Buffer Overflows Flashcards
Buffer overflow ,overrun, overwrite
A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information
Attackers exploit to crash system or insert specially crafted code to gain control of the system
Any unchecked copying of data into a buffer could result in corruption of adjacent memory locations
Consequences
data corruption, unexpected transfer of control, memory access violation, eventual program termination
if done by attacker transfer of control could be to code of the attacker with privileges of the process
Identifying
inspection of source code, tracing executino with oversized inputs or fuzzing
Assembly, register or memory does not have type constraints -> programmer
high-level programs, very strong notion of the type of variables -> cost at compile/run time to impose buffer limit checks. Access to some sw/hw is lost
C -> access to low-level resources, high-level control and data structures and portability
Stack buffer overflow
Targeted buffer in stack, local variable in a function’s stack frame (stack smashing)
functions saves may information into the stack frame -> return address, parameters passed in called function (reverse order), register values.
As variables are saved below saved frame pointer and return address, it can be modified to affect these function linkage values
Possibility of overwriting the saved frame pointer and return address forms the core
if input is overwritten by extending the data beyond the end it can affect overwriting the saved frame pointer and return address with garbage values
jumping to another address when it reaches the point of return
It can also make the program crash by overrunning the program’s buffer
Code is always placed at same location in virtual address space. This can be determined running a debugger on the target program and disassemble the target function
succesful attacks -> loss of function/service due to corrupted location/return location
Shellcode
transfer of execution to code supplied by the attacker
traditionally it gave transfer control to a user shell with processes privileges
it is a series of binary values directly related to machine instructions -> it’s specific to processor architecture and operating system
execve -> marshals arguments into machine registers and triggers software interrupt to perform system call
NOP sled -> attacker can pad the space in buffer to move code to the end with NOP operations
Defenses
Compile-time
prevent or detect buffer overflows by instrumenting programs when they are compiled
safe coding strategies/standards
detect corruption of the stack frame
augment compilers -> but need to recompile all libraries and third-party apps
provision safer functions -> but rewrite
stack protection -> instrument the function entry/exit to check its stack frame for corruption if there is abort
(Stackguard) -> inserts canary before old frame pointer, if return pointer was modified canary must have been as well / canary should be unpredictable -> but all programs must be recompiled + problems with debuggers that analyze stack frames
Return Address Defender (RAD) StackShield -> on function entry they write a copy of the return address to a safe memory region, checks if it was modified -> but needs programs to be recompiled
Run-time
provided without re-compilation
alter properties of regions of memory or make predicting the location of targeted buffers difficult
Executable address space protection -> block executable code in stack, heap requires hardware tag pages of virtual memory as nonexec
Memory Management Unit (MMU)
Issue -> support for programs that need exec code in stack/heap. JIT compilers, nested funcitons in C or Linux signal handlers
Address Space Randomization -> manipulation of the location of key data structures in a process address space
Moving the stack memory around by a megabyte makes harder to predict even with NOP sledding
if corrupted the program will abort due to invalid memory reference
Randomizing the allocation of memory on the heap makes the possibility of predicting the address of targeted buffers extremely difficult
Guard Pages -> placing gaps between the ranges of addresses used for each of the components flagged as illegal. Any attempt to access them results in the process being aborted.
Replacement Stack Frame
Overwrites the buffer and saved frame pointer address changing part of it to point to a dummy stack in a shellcode lower in the buffer
When it returns it goes to the dummy frame, control is transferred to the shellcode in the overwritten buffer
off-by-one, allows one more byte to be copied than there is space available. Change can be from one-byte to few tens of bytes
more difficult attacker needs to know exact address and dummy frame can cause a crash if old-scope variables are used
randomization of the stack in memory and of system libraries hinders the success
Return to System Call
Jump to existing code on the system and build program based on these
fills the buffer, places function parameters and a return address pointing to the system function
the system function believes to have been called and executes with given parameters as it would expect them above the return address in the stack
Countermeasures
stack protection mechanisms and randomization of the stackH
Heap overflow
bugger located in memory dynamically allocated from the heap
if allocated space includes pointer to function, an attacker can arrange for this address to be modified to point to shellcode in the overwritten buffer (processing input/outpu decoding a compressed image/video)
making the heap also nonexecutable or randomization of memory regions
Global Data Area Overflows
buffers located in the program’s global/static data area
defenses -> global data area nonexec, function pointers located below other types of data, using guard pages between global data area and any other mgmt areas
