in the stack frame
• Solution: pad the buffer at the end with many copies of the "magic return address X"
[Diagram: buffer (indices 0..99) holds 0x20, ..., 0x20, 0x20, 0x42, 0x00, ... (the bad code) followed by X, X, X, X, ..., X, X, ... running past the return address]

Slide 22: Even More Problems
• The most common way to copy the bad code in a stack buffer is using string functions: strcpy,