# HG changeset patch # User cu # Date 1507502980 -3600 # Node ID 3d1f65e43065f4e89428a063a1abae4de89edac5 # Parent 0697622fb1818e982ee477f7cc12b5333bf65135 updated diff -r 0697622fb181 -r 3d1f65e43065 handouts/ho03.pdf Binary file handouts/ho03.pdf has changed diff -r 0697622fb181 -r 3d1f65e43065 handouts/ho03.tex --- a/handouts/ho03.tex Tue Oct 03 22:43:03 2017 +0100 +++ b/handouts/ho03.tex Sun Oct 08 23:49:40 2017 +0100 @@ -41,7 +41,7 @@ take any precautions to prevent such attacks. The plot below shows the percentage of buffer overflow attacks listed in the US National Vulnerability Database.\footnote{Search for -``Buffer errors'' at +``Buffer errors'' in the advanced serach tab at \url{http://web.nvd.nist.gov/view/vuln/statistics}.} \begin{center} @@ -51,9 +51,9 @@ ylabel={\% of total attacks}, ylabel style={yshift=-1em}, enlargelimits=false, - xtick={1997,2000,2002,...,2016}, + xtick={1997,1999,2001,...,2017}, xmin=1996.5, - xmax=2017, + xmax=2018, ymax=21, ytick={0,5,...,20}, scaled ticks=false, @@ -76,10 +76,10 @@ (whereby the absolute numbers of attacks grow each year). So you can see buffer overflow attacks are very relevant today. For example, very recently (February 2016) a buffer overflow attack was discovered in the glibc -library:\footnote{See \url{goo.gl/De2mA8}} +library:\footnote{See \url{http://goo.gl/De2mA8}} \begin{quote}\it -``Since 2008, vulnerability has left apps and hardware open to remote +``Since 2008, a vulnerability has left apps and hardware open to remote hijacking: Researchers have discovered a potentially catastrophic flaw in one of the Internet's core building blocks that leaves hundreds or thousands of apps and hardware devices vulnerable to attacks that can take @@ -216,7 +216,9 @@ \end{figure} On the left is the stack before \code{foo} is called; on the -right is the stack after \code{foo} finishes. The function +right is the stack after \code{foo} finishes. The before and +after of the stack looks the same. +The function call to \code{foo} in Line 7 (in the C program above) pushes the arguments onto the stack in reverse order---shown in the middle. Therefore first 3 then 2 and finally 1. Then it pushes @@ -265,7 +267,7 @@ \end{tabular} \end{center} -\noindent You can see how the function \pcode{foo} stores +\noindent The code for function \pcode{foo} stores first the last stack pointer onto the stack and then calculates the new stack pointer to have enough space for the two local buffers (Lines 2 - 4). Then it puts the two local @@ -509,7 +511,7 @@ the shellcode we want to run. But as you can see this is only 47 bytes, which is a very low bar to jump over. Actually there are optimised versions which only need 24 bytes. More -formidable is the choice of finding the right address to jump +formidable is the problem of finding the right address to jump to. The string is typically of the form \begin{center} @@ -532,9 +534,9 @@ seen before), we typically cannot run anything, including a debugger, on the machine yet we target. And the address is very specific to the setup of the target machine. One way of -finding out what the right address is is to try out one by one +finding out what the right address is is to try out one-by-one every possible address until we get lucky. With the large -memories available today, however, the odds are long. And if +memories available today, however, the odds are long for this. And if we try out too many possible candidates too quickly, we might be detected by the system administrator of the target system. @@ -661,7 +663,7 @@ How can we defend against these attacks? Well, a reflex could be to blame programmers. Precautions should be taken by them -so that buffers cannot been overfilled and format strings +so that buffers cannot be overfilled and format strings should not be forgotten. This might actually be slightly simpler to achieve by programmers nowadays since safe versions of the library functions exist, which always specify the @@ -748,7 +750,7 @@ A real attacker would be more knowledgeable and not need this shortcut. -To work I run my example under an Ubuntu version ``Maverick +To explain BoAs, I run my examples under an Ubuntu version ``Maverick Meerkat'' from October 2010 and the gcc 4.4.5. I have not tried whether newer versions would work as well. I tested all examples inside a virtual @@ -765,15 +767,15 @@ \end{tabular} \end{center} -\noindent The first two are innocent as they instruct the +\noindent The first two options are innocent as they instruct the compiler to include debugging information and also produce non-optimised code (the latter makes the output of the code a bit more predictable). The third is important as it switches off defences like the stack canaries. The fourth again makes it a bit easier to read the code. The final option makes the stack executable, thus the example in Figure~\ref{C3} works as -intended. While this might be considered cheating....since I -explicitly switched off all defences, I hope I was able convey +intended. While this might be considered as a complete cheat....since I +explicitly switched off all defences; I hope I was able convey the point that this is actually not too far from realistic scenarios. I have shown you the classic version of the buffer overflow attacks. Updated and more advanced variants do exist. diff -r 0697622fb181 -r 3d1f65e43065 progs/C2.c --- a/progs/C2.c Tue Oct 03 22:43:03 2017 +0100 +++ b/progs/C2.c Sun Oct 08 23:49:40 2017 +0100 @@ -3,8 +3,8 @@ #include // Since gets() is insecure and produces lots -// of warnings, thereofre I use my own input -// function instead. +// of warnings, therefore I use my own input +// function instead...of course, why not? int i; char ch; diff -r 0697622fb181 -r 3d1f65e43065 progs/README --- a/progs/README Tue Oct 03 22:43:03 2017 +0100 +++ b/progs/README Sun Oct 08 23:49:40 2017 +0100 @@ -25,6 +25,11 @@ Backtick is key §/±. +example.c +========= +file to explain assembly code + + C0.c ==== diff -r 0697622fb181 -r 3d1f65e43065 slides/slides03.pdf Binary file slides/slides03.pdf has changed diff -r 0697622fb181 -r 3d1f65e43065 slides/slides03.tex --- a/slides/slides03.tex Tue Oct 03 22:43:03 2017 +0100 +++ b/slides/slides03.tex Sun Oct 08 23:49:40 2017 +0100 @@ -42,8 +42,10 @@ \begin{itemize} \item homework, slides, programs are on KEATS \item include the question text - \item please send the homework as PDF (or txt)\bigskip - \item survey at the end + \item please send the homework as PDF (or txt)\bigskip + \item exam 90\%, q's from homeworks (work in pairs) + \item coursework 10\% \bigskip + \item survey at KEATS; to be answered until Sunday \end{itemize} \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% @@ -281,6 +283,17 @@ \begin{frame}[c] \frametitle{Behind the Scenes} +\only<1>{ +\begin{textblock}{7}(3,3) +\begin{bubble}[6.8cm] +\footnotesize +\lstinputlisting[language=C, + xleftmargin=5mm, + belowskip=-1mm, + aboveskip=-1mm]{../progs/example1.c} +\end{bubble} +\end{textblock}} + \only<2->{ \begin{textblock}{7}(1,0.6) \begin{bubble}[6.8cm] @@ -480,7 +493,7 @@ \frametitle{Payloads} \begin{itemize} -\item the idea is that you store some code in the buffer (the payload) +\item the idea is that you store some code in the buffer (the ``payload'') \item you then override the return address to execute this payload\medskip \item normally you want to start a shell\pause \item difficulty is to guess the right place where to ``jump''