BUFFER OVERFLOW
Tsega Gebreyonas, Sunny Choi
CS 265, November 18, 2003

Slide 2: Overview
• The basics
• Attacks exploiting buffer overflow
• Prevention and countermeasures
• Recent case studies
• Conclusion and observations

Slide 3: Why Study Buffer Overflow?
• A known vulnerability class since the 1970s
• "Computer vulnerability of the decade" [1]
• Cause of at least half of all vulnerabilities found in operating systems
• Code Red worm, 2001
• Blaster worm, 2003

Slide 4: Basics of Buffer Overflow
• "Stuffing" more data into a buffer than its allocated size.
• Two types:
  – corrupt the execution stack by writing past the end of a local array (aka smashing the stack, or stack overflow)
  – corrupt the heap (heap overflow)

Slide 5: How Does Buffer Overflow Happen?
• Careless use of a buffer without a bounds check
• No automatic bounds checking for buffers in the C/C++ programming languages
• Unsafe library function calls (the deck's own example uses gets and strcpy)
• Off-by-one errors
• Old code used for new purposes
• Formatting and logic errors

Slide 6: Possible Causes of Buffer Overflow
• Unterminated strings can produce an overflow: a copy or length calculation runs past the missing NUL terminator.
• Typical symptom: segmentation fault, crash.

Slide 7: Process Memory Organization
Process memory regions, from lower to higher addresses:
    Text
    Data
    Heap
    Stack

Slide 8
• Text region
  – Fixed by the program
  – Includes code (instructions)
  – Read-only
• Data region
  – Contains initialized and uninitialized data
  – Static variables are stored here

Slide 9: The Stack
Contains:
• Local variables of functions
• Return address and saved frame pointer
Used to:
• Dynamically allocate the local variables used in functions
• Pass parameters to functions
• Return values from functions

Slide 10
• The stack pointer (SP) points to the top of the stack.
• The bottom of the stack is at a fixed address.
• The stack consists of logical stack frames that are pushed when a function is called and popped when it returns.
• The frame pointer (FP) points to a fixed location within a frame.

Slide 11: Example stack.c
    void function(int a, int b, int c)
    {
        char buffer1[5];
        char buffer2[10];
    }

    int main(void)
    {
        function(1, 2, 3);
        return 0;
    }

Slide 12: Example cont.. (1)
• After `gcc -S -o stack.s stack.c` (see notes)
• The call to function is translated to:
    pushl $3
    pushl $2
    pushl $1
    call function

Slide 13: Example cont.. (2)
• This pushes the three arguments onto the stack in reverse order.
• The `call` instruction pushes the EIP (the return address) onto the stack.
• Procedure prolog:
    pushl %ebp
    movl  %esp, %ebp
    subl  $20, %esp

Slide 14: Example cont.. (3)
• Pushes the FP (EBP) onto the stack.
• Copies the current SP (ESP) into EBP, making it the new FP.
• Allocates space for the local variables by subtracting their size from SP.
  – Stack space is reserved in multiples of the word size (4 bytes on 32-bit x86).
  – The 5-byte buffer takes 8 bytes (2 words).
  – The 10-byte buffer takes 12 bytes (3 words).
  – SP is decremented by 20.

Slide 15
Stack frame of function, from higher to lower addresses:
    c
    b
    a
    ret
    SFP       <- EBP
    buffer1
    buffer2   <- ESP

Slide 16: Principle of Stack Overflows
• When a function is called, the address of the next instruction in the caller, ret, is stored on the stack.
• Modifying this value on the stack forces EIP to take the new value when the function returns, so the program executes the code (e.g. some shellcode) at the address supplied by overflowing the stack.

Slide 17: Principle of Stack Overflows cont..
• How to find where ret is, to overwrite it?
  – Methods of improving the chances: fill the buffer with
        NOPs | shellcode (or some code to execute) | repeated return address
  – As long as ret is overwritten by one of the repeated copies of the address, execution lands in the NOP sled and slides into the shellcode. The copies must be word-aligned with the ret slot; otherwise ret receives a mix of bytes from two neighbouring copies.

Slide 18: Stack Overflow Example
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void show_string(char *str2)
    {
        char buffer[5];
        strcpy(buffer, str2);              /* no bounds check: str2 may exceed 5 bytes */
        printf("Your string is: %s\n", buffer);
    }

    int main(void)
    {
        char str1[10];
        gets(str1);                        /* gets() never checks the size of str1 either */
        show_string(str1);
        exit(0);
    }
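The following is an added example, not code from the slides: it models the slide-15 frame of function() as a byte array using the 32-bit, 4-byte-word layout the deck assumes (buffer2 at the lowest address, then buffer1, SFP, ret, then the arguments), and applies the slide-17 payload (NOP sled, marker bytes standing in for shellcode, repeated return address) by simulating an unchecked copy into buffer2 and reading back what ret now holds. The saved EBP, the legitimate return address and the target address are assumed values; the "shellcode" is a constructed marker, not executable code.

```c
/* Added example: byte-level model of the slide-15 stack frame and the
 * slide-17 payload. Addresses below are assumed values, and the
 * "shellcode" is a constructed marker (int3 bytes), not real shellcode. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORD 4u                      /* 32-bit x86 word, as on the slides */

/* Frame of function(int a, int b, int c) from low to high addresses:
 * [buffer2 12][buffer1 8][SFP 4][ret 4][a 4][b 4][c 4] */
#define BUF2_SZ  12u
#define BUF1_SZ  8u
#define OFF_BUF2 0u
#define OFF_BUF1 (OFF_BUF2 + BUF2_SZ)
#define OFF_SFP  (OFF_BUF1 + BUF1_SZ)
#define OFF_RET  (OFF_SFP + WORD)
#define FRAME_SZ (OFF_RET + WORD + 3u * WORD)

/* Round a local's size up to the word multiple the prologue reserves (5 -> 8, 10 -> 12). */
static size_t round_up_word(size_t n) { return (n + WORD - 1) / WORD * WORD; }

/* Distance from the start of a local buffer to the saved return address. */
static size_t ret_offset_from(size_t buf_off) { return OFF_RET - buf_off; }

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void write_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build the slide-17 payload: NOP sled, marker "shellcode", then the target
 * address repeated to the end. addr_start is the byte offset at which the
 * repeated addresses begin; varying it shows the alignment requirement. */
static void build_payload(uint8_t *out, size_t len, size_t addr_start, uint32_t target) {
    static const uint8_t shellcode[] = { 0xCC, 0xCC, 0xCC, 0xCC };   /* constructed marker */
    memset(out, 0x90, len);                                         /* NOP sled */
    if (addr_start >= sizeof shellcode && addr_start <= len)
        memcpy(out + addr_start - sizeof shellcode, shellcode, sizeof shellcode);
    for (size_t i = addr_start; i < len; i++)                       /* repeated little-endian address */
        out[i] = (uint8_t)(target >> (8u * ((i - addr_start) % WORD)));
}

/* Simulate an unchecked strcpy of len bytes into the local at buf_off and
 * return the value the saved return address holds afterwards. The copy is
 * clipped at the model's frame so the model itself stays well-defined;
 * a real strcpy keeps going into the caller's frame. */
static uint32_t smash(size_t buf_off, const uint8_t *payload, size_t len) {
    uint8_t frame[FRAME_SZ];
    memset(frame, 0, sizeof frame);
    write_le32(frame + OFF_SFP, 0xBFFFF7E8u);   /* assumed saved EBP */
    write_le32(frame + OFF_RET, 0x080483F2u);   /* assumed legitimate return address */
    if (buf_off + len > sizeof frame) len = sizeof frame - buf_off;
    memcpy(frame + buf_off, payload, len);
    return read_le32(frame + OFF_RET);
}

/* Returns 1 if a payload written at buffer2, whose repeated-address region
 * starts addr_start bytes in, leaves ret equal to target. */
static int overwrite_hits(size_t addr_start, uint32_t target) {
    uint8_t payload[FRAME_SZ];
    size_t len = OFF_RET + WORD;             /* 28 bytes: just enough to cover ret */
    build_payload(payload, len, addr_start, target);
    return smash(OFF_BUF2, payload, len) == target;
}

int main(void) {
    const uint32_t target = 0xBFFFF700u;     /* assumed address inside the NOP sled */
    printf("buffer1 reserves %zu bytes, buffer2 %zu bytes\n", round_up_word(5), round_up_word(10));
    printf("ret lies %zu bytes past buffer2 and %zu bytes past buffer1\n",
           ret_offset_from(OFF_BUF2), ret_offset_from(OFF_BUF1));
    printf("addresses word-aligned with ret: ret %s target\n", overwrite_hits(16, target) ? "==" : "!=");
    printf("addresses misaligned by one byte: ret %s target\n", overwrite_hits(17, target) ? "==" : "!=");
    return 0;
}
```

The offsets are the deck's 2003 layout, not what a current toolchain produces: gcc now aligns the stack to 16 bytes, may reorder locals, and with -fstack-protector places a canary between the buffers and SFP, and on x86-64 every slot is 8 bytes. The misaligned case shows why "any part of this string" is not enough: the repeated copies have to line up with the ret slot (unless all four address bytes happen to be equal).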
Slide 19: The Heap
• Definition: contains memory that is dynamically allocated by the application.
• Buffer overflow can happen here too
  – although it is more difficult to achieve than a stack overflow.

Slide 20: User Exploits of Heap Overflow
• Overwrite:
  – filenames
  – passwords
  – ...
• Manipulate:
  – pointers
  – function pointers

Slide 21: Principle of Heap Overflows
• Requires some preconditions to be met in the source code of the vulnerable binary:
  – a buffer must be declared (or defined) first.
  – a pointer must be declared after it, so that the pointer sits just past the end of the buffer in memory.
Example:
    ...
    static char buf[BUFSIZE];
    static char *ptr_to_something;
    ...

Slide 22
    before overflow:   BUFFER | POINTER -> "sometmpfile.tmp"
    after overflow:    BUFFER | POINTER -> "/root/.rhosts"
Writing past the end of BUFFER rewrites POINTER, so the program now uses the attacker's filename.

Slide 23: Heap Overflow Example
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/types.h>

    #define BUFSIZE 16
    #define OVERSIZE 8

    int main(void)
    {
        u_long diff;
        char *buf1 = (char *)malloc(BUFSIZE);
        char *buf2 = (char *)malloc(BUFSIZE);

        diff = (u_long)buf2 - (u_long)buf1;
        printf("buf1 = %p, buf2 = %p, diff = 0x%lx bytes\n", (void *)buf1, (void *)buf2, diff);

        memset(buf2, 'A', BUFSIZE - 1);
        buf2[BUFSIZE - 1] = '\0';
        printf("before overflow: buf2 = %s\n", buf2);

        /* writes diff + OVERSIZE bytes starting at buf1: past the end of buf1,
           across the gap (including the allocator's chunk header) and into buf2 */
        memset(buf1, 'B', (u_int)(diff + OVERSIZE));
        printf("after overflow: buf2 = %s\n", buf2);
        return 0;
    }

Slide 24: Heap Overflow Example Results
    [root /w00w00/heap/examples/basic]# ./heap1
    buf1 = 0x804e000, buf2 = 0x804eff0, diff = 0xff0 bytes
    before overflow: buf2 = AAAAAAAAAAAAAAA
    after overflow: buf2 = BBBBBBBBAAAAAAA
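As an added example (not code from the slides or from the w00w00 examples they quote), the slide-21 precondition, a buffer immediately followed by a pointer, is modelled here as a struct so that the slide-22 pointer rewrite is reproduced deterministically, side by side with a bounded copy that refuses the same input. The record type, the file names and the attacker input are constructed for the example; the attacker is assumed to know the address of buf, which in the slide's static layout is fixed for a given binary.

```c
/* Added example: the slide-21/22 heap (or data-segment) overflow, modelled
 * as a struct so the layout is fixed. Names and inputs are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 16

/* Same layout as "static char buf[BUFSIZE]; static char *ptr_to_something;"
 * when the two are adjacent: the pointer starts right after the buffer. */
struct record {
    char  buf[BUFSIZE];
    char *ptr_to_something;      /* name of the file the program will open */
};

static const char default_name[] = "sometmpfile.tmp";

/* Vulnerable: copies user input into buf with no length check and returns
 * the file name the program would now open. The copy is clipped to the
 * struct so the model stays well-defined; a real strcpy would not stop. */
static const char *set_name_unchecked(struct record *r, const unsigned char *input, size_t len) {
    if (len > sizeof *r) len = sizeof *r;
    memcpy(r, input, len);       /* overflow runs out of buf into ptr_to_something */
    return r->ptr_to_something;
}

/* Hardened: bounded copy that rejects input which does not fit with its NUL,
 * leaving the record untouched instead of silently truncating. */
static const char *set_name_checked(struct record *r, const unsigned char *input, size_t len) {
    if (len >= sizeof r->buf) return r->ptr_to_something;
    memcpy(r->buf, input, len);
    r->buf[len] = '\0';
    return r->ptr_to_something;
}

/* Attacker input (constructed): the wanted file name stored inside buf,
 * zero-padded up to the pointer, then the address of buf itself so that
 * ptr_to_something is redirected to the attacker's string. */
static size_t build_input(unsigned char *out, size_t cap, const struct record *r, const char *want) {
    size_t ptr_off = offsetof(struct record, ptr_to_something);
    size_t n = strlen(want) + 1;
    const char *p = r->buf;      /* address the attacker must know or guess */
    if (n > ptr_off || cap < ptr_off + sizeof p) return 0;
    memset(out, 0, ptr_off);
    memcpy(out, want, n);
    memcpy(out + ptr_off, &p, sizeof p);
    return ptr_off + sizeof p;
}

/* Runs one scenario against a fresh pointer and returns the file name the
 * program ends up using: checked == 0 uses the vulnerable copy. */
static const char *run(int checked) {
    static struct record r;
    unsigned char input[sizeof r];
    size_t len;
    r.ptr_to_something = (char *)default_name;
    len = build_input(input, sizeof input, &r, "/root/.rhosts");
    return checked ? set_name_checked(&r, input, len) : set_name_unchecked(&r, input, len);
}

int main(void) {
    printf("unchecked copy: program opens %s\n", run(0));
    printf("checked copy:   program opens %s\n", run(1));
    return 0;
}
```

The same mechanism drives the slide-23 program: there the neighbour is a second malloc'd buffer rather than a pointer, so the visible effect is the changed contents of buf2, but the write also passes over the allocator's chunk header between the two allocations, which is why freeing buf2 afterwards would corrupt the heap.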
Slide 25: Why Not “Fix” Buffer Overflow?