vbrandl/WIS-SEC-BOF
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

New version

Browse Source
This commit is contained in:
Valentin Brandl 2019-11-19 21:18:50 +01:00
parent 8ffcea4add
commit 80fb96ff6b
No known key found for this signature in database
GPG Key ID: 30D341DD34118D7D
2 changed files with 95 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
work/01paper.pdf
View File

Binary file not shown.

144
work/01paper.tex
View File

@ -13,6 +13,13 @@
\usepackage{textcomp} \usepackage{textcomp}
\usepackage{xcolor} \usepackage{xcolor}
% code listings
\usepackage{minted}
\usepackage{relsize}
% acronyms
\usepackage{acro}
\acsetup{list-long-format=\capitalisewords}
%additional packages %additional packages
%\usepackage[ngerman]{babel} %\usepackage[ngerman]{babel}
\usepackage[utf8]{inputenc} \usepackage[utf8]{inputenc}
@ -32,6 +39,8 @@
\input{glossary} \input{glossary}
%%fuer abkuerzungen end %%fuer abkuerzungen end
\include{acronyms}
\begin{document} \begin{document}
\title{Overview Over Attack Vectors and Countermeasures for Buffer Overflows} \title{Overview Over Attack Vectors and Countermeasures for Buffer Overflows}
@ -77,35 +86,44 @@ bounds writes are almost always critical and result in code execution
vulnerabilities or at least application crashes. vulnerabilities or at least application crashes.
\section{Main Part, TODO}\label{ref:main} %TODO!!!! % \section{Main Part, TODO}\label{ref:main} %TODO!!!!
\subsection{Background}\label{ref:background} \section{Background}\label{ref:background}
% TODO: many references % TODO: many references
\subsubsection{Technical Details} \subsection{Technical Details}
Exploitation of buffer overflow vulnerabilities almost always works by Exploitation of buffer overflow vulnerabilities almost always works by
overriding the return address in the current stack frame, so when the `ret` overriding the return address in the current stack frame, so when the
instruction is executed, an attacker controlled address is moved into the \mintinline{ASM}{RET} instruction is executed, an attacker controlled address is
instruction pointer register and the code pointed to by this address is moved into the instruction pointer register and the code pointed to by this
executed. Other ways include overriding addresses in the PLT of a binary so address is executed. Other ways include overriding addresses in the \ac{plt} of
that, if a linked function is called, an attacker controlled function is called a binary so that, if a linked function is called, an attacker controlled
instead, or (in C++) overriding the vtable where the pointers to an object's function is called instead, or (in C++) overriding the vtable where the pointers
methods are stored. to an object's methods are stored.
\subsubsection{Implications} \subsection{Implications}
\subsection{Concept and Methods}\label{ref:concept} \section{Concept and Methods}\label{ref:concept}
\subsubsection{Runtime Bounds Checks} \subsection{Methods}
This paper will describe several techniques that have been proposed to fix the
problems introduced by buffer overflows. The performance impact, effectiveness
(e.g.\ did the technique actually prevent exploitation of buffer overflows?) and
how realistic it is for the technique to be used in real-world code (e.g.\ can
it be introduced into an existing codebase incrementally?). In the end, the
current state will be discussed.
\subsection{Runtime Bounds Checks}
The easiest and maybe single most effective method to prevent buffer overflows The easiest and maybe single most effective method to prevent buffer overflows
is to check, if a write or read operation is out of bounds. This requires is to check, if a write or read operation is out of bounds. This requires
storing the size of a buffer together with the pointer to the buffer and check storing the size of a buffer together with the pointer to the buffer and check
for each read or write in the buffer, if it is in bounds at runtime. for each read or write in the buffer, if it is in bounds at runtime.
\subsubsection{Prevent/Detect Overriding Return Address} \subsection{Prevent/Detect Overriding Return Address}
Since most traditional buffer overflow exploits work by overriding the return Since most traditional buffer overflow exploits work by overriding the return
address in the current stack frame, preventing or at least detecting this, can address in the current stack frame, preventing or at least detecting this, can
@ -115,8 +133,7 @@ secure memory area that is guarded by read-only memory, so it cannot be
overwritten by overflows. When returning, the copy of the return address is overwritten by overflows. When returning, the copy of the return address is
compared to the one in the current stack frame and only, if it matches, the ret compared to the one in the current stack frame and only, if it matches, the ret
instruction is actually executed\cite{Rad2001}. While this is effective against instruction is actually executed\cite{Rad2001}. While this is effective against
return oriented programming based exploits, it does not protect against vtable \ac{rop} based exploits, it does not protect against vtable overrides.
overrides.
An older technique from 1998 proposes to put a canary word between the data of a An older technique from 1998 proposes to put a canary word between the data of a
stack frame and the return address\cite{Stackguard1998}. When returning, the stack frame and the return address\cite{Stackguard1998}. When returning, the
@ -126,53 +143,78 @@ but can be defeted, if there is an information leak that leaks the cannary to
the attacker. The attacker is then able to construct a payload, that keeps the the attacker. The attacker is then able to construct a payload, that keeps the
canary intact. canary intact.
\subsubsection{Restricting Language Features to a Secure Subset} \subsection{Restricting Language Features to a Secure Subset}
\subsubsection{Static Analysis} \subsection{Static Analysis}
\subsubsection{Type System Solutions} \subsection{Type System Solutions}
\citeauthor{Dep2007} propose an extension to the C type system that extends it \citeauthor{Dep2007} propose an extension to the C type system that extends it
with dependent types. These types have an associated value, e.g. a pointer type with dependent types. These types have an associated value, e.g.\ a pointer type
can have the buffer size associated to it. This prevents indexing into a buffer can have the buffer size associated to it. This prevents indexing into a buffer
with out of bounds values. with out-of-bounds values. This extension is a superset of C so any valid C code
can be compiled using the extension and the codebase can be improved
incrementally. If the type extension is advanced enough, the additional
information can even be used as the base of a formal verification.
\subsubsection{ASLR} \subsection{Address Space Layout Randomization}
ASLR aims to prevent exploitatoin of buffer overflows by placing code at random \Ac{aslr} aims to prevent exploitatoin of buffer overflows by placing code at
locations in memory. That way, it is not trivial to set the return address to random locations in memory. That way, it is not trivial to set the return
point to the payload in memory. This is effective against generic exploits but address to point to the payload in memory. This is effective against generic
can still be exploited in combination with information leaks or other techniques exploits but can still be exploited in combination with information leaks or
like heap spraying. Also on 32 bit systems, the address space is small enough to other techniques like heap spraying. Also on 32 bit systems, the address space
try a brute-force attempt until the payload in memory is hit. is small enough to try a brute-force attempt until the payload in memory is hit.
\subsubsection{w\^{}x Memory} \subsection{w\^{}x Memory}
This mitigation makes memory either writable or executable. That way, an w\^{}x (also known as \ac{nx}) makes memory either writable or executable. That
attacker cannot place arbitiary payloads in memory. There are still techniques way, an attacker cannot place arbitiary payloads in memory. There are still
to exploit this by reusing existing executable code. The ret-to-libc exploiting techniques to exploit this by reusing existing executable code. The ret-to-libc
technique uses existing calls to the libc with attacker controlled parameters, exploiting technique uses existing calls to the libc with attacker controlled
e.g.\ if the programm uses the "system" command, the attacker can plant parameters, e.g.\ if the programm uses the \mintinline{shell}{system} command,
"/bin/sh" as parameter on the stack, followed by the address of "system" and get the attacker can plant \mintinline{shell}{/bin/sh} as parameter on the stack,
a shell on the system. Return oriented programming (a superset of ret-to-libc followed by the address of \mintinline{shell}{system} and get a shell on the
exploits) uses so called ROP gadgets, combinations of memory modifying system. \ac{rop} (a superset of ret-to-libc exploits) uses so called ROP
instructions followed by the ret instruction to build instruction chains, that gadgets, combinations of memory modifying instructions followed by the ret
execute the desired shellcode. This is done by placing the desired return instruction to build instruction chains, that execute the desired shellcode.
addresses in the right order on the stack and reuses the existing code to This is done by placing the desired return addresses in the right order on the
circumvent the w\^{}x protection. stack and reuses the existing code to circumvent the w\^{}x protection.
\subsection{Discussion}\label{ref:discussion} \section{Discussion}\label{ref:discussion}
\subsubsection{Ineffective or Inefficient} \subsection{Ineffective or Inefficient}
Methods that have been shown to be ineffective (e.g. can be circumvented easily) \subsubsection{\ac{aslr}}
or inefficient (to much runtime overhead)...
\subsubsection{State of the Art} \Ac{aslr} has been really effective and is included in all major operating
systems. Some even use kernel \ac{aslr}. Since this mechanism is active at %TODO
runtime, it does not require any changes in the code itself, the programm only
has to be compiled as a \ac{pie}.
\subsubsection{w\^{}x}
With the rise of \ac{rop} techniques, w\^{}x protection has been shown to be
ineffective. It makes vulnerabilities harder to exploit but does not prevent
anything.
\subsubsection{Runtime Bounds Checks}
Checking for overflows at runtime is very effective but can have a huge
performance impact so it is not feasible in every case. It also comes with other
footguns. There might be integer overflows when calculating the bounts which
might introduce other problems.
Methods that have been shown to be ineffective (e.g.\ can be circumvented
easily) or inefficient (to much runtime overhead)\ldots
\subsection{State of the Art}
What techniques are currently used? What techniques are currently used?
\subsection{Outlook}
\section{Conclusion and Outlook}\label{ref:conclusion}
\section{Conclusion}\label{ref:conclusion}
While there are many techniques, that protect against different types of buffer While there are many techniques, that protect against different types of buffer
overflows, none of them is effctive in every situation. Maybe we've come to a overflows, none of them is effctive in every situation. Maybe we've come to a
@ -190,7 +232,7 @@ unsafe C.
\begin{itemize} \begin{itemize}
\item RAD:\ A Compile-Time Solution to Buffer Overflow Attacks\cite{Rad2001} \item RAD:\ A Compile-Time Solution to Buffer Overflow Attacks\cite{Rad2001}
(might not protect against e.g.\ vtable overrides, PLT address changes, (might not protect against e.g.\ vtable overrides, \ac{plt} address changes,
\dots) \dots)
\item Dependent types for low-level programming\cite{Dep2007} \item Dependent types for low-level programming\cite{Dep2007}
@ -201,12 +243,16 @@ unsafe C.
\item Type-Assisted Dynamic Buffer Overflow Detection\cite{TypeAssisted2002} \item Type-Assisted Dynamic Buffer Overflow Detection\cite{TypeAssisted2002}
\item On the Effectiveness of NX, SSP, RenewSSP, and \ac{aslr} against Stack
Buffer Overflows\cite{Effectiveness2014}
\end{itemize} \end{itemize}
\printbibliography \printbibliography{}
% \bibliographystyle{IEEEtran} % \bibliographystyle{IEEEtran}
% \bibliography{bibliography} % \bibliography{bibliography}
\printacronyms{}
\end{document} \end{document}
% vim: set filetype=tex ts=2 sw=2 tw=80 et spell : % vim: set filetype=tex ts=2 sw=2 tw=80 et spell :