Mitigations And Secure Coding - Università Ca' Foscari Venezia

Transcription

Mitigations and Secure Coding
Security 1, 2018-19
Università Ca' Foscari Venezia
www.dais.unive.it/~focardi
secgroup.dais.unive.it

Stack overflow

A buffer overflow occurring on the stack is also known as stack smashing.
Right after the local variables, the stack contains:
- the old base pointer (EBP)
- the return address
A stack overflow can overwrite these control data to run arbitrary code.

Mitigations

A number of mitigations have been added in compilers and operating systems to make buffer overflow exploitation harder:
- Non-eXecutable stack (NX). Support: hardware (NX bit) / operating system
- Address space layout randomization (ASLR). Support: operating system
- Stack protector (canary). Support: operating system

Limitations of NX

NX prevents execution of injected code on the stack (programs might disable it if they need to execute code on the stack).
Even with NX enabled, an attacker can:
- return to program code
- return to library code
In general, NX does not prevent returning to code in segments that are (necessarily) executable!

Example: return to system

Stack layout before the overflow (from the buffer upwards):
- buffer
- old EBP
- return ADDR
- ...

After the overwrite:
- return ADDR holds &system
- the next slot holds a (fake) return address
- the slot above holds the first parameter for system: "/bin/sh"

NOTE: system "thinks" it has been called normally and looks for its parameter on the stack ("/bin/sh").

Address space layout randomization

ASLR randomizes the address space of the stack and of library functions. This requires brute-forcing to get useful addresses.
Limitations:
- It does NOT prevent jumping to program code (for example ROP, described later).
- If addresses are leaked (e.g. by the recent timing side-channel attacks) it becomes void.

Examples

1. Brute-forcing with ASLR
2. Jumping to a particular instruction in a program

Return Oriented Programming (ROP)

ROP "composes" a shellcode by putting together small pieces of existing code (gadgets) that end with ret.

Stack layout before the overflow:
- buffer
- old EBP
- return ADDR
- ...

After the overwrite, the return address and the slots above it hold gadget addresses: &gadget1, &gadget2, &gadget3, ...

Example gadgets:
    xor eax, eax
    ret

    mov al, 1
    ret

Stack protector (canary)

The stack protector:
- re-arranges the variable layout on the stack to mitigate overflows (see previous class);
- adds a random value (the canary) to check whether an overflow occurred.
The canary mechanism requires support from the operating system, which provides a random value when a process is started.

The canary

Stack layout with a canary between the local buffer and the control data:
- buffer        ...
- canary        0018a4fd
- old EBP       ...
- return ADDR   ...

The canary

An overflow that writes NOPs and a shellcode past the buffer overwrites the canary, the old EBP and the return address:
- buffer        overwritten
- canary        overwritten
- old EBP       overwritten
- return ADDR   overwritten
The function aborts before returning if the canary value has changed!

Example: canary in gcc

The OS-provided canary value is read from gs:0x14 and stored in the stack frame:

    0x0804850a <+26>:   mov    eax, gs:0x14
    0x08048510 <+32>:   mov    DWORD PTR [ebp-0xc], eax
    ...

Before returning, the value at that stack position is compared with the original:

    0x0804857d <+141>:  mov    edx, DWORD PTR [ebp-0xc]
    0x08048580 <+144>:  xor    edx, DWORD PTR gs:0x14
    0x08048587 <+151>:  je     0x804858e <main+158>
    0x08048589 <+153>:  call   0x8048360 <__stack_chk_fail@plt>
    ...
    0x08048597 <+167>:  ret

Limitations

The canary is a very effective mitigation technique. However, similarly to ASLR, the canary is void if its value is leaked:
- because of another vulnerability;
- because the program spontaneously dumps the stack (unlikely but not impossible).
The canary is also void in case of "random" access to the stack (e.g. overflowing a buffer index), since such a write can reach the control data without touching the canary.

More protections

- Fortify: the compiler replaces unsafe functions with "fortified" ones when possible.
- PIE (Position Independent Executable): makes ASLR possible also for program code.
- RELRO (RELocation Read-Only): makes it impossible to overwrite the relocation addresses of library functions (which would cause control-flow modification).
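The mitigations above (NX, PIE/ASLR, RELRO) leave visible marks in the ELF file itself, so a defender can verify what a binary was built with before deploying it. The following program is an added example, not part of the slides: it parses the ELF64 header and program headers with glibc's <elf.h> (assumed: a Linux/glibc, little-endian host) and reports NX (PT_GNU_STACK without PF_X), PIE (ET_DYN) and RELRO (PT_GNU_RELRO). The canary cannot be seen from the headers alone (it shows up as a reference to __stack_chk_fail, as in the gcc listing above), so it is not checked here. The sample_flags helper builds a constructed, minimal ELF image in memory purely to exercise the parser.

```c
/* Added example: inspect an ELF64 image for NX, PIE and RELRO markers. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mitigations {
    int nx;     /* 1 when PT_GNU_STACK is present and lacks PF_X              */
    int pie;    /* 1 when the file is ET_DYN (needed for ASLR of program code) */
    int relro;  /* 1 when a PT_GNU_RELRO segment is present                   */
};

/* Parse the ELF64 header and program headers held in buf. Returns 0 on
 * success and -1 if the image is not a well-formed little-endian ELF64
 * file. Every offset is bounds-checked against len before it is read. */
int inspect_elf64(const unsigned char *buf, size_t len, struct mitigations *out)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_ident[EI_DATA] != ELFDATA2LSB ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return -1;
    /* overflow-safe check that the whole program header table is inside buf */
    if (eh.e_phoff > len || eh.e_phnum > (len - eh.e_phoff) / sizeof(Elf64_Phdr))
        return -1;

    out->nx = 0;                      /* no PT_GNU_STACK at all: NX not requested */
    out->pie = (eh.e_type == ET_DYN);
    out->relro = 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) out->nx = !(ph.p_flags & PF_X);
        if (ph.p_type == PT_GNU_RELRO) out->relro = 1;
    }
    return 0;
}

/* Build a constructed (not real) ELF64 image containing only the headers
 * inspect_elf64 looks at, then parse it. Returns nx | pie<<1 | relro<<2,
 * or -1 if the parser rejected the image. */
int sample_flags(int exec_stack, int pie, int relro)
{
    unsigned char img[sizeof(Elf64_Ehdr) + 2 * sizeof(Elf64_Phdr)];
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    memset(img, 0, sizeof img);
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = pie ? ET_DYN : ET_EXEC;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = relro ? 2 : 1;       /* second header only when RELRO is wanted */
    ph[0].p_type = PT_GNU_STACK;
    ph[0].p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    ph[1].p_type = PT_GNU_RELRO;
    ph[1].p_flags = PF_R;
    memcpy(img, &eh, sizeof eh);
    memcpy(img + sizeof eh, ph, sizeof ph);

    struct mitigations m;
    if (inspect_elf64(img, sizeof img, &m) != 0) return -1;
    return m.nx | (m.pie << 1) | (m.relro << 2);
}

/* Stand-alone use: report the mitigations of the running binary itself. */
int main(void)
{
    static unsigned char buf[1 << 20];   /* headers sit at the start of the file */
    FILE *f = fopen("/proc/self/exe", "rb");
    if (!f) { perror("fopen"); return 1; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    struct mitigations m;
    if (inspect_elf64(buf, n, &m) != 0) { fputs("not an ELF64 image\n", stderr); return 1; }
    printf("NX=%d PIE=%d RELRO=%d\n", m.nx, m.pie, m.relro);
    return 0;
}
```

Compile once with the defaults of a modern distribution gcc and once with -z execstack -no-pie to see the flags change; readelf -l prints the same program headers if you want to cross-check the parser.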

Secure Coding

The SEI CERT C Coding Standard provides rules and recommendations from the secure coding community.
- Rules provide normative requirements for code.
- Recommendations provide guidance to improve the safety, reliability, and security of software systems. A violation of a recommendation does not necessarily indicate the presence of a defect in the code.

Risk assessment

An indication of the potential consequences of not addressing a particular rule or recommendation, and of the expected remediation costs.
Each rule and recommendation has an assigned priority: three values are assigned for each rule on a scale of 1 to 3 for severity, likelihood, and remediation cost.

Severity

How serious are the consequences of the rule being ignored?

Value   Meaning   Examples of vulnerability
1       Low       Denial-of-service attack, abnormal termination
2       Medium    Data integrity violation, unintentional information disclosure
3       High      Run arbitrary code

Likelihood

How likely is it that a flaw introduced by violating the rule can lead to an exploitable vulnerability?

Value   Meaning
1       Unlikely
2       Probable
3       Likely

Remediation cost

How expensive is it to comply with the rule?

Value   Meaning   Detection   Correction
1       High      Manual      Manual
2       Medium    Automatic   Manual
3       Low       Automatic   Automatic

Priorities and levels

Severity, likelihood, and remediation cost are multiplied: the product is the priority (P) of the rule, and priorities are grouped into levels L1 (highest) to L3 (lowest).

Rule 06. Arrays (ARR)

Do not form or use out-of-bounds pointers or array subscripts.
It is crucial that array indexes are always checked.

Rule 06. Arrays (ARR)

The previous code is noncompliant! What if the index becomes negative?
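The code the slide refers to was not transcribed, so the following is an added example (not the slides' own code) of the flaw it asks about: a check that only tests the upper bound lets a negative index through, and table[idx] then reads before the start of the array. The noncompliant check is kept as a pure predicate so the out-of-bounds read is never actually performed; the compliant versions check both bounds, or take the index as size_t so that it cannot be negative in the first place. The table contents are constructed sample data.

```c
/* Added example: bounds checking of an array subscript (CERT ARR rule). */
#include <stddef.h>
#include <stdio.h>

enum { TABLE_LEN = 4 };
static const int table[TABLE_LEN] = { 10, 20, 30, 40 };  /* constructed sample data */

/* Noncompliant check in the spirit of the slide: only the upper bound is
 * tested, so idx == -1 passes and table[idx] would read before the array. */
int naive_in_bounds(int idx, int len)
{
    return idx < len;
}

/* Compliant check: both bounds are tested before the subscript is formed. */
int in_bounds(int idx, int len)
{
    return idx >= 0 && idx < len;
}

/* Compliant lookup: stores table[idx] in *out and returns 0, or returns -1
 * (leaving *out untouched) when idx is outside [0, TABLE_LEN). */
int table_lookup(int idx, int *out)
{
    if (!in_bounds(idx, TABLE_LEN)) return -1;
    *out = table[idx];
    return 0;
}

/* Alternative compliant shape: an unsigned index cannot be negative, so a
 * single upper-bound test suffices. A caller passing -1 gets SIZE_MAX,
 * which is rejected by the same test. */
int table_lookup_u(size_t idx, int *out)
{
    if (idx >= TABLE_LEN) return -1;
    *out = table[idx];
    return 0;
}

/* Convenience wrappers: the value, or fallback when the index is rejected. */
int lookup_or(int idx, int fallback)
{
    int v;
    return table_lookup(idx, &v) == 0 ? v : fallback;
}

int lookup_u_or(size_t idx, int fallback)
{
    int v;
    return table_lookup_u(idx, &v) == 0 ? v : fallback;
}

int main(void)
{
    printf("naive check accepts -1: %d (bug)\n", naive_in_bounds(-1, TABLE_LEN));
    printf("strict check accepts -1: %d\n", in_bounds(-1, TABLE_LEN));
    printf("lookup(2) = %d, lookup(-1) = %d, lookup(4) = %d\n",
           lookup_or(2, -99), lookup_or(-1, -99), lookup_or(4, -99));
    return 0;
}
```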

Rule 06. Arrays (ARR)

Evaluation of this rule:

Severity   Likelihood   Remediation cost   Priority   Level
High       Likely       Medium             P18        L1

Rule 07. Characters and Strings (STR)

Do not pass a non-null-terminated character sequence to a library function that expects a string.
Wrong:
Correct:

Rule 07. Characters and Strings (STR)

Evaluation of this rule:

Severity   Likelihood   Remediation cost   Priority   Level
High       Probable     Medium             P12        L1

More examples

- Rule 07. Characters and Strings (STR): Guarantee that storage for strings has sufficient space for the character data and the null terminator.
- Rec. 07. Characters and Strings (STR): Use the bounds-checking interfaces for string manipulation, for example BSD strlcpy and strlcat (strncpy and strncat might leave the string unterminated).
- Rule 10. Environment (ENV): Do not call system(). Use of the system() function can result in exploitable vulnerabilities.
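The two STR items above (the rule on non-null-terminated sequences and the recommendation to prefer strlcpy over strncpy) are illustrated by the following added example, which is not code from the slides. Since strlcpy is not available on every libc, bounded_copy below re-implements its semantics (copy at most cap-1 bytes, always terminate, return the full source length so truncation is detectable); is_terminated uses memchr so that a buffer can be tested for a terminator without ever reading past its end. The fixed 8-byte buffer and the input strings are constructed sample data.

```c
/* Added example: string termination (CERT STR rule and recommendation). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 1 if buf[0..cap) contains a NUL byte, i.e. it is a string that may be
 * handed to strlen/printf/etc.; 0 otherwise. memchr never reads past cap. */
int is_terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* strlcpy-style bounded copy (re-implemented here as an assumption, since
 * glibc lacked strlcpy for a long time). Copies at most cap-1 bytes and
 * always NUL-terminates when cap > 0. Returns strlen(src): a result >= cap
 * tells the caller the copy was truncated. */
size_t bounded_copy(char *dst, const char *src, size_t cap)
{
    size_t n = strlen(src);
    if (cap > 0) {
        size_t k = n < cap - 1 ? n : cap - 1;
        memcpy(dst, src, k);
        dst[k] = '\0';
    }
    return n;
}

enum { CAP = 8 };   /* constructed buffer size for the demonstrations */

/* Copy src into an 8-byte buffer with strncpy and report whether the result
 * is a string. With 8 or more source characters it is NOT: strncpy fills
 * the whole buffer and never writes a terminator (the "wrong" case). */
int strncpy_result_is_string(const char *src)
{
    char buf[CAP];
    memset(buf, 'X', sizeof buf);          /* poison: no accidental NUL */
    strncpy(buf, src, sizeof buf);
    return is_terminated(buf, sizeof buf);
}

/* Same copy with bounded_copy: the result is always a string, possibly
 * truncated (the "correct" case). */
int bounded_copy_result_is_string(const char *src)
{
    char buf[CAP];
    memset(buf, 'X', sizeof buf);
    bounded_copy(buf, src, sizeof buf);
    return is_terminated(buf, sizeof buf);
}

/* 1 if src (plus its terminator) fits in the 8-byte buffer, 0 if the copy
 * would be truncated; this is the check a caller should make. */
int fits_in_buffer(const char *src)
{
    char buf[CAP];
    return bounded_copy(buf, src, sizeof buf) < sizeof buf;
}

int main(void)
{
    const char *inputs[] = { "abc", "abcdefg", "abcdefgh", "abcdefghij" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-12s strncpy terminated=%d  bounded_copy terminated=%d  fits=%d\n",
               inputs[i], strncpy_result_is_string(inputs[i]),
               bounded_copy_result_is_string(inputs[i]), fits_in_buffer(inputs[i]));
    return 0;
}
```

The difference only shows up at the boundary: for short inputs strncpy pads with NULs and everything looks fine, which is exactly why the unterminated case tends to survive testing.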

Vulnerabilities due to system()

- When passing an unsanitized or improperly sanitized command string originating from a tainted source.
- If a command is specified without a path name and the command processor's path name resolution mechanism is accessible to an attacker.
- If a relative path to an executable is specified and control over the current working directory is accessible to an attacker.
- If the specified executable program can be spoofed by an attacker.
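Each of the four conditions above is removed by not going through the command processor at all. The following added example (not from the slides) shows the compliant shape for the common "run a tool on a user-supplied file name" case: the file name is validated against an allow-list, the program is started by absolute path with an explicit argv and a controlled environment via fork/execve, so no shell interprets the argument, no PATH lookup happens and the working directory plays no role. The /bin/ls target and the PATH value are assumptions for the illustration; on other systems adjust the path.

```c
/* Added example: replacing system() with a validated, shell-free exec. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list check for a file name from an untrusted source: non-empty,
 * at most 255 bytes, only [A-Za-z0-9._-], no leading '-' (would be parsed
 * as an option), no path separators, and neither "." nor "..".
 * Returns 1 if acceptable, 0 otherwise. */
int safe_filename(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 255 || s[0] == '-') return 0;
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Run a program by absolute path with an explicit argv and a minimal,
 * controlled environment. No shell is involved, so metacharacters in the
 * arguments are never interpreted. Returns the child's exit status, or -1
 * on failure (relative path, fork/wait error, abnormal termination). */
int run_no_shell(const char *abs_path, char *const argv[])
{
    if (abs_path[0] != '/') return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* assumed sane PATH */
        execve(abs_path, argv, envp);
        _exit(127);                                          /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Compliant replacement for system("ls -l <name>"): the name is validated,
 * then passed as one literal argument after "--" so it can never be read
 * as an option or as a shell command. Returns -1 if the name is rejected. */
int list_file(const char *name)
{
    if (!safe_filename(name)) return -1;
    char *const argv[] = { "ls", "-l", "--", (char *)name, NULL };
    return run_no_shell("/bin/ls", argv);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <filename>\n", argv[0]); return 2; }
    int rc = list_file(argv[1]);
    if (rc < 0) { fputs("rejected file name\n", stderr); return 1; }
    return rc;
}
```

The validation is deliberately stricter than what the tool needs: with a fixed argv the shell metacharacters are harmless anyway, but an allow-list keeps the name usable for anything else the program later does with it (logging, path joining) without a second review.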

Exercise

Analyse the compliance to rules and recommendations of the program at the bottom of the notes, and rewrite it to make it compliant.
(NOTE: one of the vulnerabilities in the code will be presented tomorrow!)
