\noindent These statistics show that in the last seven years or so the
number of buffer overflow attacks is around 10\% of all attacks
(whereby the absolute number of attacks grows each year). So you can
see that buffer overflow attacks are very relevant today. For example, very
recently (February 2016) a buffer overflow vulnerability was discovered in the glibc
library:\footnote{\url{http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/}}

\begin{quote}\it
``Since 2008, vulnerability has left apps and hardware open to remote
hijacking: Researchers have discovered a potentially catastrophic flaw in
one of the Internet's core building blocks that leaves hundreds or
grows from higher addresses to lower addresses (i.e.~from the
back to the front). That means that older items on the stack
are stored behind, or after, newer items. Let's look a bit
closer at what happens with the stack when a program is running.
Consider the following simple C program.

\begin{minipage}{\textwidth}
\lstinputlisting[language=C]{../progs/example1.c}
\end{minipage}

\noindent The \code{main} function calls the function \code{foo} in
Line 7 with three arguments. \code{Foo} creates
two (local) buffers, but does not do anything interesting with
them. The only purpose of this program is to illustrate what
happens behind the scenes with the stack. The interesting
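\noindent To make the growth direction concrete, here is a small C program written for this edit (it is not the lecture's \texttt{example1.c}): a caller with a local buffer calls a callee with its own buffer, and the addresses of the two are compared. Function names, the \texttt{NOINLINE} macro and the buffer sizes are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Keep the callee in its own stack frame (GCC/Clang attribute).  If the
   compiler inlined it, both buffers would live in one frame and the
   comparison below would say nothing about how the stack grows. */
#define NOINLINE __attribute__((noinline))

/* Plays the role of foo: a callee with a local buffer of its own.
   Returns the address of that (newer) buffer. */
static NOINLINE uintptr_t callee_buffer(int a, int b, int c)
{
    volatile char buf[16];          /* volatile: must really live on the stack */
    buf[0] = (char)(a + b + c);
    return (uintptr_t)buf;
}

/* Plays the role of main: an older buffer, then the call.  Returns the
   distance in bytes from the callee's buffer up to the caller's; it is
   positive when the stack grows from higher to lower addresses.  The exact
   value depends on compiler, saved registers and alignment padding. */
long frame_distance(void)
{
    volatile char buf[16];
    buf[0] = 'm';
    uintptr_t older = (uintptr_t)buf;            /* pushed first, higher address */
    uintptr_t newer = callee_buffer(1, 2, 3);    /* pushed later, lower address */
    return (long)older - (long)newer;
}

/* 1 when newer stack items sit below older ones, as the text describes. */
int stack_grows_down(void)
{
    return frame_distance() > 0;
}

int main(void)
{
    printf("stack grows down: %s\n", stack_grows_down() ? "yes" : "no");
    printf("caller's buffer lies %ld bytes above the callee's\n", frame_distance());
    return 0;
}
```

On x86 and ARM the caller's buffer is reported above the callee's, which is exactly why an overflow of the callee's buffer runs forward into the older frames.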
payload. Lines 14 and 15 write the address of the buffer into
\code{large\_string}. The payload is copied in Lines 17 and 18. Line
20 copies the (too large) string into the buffer.\label{C3}}
\end{figure}

By the way, you might now have the question of how attackers
find out about vulnerable systems in the first place. Well,
the automated version uses \emph{fuzzers}, which throw
randomly generated user input at applications and observe the
behaviour. If an application segfaults (throws a segmentation
error) then this is a good indication that a buffer overflow
variant of the program above

\lstinputlisting[language=C]{../progs/C5.c}

\noindent Here the programmer actually tried to take extra
care not to fall prey to a buffer overflow attack, but in the
process made the program susceptible to a format string
attack. Clearly the \pcode{printf} function in Line 7 now contains
an explicit format string, but because the commandline
input is copied using the function \pcode{snprintf} the result
will be the same---the string can be exploited by embedding
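\noindent The defect is easiest to see with the vulnerable copy next to its hardened form. The following C snippet was written for this edit and is not the lecture's \texttt{C5.c}; the function names, \texttt{BUF\_SIZE} and the audit helper are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* The pattern from the text: the command-line string is handed to snprintf
   as its *format*, so any %-directives in it are interpreted just as they
   would be in printf(argv[1]).  Kept only for contrast with the fix below.
   Compilers flag this when -Wformat-security is on; the pragmas exist solely
   so the contrast compiles cleanly under -Werror. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
void copy_vulnerable(char *dst, const char *user_input)
{
    const char *fmt = user_input;        /* user data used as the format string */
    snprintf(dst, BUF_SIZE, fmt);
}
#pragma GCC diagnostic pop

/* Hardened form: the format is a literal and the input is passed purely as
   data.  snprintf still bounds the copy, so the overflow fix is preserved. */
void copy_hardened(char *dst, const char *user_input)
{
    snprintf(dst, BUF_SIZE, "%s", user_input);
}

/* 1 when the hardened copy reproduces the input byte for byte (up to the
   BUF_SIZE-1 characters that fit), i.e. no directive was interpreted. */
int hardened_copy_is_verbatim(const char *user_input)
{
    char dst[BUF_SIZE];
    copy_hardened(dst, user_input);
    return strncmp(dst, user_input, BUF_SIZE - 1) == 0
        && strlen(dst) <= BUF_SIZE - 1;
}

/* Cheap audit check for data that is about to reach a printf-family call:
   any '%' in something used as a format string is a red flag.  The real fix
   is the literal "%s" above; this only helps spot the pattern in review. */
int looks_like_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}
```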
Debugger:

\begin{itemize}
\item \texttt{(l)ist n} -- lists the source file from line
\texttt{n}; the number can be omitted
\item \texttt{disassemble fun-name} -- shows the assembly code
of a function
\item \texttt{info registers} -- prints out the current
content of all registers
\item \texttt{run args} -- starts the program; potential
arguments can be given