Software Security Fundamentals

Review: Software Security
David Brumley
dbrumley@cmu.edu
Carnegie Mellon University
Basic Execution Model
cdecl: the default for Linux & gcc
/* red is called but not defined on the slide; this prototype is added so the
   fragment compiles (assumed signature, matching the call below). */
int red(int c, char *buf);

int orange(int a, int b)
{
  char buf[16];      /* 16-byte local buffer, lives in orange's stack frame */
  int c, d;          /* locals: c = max(a, b), d = red's result */
  if(a > b)
   c = a;
  else
   c = b;
  d = red(c, buf);   /* cdecl: buf (address) and c pushed right to left */
  return d;
}
Be prepared to draw and analyze stack diagrams.
Control Flow Hijack: Always Computation + Control
  computation + control
  • code injection
  • return-to-libc
  • heap metadata overwrite
  • return-oriented programming
  • ...
Same principle, different mechanism.
Channeling Vulnerabilities
... arise when control and data are mixed into one channel.
Buffer overflows
Gaining control through...
Overwriting saved return addresses
Overwriting function pointers
format strings
For non-variadic functions, the compiler:
  • knows number and types of arguments
  • emits instructions for caller to push arguments right to left
  • emits instructions for callee to access arguments via frame pointer (or stack pointer [advanced])
For variadic functions, the compiler emits instructions for the program to walk the stack at runtime for arguments.
format string exploits
Occur when the user can control the format string specifier.
Can be used to:
  1. View memory (e.g., information disclosure)
  2. Write to specific addresses
  3. sprintf: expand user input to cause a buffer overflow
Defenses
  computation + control
  computation (the injected payload): addressed primarily by DEP
  control (the hijacked address): addressed primarily by ASLR

How to attack with ASLR?
Return-Oriented Programming (ROP)
how it works and when it is needed
Desired shellcode: Mem[v2] = v1
  a1: pop eax; ret
  a2: pop ebx; ret
  a3: mov [ebx], eax
Stack, starting where the return address was: a1, v1, a2, v2, a3
Desired store executed!
CFI
Sound/Complete
Sensitivity in program analysis
CFI instrumentation
CFI assumptions
Test
In-class
Timed
Closed book, closed note, closed computer
Good Luck!
Questions?
END
Thought

This review delves into essential concepts of software security, covering topics such as basic execution models, parameter areas, control flow hijacking, channeling vulnerabilities, buffer overflows, and format strings. It explores stack diagrams and analysis, elucidating critical mechanisms like control and data manipulation, memory disclosures, and gaining control through overwriting. The content provides insights into key security risks and techniques for better protection in software development.

  • Software Security
  • Execution Models
  • Buffer Overflows
  • Control Flow Hijack
  • Format Strings

Uploaded on Oct 01, 2024 | 0 Views



Presentation Transcript


  1. Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University

  2. Basic Execution Model: fetch, decode, execute. (Diagram: the processor reads and writes process memory, which holds code, data, the heap and the stack.)

  3. cdecl, the default for Linux & gcc. Example (the orange function listed earlier on this page): int orange(int a, int b) { char buf[16]; int c, d; if(a > b) c = a; else c = b; d = red(c, buf); return d; }
     Stack diagram for orange (stack grows toward lower addresses): parameter area (caller): b, a; return addr; caller's ebp (%ebp points here in orange's frame); callee-save; locals (buf, c, d: 28 bytes if stored on stack); caller-save. Stack to be created before calling red: buf and c pushed right to left, then the return addr and orange's ebp; %esp points at the top of the new frame after red has been called.

  4. Be prepared to draw and analyze stack diagrams.

  5. Control Flow Hijack: Always Computation + Control. (Diagram: shellcode (aka payload) + padding + &buf = computation + control.) Examples: code injection, return-to-libc, heap metadata overwrite, return-oriented programming, ... Same principle, different mechanism.

  6. Channeling Vulnerabilities ... arise when control and data are mixed into one channel.
     Situation      | Data channel   | Control channel                  | Security consequence
     Format strings | Output string  | Format parameters                | Disclose or write to memory
     Heap           | malloc buffers | Heap metadata info (malloc data) | Control hijack / write to memory
     Stack          | Stack data     | Return address                   | Control hijack
     Phreaking      | Voice or data  | Operator tones                   | Seize line control

  7. Buffer overflows. Gaining control through... overwriting saved return addresses; overwriting function pointers.

  8. format strings. For non-variadic functions, the compiler:
     • knows number and types of arguments
     • emits instructions for caller to push arguments right to left
     • emits instructions for callee to access arguments via frame pointer (or stack pointer [advanced])
     For variadic functions, the compiler emits instructions for the program to walk the stack at runtime for arguments.

  9. format string exploits. Occur when the user can control the format string specifier. Can be used to:
     1. View memory (e.g., information disclosure)
     2. Write to specific addresses
     3. sprintf: expand user input to cause a buffer overflow
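An added example (not the lecture's code) for slides 8 and 9: printf trusts the format string for how many variadic arguments to walk, so a user-controlled format decides what gets read, or with %n written. The helpers below count the conversions an input would trigger and flag %n, and render_user_text shows the fix of passing user text only through a constant "%s" format. All function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* How many conversions would printf perform for this format? printf has no
 * way to know how many arguments the caller really pushed: it walks the
 * variadic area once per directive, so each '%' in attacker text reads
 * (or, with %n, writes) memory that was never meant for it. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }     /* "%%" is a literal '%' */
        n++;
    }
    return n;
}

/* Does the text contain a %n directive (a write, not just a read)? */
bool has_write_directive(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        p++;                                    /* skip flags/width/precision/length */
        while (*p && strchr("-+ #*0123456789.hlLqjzt", *p)) p++;
        if (*p == 'n') return true;
        if (!*p) break;                         /* string ended right after '%' */
    }
    return false;
}

/* The fix: user text travels only on the data channel. The format (the
 * control channel) is a constant; the vulnerable form would have been
 * snprintf(out, outsz, user). */
int render_user_text(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "%s", user);
}

/* Check helper: rendering must reproduce the user's text byte for byte,
 * directives included, because they are never interpreted. */
bool renders_literally(const char *user)
{
    char out[64];
    return render_user_text(out, sizeof out, user) == (int)strlen(user)
        && strcmp(out, user) == 0;
}
```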

  10. Defenses. (Diagram as on slide 5: shellcode (aka payload) + padding + &buf = computation + control.) The computation part is addressed primarily by DEP, the control part primarily by ASLR.

  11. How to attack with ASLR? Attack non-randomized memory: ret2text, ret2got (GOT hijacking). Brute force. Stack juggling: ret2ret, ret2pop, func ptr.

  12. Return-Oriented Programming (ROP): how it works and when it is needed. Desired shellcode: Mem[v2] = v1. Gadgets: a1: pop eax; ret; a2: pop ebx; ret; a3: mov [ebx], eax. Stack diagram: argv, argc, ..., buf (64 bytes) filled from argv[1], caller's ebp (%ebp), then where the return address was: a1, v1, a2, v2, a3; %esp. Desired store executed!

  13. CFI: Sound/Complete; Sensitivity in program analysis; CFI instrumentation; CFI assumptions.
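An added example (not the lecture's code) covering slides 12 and 13: a toy 32-bit machine runs the chain [a1, v1, a2, v2, a3] through the three gadgets of slide 12 so that Mem[v2] = v1 is stored, then runs the same chain under a CFI return check that only allows targets recorded as legitimate return sites, which is why the gadget addresses (mid-function instruction sequences) are rejected at the first ret. Gadget addresses, the memory range and the return-site list are made-up constants.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

enum { A1 = 0x08048100, A2 = 0x08048200, A3 = 0x08048300 };  /* gadget addresses (constructed) */
#define MEM_BASE 0x1000u          /* toy data memory lives at [MEM_BASE, MEM_BASE+MEM_SIZE) */
#define MEM_SIZE 64u

typedef struct { uint32_t eax, ebx, *esp; uint8_t mem[MEM_SIZE]; } cpu_t;

/* Legitimate return sites an instrumented call would have recorded (constructed). */
static const uint32_t return_sites[] = { 0x08048500, 0x08048640 };

static bool cfi_allows_return(uint32_t target)
{
    for (size_t i = 0; i < sizeof return_sites / sizeof *return_sites; i++)
        if (return_sites[i] == target) return true;
    return false;
}

/* One "ret": pop the target, run the gadget found there. false = chain stopped. */
static bool ret_and_run(cpu_t *c, bool cfi)
{
    uint32_t t = *c->esp++;
    if (cfi && !cfi_allows_return(t)) return false;   /* CFI: not a return site, abort */
    switch (t) {
    case A1: c->eax = *c->esp++; return true;          /* pop eax; ret */
    case A2: c->ebx = *c->esp++; return true;          /* pop ebx; ret */
    case A3:                                           /* mov [ebx], eax */
        if (c->ebx < MEM_BASE || c->ebx + 4 > MEM_BASE + MEM_SIZE) return false;
        memcpy(c->mem + (c->ebx - MEM_BASE), &c->eax, 4);
        return false;                                  /* desired store executed */
    default: return false;                             /* not a gadget */
    }
}

/* Run the chain that sits where the saved return address was and report the
 * word at Mem[v2] afterwards: v1 without CFI, still 0 with CFI. */
uint32_t run_chain(uint32_t v1, uint32_t v2, bool cfi)
{
    cpu_t c = {0};
    uint32_t chain[] = { A1, v1, A2, v2, A3 };
    c.esp = chain;
    while (ret_and_run(&c, cfi)) ;
    uint32_t w = 0;
    if (v2 >= MEM_BASE && v2 + 4 <= MEM_BASE + MEM_SIZE)
        memcpy(&w, c.mem + (v2 - MEM_BASE), 4);
    return w;
}
```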

  14. Test: In-class; Timed; Closed book, closed note, closed computer. Good Luck!

  15. Questions?

  16. END

  17. Thought
