Vous êtes sur la page 1sur 19


CST233: Information Security and Assurance Academic Session: 2011/2012 Assignment 1 Lecturer Name: Dr. Aman Jantan

Name: Lim Chin Nei Matrix No.: 107592 Topic: Buffer overflows attack

Buffer overflows attack Contents

1. Table of contents ---------------------------------------------------------------------------- 1 2. Introduction ----------------------------------------------------------------------------------- 2 3. Definition of buffer overflows --------------------------------------------------------------- 3 4. Mechanism of buffer overflow -------------------------------------------------------------- 4 4.1. Stack based buffer overflow --------------------------------------------------------- 6 4.2. Heap based buffer overflow --------------------------------------------------------- 8 5. Countermeasure of buffer overflow ------------------------------------------------------- 11 5.1. Canary based stack protection mechanism -------------------------------------- 11 5.2. Safe language and library -------------------------------------------------------------- 12 5.3. Non- executable buffers ---------------------------------------------------------------- 14 6. How to determine program code is vulnerable ------------------------------------------ 14 7. Real case of buffer overflows attack ------------------------------------------------------ 15 8. Conclusion ------------------------------------------------------------------------------------- 17 9. Reference -------------------------------------------------------------------------------------- 18

Page | 1

Buffer overflows attack Introduction

Buffers overflows have been the most common form of security vulnerability in the last ten years. According to the research which done by Kelly Jackson Higgins, an Internet Service Provider (ISP) company which provides vulnerability research analysis to the most of the top 20 security threat in the world show that buffer overflow is still retaining a top threat based on the report for enterprise class product category.

Buffer overflow shows an increase of 23% compared to last year (2006) in Table 1.1. Besides that, almost all the security threat had show decrementing trends except buffer overflow and software fault. By having this result, we can assume that the problem of buffer overflow is getting serious nowadays.

Page | 2

Buffer overflows attack

Table 1.1 Hence, we have to fix this problem by knowing mechanism of buffer overflow and tools that can fix this problem.

Definition of buffer overflows

In computer security and programming, a buffer overflow or call as buffer overrun is a condition where data transfer to a buffer which exceeds the storage capacity of the buffer. Since the capacity of buffer is finite, the extra information has to flow somewhere else, typically into another buffer (adjacent buffers) which can corrupt or overwrite the valid data held in them. It can be occur accidentally through programming error or become a security attack on data integrity. An anonymous internet user design codes for trigger specific actions, in effect sending new instruction to the attacked computer that could be damage users files through buffer overflows. Buffer overflows attacker can gain partial or total control of victims computer through this attack method. Buffer overflow can be present in everywhere. For instance, own program, web server or application server products that serve the static and dynamic aspects of the site or web application.
Page | 3

Buffer overflows attack Mechanisms of buffer overflows

Normally, buffer overflow occur when the program write more data into the buffer in the capacity that it has allocated in the memory. When the data exceeds the size of the buffer, the extra data can overflow into adjacent memory location such as buffer, constant, flags or variables for corrupting valid data of the adjacent memory and possibly changing the execution path and instruction of that memory location. Buffer overflow attackers uses this ability to attack computer system by inject malicious code into the execution path. Below is the basic example of buffer overflow. 8 byte long string buffer has been initialized by user to store a string. (As shown in Figure 1.1)

variable name


[null string]


hex value

00 00 00 00 00 00 00 00 07 BB Figure 1.1

Then, the user store the null terminated string excessive in the A buffer as shown in Figure 1.2.

Page | 4

Buffer overflows attack

variable name A B












65 78 63 65 73 73 69 76 65 00 Figure 1.2

Buffer overflow occurs because the string excessive has exceeds the capacity of buffer. The character e is not shown in the buffer and overflow to adjacent memory. Usually buffer overflow occurs in programs which written in C language. This is because program which write in C language more focus on the programming efficiency and code length than security aspect. C language is a language which considered very flexible and powerful, but it can become a headache for beginner programmers because it do not perform automatic array bound checking. For instance, the pointer based call by direct memory reference mode or a text string approach. This latter implies situation which even among library functions working on text string, there are indeed those that cannot control the length of the real buffer. Hence, it becomes susceptible to an overflow of the declared length.

Type of buffer overflows attack

Buffer overflows are generally divided into multiple categories based on the ease of exploitation and historical discovery of the technique. There are two main types of

Page | 5

Buffer overflows attack

buffer overflow attacks: stack based and heap based. Both stack and heap are allocated at run time. The stack is used to store function call by arguments, local variables and values of selected registers allowing it to retrieve the program state while heap holds dynamic variables. Heap uses malloc function or new operator to allocate memory. In short word, stack is used to store temporary data and it needs to be initialized first while heap is used in dynamic form. Normally, buffer overflows attacker use stack based buffer overflow if compare with heap based buffer overflows. Stack based buffer overflows Stack works according to a LIFO (Last In First Out) model and it used to stores a temporary information. In a stack based buffer overflow, attacker adds more data than expected to the stack and overwrite data in adjacent memory. For instance, a web application program is executing and it requires user to input his identity card number. Normally, the programmer will expect total character that user input is 12 and he put buffer size of that input is 15 characters. In this case, attackers use buffer overflow to attack this program by typing letter of A 300 times instead of IC number and followed by some commands. Then, when program receive such over long input, the nonsensical data overflow the buffer which allocated for the identity cards input. Hence, it make that attackers command (300 times A) fall into adjacent memory. If the command is change to malicious code, attackers may gain control of host of victims computer.

Page | 6

Buffer overflows attack

The program of application normally works by sequentially executing CPU instructions. Hence, CPU has the Extended Instruction Counter (EIP register) to maintain the sequence order. It functions as the instruction pointer which point to the next command or instruction. When a procedure is called, the return address of function call (program need to be execute) is put into the stack. If attackers overwrite return address, it would be loaded into the EIP register and hence the overflow code is allowed to be executed without the permission of victim. EBP register (basic register that points to the stack bottom) also play an important role to enable buffer overflow attacks. When the allocated memory space has been exceeded the limited capacity, the data at the stack bottom (data in EBP) is overwritten. This show that stack overflow grow downward. Hence, upon returning from the function, a modified return address has been pushed into EIP and the stack execution error is occurred. Below is the example of stack based buffer overflow occur: Buffer [256] Old EBP = 0x0012FFF0 Ret EIP = 0x00401000

Assume that the size of input buffer is 256 bytes long. The program begins to fill the buffer with attackers code.

Malicious code here Old EBP = 0x0012FFF0 Ret EIP = 0x00401000

After 256 bytes, the capacity of buffer is full and remaining bytes will begin to overflow into adjacent memory.

Page | 7

Buffer overflows attack

Malicious code here Old EBP = 0x00414141 Ret EIP = 0x00401000
Then, the first base pointers address is overwritten since the remaining byte has overflow to this address.

Malicious code here Old EBP = 0x00414141 Ret EIP = 0x0012FDF8

After the base pointers address had been changed, the instruction pointer is overwritten with the address which point to malicious code. This action make program will begin run the malicious code.

Heap based buffer attack Unlike other data areas, the buffers on heap are dynamic. There are some examples of operator or functions (new, malloc, delete ) which use heap to allocate memory. A call to these functions reserves memory in the virtual address space of the execution programs and returns an address to the process for that allocated memory. Unlike stack overflow, attacker could not overflow a buffer by changing EIP content in heap based buffer attack. Attackers have to know which heap implementation the program is currently using to prepare management information with the right manipulated values. Attackers have to make sure that the location of victims system overwrites memory which it will later load a jump address to ensure that their own code to be executed. Hence, it makes attackers hard to cause heap overflow unless attackers have found the vulnerability of that system.

Page | 8

Buffer overflows attack

This kind of attack has some precondition to occur. There should be a buffer declared and the pointer in program. The arrangement of pointer and buffer in memory allocation also play important role to enable heap overflow. This is because heap grows upward. Thus, pointer should be located after the overflowed buffer. (As shown in figure 1.3)

Figure 1.3 For instance, a locked down system may not be able to write auto run file (C:\AUTOEXEC.BAT). Attackers can write to C:\AUTOEXEC.BAT by using heap buffer overflow. Attackers could change the pointer to a temporary file name to instead point to the string C:\AUTOEXEC.BAT. If the attackers run C:\AUTOEXEC.BAT by using heap based buffer overflow attack, memory allocation will appear as below: Address 0x00300ECB . 0x00407034 Variable argv[1] . *szFilename Value . C:\harmless.txt

Page | 9

Buffer overflows attack

. 0x00407680 0x00407690 . Buffer szFilename 0x00407034 .

The szFilename is the filename which declare in the program and it contain of harmless.txt (C:\AUTOEXEC.BAT). The address of that infected file is 0x00407034. From the table, we can know that buffer is close to szFilename. Hence, if attackers can overflow buffer, they also can overwrite the szFilename pointer. For instance, change it to address of argv[1] which allows one to change the filename to any arbitrary filename passed in on the command line. By knowing the exact dynamic memory allocation, attackers can execute auto run program by input XXXXXXXXXXXXXXXX0X00300ECB (which the point to the address of argv[1]) in buffer. Hence, after insert this input, the memory appear as below: Address 0x00300ECB . 0x00407034 . 0x00407680 0x00407690 Variable argv[1] . *szFilename . Buffer szFilename Value C:\AUTOEXEC.BAT . C:\harmless.txt . XXXXXXXXXXXXXXXX 0x00300ECB

Page | 10

Buffer overflows attack

Besides that, heap buffer overflows also result in a denial of service which allows one to crash an application. The way of crash application is same as above (open a file name).

Countermeasures of buffer overflow

Mostly, buffer overflow occur because of vulnerability of the program as mention just now. There are several ways developed by programmers to enhance the security of their products. It can mainly divide into two general classes: modifying compilers to change the structure of data in memory and provide additional protection of memory. Those methods cannot prevent all possible buffer attack but it can make it more difficult to access buffer attacks. Canary based stack protection mechanism Some mechanisms had been proposed to prevent buffer overflow attacks. The common type of mechanism is Canary based stack protection mechanisms. Canary based mechanisms do not prevent all buffer overflow attack (protect only the stack). It works by inserting a known value (canary) onto the runtime stack below the return address of the executing function. (As shown in Figure 1.5)

Figure 1.5

Page | 11

Buffer overflows attack

The canary warns user when something has gone wrong. It checks before and after program compile to make sure the canary values does not change. If attackers overwrite the return address, the value of canary will probably change. When a function prepares to return, canary compares this random value with a saved copy located elsewhere. If the values do not match, the return address is considered to be invalid and the system will not use this infected value. Hence, the program which infected will be halt immediately and avoid execution of any instruction after the program. But, there still have some weakness in this mechanism. Attackers still can gain control with stack canaries by overwriting the value of canary. Of course, it requires more effort to gain control in a process with stack canaries. Hence, programmer can choose a random canary word on process startup (e.g. on exec) which is infeasible to guess to prevent canary value being change by attackers. Along with stack protection canaries, variation of canaries also used to protect against heap based buffer overflows. Canary values are stored in each chunk (memory) information structure by placing canary values at both beginning and the end of each chunk information. The function of canary values in chunk is same as the function of canary values in stack. The canaries in front of each chunk info frame are checked with the value at the end of the chunk info frame to ensure everything is correct and unaltered. By checking these canaries values, buffer overflow attacks can be detected.

Page | 12

Buffer overflows attack

Safe language and library Programs that write in C and C++ are vulnerable to buffer overflow attacks. This is because these languages do not perform automatic array bound checking. Thus, both stack based and heap based overflow can be prevent by using type safe language such as Java. Java completely eliminates the possibility of buffer overflow attack by perform additional checking at runtime to ensure that all array operations does not exceed its size. Besides that, library files are normally included with programming language. If hacker found the vulnerability of a particular library file, any application which includes that library file also has its weakness. Some tools and techniques have evolved to solve this problem instead of teaching programmers how to write a program code well.

Libsafe can used to protect a process against the exploitation of buffer overflow
vulnerabilities. Libsafe is a library that intercepts calls to vulnerable functions in the standard C library at runtime. It replaces those vulnerable functions with safer function that prevent buffer overflow attacks. This allows it to handle precompiled executables which mean that it can edit the source and recompile it. For instance, gets (string) is an unsafe calls. When the program is run with libsafe, it will intercept the call to its own version of gets (). The new version of gets () will compute the length of buffer (string) and will recompile again (which is much safer than gets) as below source:

fgets(string, max_size, stdin);

Page | 13

Buffer overflows attack

Hence, novice programmer can write C programming language safety since libsafe can prevent it from possibly being attacked by buffer overflow. Non executable buffers Mostly attackers inject malicious code by using buffer overflow attacks. Hence, by ensuring programs address cannot execute the code, it will prevent malicious code run without the permission of owner. Any code that attempts to execute code in the stack will cause a segmentation violation by using this method. Hence, program develop create kernel patches which make the stack segment of the programs address space non executable to solve this problem.

How to determine program code is vulnerable

For server products and libraries, keep up with the latest bud reports for the products that are used. For instance, if you found out there are bug inside the application, removed or uninstall that program as soon as possible to prevent become next victim. For custom application software, all code that accepts input from users via HTTP request must be recheck to ensure it provides appropriate size checking on all inputs.

Page | 14

Buffer overflows attack Real case of buffer overflows attack

Case 1: Attack in Microsoft Outlook and Outlook Express in July 2000 In July 2000, a vulnerability to buffer overflow attack was discovered in Microsoft Outlook and Outlook Express. A programming flaw made it possible for an attacker to compromise the integrity of the target computer by simply it sending an e-mail message. Unlike the typical e-mail virus, users could not protect themselves by not opening attached files; in fact, the user did not even have to open the message to enable the attack. The programs' message header mechanisms had a defect that made it possible for senders to overflow the area with extraneous data, which allowed them to execute whatever type of code they desired on the recipient's computers. Because the process was activated as soon as the recipient downloaded the message from the server, this type of buffer overflow attack was very difficult to defend. Microsoft has since created a patch to eliminate the vulnerability. Case 2: SQL Slammer attacks in January 25, 2003 SQL Slammer is a computer worm which exploited vulnerability in Microsoft SQL Server and Desktop Engine database in January 25, 2003. It cause denial of service on some Internet hosts and slowed down general Internet traffic. David Litchfield discovered the buffer overflow vulnerability in Microsoft SQL Server and makes this worm. SQL Slammer generates random IP address and sends itself out to those addresses. When the selected address is used by host that runs an unpatched copy of Microsoft SQL

Page | 15

Buffer overflows attack

Server, the host will be infected and begins spraying the Internet with more copies of the worm programs. SQL Slammer can be removed by rebooting an infected system or use system which already patched by installing SQL 2000 Service Pack 3. (a patch which design to prevent buffer overflow attack by SQL Slammer). In addition, system administrator can use firewall to block certain SQL server ports to defeat SQL Slammer. Hence, application user should always keep update with the bug reports to prevent become victim.

Page | 16

Buffer overflows attack Conclusion

In conclusion, buffer overflows attack occur because vulnerability of program. This kind of attack cannot be defeat completely by using the method which mention above. This is because there are no perfect codes in this world and attackers can find the vulnerability of program to perform such attacks again. But, normally the method which mention above can defeat many contemporary buffer overflow attacks. Write a secure code in program is still the best solution to these attacks. Hence, programmers should be educated to minimize the use of unsafe code. Program developers should always check and debug those vulnerable codes to avoid buffer overflows attacks. With time and increasing awareness among program developers, the probability of occur buffer overflows will be reduce.

Page | 17

Buffer overflows attack References

1. Buffer overflow attacks and their countermeasures,

2. What are buffer overflows


3. Blended attacks exploits, vulnerabilities and buffer overflow techniques in computer viruses http://www.symantec.com/avcenter/reference/blended.attacks.pdf 4. Modern buffer overflow prevention techniques

5. Buffer overflows: attacks and defenses for the vulnerability of the decade

6. A buffer overflow study Attacks & Defenses

http://citrin.ru/docs/Almost%20500%20Computer%20Ebooks/A%20Buffer%20Overflow %20Study%20-%20Attacks%20and%20Defenses%20(2002).pdf

7. Analysis of buffer overflow attacks


8. Avoiding buffer overflows and underflows

https://developer.apple.com/library/mac/#documentation/security/conceptual/SecureCo dingGuide/Articles/BufferOverflows.html

9. Secure programmer: countering buffer overflows


Page | 18