Thursday, February 18, 2016

Buffer Overflow Vulnerability Discovered in glibc

There's a report out today from Google that their security team discovered a buffer overflow vulnerability in the GNU implementation of getaddrinfo.  Readers of Chapter 11 of CS:APP3e know this function as a very general tool for converting string representations of network parameters into the data structures used by other networking functions.  Engineers at Google and Red Hat were able to demonstrate that the program error could be exploited with a buffer overflow attack.

It's instructive to read the bug tracking reports at the Google post on their discovery:

https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

as well as the bug tracking log covering the actual error:

https://sourceware.org/bugzilla/show_bug.cgi?id=18665

There are several important insights to be gained from this report:


  • Buffer overflows are still a key source of software vulnerabilities.  Although they can be mitigated by address space randomization and other techniques, they still show up.
  • This bug was introduced with glibc 2.9 in May 2008.  It was first reported in July 2015 and fixed in February 2016.  That's a long time for a security vulnerability to lie undetected.
  • It only happens when a string is given that exceeds the 2048-byte limit of the regular buffer size.  The code then allocates more memory, but it does not correctly update some of the size information.  Apparently, this part of the code was not tested very carefully.  It's an unfortunate reality of program testing that it's hard to reach all of the corner cases in a program.  It seems like using code coverage tools could have been beneficial here.
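The pattern behind the third point above, as an added C example that is not from the post or from glibc: a fixed 2048-byte buffer with a heap fallback, written so that the capacity is updated together with the pointer, plus a helper for exercising the over-2048 boundary the post says went untested. The struct, the function names and every size other than 2048 are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

#define REGULAR_SIZE 2048  /* size of the fixed "regular" buffer named in the post */

/* Buffer that starts in a fixed stack array and moves to the heap when the input
 * is too large. Pointer, capacity and fill level travel together, so no later
 * check can use a stale size. Illustrative pattern, not glibc's code. */
struct growbuf {
    char  *data;
    size_t cap;      /* bytes available at data */
    size_t len;      /* bytes actually written */
    int    on_heap;  /* nonzero once data points to malloc'd memory */
};

/* Make room for `need` bytes; returns 0 on success, -1 if malloc fails. */
static int growbuf_reserve(struct growbuf *gb, size_t need) {
    if (need <= gb->cap) return 0;       /* fits in the regular buffer */
    char *p = malloc(need);
    if (p == NULL) return -1;
    memcpy(p, gb->data, gb->len);        /* keep what was already stored */
    if (gb->on_heap) free(gb->data);
    gb->data = p;
    gb->cap = need;                      /* capacity updated with the pointer */
    gb->on_heap = 1;
    return 0;
}

/* Store a `len`-byte reply and report where it ended up:
 * 0 = regular buffer, 1 = heap, -1 = failure. */
int store_reply(const unsigned char *src, size_t len) {
    char regular[REGULAR_SIZE];
    struct growbuf gb = { regular, sizeof regular, 0, 0 };
    if (growbuf_reserve(&gb, len) != 0) return -1;
    if (len > gb.cap) return -1;         /* bounds check against the *current* capacity */
    memcpy(gb.data, src, len);
    gb.len = len;
    if (gb.on_heap) { free(gb.data); return 1; }
    return 0;
}

/* Boundary test helper: a constructed reply of `len` bytes of 'A' (not real resolver data). */
int store_constructed_reply(size_t len) {
    unsigned char *reply = malloc(len ? len : 1);
    if (reply == NULL) return -1;
    memset(reply, 'A', len);
    int where = store_reply(reply, len);
    free(reply);
    return where;
}
```

Calling store_constructed_reply with 2048 and 2049 bytes exercises both sides of the limit the post describes, which is exactly the corner case a coverage tool would flag as unreached.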


Tuesday, February 9, 2016

Updated the CS:APP Proxy Lab

We've updated the CS:APP Proxy Lab with a new autograder that checks for basic proxy behavior, concurrent execution, and file caching. We've been using this autograder at CMU for several years now and are happy to make it available to the CS:APP community.

Tuesday, January 12, 2016

Updated the CS:APP Bomb Lab

We've released an update to the Bomb Lab on the CS:APP site. An authentication key associated with each bomb prevents spoofing (from Zaheer Chothia, ETH, Switzerland). And a configurable timeout in the request daemon prevents it from hanging while interacting with clients under heavy loads (from Len Hamy, Macquarie University, Australia).

Monday, January 11, 2016

New x86-64 Attack Lab is Available!

We are pleased to announce that the new Attack Lab is available on the CS:APP site.

The Attack Lab was first offered to CMU students in Fall 2015. It is the 64-bit successor to the 32-bit Buffer Lab and was designed for CS:APP3e. In this lab, students are given a pair of unique custom-generated x86-64 binary executables, called targets, that have buffer overflow bugs. One target is vulnerable to code injection attacks. The other is vulnerable to return-oriented programming attacks. Students are asked to modify the behavior of the targets by developing exploits based on either code injection or return-oriented programming.