Stack-Based Buffer Overflows
Joni Hall and Daniel Tumser
Overview
Table of Contents
● Introduction
● Related Works
● Technical Aspects
● Careers and Jobs
● Social Impact
● Ethical Impact
● Conclusion
● References
Introduction
● occurs when a program writes to a memory address outside of a (usually fixed-length) buffer
● results in data corruption, the program stopping, or the program operating incorrectly
● deliberately overflowing a buffer is an attack known as stack smashing
● can be exploited to inject executable code into the running program and take control of the process
o gain unauthorized access to a computer
Related Works
● 1962 - Burroughs B5000 designed first implementation of memory segmentation
● 1978 - x86 Instruction Set Architecture memory segmentation introduced on Intel 8086
● 1996 - “Smashing the Stack for Fun and Profit” by Elias Levy published in Phrack issue 49
● 2001 - Code Red Worm exploits buffer overflow in Microsoft’s Internet Information Services
● 2003 - SQL Slammer Worm compromises machines running Microsoft SQL Server 2000
● 2003 - Buffer overflows in Xbox games allow unlicensed software to run on console
o followed by PS2
o followed by Nintendo Wii (this one specifically a Stack-Based Buffer Overflow)
Technical Aspects: The Stack & Stack Frames
● A logical stack
● Variable-size memory segment containing function variables, parameters, and context
● Grows from higher memory addresses to lower addresses
● Divided into Stack Frames via pointers stored in CPU registers
Technical Aspects: x86 Registers
● Instruction Pointer (32-bit EIP or 64-bit RIP)
o Holds the address of the next instruction to be executed
o The address of the instruction following a function call is pushed onto the stack as the Return Address, so execution continues there when the function completes/returns.
o Overwriting this is the danger of a stack buffer overflow
● Stack Frame pointers
o EBP points to the address at the base of the stack frame, just above the return address
o ESP points to the top memory address of the stack frame
● There are more registers, but they are not necessarily relevant in this case
e.g. EIP: 004013C2
EBP: 0028FEB8
ESP: 0028FE80
Technical Aspects: What's a buffer?
● A buffer is a block of memory for storing some data
● A buffer on YouTube stores a portion of the video that can be watched and loads more as you go, and makes sure enough has loaded to compensate for some lost packets (ex. "buffering")
● In this case it's a block of memory (character arrays) for storing user input
● Buffers allocated with malloc(), calloc(), or realloc() are stored in the Heap.
● The buffers created in this example go in the Stack.
Technical Aspects: Examples' Output
With input strings of the proper length the program executes as normal and returns without error.
With a 2nd string input of length 22 (+1 for the string terminator) the buffer is overflowed and overwrites whatever is immediately below that buffer in the stack. In this case it overflows into the 1st string input.
The function context (base pointer, return address) isn't overwritten, so the program returns without an exception being thrown.
Technical Aspects: OllyDbg of Example
● OllyDbg with Vuln2.exe loaded and execution paused
● Window divided into 4 panes
o Top-left is the Code memory segment
o Top-right are the CPU registers
o Bottom-left is the Data segment
o Bottom-right is the Stack
Technical Aspects: Stack Frame (no overflow)
Technical Aspects: Stack Frame (with overflow)
Technical Aspects: Contrast (No Overflow vs. Overflowed)
Technical Aspects: Overwriting Return Addr
The same exact buffer overflow as in the previous examples, but with user input instead of a hardcoded strcpy().
The Stack pane shows 10 bytes between the end of our overflowed buffer and the beginning of the Return Address.
The Return Addr is a pointer, and x86 is 32-bit, so it's a 4-byte address. The 4 characters (8 hex digits) after the 10th additional character will become the new return addr.
When the function returns, the Return Addr is loaded into the Instruction Pointer.
Technical Aspects: Overwriting Return Addr
EIP successfully overwritten with user input, in this case four A characters, or hex 41.
The user can now control program execution flow through the Instruction Pointer and execute code with this process's privileges.
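The frame walk on these slides (a fixed-length buffer, 10 bytes of other locals and saved EBP, then the 4-byte return address) can be reproduced as a deterministic model so that the reader can see which saved data a given input length corrupts without running the real Vuln2.exe. The code below is an added teaching example, not the slides' program: the frame is a plain byte array, the 16-byte buffer size is an assumption (the slides never state it), and the sentinel return address is the EIP value shown on the registers slide. It covers both demos: the 22-character input that only clobbers neighbouring locals, and the input that reaches the return address and replaces it with 0x41414141.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Teaching model of the 32-bit frame the slides describe (added here; not the slides'
 * Vuln2.exe). Low to high addresses: the fixed-length input buffer, then 10 bytes of other
 * locals and the saved frame pointer (the "10 bytes between end of our overflowed buffer"
 * and the return address), then the 4-byte return address. BUF_SIZE is an assumption. */
#define BUF_SIZE 16u
#define GAP_SIZE 10u
#define RET_SIZE 4u
#define FRAME_SIZE (BUF_SIZE + GAP_SIZE + RET_SIZE)

/* Sentinel for the saved return address; the value is the EIP shown on the registers slide. */
#define ORIGINAL_RET 0x004013C2u

enum reach {
    FITS,                 /* input plus its NUL terminator stays inside the buffer */
    CLOBBERS_LOCALS,      /* spills into neighbouring locals / saved EBP: the first demo */
    CLOBBERS_RETURN_ADDR  /* reaches the return address: the final demo */
};

/* How far an unchecked strcpy() of `input_len` characters (plus the NUL) reaches in the model. */
enum reach classify_copy(size_t input_len)
{
    size_t nbytes = input_len + 1;          /* +1 for the string terminator */
    if (nbytes <= BUF_SIZE)
        return FITS;
    if (nbytes <= BUF_SIZE + GAP_SIZE)
        return CLOBBERS_LOCALS;
    return CLOBBERS_RETURN_ADDR;
}

/* Run the unchecked copy against the modelled frame and return what the return-address
 * slot holds afterwards, read little-endian as x86 stores it. The frame is a plain byte
 * array, so the simulation itself never writes out of bounds: writes are clipped at
 * FRAME_SIZE, which is where a real frame would spill into the caller's frame. */
uint32_t simulate_unchecked_copy(const char *input)
{
    unsigned char frame[FRAME_SIZE];
    size_t nbytes = strlen(input) + 1;
    unsigned char *ret = frame + BUF_SIZE + GAP_SIZE;

    memset(frame, 0, sizeof frame);
    ret[0] = (unsigned char)(ORIGINAL_RET & 0xFF);
    ret[1] = (unsigned char)((ORIGINAL_RET >> 8) & 0xFF);
    ret[2] = (unsigned char)((ORIGINAL_RET >> 16) & 0xFF);
    ret[3] = (unsigned char)((ORIGINAL_RET >> 24) & 0xFF);

    if (nbytes > FRAME_SIZE)
        nbytes = FRAME_SIZE;
    memcpy(frame, input, nbytes);           /* the bug being modelled: no check against BUF_SIZE */

    return (uint32_t)ret[0] | ((uint32_t)ret[1] << 8) |
           ((uint32_t)ret[2] << 16) | ((uint32_t)ret[3] << 24);
}

int main(void)
{
    /* constructed inputs: one that fits, the slides' 22-character string, and 16 + 10 + 4 characters */
    const char *inputs[] = {
        "hello",
        "AAAAAAAAAA" "AAAAAAAAAA" "AA",
        "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA",
    };
    static const char *labels[] = { "fits", "clobbers locals/EBP", "clobbers return address" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        size_t len = strlen(inputs[i]);
        printf("%2zu chars: %-24s return address now %08X\n",
               len, labels[classify_copy(len)], (unsigned)simulate_unchecked_copy(inputs[i]));
    }
    return 0;
}
```

With these sizes the 22-character string stops 3 bytes short of the 10-byte gap's end, so the sentinel return address survives, matching the slide's observation that no exception is thrown; the 30-character string lands four 'A' bytes (hex 41) in the return-address slot, which is the 41414141 seen in EIP.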
Career Impact & Job Outlook: Vulnerability Analyst
Information Security Analyst
● 2012 - 2022 job growth
o +37%
o more than 2x the total of all occupations
● Median Salary
o $86,170
o 2.4x total of all occupations
Career Impact & Job Outlook: Vulnerability Analyst
● Skills
o security risk management
o security intrusion detection
o IT security infrastructure
o security testing and auditing
o x86/x86_64 & Fuzzing*
● Minimum Qualifications
o Bachelor's in CS, Engineering or Programming
o CompTIA Security+ Certification
Career Impact & Job Outlook: Software Engineer
Software Developer
● Job Growth 2012-2022
o +22%
o +222,600 jobs
● Median Salary
o $93,350
o 2.69x national median
Career Impact & Job Outlook: Software Engineer
● Skills
○ Python
○ C
○ C++
○ UNIX
○ Linux
● Minimum Requirements
○ Bachelor's Degree in Computer Science or Software Engineering
○ Programming experience
Social Impact
● Too esoteric for widespread social impact
● Should affect coding practices of CS and IT professionals
Write secure code.
Make your coworkers write secure code.
Bounds check all the buffers.
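"Bounds check all the buffers" is the fix for the unchecked strcpy() and raw user-input reads used in the earlier demos. The following is an added example of what that looks like in C; it is not code from the slides, and the 16-byte buffer size and the sample strings are constructed for illustration. copy_checked() refuses any string whose length plus terminator exceeds the destination instead of writing past it, and read_line_bounded() reads user input through fgets(), which never writes more than the size it is given, and discards the excess of an over-long line so it cannot spill into the next read.

```c
#include <stdio.h>
#include <string.h>

/* Added example of the bounds checking the slides call for; not the slides' own code.
 * INPUT_SIZE is an illustrative buffer size. */
#define INPUT_SIZE 16u

/* Bounds-checked replacement for the unchecked strcpy() pattern in the demos.
 * Refuses input that does not fit, terminator included, instead of writing past `dst`.
 * Returns 0 on success, -1 when the input was rejected (dst is left as an empty string). */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len + 1 > dst_size) {                /* would overflow: reject, don't truncate silently */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Bounded line reader for user input: fgets() never writes more than `size` bytes.
 * Returns 0 for a line that fit, 1 if the line was longer than the buffer (the excess is
 * drained so it cannot spill into the next read), -1 on EOF/error. */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    size_t n;
    int c;
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 0;
    }
    c = fgetc(in);
    if (c == EOF || c == '\n')                /* buffer exactly full, or last line without newline: it fit */
        return 0;
    while (c != EOF && c != '\n')             /* drain the part that did not fit */
        c = fgetc(in);
    return 1;
}

int main(void)
{
    char name[INPUT_SIZE];
    int rc;

    /* constructed inputs: one that fits, one of 22 characters like the slides' second string */
    rc = copy_checked(name, sizeof name, "Joni");
    printf("copy \"Joni\": rc=%d, name=\"%s\"\n", rc, name);
    rc = copy_checked(name, sizeof name, "AAAAAAAAAA" "AAAAAAAAAA" "AA");
    printf("copy 22 x 'A': rc=%d, name=\"%s\" (rejected, nothing written past the buffer)\n", rc, name);

    printf("Enter a name (max %u chars): ", INPUT_SIZE - 1);
    rc = read_line_bounded(name, sizeof name, stdin);
    printf("rc=%d, name=\"%s\"\n", rc, name);
    return 0;
}
```

Rejecting rather than silently truncating is a deliberate choice: a caller that learns the input did not fit can report it, whereas a silent strncpy()-style truncation can also drop the terminator and leave a string that is never NUL-terminated.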
Ethical Impact: Coding
The code you produce is the responsibility of yourself and the organization you produce it for.
Both have an ethical obligation to customers to provide secure code.
To write secure code you need to understand the vulnerability and how it's exploited.
Patch vulnerabilities that are discovered in development or in the wild.
Ethical Impact: Vulnerability Analysis
Vulnerability discovery and proofs of concept are not illegal, and obtaining a Common Vulnerabilities and Exposures (CVE) number for your work looks great on a resume.
Vulnerability disclosure is often negotiated and timed with the software vendor for patching.
Exploiting vulnerabilities for unauthorized access to computer systems is still very illegal. Don't do it unless you're cool with the risk of fines and prison time.
Conclusion
● Overflowing a buffer may result in a program crash, program errors, or data corruption
● CS and IT professionals should write more secure code to prevent it from happening
● Exploiting a buffer overflow is one of the oldest ways to gain unauthorized access to a computer
● Don't do it unless you are okay with fines and prison time!
References
1. Erickson, Jon. Hacking: The Art of Exploitation. 2nd ed. San Francisco, Calif.: No Starch, 2008. Print.
2. Koziol, Jack. The Shellcoder's Handbook: Discovering and Exploiting Security Holes. Indianapolis, IN: Wiley Pub., 2004. Print.
3. Levy, Elias. "Smashing the Stack for Fun and Profit." Phrack 49 (1996). Phrack. Web. 1 July 2015. <http://phrack.org/issues/49/14.html#article>.
4. "Information Security Analyst Salary (United States)." PayScale. Web. 5 July 2015. <http://www.payscale.com/research/US/Job=Information_Security_Analyst/Salary>.
5. "Software Engineer Salary (United States)." PayScale. Web. 5 July 2015. <http://www.payscale.com/research/US/Job=Software_Engineer/Salary>.
6. Staff Contributor. "Sourcefire VRT Unveils Research on 25 Years of Vulnerabilities: 1988-2012." Sourcefire Blog, 5 Mar. 2013. Web. 5 July 2015. <http://blog.sourcefire.com/Post/2013/03/05/1362499920-sourcefire-vrt-unveils-research-on--years-of-vulnerabilities-/>.