Professional Documents
Culture Documents
and Defenses
Dr. Cong Wang
CS Department
City University of Hong Kong
Slides partially adapted from lecture notes by M. Goodrich&R. Tamassia,
W. Stallings&L. Brown, Dan Boneh, and Dawn Song.
CS4293 Topics on Cybersecurity 1
More Hijacking Opportunities
Double Free:
Can cause memory mgr to write data to specific location
free(ptr);
free(ptr);
printf("Everything is fine.\n");
return 0;
}
3 printf
Guidelines("The magic number is: %d\n", 1911);
The text to be printed is “The magic number is:”, followed by a format
3.1 What is a format string?
parameter ‘%d’, which is replaced with the parameter (1911) in the output.
Therefore the printf
output("The magic number is: %d\n", 1911);
looks like:
The text to be printed isThe magic
“The magic number
number is:
is:”, followed 1911.parameter ‘%d’, which is replaced
by a format
with the parameter (1911) in the output. Therefore the output looks like: The magic number is: 1911. In
addition to %d, there are several other format parameters, each having different meaning. The following
common format parameters
table summarizes these format parameters:
Format String
Adress of c
Value of b
Value of a
Address of
printf()’s internal
pointer
CS4293 Topics on Cybersecurity 8
ED Labs – Format String Vulnerability Lab 5
Format String
Adress of c
Value of b
Value of a
Address of
printf()’s internal
pointer
CS4293 Topics on Cybersecurity 9
What if there is a miss-match
printf ("a has value %d, b has value %d, c is at
address: %08x\n", a, b);
– Sometimes, the format string is not a constant string, it is generated during the
execution of the program. Therefore, there is no way for the compiler to find the
miss-match in this case.
– The function printf()fetches the arguments from the stack. If the format
string needs 3 arguments, it will fetch 3 data items from the stack. Unless the
stack is marked with a boundary, printf()does not know that it runs out of
the arguments that are provided to it.
void foo(int x) {
int a = 1, b = 2, c = 3;
return 0;
}
CS4293 Topics on Cybersecurity 17
Exploit Details
• If we use printf(%s) without specifying a memory address, the target addres
from the stack anyway by the printf() function. The function maintains an in
so it knows the location of the parameters in the stack.
• Observation: the format string is usually located on the stack. If
we can encode
• Observation: the formatthestring
target address
is usually in the
located onformat string,
the stack. If we the
can target
encode th
the address will the
format string, be target
in theaddress
stack.will
In the
be infollowing
the stack. example, the format
In the following example, t
stored in a is
string buffer,
storedwhich
in aisbuffer,
located which
on the stack.
is located on the stack...
int main(int argc, char *argv[])
{
char user_input[100];
... ... /* other variable definitions and statements */
return 0;
}
• If we can force the printf to obtain the address from the format
string (also on the stack), we can control the address.
• If we can force the printf to obtain the address from the format string (also on t
printf("\x10\x01\x48\x08_%x_%x_%x_%x_%s");
control the address.
CS4293 Topics on Cybersecurity 18
Exploit Details
• Consequence: we use four %x to move the printf()’s pointer towards the
ED Labs – Format String Vulnerability Lab 7
address that we stored in the format string. Once we reach the destination, we
abs – Format String Vulnerability Lab 7
will give %s to printf(), causing it to print out the contents in the memory
address 0x10014808. The function printf()will treat the contents as a
Print out the contents at the address 0x10014808 using format-string vlunerability
Printstring,
out the and print
contents at out the string
the address until reaching
0x10014808 the endvlunerability
using format-string of the string (i.e. 0).
user_input [ ]
user_input [ ]
Address of user_input [ ]
Address of user_input [ ]
0x10014808
0x10014808
%s
%x
%x
%x
%x
...
%s
%x
%x
%x
%x
...
Address of user_input [ ]
Address of user_input [ ]
0x10014808
0x10014808
%s
%x
%x
%x
%x
...
%s
%x
%x
%x
%x
...
printf(“%08x.%08x.%08x.%08x.%n”)
• Limitations:
– Some apps need executable heap (e.g. JITs).
– Does not defend against `return-to-libc’ exploits
CS4293 Topics on Cybersecurity 25
Examples: DEP controls in Windows
stack libc.so
args
ret-addr exec()
sfp printf()
*: when applicable
CS4293 Topics on Cybersecurity 32
Control Hijacking
Run-time Defenses
• Solution 1: StackGuard
– Run time tests for stack integrity.
– Embed “canaries” in stack frames and verify their integrity
prior to function return.
Frame 2 Frame 1
top
local canary sfp ret str local canary sfp ret str of
stack
args
String
Growth ret addr
Canary protects ret-addr and
SFP exception handler frame
exception handlers
CANARY
*: when applicable
CS4293 Topics on Cybersecurity 40
=avoid
Evading /GS with exception handlers
• When exception is thrown, dispatcher walks up exception list
until handler is found (else use default handler)
high
next handler buf next handler next handler mem
high
ptr to mem
next handler buf next
next handler next handler
attack code
CS4293 Topics on Cybersecurity 42
Defense IV: SAFESEH and SEHOP
• /SAFESEH: linker flag
– Linker produces a binary with a table of safe exception handlers
– System will not jump to exception handler not on list
*: when applicable
CS4293 Topics on Cybersecurity 44
Summary: Canaries are not full proof
• Canaries are an important defense tool, but do not prevent all
control hijacking attacks:
– Heap-based attacks still possible
– Integer overflow attacks still possible
– /GS by itself does not prevent Exception Handling attacks
(also need SAFESEH and SEHOP)
top
sfp ret-addr dest src buf sfp ret-addr of
stack
low high
memory sfp ret-addr dest src buf sfp ret-addr memory
Advanced
Hijacking Attacks
FP1
method #1
Object T
data
buf[256] vtable
ptr
CS4293 Topics on Cybersecurity 53
object T
Heap-based control hijacking
• Compiler generated function pointers (e.g. C++ code)
FP1
method #1
Object T
shell
code
• After overflow of buf we have:
data
buf[256] vtable
ptr
CS4293 Topics on Cybersecurity 54
object T
A reliable exploit?
<SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...");
overflow-string = unescape(“%u2332%u4276%...”);
cause-overflow( overflow-string ); // overflow buf[ ]
</SCRIPT>
???
data
buf[256] vtable
ptr
shellcode
CS4293 Topics on Cybersecurity 55
Heap Spraying [SkyLined 2004]
heap
vtable
non-writable pages