
Non Malicious Program Errors (Buffer Overflows)


Presentation Transcript


  1. Non Malicious Program Errors (Buffer Overflows) Gabe Kanzelmeyer CS 450 4/14/10

  2. Overview What is buffer overflow? How memory is processed and the stack The threat Stack overrun attack Dangers Prevention

  3. What is buffer overflow? • A buffer (array/string) that holds data • The buffer is stored in memory (finite) • Example: char buffer[10] (sets aside buffer[0] – buffer[9]) • Consider: buffer[10] = 'A'; • What will happen?

  4. The compiler detects the out-of-bounds constant index • Consider instead: buffer[i] = 'A'; • What happens then? • It depends; the compiler can't identify the problem until execution.

  5. The first two only affect the user. A malicious programmer focuses on the second two.

  6. How memory is processed and the stack • Text – program code • Data – global data • Stack and Heap – allocated at run time • Stack – stores function arguments, local variables, and the values of selected registers

  7. When a procedure is called, the return address for the function call is put onto the stack. This is of key importance for the attacker: if the return address stored on the stack is overwritten, then upon termination of the procedure the modified value is loaded into the EIP register (instruction counter), potentially allowing any code placed by the overflow to be executed.

  8. Example of a function with a local buffer on the stack:

     void f(int a, int b) {
         char buf[10];   /* 10 bytes in f's stack frame, below the saved return address */
     }

     int main(void) {
         f(1, 2);
         return 0;
     }

  9. The Threat • How do we recognize where an attack may occur? • Return address on the stack • Data on the stack • With this in mind, let's consider the following…

  10. [Figure: stack frame showing the frame address and the return address, with the return address overwritten] The modified return address is pushed into the instruction counter.

     #include <string.h>

     char *code = "AAAABBBBCCCCDDD";   /* 15 characters plus the terminating '\0' = 16 bytes */

     int main(void) {
         char buf[8];
         strcpy(buf, code);   /* copies 16 bytes into an 8-byte buffer and overruns the frame */
         return 0;
     }

  11. Stack Overrun Attack 1. Discovering code which is vulnerable to a buffer overflow. 2. Determining the number of bytes needed to overwrite the return address. 3. Calculating the address that should point to the alternate code. 4. Writing the code to be executed. 5. Linking everything together and testing.

  12. Victim's code (victim.exe):

     #include <stdio.h>
     #include <string.h>

     #define BUF_LEN 40

     int main(int argc, char **argv) {
         char buf[BUF_LEN];
         if (argc > 1) {
             printf("buffer length: %d\nparameter length: %zu\n", BUF_LEN, strlen(argv[1]));
             strcpy(buf, argv[1]);   /* no length check: a parameter of BUF_LEN or more characters overruns buf */
         }
         return 0;
     }

  13. The Attack • Consider: victim.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA • If an access violation error results, try: victim.exe AAAABBBBCCCCDDDDEEEEFFFFGGGG………

  14. If successful, the error message is: • "The instruction at 0x4b4b4b4b referenced memory at 0x4b4b4b4b. The memory could not be read." • 0x4b is ASCII "K" • The return address has been overwritten with KKKK

  15. From here you can do whatever you want • Inject shell code to gain "super user" access • Inject the address of malicious code • Use the vulnerable system to mount a denial-of-service attack

  16. Dangers • Poor programming practices • Text/string manipulation functions • strcpy() • strcat() • sprintf() • gets() • Etc…

  17. Preventing buffer overflow • Library-based defenses • Re-implemented unsafe functions (Libsafe) • Detection of illegitimate code on the stack (SecureWave) • Compiler-based runtime bounds checking
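Added example, not part of the slides: the victim program of slide 12 rewritten with the length check that slides 16 and 17 call for, so an over-long parameter is rejected instead of overrunning buf. The names copy_checked and victim_hardened are chosen here.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 40   /* same buffer size as the victim program on slide 12 */

/* Bounded replacement for strcpy(buf, argv[1]) (name chosen for this example).
 * Copies src into dst only when it fits together with its terminating NUL;
 * returns 1 on success and 0 when the input is rejected as too long.
 * The length scan stops at dst_len, so even an input with no terminator
 * cannot make the check itself read past the buffer size. */
int copy_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    while (n < dst_len && src[n] != '\0') {
        n++;
    }
    if (n >= dst_len) {          /* no room for the NUL: strcpy would overflow */
        return 0;
    }
    memcpy(dst, src, n + 1);     /* n + 1 copies the terminator too */
    return 1;
}

/* The victim program's main() with the length check in place.
 * Returns 0 when the parameter was accepted and 1 when it was rejected,
 * so the caller (or a test) observes the outcome instead of a crash. */
int victim_hardened(int argc, char **argv)
{
    char buf[BUF_LEN];
    if (argc > 1) {              /* the slide compares argv, not argc */
        if (!copy_checked(buf, sizeof buf, argv[1])) {
            fprintf(stderr, "rejected parameter: %zu bytes, max %d\n",
                    strlen(argv[1]), BUF_LEN - 1);
            return 1;
        }
        printf("buffer length: %d\nparameter length: %zu\n",
               BUF_LEN, strlen(buf));
    }
    return 0;
}

int main(int argc, char **argv)
{
    return victim_hardened(argc, argv);
}
```

Run it with the 46-character "A" string from slide 13 and the program reports the rejection and exits with status 1 rather than faulting.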

  18. Questions?
