sen-material: comparison handouts/ho03.tex

equal deleted inserted replaced

-:2f4296a0ab21
+:93affa1ebd6f
 function \code{foo} with three arguments. \code{Foo} creates
 two (local) buffers, but does not do anything interesting with
 them. The only purpose of this program is to illustrate what
 happens behind the scenes with the stack. The interesting
 question is what will the stack look like after Line 3 has
-been executed? The answer can be illustrated as follows:
+been executed? The answer is illustrated in Figure~\ref{stack}.
+\begin{figure}
 \begin{center}
 \begin{tikzpicture}[scale=0.65]
 \draw[gray!20,fill=gray!20] (-5, 0) rectangle (-3,-1);
 \draw[line width=1mm] (-5,-1.2) -- (-5,0.2);
 \draw[line width=1mm] (-3,-1.2) -- (-3,0.2);
 \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5) -- (1.8, 0) -- (1.1,0);
 \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
 \draw (2.6,3.1) node[anchor=south west] {\tt back to main()};
 \end{tikzpicture}
 \end{center}
+\caption{The stack layout for a program where the main
-\noindent On the left is the stack before \code{foo} is
+function calls an auxiliary function with three arguments
-called; on the right is the stack after \code{foo} finishes.
+(1,2 and 3). The auxiliary function has two local
-The function call to \code{foo} in Line 7 pushes the arguments
+buffer variables {\tt buf}$_1$ and {\tt buf}$_2$.\label{stack}}
-onto the stack in reverse order---shown in the middle.
+\end{figure}
-Therefore first 3 then 2 and finally 1. Then it pushes the
-return address onto the stack where execution should resume
+On the left is the stack before \code{foo} is called; on the
-once \code{foo} has finished. The last stack pointer
+right is the stack after \code{foo} finishes. The function
+call to \code{foo} in Line 7 (in the C program above) pushes
+the arguments onto the stack in reverse order---shown in the
+middle. Therefore first 3 then 2 and finally 1. Then it pushes
+the return address onto the stack where execution should
+resume once \code{foo} has finished. The last stack pointer
 (\code{sp}) is needed in order to clean up the stack to the
 last level---in fact there is no cleaning involved, but just
 the top of the stack will be set back to this address. So the
 last stack pointer also needs to be stored. The two buffers
 inside \pcode{foo} are on the stack too, because they are
 local data within \code{foo}. Consequently the stack in the
-middle is a snapshot after Line 3 has been executed. In case
+middle of Figure~\ref{stack} is a snapshot after Line 3 has
-you are familiar with assembly instructions you can also read
+been executed.
-off this behaviour from the machine code that the \code{gcc}
-compiler generates for the program above:\footnote{You can
+In case you are familiar with assembly instructions you can
-make \pcode{gcc} generate assembly instructions if you call it
+also read off this behaviour from the machine code that the
-with the \pcode{-S} option, for example \pcode{gcc -S out
+\code{gcc} compiler generates for the program
-in.c}\;. Or you can look at this code by using the debugger.
+above:\footnote{You can make \pcode{gcc} generate assembly
-How to do this will be explained in the last section.}
+instructions if you call it with the \pcode{-S} option, for
+example \pcode{gcc -S out in.c}\;. Or you can look at this
+code by using the debugger. How to do this will be explained
+in the last section.} It generates the following code for the
+\pcode{main} and \pcode{foo} functions.
 \begin{center}\small
 \begin{tabular}[t]{p{11cm}}
 {\lstinputlisting[language={[x86masm]Assembler},
 morekeywords={movl},xleftmargin=5mm]
 {../progs/example1a.s}}
 \end{tabular}
 \end{center}
+\noindent Again you can see how the function \pcode{main}
+prepares in Lines 2 to 7 the stack before calling the function
+\pcode{foo}. You can see that the numbers 3, 2, 1 are stored
+on the stack (the register \code{\%esp} refers to the top of
+the stack; \pcode{$0x1}, \pcode{$0x2} \pcode{$0x3} are the
+hexadecimal encodings for \pcode{1} to \pcode{3}). The code
+for the foo function is as follows:
 \begin{center}\small
 \begin{tabular}[t]{p{11cm}}
 {\lstinputlisting[language={[x86masm]Assembler},
 morekeywords={movl,movw},xleftmargin=5mm]
 {../progs/example1b.s}}
 \end{tabular}
 \end{center}
-\noindent On the left you can see how the function
+\noindent You can see how the function \pcode{foo} stores
-\pcode{main} prepares in Lines 2 to 7 the stack before calling
+first the last stack pointer onto the stack and then
-the function \pcode{foo}. You can see that the numbers 3, 2, 1
+calculates the new stack pointer to have enough space for the
-are stored on the stack (the register \code{$esp} refers to
+two local buffers (Lines 2 - 4). Then it puts the two local
-the top of the stack; \pcode{$0x1}, \pcode{$0x2} \pcode{$0x3}
-are the encodings for \pcode{1} to \pcode{3}). On the right
-you can see how the function \pcode{foo} stores the two local
 buffers onto the stack and initialises them with the given
-data (Lines 2 to 9). Since there is no real computation going
+data (Lines 5 to 9). Since there is no real computation going
 on inside \pcode{foo}, the function then just restores the
-stack to its old state and crucially sets the return address
+stack to its old state (Line 10) and crucially sets the return
-where the computation should resume (Line 9 in the code on the
+address where the computation should resume (Line 10). The
-right-hand side). The instruction \code{ret} then transfers
+instruction \code{ret} then transfers control back to the
-control back to the function \pcode{main} to the
+function \pcode{main} to the instruction just after the call
-instruction just after the call to \pcode{foo}, that is Line
+to \pcode{foo}, that is Line 10.
-9.
 Another part of the ``conspiracy'' of buffer overflow attacks
 is that library functions in C look typically as follows:
 \begin{center}
 corresponding stack of such a function will look as follows
 \begin{center}
 \begin{tikzpicture}[scale=0.65]
 %\draw[step=1cm] (-3,-1) grid (3,8);
-\draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
+\draw[line width=1mm] (-1,1.2) -- (-1,6.4);
-\draw[line width=1mm] (-1,-1.2) -- (-1,6.4);
+\draw[line width=1mm] ( 1,1.2) -- ( 1,6.4);
-\draw[line width=1mm] ( 1,-1.2) -- ( 1,6.4);
+\draw (0,2) node[anchor=south] {\ldots};
-\draw (0,-1) node[anchor=south] {\tt main};
-\draw[line width=1mm] (-1,0) -- (1,0);
-\draw (0,0) node[anchor=south] {\tt arg$_3$=3};
-\draw[line width=1mm] (-1,1) -- (1,1);
-\draw (0,1) node[anchor=south] {\tt arg$_2$=2};
-\draw[line width=1mm] (-1,2) -- (1,2);
-\draw (0,2) node[anchor=south] {\tt arg$_1$=1};
 \draw[line width=1mm] (-1,3) -- (1,3);
 \draw (0,3.1) node[anchor=south] {\tt ret};
 \draw[line width=1mm] (-1,4) -- (1,4);
 \draw (0,4) node[anchor=south] {\small\tt last sp};
 \draw[line width=1mm] (-1,5) -- (1,5);
 that the string internally will automatically be terminated by
 a zero-byte. If the programmer uses functions like
 \pcode{strcpy} for filling the buffer \pcode{buf}, then we can
 be sure it will overwrite the stack in this manner---since it
 will copy everything up to the zero-byte. Notice that this
-overwriting of the buffer only works since the newer item, the
+overwriting of the buffer only works since the newer
-buffer, is stored on the stack before the older items, like
+item---the buffer---is stored on the stack before the older
-return address and arguments. If it had be the other way
+items, like return address and arguments. If it had be the
-around, then such an overwriting by overflowing a local buffer
+other way around, then such an overwriting by overflowing a
-would just not work. Had the designers of C had just been able
+local buffer would just not work. Had the designers of C
-to foresee what headaches their way of arranging the stack
+been able to foresee what headaches their way of
-caused in the time where computers are accessible from
+arranging the stack will cause, how different could be
-everywhere?
+the IT-World today?
 What the outcome of such an attack is can be illustrated with
 the code shown in Figure~\ref{C2}. Under ``normal operation''
 this program ask for a login-name and a password. Both of
 which are stored in \code{char} buffers of length 8. The
 the same content. If yes, then the function lets you ``in''
 (by printing \pcode{Welcome}). If not, it denies access (by
 printing \pcode{Wrong identity}). The vulnerable function is
 \code{get_line} in Lines 11 to 19. This function does not take
 any precautions about the buffer of 8 characters being filled
-beyond its 8-character-limit. Let us suppose the login name
+beyond its 8-character-limit. Let us suppose the login name is
-is \pcode{test}. Then the buffer overflow can be triggered
+\pcode{test}. Then the buffer overflow can be triggered with a
-with a specially crafted string as password:
+specially crafted string as password (remember
+\pcode{get\_line} requires a \pcode{\\n} at the end of the
+input):
 \begin{center}
 \code{AAAAAAAABBBB\\x2c\\x85\\x04\\x08\\n}
 \end{center}
 Unfortunately, much more harm can be caused by buffer overflow
 attacks. This is achieved by injecting code that will be run
 once the return address is appropriately modified. Typically
 the code that will be injected starts a shell. This gives the
 attacker the ability to run programs on the target machine and
-to have a good look around, provided the attacked process was not
+to have a good look around in order to obtain also full root
-already running as root.\footnote{In that case the attacker
+access (normally the program that is attacked would run with
-would already congratulate him or herself to another
+lesser rights and any shell injected would also only run with
-computer under full control.} In order to be send as part of
+these lesser access rights). If the attacked program was
-the string that is overflowing the buffer, we need the code to
+already running as root, then the attacker can congratulate
-be represented as a sequence of characters. For example
+him or herself to another computer under full control\ldots
+no more work to be done.
+In order to be send as part of the string that is overflowing
+the buffer, we need the code for starting the shell to be
+represented as a sequence of characters. For example
 \lstinputlisting[language=C,numbers=none]{../progs/o1.c}
 \noindent These characters represent the machine code for
 opening a shell. It seems obtaining such a string requires
-``higher-education'' in the architecture of the target system. But
+``higher-education'' in the architecture of the target system.
-it is actually relatively simple: First there are many such
+But it is actually relatively simple: First there are many
-string ready-made---just a quick Google query away. Second,
+such strings ready-made---just a quick Google query away.
-tools like the debugger can help us again. We can just write
+Second, tools like the debugger can help us again. We can just
-the code we want in C, for example this would be the program
+write the code we want in C, for example this would be the
-for starting a shell:
+program for starting a shell:
 \lstinputlisting[language=C,numbers=none]{../progs/shell.c}
 \noindent Once compiled, we can use the debugger to obtain
 the machine code, or even the ready-made encoding as character
 sequence.
-While easy, obtaining this string is not entirely trivial
+While not too difficult, obtaining this string is not entirely
-using \pcode{gdb}. Remember the functions in C that copy or
+trivial using \pcode{gdb}. Remember the functions in C that
-fill buffers work such that they copy everything until the
+copy or fill buffers work such that they copy everything until
-zero byte is reached. Unfortunately the ``vanilla'' output
+the zero byte is reached. Unfortunately the ``vanilla'' output
 from the debugger for the shell-program above will contain
 such zero bytes. So a post-processing phase is needed to
 rewrite the machine code in a way that it does not contain any
 zero bytes. This is like some works of literature that have
 been written so that the letter e, for example, is avoided.
 The technical term for such a literature work is
 \emph{lipogram}.\footnote{The most famous example of a
 lipogram is a 50,000 words novel titled Gadsby, see
 \url{https://archive.org/details/Gadsby}, which avoids the
-letter `e' throughout.} For rewriting the
+letter `e' throughout.} For rewriting the machine code, you
-machine code, you might need to use clever tricks like
+might need to use clever tricks like
 \begin{lstlisting}[numbers=none,language={[x86masm]Assembler}]
 xor %eax, %eax
 \end{lstlisting}
 \draw ( 2,-0.9) node[anchor=west] {\LARGE\color{codegreen}{''}};
 \end{tikzpicture}
 \end{center}
 \noindent where we need to be very precise with the address
-with which we will overwrite the buffer. It has to be
+with which we will overwrite the buffer (indicated as a black
-precisely the first byte of the shellcode. While this is easy
+rectangle). It has to be precisely the first byte of the
-with the help of a debugger (as seen before), we typically
+shellcode. While this is easy with the help of a debugger (as
-cannot run anything, including a debugger, on the machine yet
+seen before), we typically cannot run anything, including a
-we target. And the address is very specific to the setup of
+debugger, on the machine yet we target. And the address is
-the target machine. One way of finding out what the right
+very specific to the setup of the target machine. One way of
-address is is to try out one by one every possible
+finding out what the right address is is to try out one by one
-address until we get lucky. With the large memories available
+every possible address until we get lucky. With the large
-today, however, the odds are long. And if we try out too many
+memories available today, however, the odds are long. And if
-possible candidates too quickly, we might be detected by the
+we try out too many possible candidates too quickly, we might
-system administrator of the target system.
+be detected by the system administrator of the target system.
-We can improve our odds considerably by following a clever
+We can improve our odds considerably by making use of a very
-trick. Instead of adding the shellcode at the beginning of the
+clever trick. Instead of adding the shellcode at the beginning
-string, we should add it at the end, just before we overflow
+of the string, we should add it at the end, just before we
-the buffer, for example
+overflow the buffer, for example
 \begin{center}
 \begin{tikzpicture}[scale=0.6]
 \draw[gray!50,fill=gray!50] (-2,0.3) rectangle (2,3);
 \draw[line width=1mm] (-2, -1) rectangle (2,3);
 \end{tikzpicture}
 \end{center}
 \noindent Then we can fill up the grey part of the string with
 \pcode{NOP} operations. The code for this operation is
-\code{\\0x90}. It is available on every architecture and its
+\code{\\0x90} on Intel CPUs. It is available on every
-purpose in a CPU is to do nothing apart from waiting a small
+architecture and its purpose in a CPU is to do nothing apart
-amount of time. If we now use an address that lets us jump to
+from waiting a small amount of time. If we now use an address
-any address in the grey area we are done. The target machine
+that lets us jump to any address in the grey area we are done.
-will execute these \pcode{NOP} operations until it reaches the
+The target machine will execute these \pcode{NOP} operations
-shellcode. That is why this NOP-part is often called
+until it reaches the shellcode. That is why this NOP-part is
-\emph{NOP-sledge}. A moment of thought should convince you
+often called \emph{NOP-sledge}. A moment of thought should
-that this trick can hugely improve our odds of finding the
+convince you that this trick can hugely improve our odds of
-right address---depending on the size of the buffer, it might
+finding the right address---depending on the size of the
-only take a few tries to get the shellcode to run. And then we
+buffer, it might only take a few tries to get the shellcode to
-are in. The code for such an attack is shown in
+run. And then we are in. The code for such an attack is shown
-Figure~\ref{C3}. It is directly taken from the original paper
+in Figure~\ref{C3}. It is directly taken from the original
-about ``Smashing the Stack for Fun and Profit'' (see pointer
+paper about ``Smashing the Stack for Fun and Profit'' (see
-given at the end).
+pointer given at the end).
 \begin{figure}[p]
 \lstinputlisting[language=C]{../progs/C3.c}
 \caption{Overwriting a buffer with a string containing a
 payload.\label{C3}}
 \end{figure}
-By the way you might have the question how do attackers find
+By the way you might naw have the question how do attackers
-out about vulnerable systems? Well, the automated version uses
+find out about vulnerable systems in the first place? Well,
-\emph{fuzzers}, which throw randomly generated user input at
+the automated version uses \emph{fuzzers}, which throw
-applications and observe the behaviour. If an application
+randomly generated user input at applications and observe the
-seg-faults (throws a segmentation error) then this is a good
+behaviour. If an application segfaults (throws a segmentation
-indication that a buffer overflow vulnerability can be
+error) then this is a good indication that a buffer overflow
-exploited.
+vulnerability can be exploited.
 \subsubsection*{Format String Attacks}
 Another question might arise, where do we get all this
 therefore an easy target. Let us look at the simplest version
 of a vulnerable program.
 \lstinputlisting[language=C]{../progs/C4.c}
-\noindent The intention is to print out the first argument
+\noindent The intention of this program is to print out the
-given on the command line. The ``secret string'' is never to
+first argument given on the command line. The ``secret
-be printed. The problem is that the C function \pcode{printf}
+string'' is never to be printed. The problem is that the C
-normally expects a format string---a schema that directs how a
+function \pcode{printf} normally expects a format string---a
-string should be printed. This would be for example a proper
+schema that directs how a string should be printed. This would
-invocation of this function:
+be for example a proper invocation of this function:
 \begin{lstlisting}[numbers=none,language=C]
 long n = 123456789;
 printf("This is a long %lu!", n);
 \end{lstlisting}
 How can we defend against these attacks? Well, a reflex could
 be to blame programmers. Precautions should be taken by them
 so that buffers cannot been overfilled and format strings
 should not be forgotten. This might actually be slightly
-simpler nowadays since safe versions of the library functions
+simpler to achieve by programmers nowadays since safe versions
-exist, which always specify the precise number of bytes that
+of the library functions exist, which always specify the
-should be copied. Compilers also nowadays provide warnings
+precise number of bytes that should be copied. Compilers also
-when format strings are omitted. So proper education of
+nowadays provide warnings when format strings are omitted. So
-programmers is definitely a part of a defence against such
+proper education of programmers is definitely a part of a
-attacks. However, if we leave it at that, then we have the
+defence against such attacks. However, if we leave it at that,
-mess we have today with new attacks discovered almost daily.
+then we have the mess we have today with new attacks
+discovered almost daily.
 There is actually a quite long record of publications
 proposing defences against buffer overflow attacks. One method
 is to declare the stack data as not executable. In this way it
 is impossible to inject a payload as shown above which is then
 developed \emph{return-to-lib-C} attacks. The idea is to not
 inject code, but already use the code that is present at the
 target computer. The lib-C library, for example, already
 contains the code for spawning a shell. With
 \emph{return-to-lib-C} one just has to find out where this
-code is located. But attackers can make good guesses. In my
+code is located. But attackers can make good guesses.
-examples I took a shortcut and always made the stack
-executable.
+Another defence is called \emph{stack canaries}. The advantage
-Another defence is called \emph{stack canaries}. The advantage
 is that they can be automatically inserted into compiled code
 and do not need any hardware support. Though they will make
 your program run slightly slower. The idea behind \emph{stack
 canaries} is to push a random number onto the stack just
-before local data is stored. For our very first function the
+before local data is stored. For our very first function
-stack would with a \emph{stack canary} look as follows
+\pcode{foo} the stack would with a \emph{stack canary} look as
+follows
 \begin{center}
 \begin{tikzpicture}[scale=0.65]
 %\draw[step=1cm] (-3,-1) grid (3,8);
 \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
 \end{center}
 \noindent The idea behind this random number is that when the
 function finishes, it is checked that this random number is
 still intact on the stack. If not, then a buffer overflow has
-occurred. Although this is quite effective, but requires
+occurred. Although this is quite effective, it requires
 suitable support for generating random numbers. This is always
 hard to get right and attackers are happy to exploit the
 resulting weaknesses.
 Another defence is \emph{address space randomisation}. This
 place where programs are stored mitigates this problem
 somewhat.
 As mentioned before, modern operating systems have these
 defences enabled by default and make buffer overflow attacks
-harder, but not impossible. Indeed, I as an amateur attacker
+harder, but not impossible. Indeed, I---as an amateur
-had to explicitly switch off these defences. I run my example
+attacker---had to explicitly switch off these defences.
-under an Ubuntu version ``Maverick Meerkat'' from October
+A real attacker would be more knowledgeable and not need this
-2010 and the gcc 4.4.5. I have not tried whether newer versions
+shortcut.
-would work as well. I tested all examples inside a virtual
-box\footnote{\url{https://www.virtualbox.org}} insulating my main
+To work I run my example under an Ubuntu version ``Maverick
-system from any harm. When compiling the programs I called
+Meerkat'' from October 2010 and the gcc 4.4.5. I have not
-the compiler with the following options:
+tried whether newer versions would work as well. I tested all
+examples inside a virtual
+box\footnote{\url{https://www.virtualbox.org}} insulating my
+main system from any harm. When compiling the programs I
+called the compiler with the following options:
 \begin{center}
 \begin{tabular}{l@{\hspace{1mm}}l}
 \pcode{/usr/bin/gcc} & \pcode{-ggdb -O0}\\
 & \pcode{-fno-stack-protector}\\
 \noindent The first two are innocent as they instruct the
 compiler to include debugging information and also produce
 non-optimised code (the latter makes the output of the code a
 bit more predictable). The third is important as it switches
-off defences like the stack canaries. The fourth again makes it
+off defences like the stack canaries. The fourth again makes
-a bit easier to read the code. The final option makes the
+it a bit easier to read the code. The final option makes the
-stack executable, thus the example in Figure~\ref{C3}
+stack executable, thus the example in Figure~\ref{C3} works as
-works as intended. While this might be considered
+intended. While this might be considered cheating....since I
-cheating....since I explicitly switched off all defences, I
+explicitly switched off all defences, I hope I was able convey
-hope I was able convey the point that this is actually not too far from
+the point that this is actually not too far from realistic
-realistic scenarios. I have shown you the classic version of
+scenarios. I have shown you the classic version of the buffer
-the buffer overflow attacks. Updated variants do exist. Also
+overflow attacks. Updated and more advanced variants do exist.
-one might argue buffer-overflow attacks have been solved on
-computers (desktops or servers) but the computing landscape of today
+With the standard defences switched on, you might want to
-is much wider than that. The main problem today are
+argue buffer-overflow attacks have been solved on computers
-embedded systems against which attacker can equally cause a
+(desktops and servers) but the computing landscape of today is
-lot of harm and which are much less defended. Anthony Bonkoski
+much wider than that. The main problem today are embedded
-makes a similar argument in his security blog:
+systems against which attacker can equally cause a lot of harm
+and which are much less defended. Anthony Bonkoski makes a
+similar argument in his security blog:
 \begin{center}
 \url{http://jabsoft.io/2013/09/25/are-buffer-overflows-solved-yet-a-historical-tale/}
 \end{center}

changeset 397	93affa1ebd6f
parent 396	2f4296a0ab21
child 399	6d552ef3b435