slides/slides03.tex
author Christian Urban <urbanc@in.tum.de>
Sat, 09 Jun 2018 21:01:46 +0100
changeset 565 d58f8e3e78a5
parent 547 eae9a2e6ff28
permissions -rw-r--r--
updated

\documentclass[dvipsnames,14pt,t]{beamer}
% course-local style files one directory up; they presumably provide the
% \bubble, \code, \pcode, textblock and \slidecaption helpers used in the
% frames below (none of them is defined in this file)
\usepackage{../slides}
\usepackage{../graphics}
\usepackage{../langs}
\usepackage{../data}

% \setmonofont / \newfontfamily are fontspec commands, so this file is
% meant to be compiled with XeLaTeX or LuaLaTeX
\setmonofont[Scale=.88]{Consolas}
\newfontfamily{\consolas}{Consolas}

% suppress "overfull \hbox" warnings up to 220pt; several listings below
% use negative xleftmargin values and would likely trigger them otherwise
\hfuzz=220pt 

% beamer stuff 
\renewcommand{\slidecaption}{SEN 03, King's College London}


\begin{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
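\begin{frame}[t]
\frametitle{%
  \begin{tabular}{@ {}c@ {}}
  \\
  \LARGE Security Engineering (3)\\[-3mm] 
  \end{tabular}}\bigskip\bigskip\bigskip

  \normalsize
  \begin{center}
  \begin{tabular}{ll}
  Email:  & christian.urban at kcl.ac.uk\\
  Office: & N7.07 (North Wing, Bush House)\\
  Slides: & KEATS (also homework is there)
  \end{tabular}
  \end{center}

% quotation box placed absolutely in the lower part of the slide;
% \normalfont\rmfamily is the LaTeX2e equivalent of the obsolete
% two-letter switch \rm (reset to the upright roman font)
\begin{textblock}{7}(2.4,10.8)
\begin{bubble}[9cm]
\normalfont\rmfamily ``We took a network that was designed to be resilient to nuclear war and
we made it vulnerable to toasters.''\\\mbox{}\hfill\small --- Eben Upton, 2017, RPi co-founder
\end{bubble}
\end{textblock}
  
\end{frame}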
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
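\begin{frame}[c]
  \frametitle{\Large Homework, Slides etc}

% organisational slide; "by Sunday" replaces the ungrammatical
% "until Sunday" in the last item
  \begin{itemize}
  \item homework, slides, programs, handouts are on KEATS
  \item include the question text  
  \item please send the homework as PDF (or txt)\bigskip
  \item exam 90\%, questions will be from homeworks (work in pairs for hws)
  \item coursework 10\% \bigskip  
  \item short survey at KEATS; to be answered by Sunday  
  \end{itemize}
\end{frame}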
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Buffer Overflow Attacks}

% two pictures side by side as a visual contrast: "barrier" for the
% lectures so far, "trainwreck" for today's topic; the column bottoms
% are aligned ([b]) so the captions line up
\begin{center}
\begin{columns}[b]
\begin{column}{.4\textwidth}
\centering
\includegraphics[scale=0.3]{../pics/barrier.jpg}\\
lectures so far
\end{column}
\begin{column}{.4\textwidth}
\centering
\includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\
today
\end{column}
\end{columns}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\begin{tabular}{@{}c@{}}According to\\ US Vulnerability DB\end{tabular}}
 
% pgfplots bar chart: share of buffer-overflow entries in the NVD per
% year; x ticks at every second year from 1997 to 2017.  The data file
% bufferoverflows.data must provide the columns Year and Percentage
% (same chart as the commented-out "NIST Statistics" frame at the end of
% this file, which read ../handouts/bufferoverflows.data instead).
\begin{center}
\mbox{}\hspace{-8mm}\begin{tikzpicture}
\begin{axis}[
    xlabel={year},
    xlabel style={yshift=-1em},
    ylabel={\% of total attacks},
    ylabel style={yshift=-0em},
    enlargelimits=false,
    xtick={1997,1999,2001,...,2017},
    xmin=1996.5,
    xmax=2018,
    ymax=23,
    ytick={0,5,...,20},
    scaled ticks=false,
    axis lines=left,
    width=11.5cm,
    height=5cm, 
    ybar,
    x tick label style={text height=1ex,font=\footnotesize,/pgf/number format/1000 sep={}},
    nodes near coords=
     {\footnotesize
      $\pgfmathprintnumber[fixed,fixed zerofill,precision=1,use comma]{\pgfkeysvalueof{/data point/y}}$}
    ]
% every bar is labelled with its value (one decimal, comma separator)
\addplot
  table [x=Year,y=Percentage] {bufferoverflows.data};
\end{axis}
\end{tikzpicture}
\end{center}


from the US National Vulnerability Database\\
\small\url{http://web.nvd.nist.gov/view/vuln/statistics}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
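\begin{frame}[c]
\frametitle{Smash the Stack for Fun\ldots}

% \textbf{} replaces the obsolete {\bf ...} switch in the three places
% below; the two URLs are the sources for the CERT figure and for the
% 1996 Phrack article
\begin{itemize}
\item \alert{\textbf{Buffer Overflow Attacks (BOAs)}} or\\ 
\textbf{Smashing the Stack Attacks}\medskip

\item unfortunately one of the most popular attacks\\ 
($>$ 50\% of security incidents reported at CERT are related 
to buffer overflows)
\begin{flushright}
\small\url{http://www.kb.cert.org/vuls}
\end{flushright}
\medskip
\item made popular by an article from 1996 by Elias Levy
(also known as Aleph One):\\
\begin{center}
\textbf{``Smashing The Stack For Fun and Profit''}
\end{center}\medskip

\begin{flushright}
\small\url{http://phrack.org/issues/49/14.html}
\end{flushright} 
 
\end{itemize}

\end{frame}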
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A Long Printed ``Twice''}
% negative skip pulls the listing up towards the title
\mbox{}\\[-6mm]

% listing of ../progs/C0.c (first of the four C examples C0--C2b)
\footnotesize 
\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C0.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Printing Out ``Zombies''}
% negative skip pulls the listing up towards the title
\mbox{}\\[-6mm]

% listing of ../progs/C1.c
\footnotesize
\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C1.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Login'' Function (1)}
% negative skip pulls the listing up towards the title
\mbox{}\\[-6mm]

% listing of ../progs/C2a.c; part (2) follows on the next frame
\footnotesize
\lstinputlisting[language=C,xleftmargin=4mm]{../progs/C2a.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{A ``Login'' Function (2)}
% negative skip pulls the listing up towards the title
\mbox{}\\[-6mm]

% listing of ../progs/C2b.c; the negative left margin makes the wider
% code fit on the slide (see \hfuzz in the preamble)
\footnotesize
\lstinputlisting[language=C,xleftmargin=-3mm]{../progs/C2b.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{What the Hell Is Going On?}

\begin{itemize}
\item Let's start with a very simple program:
\end{itemize}

% ../progs/example1.c is reused on the following three frames
% ("The Stack", "Behind the Scenes")
\lstinputlisting[language=C,xleftmargin=4mm]{../progs/example1.c}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
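\begin{frame}[c]
\frametitle{Memory}

\begin{itemize}
\item each process will get a chunk of memory that is
      organised as follows: 
\end{itemize}

% schematic address space of a process: text at the lowest addresses,
% heap in the middle, stack at the highest addresses.  The arrow on the
% left runs from lower to higher addresses, the arrow on the right shows
% the direction in which the stack grows (older entries at higher
% addresses, newer ones at lower addresses).  \ttfamily replaces the
% obsolete \tt switch throughout.
\begin{center}
  \begin{tikzpicture}[scale=0.8]
  %\draw[step=1cm] (-3,-3) grid (3,3);
  \draw[line width=1mm] (-2, -3) rectangle (2,3);
  \draw[line width=1mm] (-2,1) -- (2,1);
  \draw[line width=1mm] (-2,-1) -- (2,-1);
  \draw (0,2) node {\large\ttfamily text};
  \draw (0,0) node {\large\ttfamily heap};
  \draw (0,-2) node {\large\ttfamily stack};

  \draw (-2.7,3) node[anchor=north east] {\ttfamily\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}};
  \draw (-2.7,-3) node[anchor=south east] {\ttfamily\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}};
  \draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3);

  \draw (2.7,-2) node[anchor=west] {\ttfamily grows};
  \draw (2.7,-3) node[anchor=south west] {\ttfamily\footnotesize older};
  \draw (2.7,-1) node[anchor=north west] {\ttfamily\footnotesize newer};
  \draw[|->, line width=1mm] (2.5,-3) -- (2.5,-1);
  \end{tikzpicture}
\end{center}

\end{frame}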
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
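\begin{frame}[c]
\frametitle{The Stack}

% stack layout for the call made in example1.c (listing on the right),
% drawn bottom-up: main's region, the three arguments, the return
% address ("ret"), the saved stack pointer ("last sp") and then what are
% presumably the callee's two local buffers; $esp marks the current top
% of the stack.  The arrows show where the saved sp and the return
% address point back to.  \ttfamily replaces the obsolete \tt switch.
\begin{textblock}{7}(1,1)
  \begin{tikzpicture}[scale=0.8]
  %\draw[step=1cm] (-3,-1) grid (3,8);
  \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
  \draw[line width=1mm] (-1,-1.2) -- (-1,7.4);
  \draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4);
  \draw (0,-1) node[anchor=south] {\ttfamily main};
  \draw[line width=1mm] (-1,0) -- (1,0);
  \draw (0,0) node[anchor=south] {\ttfamily arg$_3$=3};
  \draw[line width=1mm] (-1,1) -- (1,1);
  \draw (0,1) node[anchor=south] {\ttfamily arg$_2$=2};
  \draw[line width=1mm] (-1,2) -- (1,2);
  \draw (0,2) node[anchor=south] {\ttfamily arg$_1$=1};
  \draw[line width=1mm] (-1,3) -- (1,3);
  \draw (0,3.1) node[anchor=south] {\ttfamily ret};
  \draw[line width=1mm] (-1,4) -- (1,4);
  \draw (0,4) node[anchor=south] {\small\ttfamily last sp};
  \draw[line width=1mm] (-1,5) -- (1,5);
  \draw (0,5) node[anchor=south] {\ttfamily buf$_1$};
  \draw[line width=1mm] (-1,6) -- (1,6);
  \draw (0,6) node[anchor=south] {\ttfamily buf$_2$};
  \draw[line width=1mm] (-1,7) -- (1,7);
  \draw (2,6.1) node[anchor=south] {\code{$esp}};
  \draw[<-,line width=0.5mm] (1.1,7) -- (2.5,7);

  \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5) -- (1.8, 0) -- (1.1,0); 
  \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
  \draw (2.6,3.1) node[anchor=south west] {\ttfamily back to main()};

  \draw[->,red,line width=2mm] (2.5,0.1) -- (4.2,0.1);
\end{tikzpicture}
\end{textblock}

% the program whose stack layout is drawn on the left
\begin{textblock}{7}(6.4,8)
\begin{bubble}[6.8cm]
\footnotesize
\lstinputlisting[language=C,xleftmargin=5mm]{../progs/example1.c} 
\end{bubble}
\end{textblock}

\end{frame}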
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Behind the Scenes}

% overlay 1: the C program centred on the slide; overlays 2 and 3: the
% same program moved to the top, with assembler listings below it
% (example1a.s, then example1b.s -- presumably two compiler outputs of
% the same program; the files are not part of this source)
\only<1>{
\begin{textblock}{7}(3,3)
\begin{bubble}[6.8cm]
\footnotesize
\lstinputlisting[language=C,
                 xleftmargin=5mm,
                 belowskip=-1mm,
                 aboveskip=-1mm]{../progs/example1.c} 
\end{bubble}
\end{textblock}}

\only<2->{
\begin{textblock}{7}(1,0.6)
\begin{bubble}[6.8cm]
\footnotesize
\lstinputlisting[language=C,
                 xleftmargin=5mm,
                 belowskip=-1mm,
                 aboveskip=-1mm]{../progs/example1.c} 
\end{bubble}
\end{textblock}}

% morekeywords adds the AT&T-style mnemonics (movl, movw) that the
% x86masm listings dialect does not highlight by itself
\only<2>{
\begin{textblock}{7}(0.5,6.6)
\footnotesize
\lstinputlisting[language={[x86masm]Assembler},morekeywords={movl},xleftmargin=5mm,numbers=none]{../progs/example1a.s} 
\end{textblock}}

\only<3>{
\begin{textblock}{7}(0.5,6.6)
\footnotesize
\lstinputlisting[language={[x86masm]Assembler},morekeywords={movl,movw},xleftmargin=5mm,numbers=none]{../progs/example1b.s} 
\end{textblock}}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
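\begin{frame}[c]
\frametitle{Overwriting the Stack}

% same layout as on "The Stack", now with a single 8-byte buffer: the
% string shown at the bottom is longer than buf, so its tail runs over
% the saved sp ("BBBB") and the return address; the bytes
% \xf4\x83\x04\x08 spell the address \x080483f4 in reversed
% (little-endian) byte order, which is where execution continues on
% return instead of in main().  \ttfamily replaces the obsolete \tt
% switch.
\begin{textblock}{7}(1,2)
  \begin{tikzpicture}[scale=0.8]
  %\draw[step=1cm] (-3,-1) grid (3,8);
  \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
  \draw[line width=1mm] (-1,-1.2) -- (-1,6.4);
  \draw[line width=1mm] ( 1,-1.2) -- ( 1,6.4);
  \draw (0,-1) node[anchor=south] {\ttfamily main};
  \draw[line width=1mm] (-1,0) -- (1,0);
  \draw (0,0) node[anchor=south] {\ttfamily arg$_3$=3};
  \draw[line width=1mm] (-1,1) -- (1,1);
  \draw (0,1) node[anchor=south] {\ttfamily arg$_2$=2};
  \draw[line width=1mm] (-1,2) -- (1,2);
  \draw (0,2) node[anchor=south] {\ttfamily arg$_1$=1};
  \draw[line width=1mm] (-1,3) -- (1,3);
  \draw (0,3.1) node[anchor=south] {\ttfamily ret};
  \draw[line width=1mm] (-1,4) -- (1,4);
  \draw (0,4) node[anchor=south] {\small\ttfamily last sp};
  \draw[line width=1mm] (-1,5) -- (1,5);
  \draw (0,5) node[anchor=south] {\ttfamily buf};
  \draw[line width=1mm] (-1,6) -- (1,6);
  \draw (2,5.1) node[anchor=south] {\code{$esp}};
  \draw[<-,line width=0.5mm] (1.1,6) -- (2.5,6);

  \draw[->,line width=0.5mm] (1,4.5) -- (1.8,4.5);
  \draw (2.5,4.1) node[anchor=south] {\code{BBBB}};
  
  \draw[->,line width=0.5mm] (1,3.5) -- (2.5,3.5);
  \draw (2.6,3.1) node[anchor=south west] {\ttfamily jump to \code{\\x080483f4}};
\end{tikzpicture}
\end{textblock}

% the overlong string (8 bytes of A, 4 bytes of B, the address, the
% terminating zero byte)
\begin{textblock}{7}(1,13.5)
\code{char buf[8] = "AAAAAAAABBBB\\xf4\\x83\\x04\\x08\\x00"}
\end{textblock}

\end{frame}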
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% TikZ key `alt=<overlay spec>{keys if active}{keys otherwise}': applies
% one of two key sets depending on the current beamer overlay, so a
% single \draw can change colour across overlays (used by the two
% animated frames that follow).  #4 only absorbs any trailing material
% of the value and is not used.
\tikzset{alt/.code args={<#1>#2#3#4}{%
  \alt<#1>{\pgfkeysalso{#2}}{\pgfkeysalso{#3}} % \pgfkeysalso doesn't change the path
}}

\begin{frame}[t]
\frametitle{Buffer Overflow Attacks}

\begin{itemize}
\item the problem arises from the way C/C++ organises its function calls\\[-8mm]\mbox{}
\end{itemize}

% animation over nine overlays: the main program (left column) calls
% fact(n) (middle) twice, first with n=4 (overlays 3-5, result 24) and
% then with n=3 (overlays 7-9, result 6).  While a call is active the
% box on the right shows its stack frame: the argument, the saved sp and
% the return address.  Colours are switched per overlay via the `alt'
% key defined just above this frame.
\begin{center}
\begin{tikzpicture}[scale=1]
%\draw[black!10,step=2mm] (0,0) grid (9,4);
%\draw[black!10,thick,step=10mm] (0,0) grid (9,4);

\node at (0.5,4.5) {\small\begin{tabular}{l}main\\[-2mm] prog.\end{tabular}};
\draw[line width=0mm, white, alt=<2->{fill=red}{fill=blue}] (0,2.5) rectangle (1,3.8);
\draw[line width=0mm, white, alt=<9->{fill=red}{fill=blue}] (0,0.2) rectangle (1,0.5);
\draw[line width=1mm, alt=<3->{fill=yellow}{fill=blue}] (0,2.0) rectangle (1,2.5);
\draw[line width=1mm, alt=<6->{fill=red}{fill=blue}] (0,1.0) rectangle (1,2.0);
\draw[line width=1mm, alt=<7->{fill=yellow}{fill=blue}] (0,0.5) rectangle (1,1.0);
\draw[line width=1mm] (0,0) -- (0,4);
\draw[line width=1mm] (1,0) -- (1,4);

\node at (3.5,3.5) {\small\begin{tabular}{l}fact(n)\end{tabular}};
\draw[line width=1mm, alt=<{4-5,8}>{fill=red}{fill=blue}] (3,1.0) rectangle (4,3.0);

% call and return arrows for fact(4) ...
\onslide<3-4>{\draw[->, line width=1mm,red] (1,2.3) to node [above,sloped,midway] {n=4} (3,3);}
\onslide<5>{\draw[<-, line width=1mm,red] (1,2.3) to node [above,sloped,midway] {res=24} (3,1);}

% ... and for fact(3)
\onslide<7-8>{\draw[->, line width=1mm,red] (1,0.8) to node [above,sloped,midway] {n=3} (3,3);}
\onslide<9>{\draw[<-, line width=1mm,red] (1,0.8) to node [above,sloped,midway] {res=6} (3,1);}


\node at (7.75,3.9) {\small\begin{tabular}{l}stack\end{tabular}};
\draw[line width=1mm] (7,3.5) -- (7,0.5) -- (8.5,0.5) -- (8.5,3.5);

% stack frame while a call is active: argument (bottom), ret, sp
\onslide<3,4,7,8>{
\node at (7.75, 1.4) {ret};
\draw[line width=1mm] (7,1.1) -- (8.5,1.1);
\node at (7.75, 2.0) {sp};
\draw[line width=1mm] (7,2.3) -- (8.5,2.3);
}
\onslide<3,4>{
\node at (7.75, 0.8) {4};
\draw[line width=1mm] (7,1.7) -- (8.5,1.7);
}
\onslide<7,8>{
\node at (7.75, 0.8) {3};
\draw[line width=1mm] (7,1.7) -- (8.5,1.7);
}


\end{tikzpicture}
\end{center}

\end{frame}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]

% second animation, same drawing conventions as the previous frame:
% fact(4) is called (overlay 3) and reads user input into a buffer in
% its stack frame (overlays 4-5).  From overlay 6 on the input has run
% past the buffer and replaced the saved sp and the return address with
% garbage ("!?w;", "@a#"), so on overlay 8 the return arrow no longer
% leads back into the main program.
\begin{center}
\begin{tikzpicture}[scale=1]
%\draw[black!10,step=2mm] (0,0) grid (9,4);
%\draw[black!10,thick,step=10mm] (0,0) grid (9,4);

\node at (0.5,4.5) {\small\begin{tabular}{l}main\\[-2mm] prog.\end{tabular}};
\draw[line width=0mm, white, alt=<2->{fill=red}{fill=blue}] (0,2.5) rectangle (1,3.8);
\draw[line width=1mm, white, fill=blue] (0,1.0) rectangle (1,2.0);
\draw[line width=1mm, alt=<3->{fill=yellow}{fill=blue}] (0,2.0) rectangle (1,2.5);
\draw[line width=1mm] (0,0) -- (0,4);
\draw[line width=1mm] (1,0) -- (1,4);

% fact(n) fills up red from the top as the overlays advance
\node at (3.5,3.5) {\small\begin{tabular}{l}fact(n)\end{tabular}};
\draw[line width=0mm, alt=<{4-}>{red, fill=red}{blue, fill=blue}] (3,2.8) rectangle (4,3.0);
\draw[line width=0mm, alt=<{5-}>{red, fill=red}{blue, fill=blue}] (3,2.8) rectangle (4,2.0);
\draw[line width=0mm, alt=<{7-}>{red, fill=red}{blue, fill=blue}] (3,2.0) rectangle (4,1.0);
\draw[line width=1mm] (3,1.0) rectangle (4,3.0);

\onslide<3->{\draw[->, line width=1mm,red] (1,2.3) to node [above,sloped,midway] {n=4} (3,3);}
\onslide<5->{\draw[<-, line width=2mm,red] (4,2) to node [above,sloped,midway] 
{\begin{tabular}{l}user\\[-1mm] input\end{tabular}} (6,2);}
% the "return" after the overflow goes somewhere below main
\onslide<8->{\draw[<-, line width=1mm,red] (1,-2) to (3,1);}

\node at (7.75,3.9) {\small\begin{tabular}{l}stack\end{tabular}};
\draw[line width=1mm] (7,3.5) -- (7,-0.1) -- (8.5,-0.1) -- (8.5,3.5);

% ret and sp slots turn red with garbage labels once overwritten
\onslide<3->{
\node at (7.75, 0.2) {4};
\draw[line width=1mm,alt=<6->{fill=red}{fill=white}] (7,0.5) rectangle (8.5,1.1);
\node at (7.75, 0.8) {\alt<6->{@a\#}{ret}};
\draw[line width=1mm,alt=<6->{fill=red}{fill=white}] (7,1.1) rectangle (8.5,1.7);
\node at (7.75, 1.4) {\alt<6->{!?w;}sp};
}

\onslide<4->{
\draw[line width=1mm,fill=red] (7,1.7) rectangle (8.5,3.0);
\node[white] at (7.75, 2.4) {buffer};
}

\end{tikzpicture}
\end{center}

\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{C-Library Functions}

\begin{itemize}
\item copy everything up to the zero byte
\end{itemize}\medskip

% ../progs/app5.c: the copying code the item above refers to; the same
% listing is shown again on the "Avoiding \x00" and "Why BOAs Work?"
% frames
{\small
\lstinputlisting[language=C,numbers=none]{../progs/app5.c}}
  
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
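\begin{frame}[c]
\frametitle{Payloads}

% "payload" = the code placed in the overflowed buffer; the second item
% now says "overwrite" (was "override"), matching the title of the
% "Overwriting the Stack" frame
\begin{itemize}
\item the idea is that you store some code in the buffer (the ``payload'')
\item you then overwrite the return address to execute this payload\medskip
\item normally you want to start a shell\pause
\item difficulty is to guess the right place where to ``jump''
\end{itemize}
  
\end{frame}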
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{Starting a Shell}

% ../progs/o2.c in full, with ../progs/shell.c shown in a bubble placed
% absolutely in the lower right
\small
\lstinputlisting[language=C,numbers=none,xleftmargin=-6mm]{../progs/o2.c}

\begin{textblock}{7}(5,7.5)
\begin{bubble}[7cm]
\lstinputlisting[language=C,numbers=none,xleftmargin=-0mm]{../progs/shell.c}
\end{bubble}
\end{textblock}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
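\begin{frame}[c]
% \textbackslash replaces the $\backslash$ math-mode hack, so the
% backslash is set in the typewriter font like the rest of "\x00"
\frametitle{Avoiding \texttt{\textbackslash x00}}

\begin{itemize}
\item another difficulty is that the code is not allowed to contain \texttt{\textbackslash x00}:

% a zero byte would end the copy (see the C-library frame), so the
% example clears a register with xor, whose encoding has no zero byte
\begin{center}
\texttt{xorl   \%eax, \%eax}
\end{center}
\end{itemize}\bigskip\bigskip
  
{\small
\lstinputlisting[language=C,numbers=none]{../progs/app5.c}}
  
\end{frame}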
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[t]
\frametitle{String from the Web}

% ../progs/o1.c; the negative left margin lets the wide lines fit on the
% slide (see \hfuzz in the preamble)
{\small
\lstinputlisting[language=C,numbers=none,xleftmargin=-6mm]{../progs/o1.c}}
\bigskip\bigskip

% paragraph after the listing, kept flush left
\noindent 
More ``interesting'' shell programs can be found at 

\begin{center}
\url{http://shellblade.net/shellcode.html}
\end{center}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Overflow.c}
% negative skip pulls the listing up towards the title
\mbox{}\\[-6mm]

% ../progs/overflow.c without line numbers
\small
\lstinputlisting[language=C,xleftmargin=-4mm,numbers=none]{../progs/overflow.c}

  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
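\begin{frame}[c]
\frametitle{Optimising Success}

% left picture: the arrow from the black box (presumably the overwritten
% return address) has to hit the start of the shell code exactly; right
% picture (overlay 2): the shell code sits at the end of the string and
% the red part before it is padded with NOPs, so an arrow landing
% anywhere in the red part works.  \ttfamily replaces the obsolete \tt
% switch, \textbackslash the $\backslash$ math-mode hack.
\begin{center}
\begin{tabular}{l@{\hspace{2cm}}l}
  \begin{tikzpicture}[scale=0.6]
  \draw[line width=1mm] (-2, -1) rectangle (2,3);
  \draw[line width=1mm,fill=blue!30] (-2, 1.9) rectangle (2,3);
  \draw (0,2.5) node {\small\ttfamily shell code};
  \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
  \draw[->,line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
  (-3,-1.7) -- (-3, 3.7) -- (-1.9, 3.7) -- (-1.9, 3.1);
   \end{tikzpicture}
&
 \onslide<2>{
 \begin{tikzpicture}[scale=0.6]
  \draw[gray!50,fill=red!30] (-2,0.3) rectangle (2,3);
  \draw[line width=1mm] (-2, -1) rectangle (2,3);
  \draw[line width=1mm,fill=blue!30] (-2, 0.3) rectangle (2, -0.7);
  \draw (0,-0.2) node {\small\ttfamily shell code};
  \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
  \draw [line width=0.5,decoration={brace,amplitude=2mm},decorate] 
    (2.3,3) -- (2.3,0.3);
  \draw[line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
  (3,-1.7) -- (3,1.65) -- (2.6, 1.65);
  \end{tikzpicture}}
\end{tabular}
\end{center}\bigskip
  
\onslide<2>{  
fill up the red part of the string with \pcode{NOP} operations
(Intel \texttt{\textbackslash x90})}  
  
\end{frame}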
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
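\begin{frame}[c]
\frametitle{Why BOAs Work?}

\begin{itemize}
\item stack grows from higher addresses to lower addresses
\item library functions copy memory until a zero-byte is 
encountered
\end{itemize}

% left: the memory layout from the "Memory" frame at a smaller scale;
% right: the copying code from ../progs/app5.c.  \ttfamily replaces the
% obsolete \tt switch.
\begin{center}
\begin{tabular}{@{\hspace{-7mm}}c@{\hspace{2mm}}c@{}}
\small
\begin{tikzpicture}[scale=0.45]
  %\draw[step=1cm] (-3,-3) grid (3,3);
  \draw[line width=1mm] (-2, -3) rectangle (2,3);
  \draw[line width=1mm] (-2,1) -- (2,1);
  \draw[line width=1mm] (-2,-1) -- (2,-1);
  \draw (0,2) node {\ttfamily text};
  \draw (0,0) node {\ttfamily heap};
  \draw (0,-2) node {\ttfamily stack};

  \draw (-2.7,3) node[anchor=north east] 
     {\ttfamily\begin{tabular}{@{}l@{}}lower\\ address\end{tabular}};
  \draw (-2.7,-3) node[anchor=south east] 
     {\ttfamily\begin{tabular}{@{}l@{}}higher\\ address\end{tabular}};
  \draw[->, line width=1mm] (-2.5,3) -- (-2.5,-3);

  \draw (2.7,-3) node[anchor=south west] {\ttfamily\footnotesize older};
  \draw (2.7,-1) node[anchor=north west] {\ttfamily\footnotesize newer};
  \draw[|->, line width=1mm] (2.5,-3.09) -- (2.5,-1);
  \end{tikzpicture}
&  
\raisebox{1.3cm}{\footnotesize
\lstinputlisting[language=C,numbers=none]{../progs/app5.c}}
\end{tabular}  
\end{center}  
  
\end{frame}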
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
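\begin{frame}[c]
\frametitle{Variants}

There are many variants:

% "zero-day attacks" is the usual form (the slide had "zero-days-attacks")
\begin{itemize}
\item return-to-lib-C attacks
\item heap-smashing attacks\\
\textcolor{gray}{\small(Slammer Worm in 2003 infected 90\% of vulnerable systems within 10 minutes)}\bigskip

\item ``zero-day attacks'' (new unknown vulnerability)
\end{itemize}
  
\end{frame}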
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
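\begin{frame}[c]
\frametitle{\begin{tabular}{c}
            Protections against\\
            Buffer Overflow Attacks
            \end{tabular}}

% none of these measures is sufficient on its own: a non-executable
% stack does not stop the return-to-lib-C variant listed on the
% "Variants" frame, and address randomisation only makes guessing the
% address harder -- they are meant to be combined
\begin{itemize}
\item use safe library functions
\item stack canaries
\item ensure stack data is not executable (can be defeated)
\item address space randomisation (makes one-size-fits-all more difficult)
\item choice of programming language (one of the selling points of Java)
\end{itemize}

% overlay 2: the stack layout from "The Stack" with a random canary
% value placed between the saved sp and the buffer, so that an overflow
% reaching the return address also has to alter the canary.  \ttfamily
% replaces the obsolete \tt switch.
\only<2>{  
\begin{textblock}{7}(6,1)
  \begin{bubble}[5.5cm]
  \begin{tabular}{cp{2.9cm}}
  \begin{tikzpicture}[baseline=40mm,scale=0.8]
  %\draw[step=1cm] (-3,-1) grid (3,8);
  \draw[gray!20,fill=gray!20] (-1, 0) rectangle (1,-1);
  \draw[line width=1mm] (-1,-1.2) -- (-1,7.4);
  \draw[line width=1mm] ( 1,-1.2) -- ( 1,7.4);
  \draw (0,-1) node[anchor=south] {\ttfamily main};
  \draw[line width=1mm] (-1,0) -- (1,0);
  \draw (0,0) node[anchor=south] {\ttfamily arg$_3$=3};
  \draw[line width=1mm] (-1,1) -- (1,1);
  \draw (0,1) node[anchor=south] {\ttfamily arg$_2$=2};
  \draw[line width=1mm] (-1,2) -- (1,2);
  \draw (0,2) node[anchor=south] {\ttfamily arg$_1$=1};
  \draw[line width=1mm] (-1,3) -- (1,3);
  \draw (0,3.1) node[anchor=south] {\ttfamily ret};
  \draw[line width=1mm] (-1,4) -- (1,4);
  \draw (0,4) node[anchor=south] {\small\ttfamily last sp};
  \draw[line width=1mm] (-1,5) -- (1,5);
  \draw (0,5) node[anchor=south] {\ttfamily\small\alert{\textbf{random}}};
  \draw[line width=1mm] (-1,6) -- (1,6);
  \draw (0,6) node[anchor=south] {\ttfamily buf};
  \draw[line width=1mm] (-1,7) -- (1,7);
  \end{tikzpicture} &
  \raggedright stack canary: a random value after the local variables
  \end{tabular}
\end{bubble}
\end{textblock}}


\end{frame}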
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{In my Examples I Cheated}

% the examples only work because the protections listed on the previous
% frame were switched off when compiling:
%   -ggdb -O0                       debug info, no optimisation
%   -fno-stack-protector            no stack canary
%   -mpreferred-stack-boundary=2    4-byte stack alignment (2^2), so the
%                                   drawn layouts line up -- TODO confirm
%                                   for the gcc version used
%   -z execstack                    linker flag: stack pages executable
I compiled the programs with

\begin{center}
\begin{tabular}{l@{\hspace{1mm}}l}
\pcode{/usr/bin/gcc} & \pcode{-ggdb -O0}\\
                     & \pcode{-fno-stack-protector}\\
                     & \pcode{-mpreferred-stack-boundary=2}\\
                     & \pcode{-z execstack} 
\end{tabular}
\end{center}
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% \begin{frame}[c]
%% \frametitle{NIST Statistics about BOA}

%% \begin{center}
%% \begin{tikzpicture}
%% \begin{axis}[
%%     xlabel={year},
%%     ylabel={\% of total attacks},
%%     ylabel style={yshift=0em},
%%     enlargelimits=false,
%%     xtick={1997,1999,2001,...,2015},
%%     xmin=1996.5,
%%     xmax=2016,
%%     ymax=21,
%%     ytick={0,5,...,20},
%%     scaled ticks=false,
%%     axis lines=left,
%%     width=11cm,
%%     height=5cm,
%%     ybar,
%%     nodes near coords=
%%      {\footnotesize
%%       $\pgfmathprintnumber[fixed,fixed zerofill,precision=1,use comma]{\pgfkeysvalueof{/data point/y}}$},
%%     x tick label style={font=\footnotesize,/pgf/number format/1000 sep={}}]
%% \addplot
%%    table [x=Year,y=Percentage] {../handouts/bufferoverflows.data};
%% \end{axis}
%% \end{tikzpicture}
%% \end{center}
  
%% from the US National Vulnerability Database\\
%% \small\url{http://web.nvd.nist.gov/view/vuln/statistics}
  
%% \end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
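\begin{frame}[fragile]
\frametitle{D-Link Wifi Router, BOA}
\small

% text, dates and the example request appear to be quoted from the
% advisory linked at the bottom; the straight quotes around hash are
% replaced by LaTeX quotes (``hash'')
As a proof-of-concept, the following URL allows 
attackers to control the return value saved on 
the stack (the vulnerability is triggered when
executing \pcode{"/usr/sbin/widget"}):

\begin{center}\footnotesize 
\pcode{curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB}
\end{center}

The value of the ``hash'' HTTP GET parameter consists of
292 occurrences of the \pcode{'A'} character, followed by four 
occurrences of character \pcode{'B'}. In our lab setup, characters 
\pcode{'B'} overwrite the saved program counter (\pcode{\%ra}).\bigskip


\begin{tabular}{@{}ll}
Discovery date: & 06/03/2013\\
Release date:   & 02/08/2013
\end{tabular}\bigskip


\footnotesize
\hfill\url{http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt} 
\end{frame}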
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{GHOST in Glibc}

% description after the Qualys post linked at the bottom; note the gap
% between the 2013 update it mentions and the 01/28/2015 release date --
% a fix that is not deployed protects nobody
\small The GHOST vulnerability is a buffer overflow condition
that can be easily exploited locally and remotely. This
vulnerability is named after the GetHOSTbyname function
involved in the exploit.\medskip 

The attack allows the attacker to execute arbitrary code and
take control of the victim’s vulnerable machine.
Unfortunately, the vulnerability exists in the GNU C Library
(glibc), a code library originally released in 2000, meaning
it has been widely distributed. Although an update released by
Linux in 2013 mitigated this vulnerability, most systems and
products have not installed the patch.\medskip 


\begin{tabular}{@{}ll} 
Release date: & 01/28/2015
\end{tabular}\smallskip


\footnotesize
\hfill\url{https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability} 
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Format String Vulnerability}

% ../progs/C4.c: according to the slide text the variable `string' is
% never used, and the consequence stated below the listing is that the
% stack can be read out
\small
\texttt{string} is nowhere used:\bigskip

{\footnotesize\lstinputlisting[language=C]{../progs/C4.c}}\bigskip

this vulnerability can be used to read out the stack
  
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   


\end{document}

%%% Local Variables:  
%%% mode: latex
%%% TeX-master: t
%%% End: