Buffer Overflow - Integrated Computer Security - Lecture Slides, Slides of Computer Security

These lecture slides are very easy to understand the Integrated Computer Security system. The major points in these lecture slides are: Cryptographic Tools, Message Authentication, Active Attacks, Verifies Received, Authentic, Contents, Authentic Source, Conventional, Sender, Receiver

Typology: Slides

2012/2013

Uploaded on 04/25/2013

bageshri
Lecture 16
Buffer Overflow

Lecture 16

Buffer Overflow

Buffer Overflow

• a very common attack mechanism
  • first wide use by the Morris Worm in 1988
• prevention techniques known
• still of major concern
  • legacy of buggy code in widely deployed operating systems and applications
  • continued careless programming practices by programmers

Buffer Overflow/Buffer Overrun

  • A buffer overflow, also known as a buffer overrun, is defined by NIST as:

“A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.”

Buffer Overflow Basics

  • programming error when a process attempts to store data beyond the limits of a fixed-sized buffer

  • overwrites adjacent memory locations
    • locations could hold other program variables, parameters, or program control flow data
    • buffer could be located on the stack, in the heap, or in the data section of the process
  • consequences:
    • corruption of program data
    • unexpected transfer of control
    • memory access violations
    • execution of code chosen by attacker

Basic Buffer Overflow Stack Values

Buffer Overflow Attacks

  • to exploit a buffer overflow an attacker needs:
    • to identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker’s control
    • to understand how that buffer is stored in memory and determine potential for corruption
  • identifying vulnerable programs can be done by:
    • inspection of program source
    • tracing the execution of programs as they process oversized input
    • using tools such as fuzzing to automatically identify potentially vulnerable programs

Stack Buffer Overflows

• occur when buffer is located on stack
  • also referred to as stack smashing
  • exploits included an unchecked buffer overflow
• are still being widely exploited
• stack frame
  • when one function calls another it needs somewhere to save the return address
  • also needs locations to save the parameters to be passed in to the called function and to possibly save register values

Stack Frame with Functions P and Q

Classic stack overflow

Classic stack overflow (Stack)
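The layout that the "Basic Buffer Overflow Stack Values" and "Classic stack overflow" figures describe can be made concrete in code. The following is an added example, not part of the lecture slides: a plain byte array stands in for one stack frame holding a 16-byte local buffer, the saved frame pointer and the return address (all offsets and address values are constructed for the demo), so the overwrite stays within defined memory instead of corrupting the real stack. An unchecked strcpy()-style copy is run beside a bounds-checked copy, and a canary slot between the buffer and the saved registers (an assumption of this example; the figures do not show one) is checked the way a stack-protector epilogue would check it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame, low address first (offsets are constructed for the demo):
 *   [0..15]  char buf[16]          the local buffer being overflowed
 *   [16..23] canary                guard word (assumed; not in the slides)
 *   [24..31] saved frame pointer   caller's frame pointer
 *   [32..39] return address        where the function returns to
 */
#define BUF_SIZE   16
#define FRAME_SIZE 40
enum { OFF_BUF = 0, OFF_CANARY = 16, OFF_SAVED_FP = 24, OFF_RET = 32 };

static const uint64_t CANARY_VALUE = 0x00C0FFEE0BADF00DULL; /* constructed */
static const uint64_t SAVED_FP     = 0x00007FFC1234ABC0ULL; /* constructed */
static const uint64_t RET_ADDR     = 0x0000555555401234ULL; /* constructed */

struct frame { unsigned char bytes[FRAME_SIZE]; };

static uint64_t load64(const struct frame *f, size_t off) {
    uint64_t v; memcpy(&v, f->bytes + off, sizeof v); return v;
}
static void store64(struct frame *f, size_t off, uint64_t v) {
    memcpy(f->bytes + off, &v, sizeof v);
}

/* The frame as a function prologue would leave it. */
static struct frame frame_init(void) {
    struct frame f;
    memset(f.bytes, 0, sizeof f.bytes);
    store64(&f, OFF_CANARY, CANARY_VALUE);
    store64(&f, OFF_SAVED_FP, SAVED_FP);
    store64(&f, OFF_RET, RET_ADDR);
    return f;
}

/* Unchecked copy into buf, i.e. the strcpy() bug: copies len+1 bytes no
 * matter how large len is. Returns how many bytes landed past the buffer.
 * The copy is clamped at the end of the frame so the simulation itself
 * never writes outside the byte array. */
static size_t unchecked_copy(struct frame *f, const char *src, size_t len) {
    size_t n = len + 1;                 /* strcpy() also copies the NUL */
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->bytes + OFF_BUF, src, n);
    return n > BUF_SIZE ? n - BUF_SIZE : 0;
}

/* Bounds-checked copy: never writes outside buf, always NUL-terminates,
 * and returns -1 so the caller can reject over-long input. */
static int checked_copy(struct frame *f, const char *src, size_t len) {
    size_t n = len < BUF_SIZE - 1 ? len : BUF_SIZE - 1;
    memcpy(f->bytes + OFF_BUF, src, n);
    f->bytes[OFF_BUF + n] = '\0';
    return len > BUF_SIZE - 1 ? -1 : 0;
}

/* What a stack-protector epilogue checks before the function returns. */
static int canary_intact(const struct frame *f) { return load64(f, OFF_CANARY) == CANARY_VALUE; }
static int ret_intact(const struct frame *f)    { return load64(f, OFF_RET) == RET_ADDR; }

struct result { size_t spill; int rc; int canary_ok; int ret_ok; size_t buf_len; };

/* Feed a constructed 63-byte input ("AAAA...") through either copy. */
static struct result run(int use_checked) {
    char input[64];
    memset(input, 'A', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    struct frame f = frame_init();
    struct result r = {0, 0, 0, 0, 0};
    if (use_checked) r.rc = checked_copy(&f, input, strlen(input));
    else             r.spill = unchecked_copy(&f, input, strlen(input));
    r.canary_ok = canary_intact(&f);
    r.ret_ok    = ret_intact(&f);
    r.buf_len   = strlen((const char *)f.bytes + OFF_BUF);
    return r;
}

int main(void) {
    struct result u = run(0), c = run(1);
    printf("unchecked: %zu bytes past buf, canary %s, return address %s\n",
           u.spill, u.canary_ok ? "intact" : "CLOBBERED", u.ret_ok ? "intact" : "CLOBBERED");
    printf("checked:   rc=%d (truncated), canary %s, return address %s\n",
           c.rc, c.canary_ok ? "intact" : "CLOBBERED", c.ret_ok ? "intact" : "CLOBBERED");
    return 0;
}
```

With the unchecked copy the 'A' bytes run straight through the canary, the saved frame pointer and the return address, which is exactly the corruption the figures show; the canary comparison is what lets the program abort before the corrupted return address is ever used. With the checked copy nothing past the buffer changes and the caller learns, via the -1 return, that input was too long.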

Common Unsafe C Standard Library Routines
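The routines the slide has in mind (gets(), strcpy(), strcat(), sprintf() and friends) share one defect: none of them takes the size of the destination. The following added example, not from the slides, gives a bounded replacement for each; every function takes the destination size, always leaves a NUL terminator, and returns -1 when input had to be truncated so the caller can reject the input rather than continue with a mangled value. The helper that feeds text through read_line() via a temporary file, and the shared 8-byte destination buffer, exist only to make the demo self-contained.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Shared 8-byte destination used by the demo and its checks. */
static char small[8];

/* strcpy() replacement. Unlike strncpy(), the result is always terminated. */
static int bounded_copy(char *dst, size_t dstsize, const char *src) {
    if (dstsize == 0) return -1;
    size_t n = strlen(src);
    if (n >= dstsize) {                      /* does not fit: truncate and report */
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* strcat() replacement. dst must already hold a terminated string. */
static int bounded_concat(char *dst, size_t dstsize, const char *src) {
    size_t used = strlen(dst);
    if (used >= dstsize) return -1;          /* not terminated inside dst: refuse */
    size_t avail = dstsize - used - 1;
    size_t n = strlen(src);
    if (n > avail) {
        memcpy(dst + used, src, avail);
        dst[used + avail] = '\0';
        return -1;
    }
    memcpy(dst + used, src, n + 1);
    return 0;
}

/* sprintf() replacement: snprintf() plus the truncation check that is
 * usually forgotten (snprintf returns the length it *wanted* to write). */
static int bounded_format(char *dst, size_t dstsize, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dstsize, fmt, ap);
    va_end(ap);
    if (n < 0) { if (dstsize) dst[0] = '\0'; return -1; }
    return (size_t)n < dstsize ? 0 : -1;
}

/* gets() replacement: fgets() plus handling of the over-long-line case.
 * Returns 0 for a complete line (newline stripped), -1 if the line was
 * longer than the buffer (the rest of that line is discarded so the next
 * read starts on a fresh line), and 1 at end of input with nothing read. */
static int read_line(FILE *in, char *buf, size_t size) {
    if (!fgets(buf, (int)size, in)) { if (size) buf[0] = '\0'; return 1; }
    size_t len = strlen(buf);
    if (len && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return 0; }
    int c = fgetc(in);
    if (c == EOF) return 0;                  /* last line, no newline, fitted exactly */
    while (c != EOF && c != '\n') c = fgetc(in);   /* drain the overflowing remainder */
    return -1;
}

/* Demo helper: run read_line() over constructed text through a temp file. */
static int read_line_from_text(const char *text, char *buf, size_t size) {
    FILE *fp = tmpfile();
    if (!fp) return 1;
    fputs(text, fp);
    rewind(fp);
    int rc = read_line(fp, buf, size);
    fclose(fp);
    return rc;
}

int main(void) {
    printf("copy  rc=%d -> \"%s\"\n", bounded_copy(small, sizeof small, "this is far too long"), small);
    printf("cat   rc=%d -> \"%s\"\n", bounded_concat(small, sizeof small, "more"), small);
    printf("fmt   rc=%d -> \"%s\"\n", bounded_format(small, sizeof small, "%d-%d", 123456, 789), small);
    printf("line  rc=%d -> \"%s\"\n", read_line_from_text("a very long first line\n", small, sizeof small), small);
    return 0;
}
```

The point of returning -1 rather than silently truncating is that a truncated path, command or length field is itself a classic source of later bugs; the caller should treat it as a rejected input. Note also that strncpy() and strncat(), although they take a length, do not give these guarantees (strncpy() may leave the buffer unterminated), which is why they appear on the slide's list of routines to avoid rather than among the replacements.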

Shellcode

  • code supplied by attacker
    • often saved in buffer being overflowed
    • traditionally transferred control to a user command-line interpreter (shell)
  • machine code
    • specific to processor and operating system
    • traditionally needed good assembly language skills to create
    • more recently a number of sites and tools have been developed that automate this process
    • Metasploit Project
      • provides useful information to people who perform penetration, IDS signature development, and exploit research

Stack Overflow Attack

Stack Overflow Variants

  • target program can be:
    • a trusted system utility
    • network service daemon
    • commonly used library code
  • shellcode functions
    • launch a remote shell when connected to
    • create a reverse shell that connects back to the hacker
    • use local exploits that establish a shell
    • flush firewall rules that currently block other attacks
    • break out of a chroot (restricted execution) environment, giving full access to the system