Last words on Buffer

Agenda

- Last words on buffer overflows
  - Overview of a few more techniques
  - Defenses
- Attacks on network protocols
SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo
Stack-based overflow: more techniques

- Injected code can be in
  - The overflowed buffer itself
  - An environment variable
  - Another buffer (which is not overflowed)
- Intrusion detection systems
  - Check for non-ASCII bytes in buffers (machine code rarely looks like text)
  - Attackers then use polymorphic shellcode, built entirely from printable ASCII bytes so that the filter passes it
- Non-executable stack
  - "Return to libc" technique: no injected code has to run on the stack
  - Point the return address to, say, system() or execve()
  - Feed system() with a string pointing to a shell (e.g. "/bin/sh"), placed where the function expects its argument
Other overflow attacks

- Heap and BSS overflow
  - Use one dynamically allocated (heap) or statically allocated (BSS) variable to overflow another
  - This will change the way the program behaves, e.g. a file name or function pointer stored next to the buffer is replaced
- Format string vulnerabilities
  - printf() and friends called with a user-controlled format string
  - I need more time on this
- Off-by-one overflow
Buffer-overflow defenses

- Write correct code
  - Code auditing (by humans)
  - Static code analysis: quite effective
  - Use fault-injection tools
- Non-executable stack
- Array-bound checking (with compiler)
- Code pointer integrity checking
  - StackShield, StackGuard, PointGuard
  - Read Phrack Magazine 56 (5), May 2000 ("Bypassing StackGuard and StackShield")
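The two slides above (one variable overflowing its neighbour, and the canary / array-bound-check defenses) are illustrated by the following added example; it is not code from the lecture. The record layout, the field names, the guard word value and the input string are all assumptions made for the demonstration. The unchecked copy is routed through the object's byte representation (and clamped to the record size) only so the overflow into the adjacent fields stays within defined C behaviour; a plain strcpy(a->name, input) produces the same corruption.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout: a buffer that receives input, a guard word in the style
   of StackGuard's canary, and a field whose value steers what the program
   does next (here a log file path). Members are laid out in this order. */
struct account {
    char     name[16];    /* attacker-controlled input is copied here   */
    uint32_t canary;      /* guard word: must still equal CANARY after   */
    char     logfile[32]; /* overwriting this changes program behaviour  */
};

#define CANARY 0xA5C35A3Cu   /* assumed guard value */

static void account_init(struct account *a)
{
    memset(a, 0, sizeof *a);
    a->canary = CANARY;
    strcpy(a->logfile, "/var/log/app.log");
}

/* The guard word is intact only if nothing wrote past the end of name[]. */
static int account_intact(const struct account *a)
{
    return a->canary == CANARY;
}

/* Vulnerable copy: the input length is never compared with sizeof name,
   so a long name runs on into canary and logfile. The write goes through
   the record's bytes (clamped to the record size) to keep the demo within
   defined behaviour; strcpy(a->name, input) has the same effect. */
static void set_name_unchecked(struct account *a, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > sizeof *a)
        n = sizeof *a;
    memcpy((unsigned char *)a + offsetof(struct account, name), input, n);
}

/* Bounds-checked copy: the compiler-inserted array-bound check from the
   slide performs this comparison for you; here it is written by hand. */
static int set_name_checked(struct account *a, const char *input)
{
    size_t len = strlen(input);
    if (len >= sizeof a->name)
        return -1;                    /* reject rather than truncate silently */
    memcpy(a->name, input, len + 1);
    return 0;
}

int main(void)
{
    struct account a;
    /* Constructed input: 16 bytes fill name[], the next 4 land on the
       canary, the rest becomes the new log file path. */
    const char *evil = "AAAAAAAAAAAAAAAABBBB/tmp/evil";

    account_init(&a);
    set_name_unchecked(&a, evil);
    printf("unchecked: canary %s, logfile now \"%s\"\n",
           account_intact(&a) ? "intact" : "CLOBBERED", a.logfile);

    account_init(&a);
    printf("checked:   rc=%d, canary %s, logfile still \"%s\"\n",
           set_name_checked(&a, evil),
           account_intact(&a) ? "intact" : "CLOBBERED", a.logfile);
    return 0;
}
```

Two things the example makes visible. First, the overflow is "silent": the program keeps running, it simply opens /tmp/evil instead of its log, which is the behaviour change the heap/BSS slide refers to. Second, a guard word only helps if someone checks it before the corrupted field is used: StackGuard checks its canary at function return and protects return addresses, not a data field in the heap or BSS like this one, which is why the slide lists array-bound checking and pointer-integrity checking (PointGuard) as separate defenses.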
Other things

- Password cracking
  - Dictionary attacks
  - Exhaustive brute-force attacks
  - Hash lookup tables
  - Password probability matrix
- WEP attacks
  - Offline brute-force attacks
  - Keystream reuse
  - IP redirection
  - Fluhrer, Mantin, and Shamir (FMS) attack
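The "keystream reuse" item under WEP attacks, as an added worked example (not code from the lecture). It implements RC4 and the WEP per-packet key construction (3-byte IV in the clear, followed by the shared key); the 40-bit key, the IV, the ARP frame and the HTTP frame are constructed for the demonstration, and the WEP CRC-32 integrity value is left out because it plays no role in the attack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RC4, the stream cipher WEP uses. */
struct rc4 {
    uint8_t S[256];
    uint8_t i, j;
};

static void rc4_init(struct rc4 *st, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int k = 0; k < 256; k++)
        st->S[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {            /* key scheduling (KSA) */
        uint8_t t = st->S[k];
        j = (uint8_t)(j + t + key[k % keylen]);
        st->S[k] = st->S[j];
        st->S[j] = t;
    }
    st->i = st->j = 0;
}

/* XOR n keystream bytes into in[] -> out[]; encryption and decryption are the same. */
static void rc4_xor(struct rc4 *st, const uint8_t *in, uint8_t *out, size_t n)
{
    for (size_t k = 0; k < n; k++) {           /* keystream generation (PRGA) */
        st->i = (uint8_t)(st->i + 1);
        st->j = (uint8_t)(st->j + st->S[st->i]);
        uint8_t t = st->S[st->i];
        st->S[st->i] = st->S[st->j];
        st->S[st->j] = t;
        out[k] = in[k] ^ st->S[(uint8_t)(st->S[st->i] + st->S[st->j])];
    }
}

/* WEP per-packet key = IV (3 bytes, sent in the clear) || shared key.
   Same IV and same key means the same keystream for both frames. */
static void wep_seal(const uint8_t iv[3], const uint8_t *key, size_t keylen,
                     const uint8_t *pt, uint8_t *ct, size_t n)
{
    uint8_t pkt_key[3 + 13];                   /* WEP keys are 5 or 13 bytes */
    struct rc4 st;
    if (keylen > 13) keylen = 13;
    memcpy(pkt_key, iv, 3);
    memcpy(pkt_key + 3, key, keylen);
    rc4_init(&st, pkt_key, 3 + keylen);
    rc4_xor(&st, pt, ct, n);
}

/* Keystream reuse: one known (plaintext, ciphertext) pair under an IV gives
   the keystream, which then decrypts any other frame sent under that IV.
   Returns the number of bytes recovered. */
static size_t keystream_reuse(const uint8_t *known_pt, const uint8_t *known_ct, size_t known_len,
                              const uint8_t *target_ct, size_t target_len, uint8_t *recovered)
{
    size_t n = known_len < target_len ? known_len : target_len;
    for (size_t k = 0; k < n; k++)
        recovered[k] = target_ct[k] ^ (known_ct[k] ^ known_pt[k]);
    return n;
}

/* Constructed scenario: a 40-bit key, an IV the access point reused, an ARP
   request the attacker knows in full (LLC/SNAP header + ARP), and a second
   frame under the same IV that carries an HTTP request. */
static const uint8_t WEP_KEY[5] = { 0x0B, 0xAD, 0xC0, 0xDE, 0x01 };
static const uint8_t IV[3]      = { 0x01, 0x02, 0x03 };
static const uint8_t ARP_PT[36] = {
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x06,              /* LLC/SNAP, EtherType ARP */
    0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x01,              /* Ethernet/IPv4, request  */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x0A, 0x00, 0x00, 0x05,  /* sender MAC, sender IP   */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x01   /* target MAC, target IP   */
};
static const uint8_t HTTP_PT[28] = {
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00,              /* LLC/SNAP, EtherType IP  */
    'G','E','T',' ','/','s','e','c','r','e','t',' ','H','T','T','P','/','1','.','0'
};

/* Runs the attack; writes the recovered HTTP frame into out and returns its length. */
static size_t wep_reuse_demo(uint8_t *out, size_t cap)
{
    uint8_t arp_ct[sizeof ARP_PT], http_ct[sizeof HTTP_PT];
    if (cap < sizeof HTTP_PT) return 0;
    wep_seal(IV, WEP_KEY, sizeof WEP_KEY, ARP_PT, arp_ct, sizeof ARP_PT);
    wep_seal(IV, WEP_KEY, sizeof WEP_KEY, HTTP_PT, http_ct, sizeof HTTP_PT);   /* same IV */
    return keystream_reuse(ARP_PT, arp_ct, sizeof ARP_PT, http_ct, sizeof HTTP_PT, out);
}

int main(void)
{
    uint8_t out[64];
    size_t n = wep_reuse_demo(out, sizeof out);
    printf("recovered %zu bytes without the key: %.*s\n", n, (int)(n - 8), out + 8);
    return 0;
}
```

The attacker never learns the key: XORing the two ciphertexts cancels the shared keystream, and knowing one plaintext (an ARP request is easy to recognise or to provoke) exposes the other. With only 2^24 IVs, reuse on a busy network is a matter of hours, which is why the slide lists it next to the FMS attack, which goes further and recovers the key itself from weak IVs.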
Some network protocol attacks & techniques

- SYN-flooding
- TCP/IP hijacking
  - RST hijacking
- The ping of death
- Ping flooding, amplification attacks
- Port scanning
  - Stealth SYN scan
  - FIN, X-mas, Null scans
  - Spoofing decoys
  - Idle scanning
- IP spoofing and defenses against it
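The port-scanning items above, seen from the detection side, as an added example that is not part of the lecture. It classifies packets by the TCP flag combinations the listed scans use (bare SYN, FIN only, FIN+PSH+URG for X-mas, no flags for Null) and counts distinct destination ports per source. The one-packet-per-line log format ("src dst dport 0xFLAGS"), the sample addresses and the threshold of five ports are all constructed for this demonstration.

```c
#include <stdio.h>
#include <string.h>

/* TCP flag bits as they appear in the header's flags byte. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

enum probe { PROBE_OTHER, PROBE_SYN, PROBE_FIN, PROBE_XMAS, PROBE_NULL };

/* Flag combinations of the scans on the slide. A bare SYN also starts every
   legitimate connection, so on its own it proves nothing; FIN, X-mas and
   Null packets outside an established connection are anomalous by themselves. */
static enum probe classify(unsigned flags)
{
    if (flags == 0)                           return PROBE_NULL;  /* Null scan   */
    if (flags == (TH_FIN | TH_PSH | TH_URG))  return PROBE_XMAS;  /* X-mas scan  */
    if (flags == TH_FIN)                      return PROBE_FIN;   /* FIN scan    */
    if (flags == TH_SYN)                      return PROBE_SYN;   /* SYN scan or normal connect */
    return PROBE_OTHER;
}

#define MAX_SRC        32
#define MAX_PORTS      64
#define SCAN_THRESHOLD 5      /* distinct ports from one source before we call it a scan (assumed) */

struct source {
    char     ip[16];
    unsigned ports[MAX_PORTS];
    unsigned nports;          /* distinct destination ports seen from this source */
    unsigned probes[5];       /* counters indexed by enum probe */
};

static struct source *find_or_add(struct source *tab, size_t *n, size_t cap, const char *ip)
{
    for (size_t k = 0; k < *n; k++)
        if (strcmp(tab[k].ip, ip) == 0) return &tab[k];
    if (*n == cap) return NULL;
    memset(&tab[*n], 0, sizeof tab[*n]);
    snprintf(tab[*n].ip, sizeof tab[*n].ip, "%s", ip);
    return &tab[(*n)++];
}

static void note_port(struct source *s, unsigned port)
{
    for (unsigned k = 0; k < s->nports; k++)
        if (s->ports[k] == port) return;
    if (s->nports < MAX_PORTS) s->ports[s->nports++] = port;
}

/* Parses "src dst dport 0xFLAGS" lines (constructed format) into tab.
   Returns the number of distinct sources seen. */
static size_t scan_report(const char *log, struct source *tab, size_t cap)
{
    size_t n = 0;
    for (const char *p = log; *p; ) {
        char line[128], src[16], dst[16];
        unsigned port, flags;
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (sscanf(line, "%15s %15s %u %x", src, dst, &port, &flags) == 4) {
            struct source *s = find_or_add(tab, &n, cap, src);
            if (s) { note_port(s, port); s->probes[classify(flags)]++; }
        }
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

static int is_scanner(const struct source *s)
{
    return s->nports >= SCAN_THRESHOLD
        || s->probes[PROBE_FIN] || s->probes[PROBE_XMAS] || s->probes[PROBE_NULL];
}

static size_t count_scanners(const struct source *tab, size_t n)
{
    size_t c = 0;
    for (size_t k = 0; k < n; k++) c += is_scanner(&tab[k]) != 0;
    return c;
}

/* Constructed sample: a normal client, a SYN/X-mas scanner, a spoofed decoy
   that walks the same ports, and a single Null probe. */
static const char SAMPLE_LOG[] =
    "10.0.0.5 10.0.0.9 80 0x02\n"   "10.0.0.5 10.0.0.9 80 0x10\n"
    "10.0.0.66 10.0.0.9 21 0x02\n"  "10.0.0.66 10.0.0.9 22 0x02\n"
    "10.0.0.66 10.0.0.9 23 0x02\n"  "10.0.0.66 10.0.0.9 25 0x02\n"
    "10.0.0.66 10.0.0.9 80 0x02\n"  "10.0.0.66 10.0.0.9 443 0x29\n"
    "10.0.0.77 10.0.0.9 21 0x02\n"  "10.0.0.77 10.0.0.9 22 0x02\n"
    "10.0.0.77 10.0.0.9 23 0x02\n"  "10.0.0.77 10.0.0.9 25 0x02\n"
    "10.0.0.77 10.0.0.9 80 0x02\n"  "10.0.0.88 10.0.0.9 139 0x00\n";

int main(void)
{
    struct source tab[MAX_SRC];
    size_t n = scan_report(SAMPLE_LOG, tab, MAX_SRC);
    for (size_t k = 0; k < n; k++)
        printf("%-10s ports=%u syn=%u fin=%u xmas=%u null=%u %s\n", tab[k].ip, tab[k].nports,
               tab[k].probes[PROBE_SYN], tab[k].probes[PROBE_FIN], tab[k].probes[PROBE_XMAS],
               tab[k].probes[PROBE_NULL], is_scanner(&tab[k]) ? "<- scan" : "");
    return 0;
}
```

The sample shows the limit of source-based detection that the "spoofing decoys" and "idle scanning" items exploit: the decoy 10.0.0.77 is flagged exactly like the real scanner 10.0.0.66, and an idle scan would show only the zombie host's address. Counting per source tells you that you are being scanned, not by whom.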