Buffer Overflow
An attack that occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer. An attacker can crash the system or insert malicious code that lets them gain access to it.
Which worm used a buffer overflow attack back in 1988?
Morris Worm
Is it still a major concern?
Yes.
Issues in legacy code
From careless programming practices
Ways of Identifying a vulnerable program
Inspect the program source code
Trace the execution of the program based on the inputs given to it.
Are modern high-level languages vulnerable to buffer overflows?
No, as they enforce a strong notion of type and only permit valid operations on it. However, this does incur overhead.
Are C and related languages vulnerable to buffer overflows?
Yes as they have direct access to memory.
Stack Frame
A stack frame contains all the data for one function call: its parameters, the return address, and its local variables.
Common unsafe C Standard Library Routines (SLR)
gets(char *str) read a line from standard input into str
sprintf(char *str, char *format, ...) create str according to the supplied format and variables
strcat(char *dest, char *src) append src to the end of dest
strcpy(char *dest, char *src) copy src into dest
vsprintf(char *str, char *fmt, va_list ap) create str according to the supplied format and variables
Shellcode
Code that is supplied by the attacker. The code is saved in the buffer and when executed, the program would transfer control to the attacker.
Metasploit Project
Provides useful information to people who perform penetration testing, IDS signature development, and exploit research
Target Program can be:
A trusted system utility
Network service daemon
Commonly used library code
Shellcode Functions
Launch a remote shell when connected to
Create a reverse shell that connects back to the hacker
Use local exploits that establish a shell
Flush firewall rules that currently block other attacks
Break out of a chroot (restricted execution) environment, giving full access to the system
Two Buffer Overflow Defenses
Compile Time - Aim to harden programs to resist attacks in new programs
Run Time - Aim to detect and abort attacks in existing programs
Disadvantages of Compile-Time Defenses
Additional code must be executed at run time to impose checks
Flexibility and safety come at a cost in resource use
Compile-Time Def: Safe Coding Techniques
C designers placed much more emphasis on space efficiency and performance considerations than on type safety
Programmers have audited the existing code base, including the operating system, standard libraries, and common utilities
Compile-Time Def: Language Extensions/Safe Libraries
One approach has been to replace these with safer variants
Compile-Time Def: Stack Protection
Add function entry and exit code to check stack for signs of corruption
Run-Time Def: Executable Address Space Protection
Use virtual memory support to make some regions of memory non-executable
Run-Time Def: Address Space Randomization
Manipulate location of key data structures
Randomize location of heap buffers
Random location of standard library functions
Run-Time Def: Guard Pages
Place guard pages between critical regions of memory
Heap Overflow
Attack buffer located in heap
No return address
Heap Overflow Defense
Making the heap non-executable
Randomizing the allocation of memory on the heap
Global Data Overflow
Can attack buffer located in global data
Global Data Overflow Defense
Non-executable or randomized global data region
Move function pointers
Guard pages