Computer Security and Software Vulnerabilities

Computer security, also known as cybersecurity or IT security, encompasses the protection of information systems from theft and damage. This overview delves into software security, control-flow attacks, memory vulnerabilities, and the historical impact of events like the Morris Worm. Various aspects such as encryption, access control, buffer overflow vulnerabilities, and the consequences of cyber threats are explored, shedding light on the critical importance of safeguarding digital assets.

• Computer Security
• Software Vulnerabilities
• Cybersecurity
• Memory Layout
• Morris Worm

chriss Follow

Uploaded on Sep 07, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. Software Security Overview Mao Bing Department of Computer Science NanJing University

2. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 2

3. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 3

4. Computer Security Computer security, also known as cybersecurity or IT security, is the ...protection of information systems from theft (secrecy/confidentiality) or damage (integrity) to the hardware, the software, and to the information on them, ... Gasser, Morrie (1988) 4

5. How Many Vulnerabilities? 5

6. Before Morris Worm, Computer Security is: Encryption & Decryption Access Control DAC MAC Logic Bomb Back Door 6

7. Until 1988 Access Control Encryption & Decryption Computer Security Logic Bomb Back Door 7

8. Morris Worm Author: Robert Tappan Morris Generating IP address(Randomly) Address detection Attack, & Infection Y Y Is the Is the host real? Vulnerability exist? N N 8

9. Morris Worm Vulnerability: Buffer Overflow Attack & Infection Hijack control flow & execute SHELLCODE Add the virus to the head or tail of the program 9

10. Effect of Morris Worm The U.S. Government Accountability Office put the cost of the damage at $100,000 10,000,000. Around 6,000 major UNIX machines were infected by the Morris worm(about 60,000 computers attached to the Internet). Prompted DARPA to fund the establishment of the CERT/CC at Carnegie Mellon University. 10

11. What changes do Morris Worm bring to Computer Security? A real Buffer Overflow Attack Software Security 11

12. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 12

13. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 13

14. Anatomy of a Program in Memory support process execution (LIFO) 14

15. Stack The stack is used for: passing arguments, storing return information, saving registers, and for local storage. 15

16. Procedure Call The compiled code for a function has three parts: the setup where the stack frame is initialized; the body where the actual computation of the procedure is performed; and the finish where the stack state is restored and the procedure returns. Set up(real): push ebp movl esp, ebp set %ebp as frame pointer Call(virtual): push return addr. jump to func saved old ebp Finish(real): pop ebp ret Ret(virtual): pop return addr. jump to the addr. restore %ebp ret 16

17. Stack Frame Structure The key of the Buffer Overflow Attack!!! 17

18. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 18

19. Vulnerability Metrics: Buffer Overflow 19

20. Buffer Overflow & Morris Worm Aside from being the first computer worm to be distributed via the Internet, the worms attack was a classic stack smash against the fingerd daemon. char buf[512]; int is_authorized; func(){ ; gets(buf); } Morris recounts his thoughts on the overflow attack: I had heard of the potential for exploits via overflow of the data segment buffers overwriting the next variable. That is, people were worried about code like this: 20

21. Buffer Overflow large_string: AAAAAAAAAAA .. AAAAAA7c80dfdd0804874 . . . x argument Return addr shellcode \xdd\xdf\x80\x7c\xff\xff\xff\xff \xdb\x53\x87\x7c\x63\xce\x86\x7c \xc6\x3a\x87\x7c\xfa\x20\x87\x7c \xc6\x3a\x87\x7c\x63\x3e\x86\x7c \x44\x21\x86\x7c\xea\xd4\x83\x7c old %ebp Saved registers offset = x buffer Other data 21

22. Buffer Overflow Attack Step Find memory space to host the shellcode Determining the buffer size to write exactly int EIP Vulnerability program Success Get shellcode and finalize the exploit Jump to the shellcode in a reliable way 22

23. Defense Vulnerability Return Address Malicious code 23

24. Defense(Vulnerability): Writing Correct Code Writing correct code is a laudable but remarkably expensive proposition , especially when writing in a language such as C that has error-prone idioms such as null-terminated strings and a culture that favors performance over correctness. No Function 1 gets(char[]) 2 char *fgets(char *string, int n, FILE *stream) 3 char *strcpy( char *dest, const char *src ) 24

25. Defense(Return Address): StackGuard StackGuard is a compiler technique for providing code pointer integrity checking to the return address in function activation records. StackGuard is implemented as a small patch to gcc that enhances the code generator for emitting code to set up and tear down functions. The enhanced setup code places a canary 4 word next to the return address on the stack. 25

26. Defense(Malicious Code): Non-Executable Data DEP large_string: AAAAAAAAAAA .. AAAAAA7c80dfdd0804874 . . . No Executable x argument Return addr shellcode \xdd\xdf\x80\x7c\xff\xff\xff\xff \xdb\x53\x87\x7c\x63\xce\x86\x7c \xc6\x3a\x87\x7c\xfa\x20\x87\x7c \xc6\x3a\x87\x7c\x63\x3e\x86\x7c \x44\x21\x86\x7c\xea\xd4\x83\x7c old %ebp Saved registers offset = x buffer Other data 26

27. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 27

28. Return-to-libc(RILC) 28

29. Return-to-libc(RILC) large_string: AAAAAAAAAAA .. AAAAAA 7c80dfdd 0804874 . . . x argument Return addr abs_0 .text:7c80dfdd mov edx, edi .text:7c80dff0 mov eax, edi .text:7c80dff2 sar edx, 1Fh .text:7c80dff5 xor eax, edx .text:7c80dff7 sub eax, edx .text:7c80dff9 retn old %ebp Saved registers offset = x buffer Other data 29

30. Limitations 1. Expressive power 2. Easy to be defensive function2() function 1() Malicious Behavior An Exploit function3() . functionN() 30

31. Return Oriented Programming 31

32. Return Oriented Programming payload: Gadget4 0x7C80DFDD: pop ebx ret Gadget3: 0x7C8753DB: inc ebx dec ecx ret 0x7C80DFDD Gadget2: 0x7C86CE63 pop edi ESP 0x7C8753DB ret ESP data:edi ESP 0x7C83D4EA Gadget1: 0x7C8720FA: pop esi ESP data:esi ret ESP 0x7C8720FA ESP 32

33. Enough gadgets for attack? movl $0x0f000000, (%edi) xchg %ebp, %eax inc %ebp ret The set of gadgets described is Turing complete by inspection, so return-oriented programs can do anything possible with x86 code. (The Geometry of Innocent Flesh on the Bone:Return-into-libc without Function Calls (on the x86) Hovav Shacham, ACM CCS 2007) f7 c7 07 00 00 00 0f 95 45 c3 c7 07 00 00 00 0f 95 45 c3 test $0x00000007, %edi setnzb -61(%ebp) 33

34. ROP: Contribution 1. Describe an efficient algorithm for analyzing libc to recover the instruction sequences that can be used in attack 2. Bypass StackGuard & DEP 3. But 34

35. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 35

36. Address Space Layout Randomization High address Code Segment 0x7C80DFDD: pop ebx ret shellcode 0x7C83D4EA: pushad 0x7C83D4EA push edi ret 0x7C862144 0x7C863E63 0x7C863E63: pop ebp ret 0x7C86CE64 0x7C8720FA 0x7C86CE63: pop edi ret 0x7C86CE64 0x7C86CE63 0x7C8720FA: pop esi ret 0x7C8753DB 0x7C8753DB: inc ebx 0xFFFFFFFF dec ecx ret 0x7C80DFDD 36

37. Address Space Layout Randomization High address Randomization 0x8F7EDFDD: pop ebx ret shellcode 0x8F8AD4EA: pushad 0x7C83D4EA push edi ret 0x7C862144 0x7C863E63 0x8F9D3E63: pop ebp ret 0x7C86CE64 0x7C8720FA 0x8FA6CE63: pop edi ret 0x7C86CE64 0x7C86CE63 0x8FD320FA: pop esi ret 0x7C8753DB 0x8FD353DB: inc ebx 0xFFFFFFFF dec ecx ret 0x7C80DFDD 37

38. Just-in-time Code Reuse Re-Randomization Isomeron, NDSS 15 38

39. Control Flow Integrity CFI idea: During program execution, whenever a machine-code instruction transfers control, it targets a valid destination, as determined by a Control Flow Graph (CFG) created ahead of time. 1: sum = 0 2: i = 1 (1) (2) (3) (4) (5) (6) (7) sum = 0 i = 1 while (i<N) do i = i+1 if(i%2 == 0) 3: while (i<N) do 4: I = i+1 5: if(i%2==0) continue; sum = sum + i endwhile (8) print (sum) 7: sum=sum+i 8: print(sum) 39

40. Control Flow Integrity Jump to the destination only if the tag is equal to 12345678 40

41. Control Flow Integrity Control Flow Integrity provides: Provably correct mechanisms that prevent powerful attackers from succeeding by protecting against all control flow integrity attacks. Issues: Performance overhead(average/max: 15%/46%) Compatibility issues limit its adoption Build CFG statically Rewrite binary Verify CFI instrumentation Perform ID checks at run time 41

42. Practical Control Flow Integrity BinCFI(2013 s USENIX) CCFIR(2013 S&P) CCFIR(2013 S&P) CCFI(2015 CCS) 42

43. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 43

44. Outline Background Software Security: Control-flow Hijack Attack Memory Layout , Stack frame, & Procedure Buffer Overflow: Vulnerability, & Defenses RILC, Return-Oriented Programming ASLR & CFI Software Security: Non-control Data Attack Data Oriented Programming Summary 44

45. Source Code of do_authentication() 45

46. Data-Oriented Programming 46

47. DOP Example 1 2 3 4 5 6 7 8 9 struct server{ int total, *cur_max, typ;} *srv; int connect_limit = MAXCONN; int *size, *type; char buf[MAXLEN]; size = &buf[10]; type = &buf[14] ... while(connect_limit--) { readData(sockfd, buf); // stack bof if(*type == NONE ) break; if(*type == STREAM) // condition *size = *(srv->cur_max); // dereference else{ srv->typ = *type; // assignment srv->total += *size; // addition } ... (handling) ... } 10 11 12 12 13 13 14 Code 1: Vulnerable code with data-oriented gadgets 47

48. Target Code2: A function increments the integer field of a linked-list by a given value. It can be simulated by chaining data-oriented gadgets in Code 1. struct node { node int var; node *next; var node+4 } *list; next *node var *(node+4) next 48

49. DOP Example type &STREAM size &list srv &list type &list size &addend srv &srv - 8 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. } while(connect_limit--) { readData(sockfd, buf); if(*type == NONE ) break; if(*type == STREAM) *size = *(srv->cur_max); list = list->next; else { srv->typ = *type; srv->total += *size; } 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. } while(connect_limit--) { readData(sockfd, buf); if(*type == NONE ) if(list == NULL) break; break; if(*type == STREAM) *size = *(srv->cur_max); else { srv->typ = *type; srv = list; srv->total += *size; list->var += addend; } 49

50. DOP Example 1 2 3 4 5 struct node {int var; node *next;} void updateList(struct node *list, int addend) { for(; list != NULL; list = list->next) list->var += addend } 50

Load More ...