CS 161 Discussion 2
Logistics
Discussion worksheet posted on cs161.org!
Use the chat! Ask questions, discuss, etc.
Feel free to unmute + ask a question!
These slides are at https://shomil.me/cs161-fa20/ (also on Piazza).
Please turn on your camera if you feel comfortable doing so :)
Announcements
Project 1 has been released (due 9/25)
HW 1 has been released (due 9/11)
Today:
Software Security
Advanced Buffer Overflow Techniques
Whiteboard!
Do #2 on Worksheet
Memory Safety
Buffer Overflow & Stack Smashing
Format String Vulnerabilities
Integer Conversion Vulnerabilities
Integer Conversion Vulnerabilities
void vulnerable(char *input, int len) {
char buf[64];
if (len > 64) return;
/* len is converted to unsigned! -1 => 2^32 - 1 */
memcpy(buf, input, len);
}
Credit to Nicholas Ngai for this example!
Integer Overflow Vulnerabilities
void vulnerable(char *input, size_t len) {
/* len + 2 == 1 if len is 2^32 - 1 */
char *buf = malloc(len + 2); /* we allocate len + 2 bytes... */
if (!buf) return;
memcpy(buf, input, len); /* ...but we copy len bytes, far more than we allocated */
buf[len] = '\n';
buf[len + 1] = '\0';
}
Credit to Nicholas Ngai for this example!
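Added example (not from the slides or the worksheet): the conversion bug and the overflow bug from the two previous slides, each isolated into a small function so you can see exactly which values slip past the check, next to a hardened version of each. Names like vulnerable_len_ok, safe_copy and checked_add_size are mine; the 32-bit size_t from the slides is modelled with uint32_t so the wraparound shows even on a 64-bit machine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64

/* Conversion bug, isolated: the slide's "if (len > 64) return;" check as a
 * predicate. A negative len passes, then becomes a huge size_t in memcpy. */
int vulnerable_len_ok(int len) {
    return !(len > BUF_SIZE);            /* -1 > 64 is false, so -1 is "ok" */
}

/* What memcpy actually sees: the same int after conversion to size_t. */
size_t len_as_seen_by_memcpy(int len) {
    return (size_t)len;                  /* -1 becomes SIZE_MAX */
}

/* Fix: reject negatives explicitly (or take size_t and compare unsigned). */
int safe_len_ok(int len) {
    return len >= 0 && len <= BUF_SIZE;
}

/* Hardened copy into a caller-supplied buffer; -1 means rejected. */
int safe_copy(char *buf, size_t bufsize, const char *input, int len) {
    if (len < 0 || (size_t)len > bufsize) return -1;
    memcpy(buf, input, (size_t)len);
    return len;
}

/* Overflow bug, isolated: the slide's malloc(len + 2) with a 32-bit size_t,
 * modelled with uint32_t so it behaves the same on a 64-bit machine. */
uint32_t wrapped_alloc_size_u32(uint32_t len) {
    return (uint32_t)(len + 2u);         /* 0xFFFFFFFF + 2 wraps to 1 */
}

/* Fix: check for wraparound before adding. Returns 0 if len + extra would
 * exceed SIZE_MAX, otherwise stores the sum in *out and returns 1. */
int checked_add_size(size_t len, size_t extra, size_t *out) {
    if (len > SIZE_MAX - extra) return 0;
    *out = len + extra;
    return 1;
}

/* Hardened version of the slide's function: NULL on overflow or on OOM. */
char *safe_terminate_copy(const char *input, size_t len) {
    size_t total;
    if (!checked_add_size(len, 2, &total)) return NULL;
    char *buf = malloc(total);
    if (!buf) return NULL;
    memcpy(buf, input, len);
    buf[len] = '\n';
    buf[len + 1] = '\0';
    return buf;
}
```

The pattern to remember: a signed length needs a "< 0" check before it ever reaches a size_t parameter, and any "len + k" used as an allocation size needs a "len > MAX - k" check before the addition, not after.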
Format String Vulnerabilities
void vulnerable(char *input) {
printf(input); /* attacker can insert arbitrary %d, %n, ... */
}
Attackers can use "%x:%x" to read words off the stack, "%s" to treat the next word on the stack as a pointer and read whatever string it points to, and even write to arbitrary memory using "%n" and other tricks! Details of this are out of scope.
Takeaway: If a format string vulnerability exists, assume that the attacker can learn all secrets stored in memory, and assume the attacker can take control of the program!
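Added example (not from the slides): the two ways to close the printf(input) hole, plus a small check that flags untrusted text which would be interpreted as directives. count_conversions, print_literal and escape_percent are my names; the "%x:%n" input is constructed for the demo.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Count format conversions in fmt. "%%" is a literal percent, not a
 * conversion, so it is skipped. A nonzero count on untrusted text means
 * printf(text) would treat attacker bytes as directives. */
size_t count_conversions(const char *fmt) {
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" */
        n++;
    }
    return n;
}

/* Fix 1 (preferred): input is data, never the format. The "%x:%n" in the
 * input lands in dst as literal text. Returns snprintf's length. */
int print_literal(char *dst, size_t dstsize, const char *input) {
    return snprintf(dst, dstsize, "%s", input);
}

/* Fix 2 (for legacy APIs that only accept a format string): escape every
 * '%' as "%%". Returns the full escaped length (excluding NUL); output is
 * truncated cleanly, never mid-escape, and NUL-terminated if dstsize > 0. */
size_t escape_percent(char *dst, size_t dstsize, const char *input) {
    size_t needed = 0, w = 0;
    int truncated = 0;
    for (const char *p = input; *p; p++) {
        size_t len = (*p == '%') ? 2 : 1;
        needed += len;
        if (truncated || w + len >= dstsize) { truncated = 1; continue; }
        if (*p == '%') { dst[w++] = '%'; dst[w++] = '%'; }
        else dst[w++] = *p;
    }
    if (dstsize) dst[w] = '\0';
    return needed;
}
```

Use the first fix wherever you can (pass "%s" and the input); the escaping route exists only for APIs that take a format and nothing else. Compiling with -Wformat-security makes the compiler flag every printf(input)-style call for you.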
Do #1 on Worksheet
Trusted Computing Base
We use the notion of a trusted computing base (TCB) to design secure systems.
TCB: the part of the system that has to operate correctly in order for the security goals of the system to be assured.
Press F to record attendance