29-01-2024
Buffer Overflow
• Buffer: contiguous allocated chunk of memory, such as an
array or a pointer in C.
• Buffer overflow occurs when a user or a program writes
past the buffer, intruding into memory locations not
allocated for the buffer.
• Programming languages like C and C++ provide no
automatic bound checking on buffers thereby allowing
user to write past the buffer. 2
1
29-01-2024
Anatomy of a Buffer Overflow
• Buffer: memory used to
store user input, has fixed
maximum size
• Buffer overflow: when user
input exceeds max buffer
size
– Extra input goes into
unexpected memory
locations
3
A Small Example
• Malicious user enters >
1024 chars, but buf can
only store 1024 chars;
extra chars overflow
buffer
void get_input() {
char buf[1024];
gets(buf);
}
void main(int argc, char*argv[]){
get_input();
}
4
2
29-01-2024
The Problem
void try1(char *s) {
char buf[10];
strcpy(buf,s);
printf(“buf is %s\n”,s);
}
…
try1(“thisstringistolong”);
Continued…
int main()
{ Writing past the buffer
int buffer[10];
buffer[20]=10;
}
• Any C compiler will compile the above 6
segment with no errors.
3
29-01-2024
Buffer Overflows
• Applications running on the host in Internet have certain
privileges.
• They can access part of the system resources like system
variables, system files and even execute certain commands
that a remote user/application cannot.
• From an attacker’s view point if he can take control of a
vulnerable application running on target on a target
computer he can misuse the privileges of victim
application.
• This happens in buffer overflow. 7
Types of Buffer Overflows
• Stack Overflows
• Format String Overflows
• Heap Overflows
• Integer Overflows
4
29-01-2024
. A More Detailed Example
1 int checkPassword() {
2 char pass[16];
3 bzero(pass, 16); // Initialize
4 printf ("Enter password: ");
5 gets(pass);
6 if (strcmp(pass, "opensesame") == 0)
7 return 1;
8 else
9 return 0;
10 }
11
12 void openVault() {
13 // Opens the vault
checkPassword()
14 } pass[16] Return pass[16]
15
16 main() {
main() Addr. openVault()
17 if (checkPassword()) { main()
18 openVault();
19 printf ("Vault opened!");
20 } “Normal” Compromised
9
21 } Stack Stack
checkPassword() Bugs
• Execution stack: maintains current function state
and address of return function
• Stack frame: holds vars and data for function
• Extra user input (> 16 chars) overwrites return
address
– Attack string: 17-20th chars can specify address of
openVault() to bypass check
– Address can be found with source code or binary
10
5
29-01-2024
The safe_gets() Function
#define EOLN '\n'
void safe_gets (char *input, int max_chars) {
if ((input == NULL) || (max_chars < 1))) return;
if (max_chars == 1) { input[0] = 0; return; }
int count = 0;
char next_char;
do {
next_char = getchar(); // one character at a time
if (next_char != EOLN)
input[count++] = next_char;
} while ((count < max_chars-1) && // leave space for null
(next_char != EOLN));
input[count]=0;
}
• Unlike gets(), takes parameter specifying max chars to
insert in buffer
• Use in checkPassword() instead of gets() to eliminate
buffer overflow vulnerability
11
Safe String Libraries
• C – Avoid (no bounds checks): strcpy(),
strcat(), sprintf(), scanf()
• Use safer versions (with bounds checking):
strncpy(), strncat(), fgets()
• Must pass the right buffer size to functions!
• C++: STL string class handles allocation
• Unlike compiled languages (C/C++),
interpreted ones (Java/C#) enforce type
safety, raise exceptions for buffer overflow
12
6
29-01-2024
StackGuard
• Canary: random value, unpredictable to attacker
• Compiler technique: inserts canary before return
address on stack
• Corrupt Canary: code halts
program to thwart a
possible attack
• Not comprehensive
protection
Source: C. Cowan et. al., StackGuard,
13
Stack Direction
• On Linux (x86) the stack grows from high
addresses to low.
• Pushing something on the stack moves the
Top Of Stack towards the address 0.
14
7
29-01-2024
A Stack Frame
Parameters
Return Address
Calling Frame Pointer
SP+offset
Local Variables
SP
Addresses
00000000
15
18
addressof(y=3) return address
Sample saved stack pointer
y
Stack x
buf
x=2; void test1(int j) {
test1(18); int x,y;
y=3; char buf[100];
x=j;
…
}
16
8
29-01-2024
9
29-01-2024
NOPs
• Most CPUs have a No-Operation
instruction – it does nothing but advance the
instruction pointer.
• Usually we can put a bunch of these ahead
of our program (in the string).
• As long as the new return-address points to
a NOP we are OK.
20
10
29-01-2024
Using NOPs
new return address
Real program
(exec /bin/ls or whatever)
nop instructions
21
for stack smashing
Overflow!!
22
11
29-01-2024
Solutions
• The reason behind stack smashing is mismanagement of
memory and lazy programming.
• The main reason behind stack smashing is that no bound
checking is performed.
• Instead of using functions like strcpy, strcat use strncpy
and strncat which performs bound checking.
23
Solution with strncpy
Checking of
bounds
24
12
29-01-2024
Format string overflows
• This type of vulnerability occurs while using the
format functions in C.
• Examples for format functions are:
– printf- printing to stdout
– fprint- printing to a file
– sprintf- printing to a string pointer
Format functions typically have 2 arguments:
– Format string like %d, %s, %x representing the type
and no: of parameters that are to follow.
25
– Data that is to be sent to the output stream
– Eg: printf(“%d”,input_decimal)
Vulnerability!!
26
13
29-01-2024
Continued…
• Instead of giving a string if we give a
format string as below for the input of the
vulnfun() function:
“%08x.%08x.%08x.%08x.%08x”
• The printf below prints the values of five
consecutive words in the stack (as eight-
digit padded hexadecimal numbers). We
can walk up the stack this way and view the
27
contents of the stack.
Countermeasure…
Allow printf to print
only string values
28
14
29-01-2024
Countermeasures
• Secure coding:
– Bound checking mandatory
– File access and user permissions must be kept in mind.
– Access permissions of even temporary files should be
restricted to prevent any malicious modifications in
between two consecutive executions
29
– All user inputs should be checked or validated for
malicious code.
Stop execution of malicious commands :
– Designate the data segment of an applications buffer
space as non executable zone.
– Unfortunately latest versions of unix & windows do not
have such a facility .
– Depending on the platform it is possible to download a
patch from your vendor.
– But this has the disadvantage that it stops legitimate
appliactions from offering there full fledged feauters. 30
It is a matter of balance between security &
functionality.
15
29-01-2024
Conclusion
• Buffer Overflow attacks are not only very
dangerous but once executed,they are also quite
easy to execute.
• It is very important to take adequate security
countermeasures against buffer overflows.
• It is suggested to use programming languages like
java which do not give direct access on addresses.
• Buffer Overflow attacks can be countered by
Programming Applications efficiently & securely. 31
References
• Network Security: A Hacker’s Perspective-Ankit Fadia
• https://www.owasp.org/index.php/Buffer_Overflow
• www.linuxjournal.com/article/6701
• www.windowsecurity.com/.../analysis_of_buffer_overflow
_attacks
• Operating System #37 Buffer Overflow Attacks Explained
in Detail Best Programming Courses @
https://goo.gl/MVVDXR Complete Operating Systems
Lecture/ Tutorials from IIT @ https://goo.gl/GMr3if
32
16