Buffer Overflow
Buffer Overflow
‹#›
A simple function
void f() {
int i;
int buf[9];
for (i=0; i < 5; i++)buf[4+i] = buf[4-i] = 0;}‹#›A simple functionvoid f() {int i;int buf[9];for (i=0; i < 10; i++)buf[4+i] = buf[4-i] = 0;}‹#›The call stackA data structure that stores information about function calls in a programIn X86 the stack is bottom-upThe stack bottom is at a high addressThe stack top is at a low addressThe stack grows towards lower addressesBottom of stackTop of stack‹#›ImplementationRegister %esp points to the top of the stackThe push instruction pushes a value onto the stackxorl %eax,%eaxpushl %eaxpop pops a valuepopl %eax%esp0%esp‹#›Calling a functionCalling a function pushes a stack frame onto the stackThe stack base pointer register (%ebp) points to the frame of the current functionReturn pops the stack frameStack frame%esp%ebp‹#›Calling conventionsCaller does:Save registersPush argumentsCall functionCallee doesSave %ebpSet new %ebpCreate space for local variablesCaller’s stack frame%esp%ebpSaved RegistersArgumentsReturn addressSaved %ebpLocal Variables%esp%esp%esp%esp%esp%ebp%esp, %ebp‹#›Exampleint g(int a, int b) {int x = a + 1;int y = b + 2;return x*y;}g:pushl %ebpmovl%esp, %ebpsubl$16, %espmovl8(%ebp), %eaxaddl$1, %eaxmovl%eax, -8(%ebp)movl12(%ebp), %eaxaddl$2, %eaxmovl%eax, -4(%ebp)movl-8(%ebp), %eaximull -4(%ebp), %eaxleaveretbaReturn addressSaved %ebpyx%ebp%esp%esp%esp%ebp%esp, %ebp%esp‹#›Back to a simple functionvoid f() {int i;char buf[9];for (i=0; i < 10; i++)buf[4+i] = buf[4-i] = 0;}i00buf1000200000300000004000000000500000000000000000000Saved %ebpReturn address‹#›05ibufSaved %ebpReturn address155255355455With a minor changevoid f() {int i;char buf[9];for (i=0; i < 10; i++)buf[4+i] = buf[4-i] = 5;}55556557‹#›bufStack smashingvoid f() {char buf[512];gets(buf);doSomething(buf);}The attacker diverts execution to data it injectedHow does the attacker know where to jump to?Caller’s stack frameReturn addressSaved %ebpgets stack framebufbufReturn addressSaved %ebpCaller’s stack frame‹#›NOP SledA sequence of NOP instructions leading to the attack codeNOPNOPNOP…NOPNOPAttackCode‹#›Problem patternsAny use of getsstrcpy, sprintf, strcat, etc.sprintf(buf, “https://%s/index.html”, argv[1])buf=new char[strlen(argv[1])]strcpy(buf, argv[1])wchar_t buf[MAXLEN];swprintf(buf, sizeof(buf), “%s”, argv[1]);Any low-level implementation of similar codewhile (*src != ‘;’)*dst++ = *src++;*dst = ‘�’;‹#›Avoiding buffer overflowsDo not use gets.Replace unsafe C string functions with safe versionRedefine unsafe functions to catch use, for example:char *strcpy(char *dst, const char *src) {fprintf(stderr, “Don’t use strcpy
“);abort();}May fail if library functions use strcpyReplace C strings with safe(r) C++ strings‹#›Avoiding buffer overflows – 2Abstract over array access to include bounds checkingFor example, use the C++ vector .at() methodWhat about performance?Code reviews and audits. Use static code analysis toolsSwitch to Java, C#, etc.‹#›Non-executable stacksThe stack is only used for data.There’s no need to run code from the stackThe memory management unit can prevent code execution based on the addressOnly protects against branching back to the stackDoes not prevent:Heap overflowReturn Oriented ProgrammingbufCaller’s stack frameReturn addressSaved %ebpgets stack framebufbufReturn addressSaved %ebpCaller’s stack frame‹#›ROP Illustrated‹#›StackGuard On function entry, calleeSaves %ebpSets new %ebpPushes the canaryCreates space for local variablesVerify the canary on function exitThe attacker has to overwrite the canary before changing the return addressThere are ways around the canaryDoes not protect from heap overflows, changing function pointers, etc.Caller’s stack frameSaved RegistersArgumentsReturn addressSaved %ebpLocal VariablesCanary‹#›STack Overwrite ProtectionPush a large buffer to the stack at process initialisationThe attacker does not know how to set the return addressA large enough NOP-sled has a non-negligible probability of a successOnly protects the stackASLR (Address Space Layout Randomization) extends protection to the heap and to librariesbufReturn addressSaved %ebpbufbufReturn addressSaved %ebpbufbufReturn addressSaved %ebpbuf‹#›SummaryBuffer overflow is a common vulnerabilityGood coding practices often prevent overflowsThere are some systematic defence mechanismsThere’s no silver bullet‹#›
Reviews
There are no reviews yet.