The Attack and Defense of Computers

Dr.

Software and Host Attacks

Attack Types

Format string attacks: Integer overflow and integer sign attacks Buffer Overflow Attacks:
Stack

Smashing attacks Return-into-libc attacks Heap overflow attacks Function pointer attacks .dtors overflow attacks. setjump/longjump buffer overflow attacks.
3

Format String Attacks

Functions with a Variable Number of Parameters (FVNP)

In the C programming language it is possible to declare functions that have a variable number of parameters. On call, one fixed argument has to tell the function how many arguments there actually are. Among these kind of functions contained in the C standard library are fprintf(), printf(), sprintf(), snprintf(), vprintf(), vsprintf(), vsnprintf(), setproctitle(), and syslog().
5

Properties of FVNP
The first parameter of a FVNP is a so called format string. FVNPs convert all the arguments of possibly varying data types that follow the format string to an output stream.

Functions of a Format String

It tells how to convert the following arguments to a character string (type conversion, width, precision, padding etc.). It tells how many arguments are actually following the format string.

Example
int i=20; int j=10; char *format_string = The numbers are %d and %d; printf(format_string, i, j );

Output to stdout The number are 20 and 10

%d conversion specifier.

Conversion Specifier

Always begin with a % character. The characters following the %

designate

flags for the format of the output (alignment, width, padding, etc.) specify the arguments type (int, float, char, char *, etc.)

In the output stream every occurrence of a % format indicator is replaced by the value of the corresponding argument (except %% which simply results in a single %.)
9

Important Conversion Specifier Examples

%d integer (int) as decimal %x integer (int) as hex %s string (char *)

10

How Does The Problem Occur?

e.g. char user_supplied_input[100]; [] printf(user_supplied_input); or char user_supplied_input[100]; char some_string[100]; [] sprintf(some_string,%s,user_supplied_input); [] printf(some_string);

If an user inputs a character string that contains a %x, printf() will expect to find an integer argument behind the format string. But there is no such argument (PS: These kinds of mismatches cannot be recognized at compile time.)
11

Right Way to Write Previous Statements

printf(%s, user_supplied_input); printf(%s,some_string);

12

Reading Character Strings from (Nearly) Any Location in the Process Memory

13

Stack Snapshot: Activation Record for f(int i, int *j)

14

When Number of Conversion Specifier Is More Than the Number of Other Parameters,

All arguments for the call to printf() are put on the stack. printf() assumes that its activation record contains an arguments on the stack for every conversion specifier in the format string. For every % it reads the value on the stack in the corresponding location. This way it walks the stack downwards reading would-be arguments from the stack, printing them to the output stream while ignoring whether or not it has already left its actual activation record. There are no boundary checks for activation record. 15

Read the Contents of the Stack

Under normal conditions the format string contains the information about the size of the actual activation record as pushed on the stack by the caller. By manipulating the format string an attack is able to make printf() think that its activation record is much larger than it actual is. That way an attacker is able to read values on the stack if the output stream of printf() is passed back to her/him.
16

Reading Character Strings from (Nearly) Any Location in the Processs Memory

If the output of printf() is passed back to the user, the attacker may achieve even more than just reading the contents of the stack: Character strings at more or less arbitrary locations in the text or data segment or on the heap of the process may be read.

17

Character String Arguments

char dis_str[100]=Hello World; char format_string[5]=+%s printf(format_string,dis_str);

For character string arguments the activation record only contains a reference (i.e. a pointer) to the string. So in order to display a character string via %s, a corresponding pointer to the string has to be put into the activation record. e.g.

l
e H

%
+

pointer to the string to be displayed pointer to the format string

18

return address

Two Important Elements in an Attacking Format String

Assume the format string itself is stored on the stack. Attackers can NOT change the program code; however, if they can provide the format string to the attacked program, then in order to read a character string from (nearly) any location in the processs memory by utilizing format string, attackers need to put
conversion specifier - %s 2. address of the string that the attackers are interested in the format string.
1.
19

The Trick

By precisely prepending the %s with enough other conversion specifiers (e.g. %d or %x) printf() can be made into walking the stack downwards reading arguments form the stack just up to the beginning of the format string. The format string itself starts with some bytes (4 on 32-bit architectures) that constitute the pointer to the memory location containing the character string the attacker is interested in. When printf() arrives at interpreting the %s, it reads exactly these bytes from the stack taking them as pointer to the string. 20

Scenario of a Format Sting Attack

Assume the format string is stored above the printf()s activation record.

Format string
b bytes
address to the string of
interested

b %c

%s

output of printf()21

Writing an Integer to (Nearly) Any Location in the Process Memory

22

Conversion Specifiers %n

Definition of %n:
The

number of characters written so far is stored into the integer indicated by the [corresponding] int * (or variant) pointer argument.

For example,
int i; printf(12345%n,& i); Result i =5

%n causes printf() to write an integer value to any location in memory.

23

Assumption

The format string itself is stored somewhere on the stack; therefore, attackers can use the technique introduced in the previous slides in order to control the pointer to the integer.

24

Example
%c %c %c address to the place an where attacker plan to overwrite

4+b
address to the place an where attacker plan to
overwrite

b %c

%n

b
: : : :

pointer to the format string

return address

25

Targets to Overwrite
important program flags that control access privilege. return addresses on the stack internal linkage tables (e.g. ELF GOT or PLT entries) function pointers setjmp/longjmp buffers to force a control flow corruption and jump to injected code.

26

Tricks to Avoid Length Format String

Width field of conversion specifiers:

E.g.

%.8x

27

Integer Overflow and Integer Sign Attacks

28

Singed and Unsigned Integers

Singed integers store either a 1 or 0 in the most significant bit (MSB) of their first byte or storage.
If

the MSB is 1, the stored value is negative. If the MSB is 0, the value is positive.

Unsigned integers do not utilize this bit, so all unsigned integers are positive.
29

An Integer Overflow

Integer overflows exist because the values that can be stored within the numeric data type are limited by the size of the data type itself. For example, a 16-bit data type can only store a maximum value of 32767, whereas a 32-bit data type can store a maximum value of 2147483647 ( here both values are signed integers.) Therefore, if 60000 is assigned to a 16-bit signed data type. An integer overflow would occur, and the value actually stored within the variable would be -5536.
30

ISO C99 Standard

According to ISO C99, an integer overflow causes undefined behavior; therefore, each compiler vendor can handle an integer overflow however they choose. When facing an integer overflow, compiler venders could:

ignore

it. (adopted by most venders) attempt to correct the situation. abort the program.
31

Modulo-arithmetic (1)

Modulo-arithmetic defines the formula to decide the value of a numeric data type when placing a large value into a small data type. The formula looks something like:
stored_value=value%(max_value_for_datatype+1)

Most compiler venders that ignore an integer overflow use modulo-arithmetic to decide the final value of an overflowed data type.

32

Modulo-arithmetic (2)

Modulo-arithmetic is a fancy way of saying the most significant bytes are discarded up to the size of the data type and the least significant bits are stored.

33

Example
#include <stdio.h> int main() { long l= 0xdeadbeef; short s = l; char c = l; printf(long: %x\n,l); printf(short: %x\n,s); printf(char : %x\n,c); return(0); } long: deadbeef short:ffffbeef cahr: ffffffef

34

Explanation of the Example

In the example, the most significant bits were discarded, and the values assigned to short and char are what you have left. Because a short can only store 2 bytes, we only see beef, and a char can only hold 1 byte, so we only see ef. The truncation of the data cause the data type to store only part of the full value. This is why our value was -5536 instead of 60000 in previous slides.
35

Signed Attacks

Signedness bugs occur when an unsigned integer is assigned to a signed integer, or vice versa.

36

Example
typedef unsigned int size_t; extern void *memcpy(void *dest, const void *src, size_t n); static char data[256]; int store_data(char *buf, int len) { if (len > 256 ) return -1; return memcpy(data, buf, len); }

P.S.: memcpy requires an unsigned integer for the length parameter; therefore, the signed variable len would be promoted to an unsigned integer, lose its negative sign, and could wrap around and become a very large positive number, cause memcpy() to read past the bounds of buf.

37

Denial of Service (DoS) Attacks & Distributed Denial of Service (DDoS) Attacks

38

DoS/DDoS Attacks

A DoS/DDoS attack is a type of attack technique

by

saturating the victim system with enormous network traffic to the point of unresponsiveness to the legitimate users or by crashing the victim system so that it is no longer available to legitimate users
39

Categories of DoS/DDoS Attacks

Flood Attack:
Smurf

Flood Attack. TCP SYN Flood Attack. UDP Flood Attack. ICMP Flood Attack.

Malformed Packet Attack:

Ping

of Death Attack. Chargen Attack. TearDrop Attack. Land Attack.

40

Smurf Flood Attacks

An attacker sends forged ICMP echo packets to broadcast addresses of vulnerable networks. All the systems on these networks reply to the victim with ICMP echo replies. This attack rapidly exhausts the bandwidth available to the target, effectively denying its services to legitimate users.

41

host 1
host 2 host V
V

host 3

host 4

host A
42

TCP SYN Flood Attacks

Taking advantage of the flaw of TCP three way handshaking behavior, an attacker makes connection requests aimed at the victim server with packets with unreachable source addresses. The server is not able to complete the connection requests and, as a result, the victim wastes all of its network resources. A relatively small flood of bogus packets will tie up memory, CPU, and applications, resulting in shutting down a server .
43

Countermeasures of TCP SYN Flood Attacks

SYN Cookies.

44

UDP Flood Attacks

UDP is a connectionless protocol and it does not require any connection setup procedure to transfer data. A UDP Flood Attack is possible when an attacker sends a UDP packet to a random port on the victim system.

When the victim system receives a UDP packet, it will determine what application is waiting on the destination port. When it realizes that there is no application that is waiting on the port, it will generate an ICMP packet of destination unreachable to the forged source address. If enough UDP packets are delivered to ports on victim, the system will go down.

45

ICMP Flood Attacks

An attacker sends a huge number of ICMP echo request packets to a victim and, as a result, the victim cannot respond promptly since the volume of request packets is high and the victim has difficulty in processing all requests and responses rapidly. The attack will cause the performance degradation or system down.

46

DDoS Attacks

47

Principle of DDoS Attacks

A DDoS attack system has a complicated mechanism and entails an extreme cooperation between systems to maximize its attacking effectiveness.

48

Command Chains between DDoS Attack Components

The attack systems involved three system components:

Masters (Handlers). Slave (Agents). A victim.

A DDoS attack is possible by the coordination of many systems. To clog up the victim's network with enormous network traffic, the attacker need to use a number of systems as for handlers and agents. The attacker commands handlers and the handlers control a troop of agents to generate network traffic.

49

Snatch Attacking Hosts

To make a successful attack, an attacker first needs to have a number of systems to secure a bridgehead, usually large systems with highspeed network connection. To compromise such systems as many as possible and install DDoS tools on each of them, an attacker must find those systems with various techniques, such as network port scanning, OS fingerprinting, and other known infiltrating techniques.
50

Hide DDoS Tools

Also, to hide those DDoS tool's presence after installation, the attacker may use other techniques such as
IP

address spoofing or rootkit and so forth.

51

Prepare Handlers and Agents

The installed DDoS tools turn the compromised systems into attack zombies. Once the DDoS tools are installed on many compromised systems, the attacker is easy to launch an attack by controlling agents through handlers via commands. Once an attack begins, the target is not able to handle the tremendous volume of the bogus traffic.
52

A Simulated Case of DDoS Attack

attacker
master

master

master

slave

slave

slave

slave

slave

slave

slave

slave

victim
53

DDoS Tools

54

Malformed Packet Attack

55

Ping of Death Attacks

An attacker sends an ICMP ECHO request packet that is much larger than the maximum IP packet size to victim. Since the received ICMP echo request packet is bigger than the normal IP packet size, the victim cannot reassemble the packets. The OS may be crashed or rebooted as a result.

56

Chargen Attacks

A variant of UDP Flood Attack. An attacker sends forged UDP echo request packets to intermediary system's UDP port 19 (chargen). Then the system receives the packets on its chargen service port and responds by generating a string of characters to victim system. The victim system receives the packets on its echo service port and responds back to the chargen service system with an echo of the character string. Once this loop begins then the loop rapidly exhausts the bandwidth between victim and intermediary system .
57

host V

host I

host A

58

TearDrop Attacks
An attacker sends two fragments that cannot be reassembled properly by manipulating the offset value of packet and cause reboot or halt of victim system. Many other variants such as targa, SYNdrop, Boink, Nestea Bonk, TearDrop2 and NewTear are available.

59

Land Attacks

An attacker sends a forged packet with the same source and destination IP address. The victim system will be confused and crashed or rebooted.

60

Countermeasures of DoS/DDoS Attacks

Disable unnecessary network services. Backtracking the attack paths of attack traffic, then install filters at the most upstream routers to filter out attack traffic as early as possible.

61