New version page

SJSU CS 265 - Buffer Overflow

Documents in this Course
Stem

Stem

9 pages

WinZip

WinZip

6 pages

Rsync

Rsync

7 pages

Hunter

Hunter

11 pages

SSH

SSH

16 pages

RSA

RSA

7 pages

Akenti

Akenti

17 pages

Blunders

Blunders

51 pages

Captcha

Captcha

6 pages

Radius

Radius

8 pages

Firewall

Firewall

10 pages

SAP

SAP

6 pages

SECURITY

SECURITY

19 pages

Rsync

Rsync

18 pages

MDSD

MDSD

9 pages

honeypots

honeypots

15 pages

VPN

VPN

6 pages

Wang

Wang

18 pages

TKIP

TKIP

6 pages

ESP

ESP

6 pages

Dai

Dai

5 pages

Load more
Upgrade to remove ads

This preview shows page 1-2-16-17-18-33-34 out of 34 pages.

Save
View Full Document
Premium Document
Do you want full access? Go Premium and unlock all 34 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 34 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 34 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 34 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 34 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 34 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 34 pages.
Access to all documents
Download any document
Ad free experience

Upgrade to remove ads
Unformatted text preview:

BUFFER OVERFLOWOverviewWhy Study Buffer Overflow?Basics of Buffer OverflowHow Does Buffer Overflow Happen?Possible causes of buffer overflowProcess Memory OrganizationSlide 8The StackSlide 10Example stack.cExample cont.. (1)Example cont.. (2)Example cont.. (3)Slide 15Principle of Stack OverflowsPrinciple of Stack Overflows cont..Stack Overflow ExampleThe HeapUser Exploits of Heap OverflowPrinciple of Heap OverflowsSlide 22Heap Overflow ExampleHeap Overflow Example ResultsWhy Not “Fix” Buffer Overflow?Buffer Overflow CountermeasuresCountermeasures cont..Case StudiesCode Red I/II, 2001 - EffectsHow Did Code Red Work?Blaster, 2003Microsoft ManhuntConclusionsReferencesBuffer overflow 1BUFFER OVERFLOWBUFFER OVERFLOWTsega GebreyonasSunny ChoiCS 265November 18, 2003Buffer overflow 2OverviewOverview• The Basics• Attacks exploiting buffer overflow• Prevention and countermeasures• Recent Case Studies• Conclusion and ObservationsBuffer overflow 3Why Study Buffer Overflow?Why Study Buffer Overflow?•Vulnerability since the 1970s•“Computer vulnerability of the decade” 1•Cause of at least half of all vulnerabilities found in Operating Systems•Code Red worm, 2001•Blaster worm, 2003Buffer overflow 4Basics of Buffer OverflowBasics of Buffer Overflow•A “stuffing” of more data into a buffer than the allocated size.•Two types:–corrupt the execution stack by writing past the end of an array (aka. smashing the stack/ stack overflow)–corrupt the heap (heap overflow)Buffer overflow 5How Does Buffer Overflow Happen?How Does Buffer Overflow Happen?•Careless use of buffer without bounds check•No automatic bounds checking for buffer in C/C++ programming languages•Unsafe library function calls•Off-by-one errors•Old code used for new purposes•Formatting and logic errorsBuffer overflow 6Possible causes of buffer overflowPossible causes of buffer overflow•Un-terminated strings can produce overflow•Segmentation fault, crashBuffer overflow 7Process Memory OrganizationProcess Memory OrganizationTextDataLowerMemoryaddressesHigherMemoryaddressesProcess Memory RegionsHeapStackBuffer overflow 8•Text region–Fixed by the program–Includes code (instructions)–Read-only•Data region–Contains initialized and un-initialized data–Static variables are stored here.TextDataHeapStackBuffer overflow 9The StackThe StackContains: –local variables for functions–Return address and local stack pointer–Used to•Dynamically allocate the local variables used in functions.•Pass parameters to functions.•Return values from functions.Buffer overflow 10–Stack pointer (SP) points to the top of the stack.–The bottom of the stack is at a fixed address.–Consists of logical stack frames that are pushed when calling a function and popped when returning.–Frame pointer (FP) points to a fixed location within a frame.TextDataHeapStackBuffer overflow 11Example stack.cExample stack.cvoid function(int a, int b, int c) {char buffer1[5]; char buffer2[10];}void main() {function(1,2,3);}Buffer overflow 12Example cont.. (1)Example cont.. (1)•After ‘gcc –S –o stack.s stack.c’–See notes below•Call function is translated topushl $3pushl $2pushl $1call functionBuffer overflow 13Example cont.. (2)Example cont.. (2)–Its pushes the 3 arguments backwards into the stack.–The instruction ‘call’ will push the EIP onto the stack.•Procedure prologpush %ebpmov %esp, %ebpsub $20, %espBuffer overflow 14Example cont.. (3)Example cont.. (3)•pushes the FP onto the stack.•Copies the current SP onto EBP, make it the new FP.•Allocates space for the local variables by subtracting their size from SP.–Memory can only be addressed in multiples of the word size.–5 byte buffer take 8 bytes (2 words).–10 byte buffer take 12 bytes (3 words).–SP is subtracted by 20Buffer overflow 15cbaretSFPbuffer1buffer2StackEBPBuffer overflow 16Principle of Stack OverflowsPrinciple of Stack Overflows•When a program is run:– the next instruction address, ret, is stored on the stack. – modifying this value in the stack forces the EIP to get new value. So when the function returns, the program may execute the code (e.g. some shellcode) at this new address specified by overflowing the stack.Buffer overflow 17Principle of Stack Overflows cont..Principle of Stack Overflows cont..•How to find where the ret is, to overwrite? –methods of improving chancesNOPsshellcode (or some code to execute)repeated return addressbuffer overflow with this – as long asret is overflowed with any part of this string,shellcode will be executedBuffer overflow 18Stack Overflow ExampleStack Overflow Example# include <stdio.h>void show_string(char * str2){ char buffer[5]; strcpy(buffer, str2); printf(“Your string is : %s\n”, buffer);}main (){ char str [10]; gets(str1); show_string(str1); exist (0);}Buffer overflow 19The HeapThe Heap•Definition: contains memory that is dynamically allocated by the application• Buffer overflow can happen here–Although more difficult to achieve than stack overflowsBuffer overflow 20User Exploits of Heap OverflowUser Exploits of Heap Overflow•Overwrite:- filenames- passwords- …Manipulate:- pointers- function pointersBuffer overflow 21Principle of Heap OverflowsPrinciple of Heap Overflows•Requires some preconditions to be met in the source code of the vulnerable binary: –a buffer must be declared (or defined) first.–a pointer must be declared. Example:... static char buf[BUFSIZE]; static char *ptr_to_something; ...Buffer overflow 22before overflowafter overflowsometmpfile.tmp/root/.rhostsBUFFERPOINTERBUFFERPOINTERBuffer overflow 23Heap Overflow ExampleHeap Overflow Example#define BUFSIZE 16 #define OVERSIZE 8 int main() { u_long diff; char *buf1 = (char *)malloc(BUFSIZE), char *buf2 = (char *)malloc(BUFSIZE); diff = (u_long)buf2 - (u_long)buf1; printf("buf1 = %p, buf2 = %p, diff = 0x%x bytes\n", buf1, buf2, diff); memset(buf2, 'A', BUFSIZE-1), buf2[BUFSIZE-1] = '\0'; printf("before overflow: buf2 = %s\n", buf2); memset(buf1, 'B', (u_int)(diff + OVERSIZE)); printf("after overflow: buf2 = %s\n", buf2); return 0;}Buffer overflow 24Heap Overflow Example ResultsHeap Overflow Example Results[root /w00w00/heap/examples/basic]# ./heap1 buf1 = 0x804e000, buf2 = 0x804eff0, diff = 0xff0 bytes before overflow: buf2 = AAAAAAAAAAAAAAA after overflow: buf2 = BBBBBBBBAAAAAAABuffer overflow 25Why Not “Fix” Buffer Overflow?Why Not “Fix” Buffer


View Full Document
Download Buffer Overflow
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view Buffer Overflow and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Buffer Overflow 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?