Buffer Overflows: Understanding Attacks and Defenses, Lab Reports of Electrical and Electronics Engineering

An in-depth analysis of buffer overflow vulnerabilities, their exploitation, and countermeasures. Buffer overflow vulnerabilities are the most common way to gain unauthorized access to a remote host, and understanding how they work is crucial for securing internetwork systems. The notes cover the concept of exploits, their injection vector and payload, and the impact of buffer overflows on computer memory.

Typology: Lab Reports

Pre 2010

Uploaded on 08/05/2009 by koofers-user-t10

ECE 4883 - Internetwork Security

Buffer Overflows: Attack and Defense

• Buffer overflow vulnerabilities are the most common way to gain control of a remote host
• Most common security vulnerability
• Buffer overflow vulnerabilities are common and easy to exploit
• Attacker can insert and execute attack code
• Error is made at program creation, is invisible to user

ECE 4883 - Internetwork Security

Definition: Exploit

• An exploit is code that takes advantage of a bug in other code
• Exploits can cause:
  – Crash of machine and denial of service
  – Crash of just the program that is running
• Exploits have two halves
  – Injection vector – uses the bug itself to get in
  – Payload – not related to the bug at all, can do just about anything an attacker wants to do

ECE 4883 - Internetwork Security

Exploit Payload

• Independent of exploit injection vector
• Dependent upon hardware platform, operating system
• Much like a virus
• Can cause remote shell, can cause rootkit to be installed, can cause worm or virus activity, can cause a denial of service

ECE 4883 - Internetwork Security

Buffer Overflow Principle

• Overwrite parts of memory that are not intended to be overwritten
• Make process execute this overwritten memory

ECE 4883 - Internetwork Security

Computer Memory Usage

[Figure: stack layout showing Buffer, Local Variables, Return Address and Attack Code, with one arrow marking the direction in which the string fills the buffer and another marking the direction in which the stack fills.]

ECE 4883 - Internetwork Security

Example Code

    #include <string.h>

    /* Copies its argument into a 16-byte stack buffer with no length check:
       any string longer than 15 characters overflows the buffer. */
    void function(char *str) {
        char buffer[16];
        strcpy(buffer, str);   /* unchecked copy: this is the vulnerability */
    }

    int main(void) {
        char large_string[256];
        int i;
        /* 255 'A's followed by a terminating NUL, far larger than buffer[16] */
        for (i = 0; i < 255; i++)
            large_string[i] = 'A';
        large_string[255] = '\0';
        function(large_string);
        return 0;
    }

(Source: “Smashing the Stack”)

ECE 4883 - Internetwork Security

Attacker Goals

• To put or to use “opportunistic” code in the program’s address space
• Cause the execution of the program to jump to the “opportunistic” code

ECE 4883 - Internetwork Security

Putting or Using “Opportunistic” Code

• Insert the “opportunistic” code by string input to the program which is written to the buffer
• Use “opportunistic” code that already exists and executes functions like exec(argument), where one can pass the argument /bin/sh to cause exec(“/bin/sh”)

ECE 4883 - Internetwork Security

Defense One

• Correct the source code in the programs
  – Check the source code for fgets, gets, getws, memcpy, memmove, scanf, sprintf, strcat, strncpy where the length of the arguments is not checked
  – Use fault injection tools and/or static analysis tools
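The following is an added example, not code from the slides or from “Smashing the Stack”. It shows the source-level correction the slide calls for: the vulnerable `function(char *str)` from the Example Code slide is replaced by a version that receives the destination size and refuses any input that would not fit. The helper name `bounded_copy`, the function `function_checked` and the three input strings are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Hardened copy: the destination size is passed explicitly and the copy is
   refused when the input (plus its NUL) would not fit. Returns 0 on success,
   -1 when the input is rejected. Unlike strncpy, the result is always
   NUL-terminated and a too-long input is never silently truncated. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size) {
        return -1;                 /* would overflow: reject */
    }
    memcpy(dst, src, len + 1);     /* copy including the terminating NUL */
    return 0;
}

/* Same shape as the slide's function(char *str), with the length check added.
   Returns the number of characters stored, or -1 if the input was rejected. */
int function_checked(const char *str)
{
    char buffer[BUF_SIZE];
    if (bounded_copy(buffer, sizeof buffer, str) != 0) {
        return -1;
    }
    return (int)strlen(buffer);
}

/* Inputs constructed for the demonstration. */
static const char SHORT_INPUT[] = "hello";                               /* 5 chars: fits   */
static const char LIMIT_INPUT[] = "123456789012345";                     /* 15 chars: fits  */
static const char LONG_INPUT[]  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";    /* 32 chars: reject */

int main(void)
{
    printf("short: %d\n", function_checked(SHORT_INPUT));   /* 5  */
    printf("limit: %d\n", function_checked(LIMIT_INPUT));   /* 15 */
    printf("long:  %d\n", function_checked(LONG_INPUT));    /* -1 */
    return 0;
}
```

The check is `len >= dst_size` rather than `len > dst_size` because the terminating NUL also needs a byte; this off-by-one is exactly the kind of defect static analysis tools are used to find in the functions the slide lists.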

ECE 4883 - Internetwork Security

Defense 2

• Make the data segment of the victim program address space non-executable
• Kernel patches exist to do this
• “almost” no programs have code in the stack segment

ECE 4883 - Internetwork Security

Defense 4

• Code Pointer Integrity Checking – check to see if a return value has been corrupted before using it
  – Example is StackGuard, which puts a “canary” word next to the return address in the stack
    (Source: “Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade”, http://www.immunix.org/StackGuard/discex00.pdf)
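The following is an added example and is not StackGuard's code or the compiler's real frame layout. It models the canary idea in ordinary user-space C: a struct stands in for the stack frame, with a canary word placed between the local buffer and the saved return address, so a copy that runs past the buffer toward the return address must overwrite the canary first, and the epilogue check detects it. The struct, the fixed `CANARY_VALUE`, the placeholder return address and the two inputs are all constructed for the demonstration; StackGuard itself picks the canary at runtime.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame in StackGuard order: buffer, then canary, then return address. */
struct guarded_frame {
    char      buffer[16];
    uint32_t  canary;
    uintptr_t return_address;
};

/* Fixed canary for the demonstration (a real implementation chooses it at runtime). */
#define CANARY_VALUE 0xDEADBEEFu

/* What the function prologue would do: clear the buffer and plant the canary. */
void frame_init(struct guarded_frame *f, uintptr_t ret)
{
    memset(f->buffer, 0, sizeof f->buffer);
    f->canary = CANARY_VALUE;
    f->return_address = ret;
}

/* Models an unchecked copy into the buffer. The write is clamped to the frame
   object so the simulation stays well-defined C, but it is allowed to run past
   buffer[] into the canary and the return address, just as strcpy would. */
void unchecked_copy(struct guarded_frame *f, const char *src, size_t len)
{
    if (len > sizeof *f) {
        len = sizeof *f;
    }
    memcpy((unsigned char *)f, src, len);
}

/* The epilogue check: 1 if the canary is intact, 0 if it has been overwritten.
   A real implementation aborts instead of returning when this fails. */
int canary_intact(const struct guarded_frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* Runs one input through the model and returns the result of the check. */
int run_case(const char *input, size_t len)
{
    struct guarded_frame f;
    frame_init(&f, (uintptr_t)0x08048000u);   /* constructed placeholder return address */
    unchecked_copy(&f, input, len);
    return canary_intact(&f);
}

/* Inputs constructed for the demonstration. */
static const char BENIGN_INPUT[]   = "hello";                                /* stays inside buffer[16] */
static const char OVERFLOW_INPUT[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";     /* 32 bytes: crosses the canary */

int main(void)
{
    printf("benign input, canary intact:   %d\n", run_case(BENIGN_INPUT, strlen(BENIGN_INPUT)));     /* 1 */
    printf("overflow input, canary intact: %d\n", run_case(OVERFLOW_INPUT, strlen(OVERFLOW_INPUT))); /* 0 */
    return 0;
}
```

The point of the ordering is that the attacker's string reaches the return address only by passing through the canary; a check of the canary before the return therefore catches the corruption regardless of what value was written over the return address.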