156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
1 |
\documentclass{article}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
2 |
\usepackage{../style}
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
3 |
\usepackage{../langs}
|
258
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
4 |
\usepackage{../graphics}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
5 |
\usepackage{../data}
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
6 |
|
455
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
7 |
%https://pentestn00b.wordpress.com/safe-to-hack-sites/
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
8 |
%http://pastebin.com/raw/0SNSvyjJ
|
456
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
9 |
%http://seclists.org/oss-sec/2016/q1/645
|
455
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
10 |
|
458
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
11 |
% relative new buffer-overflow attack
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
12 |
%https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
13 |
% using an exploit from 2010
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
14 |
% https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3333
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
15 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
16 |
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
17 |
\begin{document}
|
452
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
18 |
\fnote{\copyright{} Christian Urban, King's College London, 2014, 2015, 2016}
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
19 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
20 |
\section*{Handout 3 (Buffer Overflow Attacks)}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
21 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
22 |
By far the most popular attack method on computers are buffer
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
23 |
overflow attacks or variations thereof. The first Internet
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
24 |
worm (Morris) exploited exactly such an attack. The popularity
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
25 |
is unfortunate because we nowadays have technology in place to
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
26 |
prevent them effectively. But these kind of attacks are still
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
27 |
very relevant even today since there are many legacy systems
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
28 |
out there and also many modern embedded systems often do not
|
391
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
29 |
take any precautions to prevent such attacks. The plot below
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
30 |
shows the percentage of buffer overflow attacks listed in the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
31 |
US National Vulnerability Database.\footnote{Search for
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
32 |
``Buffer errors'' at
|
259
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
33 |
\url{http://web.nvd.nist.gov/view/vuln/statistics}.}
|
258
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
34 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
35 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
36 |
\begin{tikzpicture}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
37 |
\begin{axis}[
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
38 |
xlabel={year},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
39 |
ylabel={\% of total attacks},
|
259
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
40 |
ylabel style={yshift=-1em},
|
258
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
41 |
enlargelimits=false,
|
381
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
42 |
xtick={1997,1999,2001,...,2015},
|
259
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
43 |
xmin=1996.5,
|
381
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
44 |
xmax=2016,
|
259
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
45 |
ymax=21,
|
263
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
46 |
ytick={0,5,...,20},
|
258
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
47 |
scaled ticks=false,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
48 |
axis lines=left,
|
259
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
49 |
width=12cm,
|
258
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
50 |
height=5cm,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
51 |
ybar,
|
259
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
52 |
nodes near coords=
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
53 |
{\footnotesize
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
54 |
$\pgfmathprintnumber[fixed,fixed zerofill,precision=1,use comma]{\pgfkeysvalueof{/data point/y}}$},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
55 |
x tick label style={font=\footnotesize,/pgf/number format/1000 sep={}}]
|
258
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
56 |
\addplot
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
57 |
table [x=Year,y=Percentage] {bufferoverflows.data};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
58 |
\end{axis}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
59 |
\end{tikzpicture}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
60 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
61 |
|
451
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
62 |
\noindent This statistics shows that in the last seven years or so the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
63 |
number of buffer overflow attacks is around 10\% of all attacks
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
64 |
(whereby the absolute numbers of attacks grow each year). So you can
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
65 |
see buffer overflow attacks are very relevant today. For example, very
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
66 |
recently (February 2016) a buffer overflow attack was discovered in the glibc
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
67 |
library:\footnote{\url{http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/}}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
68 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
69 |
\begin{quote}\it
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
70 |
``Since 2008, vulnerability has left apps and hardware open to remote
|
467
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
71 |
hijacking: Researchers have discovered a potentially catastrophic flaw in
|
451
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
72 |
one of the Internet's core building blocks that leaves hundreds or
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
73 |
thousands of apps and hardware devices vulnerable to attacks that can take
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
74 |
complete control over them. The vulnerability was introduced in 2008 in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
75 |
GNU C Library, a collection of open source code that powers thousands of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
76 |
standalone applications and most distributions of Linux, including those
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
77 |
distributed with routers and other types of hardware. A function known as
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
78 |
getaddrinfo() that performs domain-name lookups contains a buffer overflow
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
79 |
bug that allows attackers to remotely execute malicious code. It can be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
80 |
exploited when vulnerable devices or apps make queries to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
81 |
attacker-controlled domain names or domain name servers or when they're
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
82 |
exposed to man-in-the-middle attacks where the adversary has the ability
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
83 |
to monitor and manipulate data passing between a vulnerable device and the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
84 |
open Internet. All versions of glibc after 2.9 are vulnerable.''
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
85 |
\end{quote}
|
259
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
86 |
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
87 |
|
211
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
88 |
To understand how buffer overflow attacks work, we have to have
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
89 |
a look at how computers work ``under the hood'' (on the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
90 |
machine level) and also understand some aspects of the C/C++
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
91 |
programming language. This might not be everyday fare for
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
92 |
computer science students, but who said that criminal hackers
|
374
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
93 |
restrict themselves to everyday fare? ...not to mention the
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
94 |
free-riding script-kiddies who use this technology without
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
95 |
even knowing what the underlying ideas are. If you want to be
|
374
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
96 |
a good security engineer who needs to defend against such attacks,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
97 |
then better you get to know the details too.
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
98 |
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
99 |
For buffer overflow attacks to work, a number of innocent
|
395
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
100 |
design decisions, which are really benign on their own, have
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
101 |
to come together. All these decisions were taken at a time
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
102 |
when there was no Internet: C was introduced around 1973; the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
103 |
Internet TCP/IP protocol was standardised in 1982 by which
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
104 |
time there were maybe 500 servers connected (and all users
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
105 |
were well-behaved, mostly academics); Intel's first 8086 CPUs
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
106 |
arrived around 1977. So nobody of the ``forefathers'' can
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
107 |
really be blamed, but as mentioned above we should already be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
108 |
way beyond the point that buffer overflow attacks are worth a
|
443
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
109 |
thought. Unfortunately, this is far from the reality. I let you
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
110 |
ponder why?
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
111 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
112 |
One such ``benign'' design decision is how the memory is laid
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
113 |
out into different regions for each process.
|
204
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
114 |
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
115 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
116 |
\begin{tikzpicture}[scale=0.7]
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
117 |
%\draw[step=1cm] (-3,-3) grid (3,3);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
118 |
\draw[line width=1mm] (-2, -3) rectangle (2,3);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
119 |
\draw[line width=1mm] (-2,1) -- (2,1);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
120 |
\draw[line width=1mm] (-2,-1) -- (2,-1);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
121 |
\draw (0,2) node {\large\tt text};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
122 |
\draw (0,0) node {\large\tt heap};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
123 |
\draw (0,-2) node {\large\tt stack};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
124 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
125 |
\draw (-2.7,3) node[anchor=north east] {\tt\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
126 |
\draw (-2.7,-3) node[anchor=south east] {\tt\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
127 |
\draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
128 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
129 |
\draw (2.7,-2) node[anchor=west] {\tt grows};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
130 |
\draw (2.7,-3) node[anchor=south west] {\tt\footnotesize older};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
131 |
\draw (2.7,-1) node[anchor=north west] {\tt\footnotesize newer};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
132 |
\draw[|->, line width=1mm] (2.5,-3) -- (2.5,-1);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
133 |
\end{tikzpicture}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
134 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
135 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
136 |
\noindent The text region contains the program code (usually
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
137 |
this region is read-only). The heap stores all data the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
138 |
programmer explicitly allocates. For us the most interesting
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
139 |
region is the stack, which contains data mostly associated
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
140 |
with the control flow of the program. Notice that the stack
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
141 |
grows from higher addresses to lower addresses (i.e.~from the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
142 |
back to the front). That means that older items on the stack
|
395
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
143 |
are stored behind, or after, newer items. Let's look a bit
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
144 |
closer what happens with the stack when a program is running.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
145 |
Consider the following simple C program.
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
146 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
147 |
\lstinputlisting[language=C]{../progs/example1.c}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
148 |
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
149 |
\noindent The \code{main} function calls in Line 7 the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
150 |
function \code{foo} with three arguments. \code{Foo} creates
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
151 |
two (local) buffers, but does not do anything interesting with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
152 |
them. The only purpose of this program is to illustrate what
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
153 |
happens behind the scenes with the stack. The interesting
|
395
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
154 |
question is what will the stack look like after Line 3 has
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
155 |
been executed? The answer is illustrated in Figure~\ref{stack}.
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
156 |
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
157 |
\begin{figure}
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
158 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
159 |
\begin{tikzpicture}[scale=0.65]
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
160 |
\draw[gray!20,fill=gray!20] (-5, 0) rectangle (-3,-1);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
161 |
\draw[line width=1mm] (-5,-1.2) -- (-5,0.2);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
162 |
\draw[line width=1mm] (-3,-1.2) -- (-3,0.2);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
163 |
\draw (-4,-1) node[anchor=south] {\tt main};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
164 |
\draw[line width=1mm] (-5,0) -- (-3,0);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
165 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
166 |
\draw[gray!20,fill=gray!20] (3, 0) rectangle (5,-1);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
167 |
\draw[line width=1mm] (3,-1.2) -- (3,0.2);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
168 |
\draw[line width=1mm] (5,-1.2) -- (5,0.2);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
169 |
\draw (4,-1) node[anchor=south] {\tt main};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
170 |
\draw[line width=1mm] (3,0) -- (5,0);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
171 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
172 |
%\draw[step=1cm] (-3,-1) grid (3,8);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
173 |
\draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
174 |
\draw[line width=1mm] (-1,-1.2) -- (-1,7.4);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
175 |
\draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
176 |
\draw (0,-1) node[anchor=south] {\tt main};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
177 |
\draw[line width=1mm] (-1,0) -- (1,0);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
178 |
\draw (0,0) node[anchor=south] {\tt arg$_3$=3};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
179 |
\draw[line width=1mm] (-1,1) -- (1,1);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
180 |
\draw (0,1) node[anchor=south] {\tt arg$_2$=2};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
181 |
\draw[line width=1mm] (-1,2) -- (1,2);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
182 |
\draw (0,2) node[anchor=south] {\tt arg$_1$=1};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
183 |
\draw[line width=1mm] (-1,3) -- (1,3);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
184 |
\draw (0,3.1) node[anchor=south] {\tt ret};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
185 |
\draw[line width=1mm] (-1,4) -- (1,4);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
186 |
\draw (0,4) node[anchor=south] {\small\tt last sp};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
187 |
\draw[line width=1mm] (-1,5) -- (1,5);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
188 |
\draw (0,5) node[anchor=south] {\tt buf$_1$};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
189 |
\draw[line width=1mm] (-1,6) -- (1,6);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
190 |
\draw (0,6) node[anchor=south] {\tt buf$_2$};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
191 |
\draw[line width=1mm] (-1,7) -- (1,7);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
192 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
193 |
\draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5) -- (1.8, 0) -- (1.1,0);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
194 |
\draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
195 |
\draw (2.6,3.1) node[anchor=south west] {\tt back to main()};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
196 |
\end{tikzpicture}
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
197 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
198 |
\caption{The stack layout for a program where the main
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
199 |
function calls an auxiliary function with three arguments
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
200 |
(1,2 and 3). The auxiliary function has two local
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
201 |
buffer variables {\tt buf}$_1$ and {\tt buf}$_2$.\label{stack}}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
202 |
\end{figure}
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
203 |
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
204 |
On the left is the stack before \code{foo} is called; on the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
205 |
right is the stack after \code{foo} finishes. The function
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
206 |
call to \code{foo} in Line 7 (in the C program above) pushes
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
207 |
the arguments onto the stack in reverse order---shown in the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
208 |
middle. Therefore first 3 then 2 and finally 1. Then it pushes
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
209 |
the return address onto the stack where execution should
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
210 |
resume once \code{foo} has finished. The last stack pointer
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
211 |
(\code{sp}) is needed in order to clean up the stack to the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
212 |
last level---in fact there is no cleaning involved, but just
|
263
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
213 |
the top of the stack will be set back to this address. So the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
214 |
last stack pointer also needs to be stored. The two buffers
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
215 |
inside \pcode{foo} are on the stack too, because they are
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
216 |
local data within \code{foo}. Consequently the stack in the
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
217 |
middle of Figure~\ref{stack} is a snapshot after Line 3 has
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
218 |
been executed.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
219 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
220 |
In case you are familiar with assembly instructions you can
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
221 |
also read off this behaviour from the machine code that the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
222 |
\code{gcc} compiler generates for the program
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
223 |
above:\footnote{You can make \pcode{gcc} generate assembly
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
224 |
instructions if you call it with the \pcode{-S} option, for
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
225 |
example \pcode{gcc -S out in.c}\;. Or you can look at this
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
226 |
code by using the debugger. How to do this will be explained
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
227 |
in the last section.} It generates the following code for the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
228 |
\pcode{main} and \pcode{foo} functions.
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
229 |
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
230 |
\begin{center}\small
|
396
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
231 |
\begin{tabular}[t]{p{11cm}}
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
232 |
{\lstinputlisting[language={[x86masm]Assembler},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
233 |
morekeywords={movl},xleftmargin=5mm]
|
395
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
234 |
{../progs/example1a.s}}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
235 |
\end{tabular}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
236 |
\end{center}
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
237 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
238 |
\noindent Again you can see how the function \pcode{main}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
239 |
prepares in Lines 2 to 7 the stack before calling the function
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
240 |
\pcode{foo}. You can see that the numbers 3, 2, 1 are stored
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
241 |
on the stack (the register \code{\%esp} refers to the top of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
242 |
the stack; \pcode{$0x1}, \pcode{$0x2} \pcode{$0x3} are the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
243 |
hexadecimal encodings for \pcode{1} to \pcode{3}). The code
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
244 |
for the foo function is as follows:
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
245 |
|
395
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
246 |
\begin{center}\small
|
396
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
247 |
\begin{tabular}[t]{p{11cm}}
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
248 |
{\lstinputlisting[language={[x86masm]Assembler},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
249 |
morekeywords={movl,movw},xleftmargin=5mm]
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
250 |
{../progs/example1b.s}}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
251 |
\end{tabular}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
252 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
253 |
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
254 |
\noindent You can see how the function \pcode{foo} stores
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
255 |
first the last stack pointer onto the stack and then
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
256 |
calculates the new stack pointer to have enough space for the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
257 |
two local buffers (Lines 2 - 4). Then it puts the two local
|
263
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
258 |
buffers onto the stack and initialises them with the given
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
259 |
data (Lines 5 to 9). Since there is no real computation going
|
263
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
260 |
on inside \pcode{foo}, the function then just restores the
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
261 |
stack to its old state (Line 10) and crucially sets the return
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
262 |
address where the computation should resume (Line 10). The
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
263 |
instruction \code{ret} then transfers control back to the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
264 |
function \pcode{main} to the instruction just after the call
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
265 |
to \pcode{foo}, that is Line 10.
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
266 |
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
267 |
Another part of the ``conspiracy'' of buffer overflow attacks
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
268 |
is that library functions in C look typically as follows:
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
269 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
270 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
271 |
\lstinputlisting[language=C,numbers=none]{../progs/app5.c}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
272 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
273 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
274 |
\noindent This function copies data from a source \pcode{src}
|
209
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
275 |
to a destination \pcode{dst}. The important point is that it
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
276 |
copies the data until it reaches a zero-byte (\code{"\\0"}).
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
277 |
This is a convention of the C language which assumes all
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
278 |
strings are terminated by such a zero-byte.
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
279 |
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
280 |
The central idea of the buffer overflow attack is to overwrite
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
281 |
the return address on the stack. This address decides where
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
282 |
the control flow of the program should resume once the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
283 |
function at hand has finished its computation. So if we
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
284 |
can control this address, then we can modify the control
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
285 |
flow of a program. To launch an attack we need
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
286 |
somewhere in a function a local a buffer, say
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
287 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
288 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
289 |
\code{char buf[8];}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
290 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
291 |
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
292 |
\noindent which is filled by some user input. The
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
293 |
corresponding stack of such a function will look as follows
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
294 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
295 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
296 |
\begin{tikzpicture}[scale=0.65]
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
297 |
%\draw[step=1cm] (-3,-1) grid (3,8);
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
298 |
\draw[line width=1mm] (-1,1.2) -- (-1,6.4);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
299 |
\draw[line width=1mm] ( 1,1.2) -- ( 1,6.4);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
300 |
\draw (0,2) node[anchor=south] {\ldots};
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
301 |
\draw[line width=1mm] (-1,3) -- (1,3);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
302 |
\draw (0,3.1) node[anchor=south] {\tt ret};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
303 |
\draw[line width=1mm] (-1,4) -- (1,4);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
304 |
\draw (0,4) node[anchor=south] {\small\tt last sp};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
305 |
\draw[line width=1mm] (-1,5) -- (1,5);
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
306 |
\draw (0,5.1) node[anchor=south] {\tt buf};
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
307 |
\draw[line width=1mm] (-1,6) -- (1,6);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
308 |
\draw (2,5.1) node[anchor=south] {\code{$esp}};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
309 |
\draw[<-,line width=0.5mm] (1.1,6) -- (2.5,6);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
310 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
311 |
\draw[->,line width=0.5mm] (1,4.5) -- (2.5,4.5);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
312 |
\draw (2.6,4.1) node[anchor=south west] {\code{??}};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
313 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
314 |
\draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
315 |
\draw (2.6,3.1) node[anchor=south west] {\tt jump to \code{\\x080483f4}};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
316 |
\end{tikzpicture}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
317 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
318 |
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
319 |
\noindent We need to fill this buffer over its limit of 8
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
320 |
characters so that it overwrites the stack pointer and then
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
321 |
also overwrites the return address. If, for example, we want
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
322 |
to jump to a specific address in memory, say,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
323 |
\pcode{\\x080483f4} then we can fill the buffer with the data
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
324 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
325 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
326 |
\code{char buf[8] = "AAAAAAAABBBB\\xf4\\x83\\x04\\x08";}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
327 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
328 |
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
329 |
\noindent The first eight \pcode{A}s fill the buffer to the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
330 |
rim; the next four \pcode{B}s overwrite the stack pointer
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
331 |
(with what data we overwrite this part is usually not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
332 |
important); then comes the address we want to jump to. Notice
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
333 |
that we have to give the address in the reverse order. All
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
334 |
addresses on Intel CPUs need to be given in this way. Since
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
335 |
the string is enclosed in double quotes, the C convention is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
336 |
that the string internally will automatically be terminated by
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
337 |
a zero-byte. If the programmer uses functions like
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
338 |
\pcode{strcpy} for filling the buffer \pcode{buf}, then we can
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
339 |
be sure it will overwrite the stack in this manner---since it
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
340 |
will copy everything up to the zero-byte. Notice that this
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
341 |
overwriting of the buffer only works since the newer
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
342 |
item---the buffer---is stored on the stack before the older
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
343 |
items, like return address and arguments. If it had be the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
344 |
other way around, then such an overwriting by overflowing a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
345 |
local buffer would just not work. Had the designers of C
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
346 |
been able to foresee what headaches their way of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
347 |
arranging the stack will cause, how different could be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
348 |
the IT-World today?
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
349 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
350 |
What the outcome of such an attack is can be illustrated with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
351 |
the code shown in Figure~\ref{C2}. Under ``normal operation''
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
352 |
this program ask for a login-name and a password. Both of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
353 |
which are stored in \code{char} buffers of length 8. The
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
354 |
function \pcode{match} tests whether two such buffers contain
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
355 |
the same content. If yes, then the function lets you ``in''
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
356 |
(by printing \pcode{Welcome}). If not, it denies access (by
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
357 |
printing \pcode{Wrong identity}). The vulnerable function is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
358 |
\code{get_line} in Lines 11 to 19. This function does not take
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
359 |
any precautions about the buffer of 8 characters being filled
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
360 |
beyond its 8-character-limit. Let us suppose the login name is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
361 |
\pcode{test}. Then the buffer overflow can be triggered with a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
362 |
specially crafted string as password (remember
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
363 |
\pcode{get\_line} requires a \pcode{\\n} at the end of the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
364 |
input):
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
365 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
366 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
367 |
\code{AAAAAAAABBBB\\x2c\\x85\\x04\\x08\\n}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
368 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
369 |
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
370 |
\noindent The address at the end happens to be the one for the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
371 |
function \pcode{welcome()}. This means even with this input
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
372 |
(where the login name and password clearly do not match) the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
373 |
program will still print out \pcode{Welcome}. The only
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
374 |
information we need for this attack to work is to know where
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
375 |
the function \pcode{welcome()} starts in memory. This
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
376 |
information can be easily obtained by starting the program
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
377 |
inside the debugger and disassembling this function.
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
378 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
379 |
\begin{lstlisting}[numbers=none,language={[x86masm]Assembler},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
380 |
morekeywords={movl,movw}]
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
381 |
$ gdb C2
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
382 |
GNU gdb (GDB) 7.2-ubuntu
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
383 |
(gdb) disassemble welcome
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
384 |
\end{lstlisting}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
385 |
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
386 |
\noindent \pcode{C2} is the name of the program and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
387 |
\pcode{gdb} is the name of the debugger. The output will be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
388 |
something like this
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
389 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
390 |
\begin{lstlisting}[numbers=none,language={[x86masm]Assembler},
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
391 |
morekeywords={movl,movw}]
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
392 |
0x0804852c <+0>: push %ebp
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
393 |
0x0804852d <+1>: mov %esp,%ebp
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
394 |
0x0804852f <+3>: sub $0x4,%esp
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
395 |
0x08048532 <+6>: movl $0x8048690,(%esp)
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
396 |
0x08048539 <+13>: call 0x80483a4 <puts@plt>
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
397 |
0x0804853e <+18>: movl $0x0,(%esp)
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
398 |
0x08048545 <+25>: call 0x80483b4 <exit@plt>
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
399 |
\end{lstlisting}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
400 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
401 |
\noindent indicating that the function \pcode{welcome()}
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
402 |
starts at address \pcode{0x0804852c} (top address in the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
403 |
left column).
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
404 |
|
213
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
405 |
\begin{figure}[p]
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
406 |
\lstinputlisting[language=C]{../progs/C2.c}
|
403
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
407 |
\caption{A vulnerable login implementation. The use of the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
408 |
`own' \pcode{get\_line} function makes this program
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
409 |
vulnerable. The developer should have used \emph{safe}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
410 |
library functions instead.\label{C2}}
|
213
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
411 |
\end{figure}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
412 |
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
413 |
This kind of attack was very popular with commercial programs
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
414 |
that needed a key to be unlocked. Historically, hackers first
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
415 |
broke the rather weak encryption of these locking mechanisms.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
416 |
After the encryption had been made stronger, hackers used
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
417 |
buffer overflow attacks as shown above to jump directly to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
418 |
the part of the program that was intended to be only available
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
419 |
after the correct key was typed in.
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
420 |
|
238
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
421 |
\subsection*{Payloads}
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
422 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
423 |
Unfortunately, much more harm can be caused by buffer overflow
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
424 |
attacks. This is achieved by injecting code that will be run
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
425 |
once the return address is appropriately modified. Typically
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
426 |
the code that will be injected starts a shell. This gives the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
427 |
attacker the ability to run programs on the target machine and
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
428 |
to have a good look around in order to obtain also full root
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
429 |
access (normally the program that is attacked would run with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
430 |
lesser rights and any shell injected would also only run with
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
431 |
these lesser access rights). If the attacked program was
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
432 |
already running as root, then the attacker can congratulate
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
433 |
him or herself to another computer under full control\ldots
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
434 |
no more work to be done.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
435 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
436 |
In order to be send as part of the string that is overflowing
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
437 |
the buffer, we need the code for starting the shell to be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
438 |
represented as a sequence of characters. For example
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
439 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
440 |
\lstinputlisting[language=C,numbers=none]{../progs/o1.c}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
441 |
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
442 |
\noindent These characters represent the machine code for
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
443 |
opening a shell. It seems obtaining such a string requires
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
444 |
``higher-education'' in the architecture of the target system.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
445 |
But it is actually relatively simple: First there are many
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
446 |
such strings ready-made---just a quick Google query away.
|
399
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
447 |
A nice selection of ready-made shell-codes can be found
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
448 |
for example at
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
449 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
450 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
451 |
\url{http://shellblade.net/shellcode.html}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
452 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
453 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
454 |
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
455 |
Second, tools like the debugger can help us again. We can just
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
456 |
write the code we want in C, for example this would be the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
457 |
program for starting a shell:
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
458 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
459 |
\lstinputlisting[language=C,numbers=none]{../progs/shell.c}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
460 |
|
400
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
461 |
\noindent Once compiled, we can use the debugger to obtain the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
462 |
machine code, or even get the ready-made encoding as character
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
463 |
sequence.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
464 |
|
400
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
465 |
\lstinputlisting[language=C,numbers=none]{../progs/o2.c}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
466 |
|
403
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
467 |
\noindent
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
468 |
While not too difficult, obtaining this string is not entirely
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
469 |
trivial using \pcode{gdb}. Remember the functions in C that
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
470 |
copy or fill buffers work such that they copy everything until
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
471 |
the zero byte is reached. Unfortunately the ``vanilla'' output
|
400
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
472 |
from the debugger for the shell-program above contains such
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
473 |
zero bytes. So a post-processing phase is needed to rewrite
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
474 |
the machine code in a way that it does not contain any zero
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
475 |
bytes. This is like some works of literature that have been
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
476 |
written so that the letter e, for example, is avoided. The
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
477 |
technical term for such a literature work is
|
263
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
478 |
\emph{lipogram}.\footnote{The most famous example of a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
479 |
lipogram is a 50,000 words novel titled Gadsby, see
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
480 |
\url{https://archive.org/details/Gadsby}, which avoids the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
481 |
letter `e' throughout.} For rewriting the machine code, you
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
482 |
might need to use clever tricks like
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
483 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
484 |
\begin{lstlisting}[numbers=none,language={[x86masm]Assembler}]
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
485 |
xor %eax, %eax
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
486 |
\end{lstlisting}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
487 |
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
488 |
\noindent This instruction does not contain any zero-byte when
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
489 |
encoded as string, but produces a zero-byte on the stack when
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
490 |
run.
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
491 |
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
492 |
Having removed the zero-bytes we can craft the string that
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
493 |
will be send to the target computer. This of course requires
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
494 |
that the buffer we are trying to attack can at least contain
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
495 |
the shellcode we want to run. But as you can see this is only
|
399
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
496 |
47 bytes, which is a very low bar to jump over. Actually there
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
497 |
are optimised versions which only need 24 bytes. More
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
498 |
formidable is the choice of finding the right address to jump
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
499 |
to. The string is typically of the form
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
500 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
501 |
\begin{center}
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
502 |
\begin{tikzpicture}[scale=0.6]
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
503 |
\draw[line width=1mm] (-2, -1) rectangle (2,3);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
504 |
\draw[line width=1mm] (-2,1.9) -- (2,1.9);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
505 |
\draw (0,2.5) node {\large\tt shell code};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
506 |
\draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
507 |
\draw[->,line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
508 |
(-3,-1.7) -- (-3, 3.7) -- (-1.9, 3.7) -- (-1.9, 3.1);
|
228
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
509 |
\draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
510 |
\draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}};
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
511 |
\end{tikzpicture}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
512 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
513 |
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
514 |
\noindent where we need to be very precise with the address
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
515 |
with which we will overwrite the buffer (indicated as a black
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
516 |
rectangle). It has to be precisely the first byte of the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
517 |
shellcode. While this is easy with the help of a debugger (as
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
518 |
seen before), we typically cannot run anything, including a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
519 |
debugger, on the machine yet we target. And the address is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
520 |
very specific to the setup of the target machine. One way of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
521 |
finding out what the right address is is to try out one by one
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
522 |
every possible address until we get lucky. With the large
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
523 |
memories available today, however, the odds are long. And if
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
524 |
we try out too many possible candidates too quickly, we might
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
525 |
be detected by the system administrator of the target system.
|
228
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
526 |
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
527 |
We can improve our odds considerably by making use of a very
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
528 |
clever trick. Instead of adding the shellcode at the beginning
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
529 |
of the string, we should add it at the end, just before we
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
530 |
overflow the buffer, for example
|
228
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
531 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
532 |
\begin{center}
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
533 |
\begin{tikzpicture}[scale=0.6]
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
534 |
\draw[gray!50,fill=gray!50] (-2,0.3) rectangle (2,3);
|
228
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
535 |
\draw[line width=1mm] (-2, -1) rectangle (2,3);
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
536 |
\draw[line width=1mm] (-2,0.3) -- (2,0.3);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
537 |
\draw[line width=1mm] (-2,-0.7) -- (2,-0.7);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
538 |
\draw (0,-0.2) node {\large\tt shell code};
|
228
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
539 |
\draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
|
232
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
540 |
\draw [line width=0.5,decoration={brace,amplitude=2mm},decorate]
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
541 |
(2.3,3) -- (2.3,0.3);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
542 |
\draw[line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
543 |
(3,-1.7) -- (3,1.65) -- (2.6, 1.65);
|
228
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
544 |
\draw (-2, 3) node[anchor=north east] {\LARGE \color{codegreen}{``}};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
545 |
\draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
546 |
\end{tikzpicture}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
547 |
\end{center}
|
227
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
548 |
|
238
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
549 |
\noindent Then we can fill up the grey part of the string with
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
550 |
\pcode{NOP} operations. The code for this operation is
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
551 |
\code{\\0x90} on Intel CPUs. It is available on every
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
552 |
architecture and its purpose in a CPU is to do nothing apart
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
553 |
from waiting a small amount of time. If we now use an address
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
554 |
that lets us jump to any address in the grey area we are done.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
555 |
The target machine will execute these \pcode{NOP} operations
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
556 |
until it reaches the shellcode. That is why this NOP-part is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
557 |
often called \emph{NOP-sledge}. A moment of thought should
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
558 |
convince you that this trick can hugely improve our odds of
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
559 |
finding the right address---depending on the size of the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
560 |
buffer, it might only take a few tries to get the shellcode to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
561 |
run. And then we are in. The code for such an attack is shown
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
562 |
in Figure~\ref{C3}. It is directly taken from the original
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
563 |
paper about ``Smashing the Stack for Fun and Profit'' (see
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
564 |
pointer given at the end).
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
565 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
566 |
\begin{figure}[p]
|
232
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
567 |
\lstinputlisting[language=C]{../progs/C3.c}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
568 |
\caption{Overwriting a buffer with a string containing a
|
400
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
569 |
payload. Lines 14 and 15 write the address of the buffer
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
570 |
into \pcode{large\_string}. The payload is copied in
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
571 |
Lines 17 and 18. Line 20 copies the (too large) string
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
572 |
into the buffer.\label{C3}}
|
230
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
573 |
\end{figure}
|
229
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
574 |
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
575 |
By the way you might naw have the question how do attackers
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
576 |
find out about vulnerable systems in the first place? Well,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
577 |
the automated version uses \emph{fuzzers}, which throw
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
578 |
randomly generated user input at applications and observe the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
579 |
behaviour. If an application segfaults (throws a segmentation
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
580 |
error) then this is a good indication that a buffer overflow
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
581 |
vulnerability can be exploited.
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
582 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
583 |
|
232
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
584 |
\subsubsection*{Format String Attacks}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
585 |
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
586 |
Another question might arise, where do we get all this
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
587 |
information about addresses necessary for mounting a buffer
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
588 |
overflow attack without having yet access to the system? The
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
589 |
answer are \emph{format string attacks}. While technically
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
590 |
they are programming mistakes (and they are pointed out as
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
591 |
warning by modern compilers), they can be easily made and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
592 |
therefore an easy target. Let us look at the simplest version
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
593 |
of a vulnerable program.
|
232
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
594 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
595 |
\lstinputlisting[language=C]{../progs/C4.c}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
596 |
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
597 |
\noindent The intention of this program is to print out the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
598 |
first argument given on the command line. The ``secret
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
599 |
string'' is never to be printed. The problem is that the C
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
600 |
function \pcode{printf} normally expects a format string---a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
601 |
schema that directs how a string should be printed. This would
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
602 |
be for example a proper invocation of this function:
|
233
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
603 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
604 |
\begin{lstlisting}[numbers=none,language=C]
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
605 |
long n = 123456789;
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
606 |
printf("This is a long %lu!", n);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
607 |
\end{lstlisting}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
608 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
609 |
\noindent In the program above, instead, the format string
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
610 |
has been forgotten and only \pcode{argv[1]} is printed.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
611 |
Now if we give on the command line a string such as
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
612 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
613 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
614 |
\code{"foo \%s"}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
615 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
616 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
617 |
\noindent then \pcode{printf} expects a string to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
618 |
follow. But there is no string that follows, and how
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
619 |
the argument resolution works in C will in fact print out
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
620 |
the secret string! This can be handily exploited by
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
621 |
using the format string \code{"\%x"}, which reads out the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
622 |
stack. So \code{"\%x....\%x"} will give you as much
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
623 |
information from the stack as you need and over the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
624 |
Internet.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
625 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
626 |
While the program above contains clearly a programming
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
627 |
mistake (forgotten format string), things are not as simple
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
628 |
when the application reads data from the user and prompts
|
236
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
629 |
responses containing the user input. Consider the slight
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
630 |
variant of the program above
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
631 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
632 |
\lstinputlisting[language=C]{../progs/C5.c}
|
233
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
633 |
|
263
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
634 |
\noindent Here the programmer actually tried to take extra
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
635 |
care to not fall pray to a buffer overflow attack, but in the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
636 |
process made the program susceptible to a format string
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
637 |
attack. Clearly the \pcode{printf} function in Line 7 contains
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
638 |
now an explicit format string, but because the commandline
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
639 |
input is copied using the function \pcode{snprintf} the result
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
640 |
will be the same---the string can be exploited by embedding
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
641 |
format strings into the user input. Here the programmer really
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
642 |
cannot be blamed (much) because by using \pcode{snprintf} he
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
643 |
or she tried to make sure only 10 characters get copied into
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
644 |
the local buffer---in this way avoiding the obvious buffer
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
645 |
overflow attack.
|
236
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
646 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
647 |
\subsubsection*{Caveats and Defences}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
648 |
|
263
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
649 |
How can we defend against these attacks? Well, a reflex could
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
650 |
be to blame programmers. Precautions should be taken by them
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
651 |
so that buffers cannot been overfilled and format strings
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
652 |
should not be forgotten. This might actually be slightly
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
653 |
simpler to achieve by programmers nowadays since safe versions
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
654 |
of the library functions exist, which always specify the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
655 |
precise number of bytes that should be copied. Compilers also
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
656 |
nowadays provide warnings when format strings are omitted. So
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
657 |
proper education of programmers is definitely a part of a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
658 |
defence against such attacks. However, if we leave it at that,
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
659 |
then we have the mess we have today with new attacks
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
660 |
discovered almost daily.
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
661 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
662 |
There is actually a quite long record of publications
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
663 |
proposing defences against buffer overflow attacks. One method
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
664 |
is to declare the stack data as not executable. In this way it
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
665 |
is impossible to inject a payload as shown above which is then
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
666 |
executed once the stack is smashed. But this needs hardware
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
667 |
support which allows one to declare certain memory regions to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
668 |
be not executable. Such a feature was not introduced before
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
669 |
the Intel 386, for example. Also if you have a JIT
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
670 |
(just-in-time) compiler it might be advantageous to have
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
671 |
the stack containing executable data. So it is definitely a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
672 |
trade-off.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
673 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
674 |
Anyway attackers have found ways around this defence: they
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
675 |
developed \emph{return-to-lib-C} attacks. The idea is to not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
676 |
inject code, but already use the code that is present at the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
677 |
target computer. The lib-C library, for example, already
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
678 |
contains the code for spawning a shell. With
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
679 |
\emph{return-to-lib-C} one just has to find out where this
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
680 |
code is located. But attackers can make good guesses.
|
232
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
681 |
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
682 |
Another defence is called \emph{stack canaries}. The advantage
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
683 |
is that they can be automatically inserted into compiled code
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
684 |
and do not need any hardware support. Though they will make
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
685 |
your program run slightly slower. The idea behind \emph{stack
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
686 |
canaries} is to push a random number onto the stack just
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
687 |
before local data is stored. For our very first function
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
688 |
\pcode{foo} the stack would with a \emph{stack canary} look as
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
689 |
follows
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
690 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
691 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
692 |
\begin{tikzpicture}[scale=0.65]
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
693 |
%\draw[step=1cm] (-3,-1) grid (3,8);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
694 |
\draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
695 |
\draw[line width=1mm] (-1,-1.2) -- (-1,7.4);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
696 |
\draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
697 |
\draw (0,-1) node[anchor=south] {\tt main};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
698 |
\draw[line width=1mm] (-1,0) -- (1,0);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
699 |
\draw (0,0) node[anchor=south] {\tt arg$_3$=3};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
700 |
\draw[line width=1mm] (-1,1) -- (1,1);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
701 |
\draw (0,1) node[anchor=south] {\tt arg$_2$=2};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
702 |
\draw[line width=1mm] (-1,2) -- (1,2);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
703 |
\draw (0,2) node[anchor=south] {\tt arg$_1$=1};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
704 |
\draw[line width=1mm] (-1,3) -- (1,3);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
705 |
\draw (0,3.1) node[anchor=south] {\tt ret};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
706 |
\draw[line width=1mm] (-1,4) -- (1,4);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
707 |
\draw (0,4) node[anchor=south] {\small\tt last sp};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
708 |
\draw[line width=1mm] (-1,5) -- (1,5);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
709 |
\draw (0,5.1) node[anchor=south] {\tt\small\textcolor{red}{\textbf{random}}};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
710 |
\draw[line width=1mm] (-1,6) -- (1,6);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
711 |
\draw (0,6) node[anchor=south] {\tt buf};
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
712 |
\draw[line width=1mm] (-1,7) -- (1,7);
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
713 |
\end{tikzpicture}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
714 |
\end{center}
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
715 |
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
716 |
\noindent The idea behind this random number is that when the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
717 |
function finishes, it is checked that this random number is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
718 |
still intact on the stack. If not, then a buffer overflow has
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
719 |
occurred. Although this is quite effective, it requires
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
720 |
suitable support for generating random numbers. This is always
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
721 |
hard to get right and attackers are happy to exploit the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
722 |
resulting weaknesses.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
723 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
724 |
Another defence is \emph{address space randomisation}. This
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
725 |
defence tries to make it harder for an attacker to guess
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
726 |
addresses where code is stored. It turns out that addresses
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
727 |
where code is stored is rather predictable. Randomising the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
728 |
place where programs are stored mitigates this problem
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
729 |
somewhat.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
730 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
731 |
As mentioned before, modern operating systems have these
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
732 |
defences enabled by default and make buffer overflow attacks
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
733 |
harder, but not impossible. Indeed, I---as an amateur
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
734 |
attacker---had to explicitly switch off these defences.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
735 |
A real attacker would be more knowledgeable and not need this
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
736 |
shortcut.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
737 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
738 |
To work I run my example under an Ubuntu version ``Maverick
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
739 |
Meerkat'' from October 2010 and the gcc 4.4.5. I have not
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
740 |
tried whether newer versions would work as well. I tested all
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
741 |
examples inside a virtual
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
742 |
box\footnote{\url{https://www.virtualbox.org}} insulating my
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
743 |
main system from any harm. When compiling the programs I
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
744 |
called the compiler with the following options:
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
745 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
746 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
747 |
\begin{tabular}{l@{\hspace{1mm}}l}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
748 |
\pcode{/usr/bin/gcc} & \pcode{-ggdb -O0}\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
749 |
& \pcode{-fno-stack-protector}\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
750 |
& \pcode{-mpreferred-stack-boundary=2}\\
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
751 |
& \pcode{-z execstack}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
752 |
\end{tabular}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
753 |
\end{center}
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
754 |
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
755 |
\noindent The first two are innocent as they instruct the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
756 |
compiler to include debugging information and also produce
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
757 |
non-optimised code (the latter makes the output of the code a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
758 |
bit more predictable). The third is important as it switches
|
397
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
759 |
off defences like the stack canaries. The fourth again makes
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
760 |
it a bit easier to read the code. The final option makes the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
761 |
stack executable, thus the example in Figure~\ref{C3} works as
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
762 |
intended. While this might be considered cheating....since I
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
763 |
explicitly switched off all defences, I hope I was able convey
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
764 |
the point that this is actually not too far from realistic
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
765 |
scenarios. I have shown you the classic version of the buffer
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
766 |
overflow attacks. Updated and more advanced variants do exist.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
767 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
768 |
With the standard defences switched on, you might want to
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
769 |
argue buffer-overflow attacks have been solved on computers
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
770 |
(desktops and servers) but the computing landscape of today is
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
771 |
much wider than that. The main problem today are embedded
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
772 |
systems against which attacker can equally cause a lot of harm
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
773 |
and which are much less defended. Anthony Bonkoski makes a
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
774 |
similar argument in his security blog:
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
775 |
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
776 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
777 |
\url{http://jabsoft.io/2013/09/25/are-buffer-overflows-solved-yet-a-historical-tale/}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
778 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
779 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
780 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
781 |
There is one more rather effective defence against buffer
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
782 |
overflow attacks: Why not using a safe language? Java at its
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
783 |
inception was touted as a safe language because it hides
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
784 |
all explicit memory management from the user. This definitely
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
785 |
incurs a runtime penalty, but for bog-standard user-input
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
786 |
processing applications, speed is not of such an essence
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
787 |
anymore. There are of course also many other programming
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
788 |
languages that are safe, i.e.~immune to buffer overflow
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
789 |
attacks.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
790 |
\bigskip
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
791 |
|
263
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
792 |
\subsubsection*{Further Reading}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
793 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
794 |
If you want to know more about buffer overflow attacks, the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
795 |
original Phrack article ``Smashing The Stack For Fun And
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
796 |
Profit'' by Elias Levy (also known as Aleph One) is an
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
797 |
engaging read:
|
196
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
798 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
799 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
800 |
\url{http://phrack.org/issues/49/14.html}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
801 |
\end{center}
|
206
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
802 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
803 |
\noindent This is an article from 1996 and some parts are
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
804 |
not up-to-date anymore. The article called
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
805 |
``Smashing the Stack in 2010''
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
806 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
807 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
808 |
\url{http://www.mgraziano.info/docs/stsi2010.pdf}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
809 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
810 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
811 |
\noindent updates, as the name says, most information to 2010.
|
240
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
812 |
There is another Phrack article about return-into-lib(c) exploits
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
813 |
from 2012:
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
814 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
815 |
\begin{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
816 |
\url{http://phrack.org/issues/58/4.html}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
817 |
\end{center}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
818 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
819 |
\noindent
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
820 |
The main topic is about getting around the non-executability of stack
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
821 |
data (in case it is protected). This article gives some further
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
822 |
pointers into the recent literature about buffer overflow attacks.
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
823 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
824 |
Buffer overflow attacks are not just restricted to Linux and
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
825 |
``normal'' computers. There is a book
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
826 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
827 |
\begin{quote}\rm
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
828 |
``iOS Hacker's Handbook'' by Miller et al, Wiley, 2012
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
829 |
\end{quote}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
830 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
831 |
\noindent
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
832 |
which seem to describe buffer overflow attacks on iOS. A book from the
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
833 |
same publisher exists also for Android (from 2014) which seem to also
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
834 |
feature buffer overflow attacks. Alas I do not own copies of these
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
835 |
books.
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
836 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
837 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
838 |
\subsubsection*{A Crash-Course for GDB}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
839 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
840 |
If you want to try out the examples from KEATS it might be
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
841 |
helpful to know about the following commands of the GNU
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
842 |
Debugger:
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
843 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
844 |
\begin{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
845 |
\item \texttt{(l)ist n} -- lists the source file from line
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
846 |
\texttt{n}, the number can be omitted
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
847 |
\item \texttt{disassemble fun-name} -- show the assembly code
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
848 |
of a function
|
400
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
849 |
\item \texttt{info registers} -- prints out the current
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
850 |
content of all registers
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
851 |
\item \texttt{run args} -- starts the program, potential
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
852 |
arguments can be given
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
853 |
\item \texttt{(b)reak line-number} -- sets break point
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
854 |
\item \texttt{(c)ontinue} -- continue execution until next
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
855 |
breakpoint
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
856 |
\item \texttt{x/nxw addr} -- prints out \texttt{n} words starting
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
857 |
from address \pcode{addr}, the address could be \code{$esp}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
858 |
for looking at the content of the stack
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
859 |
\item \texttt{x/nxb addr} -- prints out \texttt{n} bytes
|
400
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
860 |
\item \texttt{q} -- quits the debugger
|
461
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
861 |
\item \texttt{tui enable} or \texttt{C-x C-a} --- switches into
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
862 |
TUI mode
|
237
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
863 |
\end{itemize}
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
864 |
|
196
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
865 |
|
443
Christian Urban <christian dot urban at kcl dot ac dot uk>
diff
changeset
|
866 |
\end{document}
|
156
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
867 |
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
868 |
%%% Local Variables:
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
869 |
%%% mode: latex
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
870 |
%%% TeX-master: t
|
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff
changeset
|
871 |
%%% End:
|