Computer Security
Prof. David August
COS 217

Slide titles:
• Computer Security
• Interacting with the world
• Protection mechanisms
• What prevents user process from directly accessing keyboard & disk?
• How attackers defeat protection
• A nice little program
• Why did this program crash?
• Stack frame layout
• Buffer overrun
• Innocuous? buffer overrun
• Buffer overrun
• Buffer-overrun vulnerabilities
• Attacking a web server
• Attacking a web browser
• Attacking everything in sight
• Your programming assignment
• OK, that's a B...
• How about an A?
• A simpler solution
• The file getA
• What value to use for new return address?
• Use gdb to find out
• Defenses against this attack
• Defenses against this attack
• Defenses against this attack
• Segment register defense
• At your service...
• How to get started
• Start early

Slide 1: Computer Security
Prof. David August
COS 217

Slide 2: Interacting with the world
[Diagram: Hardware, OS Kernel, User Process, User Process, Internet]
• Keypress goes to OS kernel
• OS looks up which window has "keyboard focus," routes to appropriate user process's stdin
• User process does fprintf (asks OS to write to disk)
• OS writes to disk

• TCP packet goes to OS kernel
• OS looks up which process is listening on that port, sends data to stdin
• User process does fprintf (asks OS to write to disk)
• OS writes to disk

Slide 3: Protection mechanisms
The same two flows as on slide 2, annotated with:
• Not to user process directly!
• Not to unauthorized user process!
• User process can't access disk directly!
• OS writes only to files that user process has privileges to open!

Slide 4: What prevents user process from directly accessing keyboard & disk?
• Input/output instructions are privileged instructions; attempting to execute them in unprivileged mode will result in a trap to the operating system
• Input/output device registers may be memory-mapped; the virtual-memory system doesn't map those pages into user space
• The virtual-memory system prevents a user process from modifying OS memory (can't fool the OS into performing unauthorized services)
• Virtual memory prevents user processes from modifying each other's memory (can't fool another process into writing bad data to its files on disk)

Slide 5: How attackers defeat protection
• Make the protection mechanism fail
  o (exploit bugs in protection software)
• Operate politely through the protection mechanism, manipulate semantics of application to obtain services
  o (exploit bad design of application)

Slide 6: A nice little program

    % a.out
    What is your name?
    John Smith
    Thank you, John Smith.
    %

    #include <stdio.h>

    int main(int argc, char **argv) {
        char a[30];                 /* fixed-size buffer on the stack */
        int i;
        printf("What is your name?\n");
        for (i = 0; ; i++) {        /* no bounds check: i can run past the end of a */
            int c = getchar();
            if (c == '\n' || c == EOF) break;
            a[i] = c;
        }
        a[i] = '\0';
        printf("Thank you, %s.\n", a);
        return 0;
    }

Slide 7: Why did this program crash?

    % a.out
    What is your name?
    adsli57asdkhj5jklds;ahj5;klsaduj5klysdukl5aujksd5ukals;5uj;akukla
    Segmentation fault
    %

Program: same as on slide 6.

Slide 8: Stack frame layout

    % a.out
    What is your name?
    John Smith
    Thank you, John Smith.
    %

Program: same as on slide 6.
[Figure: stack frame of main. Labels: %ESP, saved registers, local variables (i = 10; a holding "John Smith\0"), %EBP, old EBP, old EIP, parameters (argc, argv).]

Slide 9: Buffer overrun

    % a.out
    What is your name?
    abcdefghijklmnopqrstu
    Segmentation fault
    %

Program: same as on slide 6.
[Figure: the same stack frame with i = 21. a holds "abcdefghijkl"; the old EBP and old EIP slots are shown overwritten with "mnop" and "qrst", followed by "u".]

Slide 10: Innocuous? buffer overrun

    % a.out
    What is your name?
    abcdefghijkl????!!!!^A
    %

Program: same as on slide 6.
[Figure: the same stack frame with i = 21. a holds "abcdefghijkl"; the old EBP slot is shown overwritten with "????" and the old EIP slot with "!!!!", followed by "^A".]

Slide 11: Buffer overrun

    % a.out
    What is your name?
    abcdefghijkl????&&&&executable-machine-code...
    How may I serve you, master?
    %

Cleverly malicious? Maliciously clever?
Program: same as on slide 6.
[Figure: the same stack frame with i = 21. a holds "abcdefghijkl"; the old EBP slot is shown overwritten with "????" and the old EIP slot with "&&&&", followed by executable machine code.]

Slide 12: Buffer-overrun vulnerabilities
[Diagram: Hardware, OS Kernel, E-mail client, Web Browser, Internet]
The same two flows as on slide 2.

Slide 13: Attacking a web server
[Diagram: Client PC, Web Server]

    for(i=0;p[i];i++)url[i]=p[i];

• URLs
• Input in web forms
• Crypto keys for SSL
• etc.

Slide 14: Attacking a web browser
[Diagram: Client PC, Web Server @ badguy.com; page shown: www.badguy.com "Earn $$$ Thousands working at home!"]

    for(i=0;p[i];i++)gif[i]=p[i];

• HTML keywords
• Images
• Image names
• URLs
• etc.

Slide 15: Attacking everything in sight
[Diagram: Client PC, The Internet @ badguy.com]

    for(i=0;p[i];i++)gif[i]=p[i];

• E-mail client
• PDF viewer
• Operating-system kernel
• TCP/IP stack
• Any application that ever sees input directly from the outside

Slide 16: Your programming assignment

    % a.out
    What is your name?
    John Smith
    Thank you, John Smith.
    I recommend that you get a grade of D on this assignment
    %

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    /* Name and readString are defined elsewhere in the assignment program;
       they are not shown on this slide. */
    char grade = 'D';

    int main(void) {
        printf("What is your name?\n");
        readString(Name);
        if (strcmp(Name,"Andrew Appel")==0) grade='B';
        printf("Thank you, %s.\n\
    I recommend that you get a grade of %c \
    on this assignment.\n", Name, grade);
        exit(0);
    }

Slide 17: OK, that's a B...

    % a.out
    What is your name?
    John
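
The read loop from slide 6 with the missing bounds check added, as an added example that is not part of the original slides. The names read_line_bounded, from_stdio, from_mem, struct frame and read_into_frame, and the sample input, are assumptions made for illustration; the guard bytes around a[30] stand in for the neighbouring stack slots so that a stray write would be visible.

```c
#include <stdio.h>
#include <string.h>

typedef int (*next_char_fn)(void *src);      /* returns one byte or EOF */

int from_stdio(void *src) { return getc((FILE *)src); }   /* src: FILE * */
int from_mem(void *src) {                    /* src: cursor into a string */
    const char **p = src;
    return **p ? (unsigned char)*(*p)++ : EOF;
}

/* Bounded version of the slide's loop: stores at most cap-1 characters of
 * one line in dst, always terminates it, and consumes the rest of the line
 * so the next read starts cleanly. Returns the number of characters
 * discarded (0 = the line fit), or -1 for unusable arguments. */
long read_line_bounded(next_char_fn next, void *src, char *dst, size_t cap) {
    size_t i = 0;
    long dropped = 0;
    int c;
    if (next == NULL || dst == NULL || cap == 0) return -1;
    while ((c = next(src)) != '\n' && c != EOF) {
        if (i < cap - 1) dst[i++] = (char)c; /* the check the slide's loop lacks */
        else dropped++;                      /* buffer full: discard, never store */
    }
    dst[i] = '\0';
    return dropped;
}

/* Constructed stand-in for main's frame: a[30] with guard bytes on both sides. */
struct frame { char lo[8]; char a[30]; char hi[8]; };

/* Reads one line into f->a; returns 1 if both guards are untouched, else 0. */
int read_into_frame(const char **input, struct frame *f, long *dropped) {
    memset(f, 0x5A, sizeof *f);
    *dropped = read_line_bounded(from_mem, input, f->a, sizeof f->a);
    for (size_t k = 0; k < sizeof f->lo; k++)
        if (f->lo[k] != 0x5A || f->hi[k] != 0x5A) return 0;
    return 1;
}

int main(void) {
    /* Constructed input: a 40-character line, then the name from the slides. */
    const char *in = "0123456789012345678901234567890123456789\nJohn Smith\n";
    struct frame f;
    long dropped;
    for (int n = 0; n < 2; n++) {
        int ok = read_into_frame(&in, &f, &dropped);
        printf("Thank you, %s. (dropped %ld, guards intact %d)\n", f.a, dropped, ok);
    }
    return 0;
}
```

On real input the call is read_line_bounded(from_stdio, stdin, a, sizeof a).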