COUNTERMEASURES AGAINST BUFFER OVERFLOW ATTACKS DATA EXECUTION PREVENTION (DEP) SECURITY ASSESSMENT BY AMAR MYANA

Buffer Overflow Countermeasures, DEP, Security Assessment


Page 1: Buffer Overflow Countermeasures, DEP, Security Assessment

COUNTERMEASURES AGAINST BUFFER OVERFLOW ATTACKS

DATA EXECUTION PREVENTION (DEP)

SECURITY ASSESSMENT

BY AMAR MYANA

Page 2: Buffer Overflow Countermeasures, DEP, Security Assessment

TOPICS OF DISCUSSION

• Buffer Overflow Attacks
  • Stack Smashing
  • Heap Overflows
  • Off-By-One (a classic programmer's error)

• Countermeasures against buffer overflow attacks
  • Language Level
  • Source Code Level
  • Compiler Level
  • Operating System Level

• DEP, also known as Executable Space Protection, and the NX / XD bit

• Security Audits, Vulnerability Assessments and Penetration Testing

Page 3: Buffer Overflow Countermeasures, DEP, Security Assessment

BUFFER OVERFLOW ATTACKS

• The term buffer refers to an allocated chunk of memory, such as a pointer, array or string.

• Example:

    void f() {
        int a[10];      /* room for a[0] .. a[9] only */
        a[20] = 3;      /* writes past the end of a: a buffer overflow */
    }

• Two conditions must be fulfilled:
  • The attacker must be able to control the data written into the buffer.
  • There must be security sensitive variables stored after the buffer in memory.

Page 4: Buffer Overflow Countermeasures, DEP, Security Assessment

VARIABLE ATTACKS

    #include <string.h>

    int main(int argc, char *argv[]) {
        char passwd_ok = 0;
        char passwd[8];

        strcpy(passwd, argv[1]);          /* unbounded copy: no length check */
        if (strcmp(passwd, "amar") == 0)
            passwd_ok = 1;
        if (passwd_ok) { … }
    }

• The strcpy function makes no check that argv[1] contains at most 8 characters, so an attacker who passes a longer string can overflow the passwd buffer.
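A bounded rewrite of the check above, added here as an illustration and not part of the original deck: the input length is verified against the same 8-byte buffer before anything is copied, so an over-long argv[1] is rejected instead of being written past the end of passwd. The function name check_passwd_safe and the exit codes are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define PASSWD_MAX 8   /* same 8-byte buffer as the deck's example */

/* Returns 1 when the password matches, 0 on a mismatch, and -1 when the
 * input would not fit in the buffer (including its terminating NUL), in
 * which case it is rejected instead of being truncated or overflowed. */
int check_passwd_safe(const char *input)
{
    char passwd[PASSWD_MAX];
    char passwd_ok = 0;
    const char *nul;
    size_t len;

    if (input == NULL)
        return -1;

    /* memchr stops at the first NUL and never looks past PASSWD_MAX bytes,
     * so an over-long or unterminated argument cannot be read out of bounds. */
    nul = memchr(input, '\0', PASSWD_MAX);
    if (nul == NULL)
        return -1;                      /* no NUL within 8 bytes: too long */

    len = (size_t)(nul - input);        /* 0 .. PASSWD_MAX-1 */
    memcpy(passwd, input, len + 1);     /* bounded copy: at most PASSWD_MAX */

    if (strcmp(passwd, "amar") == 0)
        passwd_ok = 1;

    return passwd_ok;
}

int main(int argc, char *argv[])
{
    int rc;

    if (argc < 2) {
        fputs("usage: passwd_check <password>\n", stderr);
        return 2;
    }
    rc = check_passwd_safe(argv[1]);
    if (rc < 0)
        fputs("rejected: input too long\n", stderr);
    else
        puts(rc ? "access granted" : "access denied");
    return rc == 1 ? 0 : 1;
}
```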


Page 5: Buffer Overflow Countermeasures, DEP, Security Assessment

STACK & HEAP OVERFLOW

• When a function is called in C, the caller begins by pushing the function parameters onto the stack. Thereafter, the caller pushes the address of its next instruction, the address where execution should continue when the function returns, onto the stack and jumps to the function. The callee, in turn, makes room on the stack for its local variables.

• Because the saved return address lies on the stack beyond the local variables, an overflow of a local buffer can overwrite it; the attacker can in fact redirect execution to any function in the program or in the libraries used by it.


Page 6: Buffer Overflow Countermeasures, DEP, Security Assessment

COUNTERMEASURES

• Prevent use of dangerous functions: gets, strcpy, etc.

• Stack based
  • Adding redundant information/routines to protect the stack or parts of the stack.

• Ex: StackGuard


Page 7: Buffer Overflow Countermeasures, DEP, Security Assessment

STACK GUARD

• A simple approach to protect programs against stack smashing and, with little modification, against EBP (saved frame pointer) overflows.

• This is achieved by a compiler extension that adds so-called canary values in front of the saved EIP (return address) in each function's stack frame; the canary is checked before the function returns, so a changed canary reveals that the buffer has overflowed.
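An added example, not from the deck, that models the StackGuard mechanism in plain C: a guard word sits between the local buffer and the saved return address, is planted in the prologue and verified in the epilogue, so a copy that runs past the buffer is detected before the function returns. The struct layout, the constant canary value and the function names are assumptions made for this demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Layout modelled explicitly: a real compiler places the canary between the
 * local buffer and the saved return address in the function's stack frame. */
struct guarded_frame {
    char     buf[8];      /* local buffer an overflow would fill */
    uint64_t canary;      /* guard word an overflow must cross first */
    uint64_t saved_ret;   /* stands in for the saved return address */
};

/* Constructed canary value; a real implementation draws a random value at
 * process start, or uses a terminator canary built from NUL/CR/LF bytes. */
static const uint64_t g_canary = 0x0a0d00ff5a5aa5a5ULL;

/* Prologue: plant the guard word and record the return address. */
void frame_enter(struct guarded_frame *f, uint64_t ret)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = g_canary;
    f->saved_ret = ret;
}

/* Models an unchecked copy of n bytes into the frame starting at buf;
 * n is capped at the frame size so the simulation itself stays in bounds. */
void frame_copy(struct guarded_frame *f, const void *src, size_t n)
{
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy(f, src, n);
}

/* Epilogue: 1 if the guard is intact (return may proceed), 0 if it was
 * modified (StackGuard aborts the program here instead of returning). */
int frame_leave(const struct guarded_frame *f)
{
    return f->canary == g_canary;
}

/* Runs one copy through prologue, copy and epilogue; returns the verdict. */
int copy_and_check(const void *src, size_t n)
{
    struct guarded_frame f;
    frame_enter(&f, 0x401000ULL);   /* constructed return address */
    frame_copy(&f, src, n);
    return frame_leave(&f);
}
```

Compiling a real program with -fstack-protector-strong (GCC or Clang) makes the compiler insert the equivalent prologue and epilogue automatically.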


Page 8: Buffer Overflow Countermeasures, DEP, Security Assessment

LIBSAFE & LIBVERIFY


• LIBSAFE
  • A transparent approach set up in a DLL that replaces standard (vulnerable) functions with standard bounds-checked functions.
  • Ex: strcpy could be replaced by strncpy.
  • The upper limit of the bounds is calculated based on the EBP, so the maximum amount written to a buffer is the size of the stack frame.

• LIBVERIFY
  • Similar to StackGuard.
  • It implements a wrapper function that saves a copy of the canaries to a canary stack.

Page 9: Buffer Overflow Countermeasures, DEP, Security Assessment

OTHER PROTECTION MECHANISMS

• Source code level: use static or dynamic source code analyzers to check the code for buffer overflow problems.

• Compiler level: change the compiler so that it does bounds checking or protects addresses from being overwritten.

• Operating system level: change the rules for which memory pages are allowed to hold executable data.


Page 10: Buffer Overflow Countermeasures, DEP, Security Assessment

DATA EXECUTION PREVENTION

• Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system.

• The primary benefit of DEP is to help prevent code execution from data pages.

• HARDWARE ENFORCED DEP
  • Hardware-enforced DEP marks all memory locations in a process as non-executable unless the location explicitly contains executable code.
  • Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory.


Page 11: Buffer Overflow Countermeasures, DEP, Security Assessment

DEP

• Beginning with Windows XP SP2, the 32-bit version of Windows uses one of the following:
  • The no-execute page-protection (NX) processor feature as defined by AMD.
  • The Execute Disable Bit (XD) feature as defined by Intel.

• SOFTWARE ENFORCED DEP
  • Software-enforced DEP runs on any processor.
  • By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.

• BENEFITS
  • DEP can help block a class of security intrusions. Specifically, DEP can help block a malicious program in which a virus or other type of attack has injected a process with additional code and then tries to run the injected code.


Page 12: Buffer Overflow Countermeasures, DEP, Security Assessment

SECURITY ASSESSMENT

• Every organization uses different types of security assessments to validate the level of security on its network resources.

• Security assessment is broadly divided into three categories:

• SECURITY AUDITS
  • Focus on the people and processes used to design, implement, and manage security on a network.
  • You can perform a manual assessment by using the following techniques:
    • Interviewing the staff
    • Reviewing application and operating system access controls
    • Analyzing physical access to the systems


Page 13: Buffer Overflow Countermeasures, DEP, Security Assessment

SECURITY ASSESSMENT

• You can perform an automatic assessment by using the following techniques:
  • Generating audit reports
  • Monitoring and reporting changes in files

• VULNERABILITY ASSESSMENTS
  • Help in identifying known security vulnerabilities by scanning a network.
  • Vulnerability scanners can test systems and network devices for exposure to common attacks, such as attacks on security-related information and denial-of-service attacks.
  • Host-based scanners look for features such as weak file access permissions, poor passwords, and logging faults.


Page 14: Buffer Overflow Countermeasures, DEP, Security Assessment

SECURITY ASSESSMENT

• PENETRATION TESTING
  • A penetration test will not only point out vulnerabilities, it will also document how the weaknesses can be exploited and how several minor vulnerabilities can be escalated by an attacker to compromise a computer or network.
  • Penetration tests can reveal whether employees routinely allow people without identification to enter company facilities, where they would have physical access to computers.
  • Reveal process problems (e.g. not applying security updates).


Page 15: Buffer Overflow Countermeasures, DEP, Security Assessment

THANK YOU!
