Lecture 16
Buffer Overflow
Buffer Overflow
• a very common attack mechanism
- first wide use by the Morris Worm in 1988
• prevention techniques known
• still of major concern
- legacy of buggy code in widely deployed operating systems and applications
- continued careless programming practices by programmers
Buffer Overflow/Buffer Overrun
- A buffer overflow, also known as a buffer overrun, is defined by NIST as:
“A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.”
Buffer Overflow Basics
- programming error when a process attempts to store data beyond the limits of a fixed-sized buffer
- overwrites adjacent memory locations
- locations could hold other program variables, parameters, or program control flow data
- buffer could be located on the stack, in the heap, or in the data section of the process
- consequences:
- corruption of program data
- unexpected transfer of control
- memory access violations
- execution of code chosen by attacker
Basic Buffer Overflow Stack Values
Buffer Overflow Attacks
- to exploit a buffer overflow an attacker needs:
- to identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker’s control
- to understand how that buffer is stored in memory and determine potential for corruption
- identifying vulnerable programs can be done by:
- inspection of program source
- tracing the execution of programs as they process oversized input
- using tools such as fuzzing to automatically identify potentially vulnerable programs
Stack Buffer Overflows
• occur when buffer is located on stack
- also referred to as stack smashing
- early exploits, including the Morris Worm's, relied on an unchecked buffer overflow
• are still being widely exploited
• stack frame
- when one function calls another it needs somewhere to save the return address
- also needs locations to save the parameters to be passed in to the called function and to possibly save register values
Stack Frame with Functions P and Q
Classic stack overflow
Classic stack overflow (Stack)
Common Unsafe C Standard Library Routines
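The pattern behind these slides, as an added example that is not part of the lecture: a fixed-size stack buffer filled by strcpy() with no length check, next to a bounds-checked replacement that refuses input which does not fit. The function names copy_unsafe, copy_checked and store_checked and the constant BUF_SIZE are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* assumed size for the demonstration */

/* Vulnerable form: strcpy() copies until the source's NUL terminator and
 * ignores the destination size. Input of BUF_SIZE bytes or more overwrites
 * whatever sits next to buf in the stack frame (other locals, the saved
 * frame pointer, the saved return address), i.e. stack smashing.
 * Kept only for comparison; never reachable from untrusted input. */
int copy_unsafe(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src);               /* no bound: overflow if strlen(src) >= BUF_SIZE */
    return (int)strlen(buf);
}

/* Hardened form: scan at most dst_size bytes for the terminator, refuse
 * anything that leaves no room for data plus NUL, copy with an explicit
 * length. Returns the number of bytes stored, or -1 if the input was refused. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    const char *end;
    size_t n;

    if (dst_size == 0)
        return -1;
    end = memchr(src, '\0', dst_size);   /* never reads past dst_size bytes of src */
    if (end == NULL)                     /* no terminator within the space we have */
        return -1;
    n = (size_t)(end - src);
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Same stack layout as copy_unsafe(), but through the checked copy:
 * oversized input is rejected instead of corrupting the frame. */
int store_checked(const char *src)
{
    char buf[BUF_SIZE];
    return copy_checked(buf, sizeof buf, src);
}

int main(void)
{
    /* constructed sample inputs: 5 bytes, 15 bytes (fits exactly), 32 bytes */
    printf("short: %d\n", store_checked("hello"));
    printf("exact: %d\n", store_checked("123456789012345"));
    printf("long:  %d\n", store_checked("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```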
Shellcode
- code supplied by attacker
- often saved in buffer being overflowed
- traditionally transferred control to a user command-line interpreter (shell)
- machine code
- specific to processor and operating system
- traditionally needed good assembly language skills to create
- more recently a number of sites and tools have been developed that automate this process
- Metasploit Project
- provides useful information to people who perform penetration testing, IDS signature development, and exploit research
Stack Overflow Attack
Stack Overflow Variants
- target program can be:
- a trusted system utility
- network service daemon
- commonly used library code
- shellcode functions
- launch a remote shell when connected to
- create a reverse shell that connects back to the hacker
- use local exploits that establish a shell
- flush firewall rules that currently block other attacks
- break out of a chroot (restricted execution) environment, giving full access to the system