![BUFFER OVERFLOW ATTACKS
• The term buffe r refers to an allocated chunk of memory, such as a pointer,
array or string.
• Ex:
void f() {
int a[10] ;
a[20] = 3;
}
• Two conditions must be fulfilled:
•The attacker must be able to control the data written into the buffer.
•There must be security sensitive variables stored after the buffer in memory.](https://image.slidesharecdn.com/ehpresentation-160919175701/85/Buffer-Overflow-Countermeasures-DEP-Security-Assessment-3-320.jpg)
![VARIABLE ATTACKS
int main(int argc, char *argv[]) {
char passwd_ok = 0;
char passwd[8];
strcpy(passwd, argv[1]);
if (strcmp(passwd, “amar”) == 0)
passwd_ok = 1;
if (passwd_ok) {
…
}
•The strcpy function makes no check that argv[1] contains at most 8 chars, so an
attacker that passes a longer string can overflow the passwd buffer.
The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.](https://image.slidesharecdn.com/ehpresentation-160919175701/85/Buffer-Overflow-Countermeasures-DEP-Security-Assessment-4-320.jpg)
![STACK & HEAP OVERFLOW
• When a function is called in C, the caller begins by pushing the
function parameters to the stack. Thereafter, the caller pushes the
address of its next instruction --- the address where execution should
continue when the function returns --- to the stack and jumps to the
function. The callee, in turn, makes room on the stack for its local
variables.
• The attacker can in fact call any function in the program or in the
libraries used by it.
The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.](https://image.slidesharecdn.com/ehpresentation-160919175701/85/Buffer-Overflow-Countermeasures-DEP-Security-Assessment-5-320.jpg)
![COUNTERMEASURES
• Prevent use of dangerous functions: gets, strcpy, etc.
• Stack Based
• Adding redundant information/routines to protect the stack or parts of stack.
• Ex: StackGuard
The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.](https://image.slidesharecdn.com/ehpresentation-160919175701/85/Buffer-Overflow-Countermeasures-DEP-Security-Assessment-6-320.jpg)
![STACK GUARD
• A simple approach to protect programs against stack smashing and
with little modification against EBP overflows.
• This is achieved by a compiler extension that adds so called canary
values before the EIP saved at the function.
The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.](https://image.slidesharecdn.com/ehpresentation-160919175701/85/Buffer-Overflow-Countermeasures-DEP-Security-Assessment-7-320.jpg)
![LIBSAFE & LIBVERIFY
The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.
• LIBSAFE
• A transparent approach set up in a DLL that replaces standard(vulnerable)
functions by standard bounds checked functions
• Ex: strcpy could be replaced by strncpy
• The upper limit of the bounds is calculated based on the EBP, so the maximm
amount written to a buffer is the size of the stackframe.
• LIBVERIFY
• Similar to Stackguard
• It implements a wrapper function that saves the copy of the canaries to a canary
stack.](https://image.slidesharecdn.com/ehpresentation-160919175701/85/Buffer-Overflow-Countermeasures-DEP-Security-Assessment-8-320.jpg)
![OTHER PROTECTION MECHANISM
• Use static or dynamic source code analyzers at the source code level
to check the code for buffer overflow problems
• Change the compiler at the compiler level that does bounds checking
or protect addresses from overwriting
• Change the rules at that operating system level for which the memory
pages are allowed to hold executable data.
The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.](https://image.slidesharecdn.com/ehpresentation-160919175701/85/Buffer-Overflow-Countermeasures-DEP-Security-Assessment-9-320.jpg)
![DATA EXECUTION PREVENTION
• Data Execution Prevention (DEP) is a set of hardware and software
technologies that perform additional checks on memory to help
prevent malicious code from running on a system.
• The primary benefit of DEP is to help prevent code execution from
data pages.
• HARDWARE ENFORCED DEP
• Hardware-enforced DEP marks all memory locations in a process as non-
executable unless the location explicitly contains executable code.
• Hardware-enforced DEP relies on processor hardware to mark memory with an
attribute that indicates that code should not be executed from that memory.
The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.](https://image.slidesharecdn.com/ehpresentation-160919175701/85/Buffer-Overflow-Countermeasures-DEP-Security-Assessment-10-320.jpg)
![DEP
• Beginning with Windows XP SP2, the 32-bit version of Windows uses one of the
following:
• The no-execute page-protection (NX) processor feature as defined by AMD.
• The Execute Disable Bit (XD) feature as defined by Intel.
• SOFTWARE ENFORCED DEP
• Software-enforced DEP runs on any processor.
• By default, software-enforced DEP helps protect only limited system binaries,
regardless of the hardware-enforced DEP capabilities of the processor.
• BENEFITS
• DEP can help block a class of security intrusions. Specifically, DEP can help
block a malicious program in which a virus or other type of attack has injected a
process with additional code and then tries to run the injected code.
The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.](https://image.slidesharecdn.com/ehpresentation-160919175701/85/Buffer-Overflow-Countermeasures-DEP-Security-Assessment-11-320.jpg)
![SECURITY ASSESSMENT
• Every organization uses different types of security assessments to
validate the level of security on its network resources.
• Security assessment is broadly divided into three categories:
• SECURITY AUDITs
• Focus on the people and processes used to design, implement, and manage
security on a network.
• You can perform a manual assessment by using the following techniques:
• Interviewing the staff
• Reviewing application and operating systems access controls
• Analyzing physical access to the systems.
The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.](https://image.slidesharecdn.com/ehpresentation-160919175701/85/Buffer-Overflow-Countermeasures-DEP-Security-Assessment-12-320.jpg)
![SECURITY ASSESSMENT
• You can perform an automatic assessment by using the following techniques:
• Generating audit reports
• Monitoring and reporting the changes in the files
• VULNERABILITY ASSESSMENTs
• Helps in identifying known security vulnerabilities by scanning a network
• Vulnerability scanners can test systems and network devices for exposure to
common attacks.
• Attacks on security related information and denial of service attacks.
• Host-based scanners look for features such as weak file access permissions,
poor passwords, and logging faults.
The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.](https://image.slidesharecdn.com/ehpresentation-160919175701/85/Buffer-Overflow-Countermeasures-DEP-Security-Assessment-13-320.jpg)
![SECURITY ASSESSMENT
• PENETRATION TESTING
• A penetration test will not only point out vulnerabilities, it will also document how
the weaknesses can be exploited and how several minor vulnerabilities can be
escalated by an attacker to compromise a computer or network.
• Penetration tests can reveal whether employees routinely allow people without
identification to enter company facilities and where they would have physical
access to computers.
• Reveal process problems ( Not applying security updates )
The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.](https://image.slidesharecdn.com/ehpresentation-160919175701/85/Buffer-Overflow-Countermeasures-DEP-Security-Assessment-14-320.jpg)
![THANK YOU!
The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.](https://image.slidesharecdn.com/ehpresentation-160919175701/85/Buffer-Overflow-Countermeasures-DEP-Security-Assessment-15-320.jpg)
Buffer Overflow Countermeasures, DEP, Security Assessment
- 1. COUNTERMEASURES AGAINST BUFFER OVERFLOW ATTACKS DATA EXECUTION PREVENTION (DEP) SECURITY ASSESSMENT BY AMAR MYANA
- 2. TOPICS OF DISCUSSION • Buffer Overflow Attacks • Stack Smashing • Heap Overflows • Off-By-One ( a classic programmers error ) • Countermeasures against buffer overflow attacks • Language Level • Source Code Level • Compiler Level • Operating System Level • DEP || Executable Space Protection || ( NX || XD ) bit • Security Audits, Vulnerability Assessments and Penetration Testing
- 3. BUFFER OVERFLOW ATTACKS • The term buffe r refers to an allocated chunk of memory, such as a pointer, array or string. • Ex: void f() { int a[10] ; a[20] = 3; } • Two conditions must be fulfilled: •The attacker must be able to control the data written into the buffer. •There must be security sensitive variables stored after the buffer in memory.
- 4. VARIABLE ATTACKS int main(int argc, char *argv[]) { char passwd_ok = 0; char passwd[8]; strcpy(passwd, argv[1]); if (strcmp(passwd, “amar”) == 0) passwd_ok = 1; if (passwd_ok) { … } •The strcpy function makes no check that argv[1] contains at most 8 chars, so an attacker that passes a longer string can overflow the passwd buffer. The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.
- 5. STACK & HEAP OVERFLOW • When a function is called in C, the caller begins by pushing the function parameters to the stack. Thereafter, the caller pushes the address of its next instruction --- the address where execution should continue when the function returns --- to the stack and jumps to the function. The callee, in turn, makes room on the stack for its local variables. • The attacker can in fact call any function in the program or in the libraries used by it. The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.
- 6. COUNTERMEASURES • Prevent use of dangerous functions: gets, strcpy, etc. • Stack Based • Adding redundant information/routines to protect the stack or parts of stack. • Ex: StackGuard The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.
- 7. STACK GUARD • A simple approach to protect programs against stack smashing and with little modification against EBP overflows. • This is achieved by a compiler extension that adds so called canary values before the EIP saved at the function. The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.
- 8. LIBSAFE & LIBVERIFY The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer. • LIBSAFE • A transparent approach set up in a DLL that replaces standard(vulnerable) functions by standard bounds checked functions • Ex: strcpy could be replaced by strncpy • The upper limit of the bounds is calculated based on the EBP, so the maximm amount written to a buffer is the size of the stackframe. • LIBVERIFY • Similar to Stackguard • It implements a wrapper function that saves the copy of the canaries to a canary stack.
- 9. OTHER PROTECTION MECHANISM • Use static or dynamic source code analyzers at the source code level to check the code for buffer overflow problems • Change the compiler at the compiler level that does bounds checking or protect addresses from overwriting • Change the rules at that operating system level for which the memory pages are allowed to hold executable data. The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.
- 10. DATA EXECUTION PREVENTION • Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. • The primary benefit of DEP is to help prevent code execution from data pages. • HARDWARE ENFORCED DEP • Hardware-enforced DEP marks all memory locations in a process as non- executable unless the location explicitly contains executable code. • Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.
- 11. DEP • Beginning with Windows XP SP2, the 32-bit version of Windows uses one of the following: • The no-execute page-protection (NX) processor feature as defined by AMD. • The Execute Disable Bit (XD) feature as defined by Intel. • SOFTWARE ENFORCED DEP • Software-enforced DEP runs on any processor. • By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor. • BENEFITS • DEP can help block a class of security intrusions. Specifically, DEP can help block a malicious program in which a virus or other type of attack has injected a process with additional code and then tries to run the injected code. The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.
- 12. SECURITY ASSESSMENT • Every organization uses different types of security assessments to validate the level of security on its network resources. • Security assessment is broadly divided into three categories: • SECURITY AUDITs • Focus on the people and processes used to design, implement, and manage security on a network. • You can perform a manual assessment by using the following techniques: • Interviewing the staff • Reviewing application and operating systems access controls • Analyzing physical access to the systems. The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.
- 13. SECURITY ASSESSMENT • You can perform an automatic assessment by using the following techniques: • Generating audit reports • Monitoring and reporting the changes in the files • VULNERABILITY ASSESSMENTs • Helps in identifying known security vulnerabilities by scanning a network • Vulnerability scanners can test systems and network devices for exposure to common attacks. • Attacks on security related information and denial of service attacks. • Host-based scanners look for features such as weak file access permissions, poor passwords, and logging faults. The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.
- 14. SECURITY ASSESSMENT • PENETRATION TESTING • A penetration test will not only point out vulnerabilities, it will also document how the weaknesses can be exploited and how several minor vulnerabilities can be escalated by an attacker to compromise a computer or network. • Penetration tests can reveal whether employees routinely allow people without identification to enter company facilities and where they would have physical access to computers. • Reveal process problems ( Not applying security updates ) The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker that passes a longer string can overflow the passwd buffer.