
Stack-Based Buffer Overflows






Presentation Transcript


  1. Stack-Based Buffer Overflows
  • Attacker
    • Can take over a system remotely across a network.
  • Local malicious users
    • Can elevate their privileges and gain superuser access to a system.
  • Exploit the way the OS handles its stack.
  • Stack: an internal data structure used by running programs to store data temporarily.
  • Pushing on the stack:
    • Local variables – used by the function
    • Return address – used by the system to resume execution

  2. Stack-Based Buffer Overflows
  (Process memory layout diagram: Stack, Heap, Data, Executable Code, with the executable code at the lower memory addresses.)

  3. Stack-Based Buffer Overflows
  • OS: UNIX and Windows systems
    • Have a stack that can hold data and executable code.
  • Poor code
    • Can be exploited to overrun the boundaries of the local variables on the stack.
  • Input length
    • Not examined by the code.
    • A particular variable on the stack may exceed the memory allocated to it on the stack.
  • Overwriting
    • variables
    • the return address.
  • Smashing the stack
    • Allows an attacker to overflow the local variables to insert executable code (usually a shell routine) and another return address on the stack.

  4. Example

      /* Two local buffers; nothing is overflowed here yet, this only sets up the frame layout shown on the next slides */
      void function(int a, int b, int c) {
          char buffer1[5];
          char buffer2[10];
      }

      int main() {
          function(1, 2, 3);
          return 0;
      }

  5. Activation Record (from higher to lower addresses)
  • Function Parameters
  • Return Address
  • Saved Frame Pointer
  • Local Variables

  6. Linear Form
  Stack of the slide-4 example, from the top of the stack (bottom of memory) on the left to the bottom of the stack (top of memory) on the right; the number in parentheses is the size in bytes:
      buffer2 (10) | buffer1 (5) | sfp (4) | ret (4) | a (4) | b (4) | c (4)

  7. Example
  Buffer overflows take advantage of the fact that bounds checking is not performed (C is not a strongly typed language).

      #include <string.h>

      void function(char *str) {
          char buffer[16];
          strcpy(buffer, str);   /* no bounds check: copies until the NUL, running past the 16-byte buffer */
      }

      int main() {
          char large_string[256];
          int i;
          for (i = 0; i < 255; i++) {
              large_string[i] = 'A';
          }
          large_string[255] = '\0';   /* terminate the string so strcpy stops after 255 'A's */
          function(large_string);
          return 0;
      }

  8. No boundary check
  Stack after the copy, from the top of the stack (bottom of memory) to the bottom of the stack (top of memory), every cell filled with 'A':
      buffer (16) | sfp (4) | ret (4) | *str
  The return address is overwritten with 'AAAA' (0x41414141).
  The function exits and goes to execute the instruction at 0x41414141...

  9. Example

      #include <stdio.h>

      void function(int a, int b, int c) {
          char buffer1[5];
          char buffer2[10];
          int *r;
          r = (int *)(buffer1 + 9);   /* offset meant to reach the saved return address (see the layout on the next slide) */
          (*r) += 8;                  /* advance the return address past the "x = 1" assignment */
      }

      int main() {
          int x = 0;
          function(1, 2, 3);
          x = 1;
          printf("%d\n", x);
          return 0;
      }

  10. Linear Form
  Stack of the slide-9 example, from the top of the stack (bottom of memory) to the bottom of the stack (top of memory):
      r (4) | buffer2 (10) | buffer1 (5) | sfp (4) | ret (4) | a (4) | b (4) | c (4)
  Set value: the word at buffer1 + 12 (ret) has 8 added to it.
  This causes it to skip the assignment of 1 to x, and prints out 0 for the value of x.
  Note: modern implementations have extra info in the stack between the local variables and sfp. This would slightly impact the value added to the address of buffer1.

  11. Result
  • We have seen how
    • We can overwrite the return address of our own program to crash it or skip a few instructions.
  • Can these principles be used by an attacker to hijack the execution of a program?
  • If we want to go to the buffer, how do we know where the buffer starts? (Basically just guess until you get it right.)

  12. Stack-Based Buffer Overflows
  • Attacker
    • Enters information as a user into a program.
  • Information
    • Consists of executable code and a new return address.
  • The buggy program will
    • Not analyze the length of this input,
    • Place it on the stack, and actually begin to execute the attacker's code.
  • If running with superuser privileges (e.g., SUID root on a UNIX system), the attacker has taken over the machine with a buffer overflow.

  13. Stack-Based Buffer Overflow Defenses
  • Programmers:
    • Properly code software so that it cannot be used to smash the stack.
    • All programs should validate all input from users and other programs, ensuring that it fits into allocated memory structures.
  • Security practitioners and system administrators:
    • Should carefully control and minimize the number of SUID programs on a system that users can run with the permissions of other users (such as root).
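The following is an added example, not code from the presentation: it shows the programmer-side defense from slide 13 applied to the slide-7 function. Instead of strcpy(), which has no idea how large the destination is, the copy is done by a hypothetical bounded_copy() helper that takes the destination size, refuses any input that would not fit (including the terminating NUL), and reports the rejection to the caller. The 16-byte buffer and the 255-byte 'A' string mirror the slide-7 example; names such as bounded_copy and function_checked are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 16   /* same 16-byte buffer as the slide-7 example */

/* Bounded replacement for the slide-7 strcpy(): copies str into dst only if it
   fits, terminating NUL included. Returns 0 on success and -1 if the input is
   too long (or an argument is invalid); nothing is written on rejection. */
int bounded_copy(char *dst, size_t dst_size, const char *str) {
    if (dst == NULL || str == NULL || dst_size == 0)
        return -1;

    /* Measure the input without scanning further than the destination could hold */
    size_t len = 0;
    while (len < dst_size && str[len] != '\0')
        len++;

    if (len >= dst_size)
        return -1;                 /* would overflow: reject instead of copying */

    memcpy(dst, str, len + 1);     /* copy the characters plus the NUL */
    return 0;
}

/* Hardened form of the slide's function(): returns 1 if the input was accepted
   and copied into the local buffer, 0 if it was rejected as too long. */
int function_checked(const char *str) {
    char buffer[BUFFER_SIZE];
    if (bounded_copy(buffer, sizeof buffer, str) != 0)
        return 0;
    /* ... safe to use buffer here: it is always NUL-terminated and in bounds ... */
    return 1;
}

int main(void) {
    /* Constructed input: the 255 'A's from slide 7 */
    char large_string[256];
    memset(large_string, 'A', 255);
    large_string[255] = '\0';

    printf("short input accepted:    %d\n", function_checked("hello"));
    printf("255-byte input accepted: %d\n", function_checked(large_string));
    return 0;
}
```

The check uses the destination size rather than the source length, which is the property strcpy() lacks; the caller gets an explicit result and can log or refuse the request rather than silently truncating, which is why a plain strncpy() (which may also leave the buffer unterminated) is not used here.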

  14. Stack-Based Buffer Overflow Defenses
  • Configuring the system not to execute code from the stack (many systems support this).
    • Solaris and Linux offer this option.
    • For example, to secure a Solaris system against stack-based buffer overflows, the following lines should be added to /etc/system:
          set noexec_user_stack=1
          set noexec_user_stack_log=1

  15. Stack-Based Buffer Overflow Defenses
  • In /etc/system:
    • set noexec_user_stack=1 will prevent execution on a stack.
    • set noexec_user_stack_log=1 will log any attempt to do so.
  • Some programs legitimately try to run code off the stack. Such programs will crash if this option is implemented.
  • If the system is single purpose and needs to be secure (e.g., a Web server)
    • This option should be used to prevent stack-based buffer overflows.
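Slides 14 and 15 describe the non-executable stack setting on Solaris; the Linux counterpart is visible per process in the permission field of the [stack] mapping in /proc/self/maps. The program below is an added example, not part of the presentation, that a practitioner can use to verify the setting actually took effect on a running Linux process: it parses a maps line (the two sample lines are constructed) and reports whether the stack mapping carries the 'x' permission. The function names are this example's own, and the /proc/self/maps scan assumes a Linux system.

```c
#include <stdio.h>
#include <string.h>

/* Classifies one /proc/<pid>/maps line, whose layout is
   "address-range perms offset dev inode pathname".
   Returns 1 if it is the [stack] mapping and its perms contain 'x',
   0 if it is the [stack] mapping without 'x', and -1 for any other line. */
int stack_line_executable(const char *line) {
    if (strstr(line, "[stack]") == NULL)
        return -1;

    char perms[8] = {0};
    /* %*s skips the address range; %7s reads the permission field (e.g. "rw-p") */
    if (sscanf(line, "%*s %7s", perms) != 1)
        return -1;

    return strchr(perms, 'x') != NULL ? 1 : 0;
}

/* Scans this process's own mappings (Linux only). Returns 1 if the stack is
   executable, 0 if it is not, and -1 if the file could not be read or no
   [stack] line was found. */
int own_stack_executable(void) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL)
        return -1;

    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, f) != NULL) {
        int r = stack_line_executable(line);
        if (r >= 0) {
            result = r;
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void) {
    /* Constructed sample lines shaped like /proc/self/maps output */
    const char *nx_stack = "7ffd8f2c0000-7ffd8f2e1000 rw-p 00000000 00:00 0   [stack]";
    const char *x_stack  = "7ffd8f2c0000-7ffd8f2e1000 rwxp 00000000 00:00 0   [stack]";

    printf("sample non-executable stack line -> %d\n", stack_line_executable(nx_stack));
    printf("sample executable stack line     -> %d\n", stack_line_executable(x_stack));

    int own = own_stack_executable();
    if (own < 0)
        puts("could not inspect this process's stack mapping");
    else
        printf("this process's stack is %sexecutable\n", own ? "" : "NOT ");
    return 0;
}
```

A result of 1 for the running process means some component (often a library or an object file compiled without the non-executable stack marking) has made the whole stack executable, which is the condition slide 15 warns about: the protection is silently lost for every program that loads such a component.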
