W5.2 - Buffer Overflow

CS6301


30 Terms

1

What is a buffer overflow vulnerability?

A security flaw where a program writes more data to a buffer than it can hold, causing data to overflow into adjacent memory locations and potentially overwriting critical system information

2

What are the main memory segments in a program?

• Text Segment: Contains executable code (lowest addresses)
• Data Segment: Contains initialized global variables
• BSS Segment: Contains uninitialized global variables
• Heap: Dynamic memory allocation (grows upward)
• Stack: Function calls and local variables (grows downward from highest addresses)

3

What is the critical concept about stack growth direction?

The stack grows from high memory addresses to low memory addresses, but arrays within the stack grow from low to high addresses. This opposing growth direction creates the fundamental vulnerability for buffer overflow attacks

4

What registers are used for stack management in x86 architecture?

• ebp (Extended Base Pointer): Points to the current frame's base
• esp (Extended Stack Pointer): Points to the top of the stack

5

How are function arguments accessed in x86 stack frames?

Arguments are accessed at positive offsets from ebp:
• First argument: ebp+8
• Second argument: ebp+12
• Return address: ebp+4
• Local variables: negative offsets like ebp-4, ebp-8

6

What is the structure of a stack frame?

• Function Arguments (higher addresses)
• Return Address
• Previous Frame Pointer (ebp)
• Local Variables (lower addresses)

7

What makes strcpy() dangerous for buffer security?

strcpy() performs no bounds checking when copying strings. It continues copying until it encounters a null terminator, regardless of the destination buffer size, making it prone to buffer overflows

8

What happens during a buffer overflow attack?

• Data exceeds allocated buffer space
• Overflow overwrites adjacent memory locations
• Critical stack data gets corrupted (frame pointer, return address)
• Program execution can be redirected to malicious code

9

What are the two main tasks for exploiting a buffer overflow?

• Task A: Find the offset distance between buffer start and return address
• Task B: Determine the address where shellcode will be placed in memory

10

How do you find the offset distance using GDB?

Set breakpoint at vulnerable function, print buffer address with 'p &buffer', print frame pointer with 'p $ebp', then calculate offset with 'p $ebp + 4 - &buffer'

11

What is a NOP sled and why is it used?

A sequence of NOP (No Operation) instructions that do nothing but take up space. Used to increase attack reliability by creating a large target area - execution will slide down the NOPs to reach the actual shellcode

12

Why can't return addresses contain null bytes?

strcpy() and similar functions treat null bytes as string terminators, so the copy operation would stop prematurely if a null byte is encountered, causing the attack to fail

13

What is shellcode?

Assembly code designed to launch a shell program (/bin/sh) and provide an attacker with system access, typically executing with the target program's privileges

14

What system call does shellcode typically use?

The execve() system call to execute /bin/sh with the format: execve("/bin/sh", argv, NULL)

15

What registers must be set up for the execve() system call?

• eax: System call number (11 for execve)
• ebx: Pointer to program path ("/bin/sh")
• ecx: Pointer to argument array
• edx: Environment pointer (NULL)
• int 0x80: Triggers the system call

16

How do you avoid null bytes in shellcode?

Use XOR operations to zero registers instead of direct assignment:
• Bad: mov eax, 0x0000000b (contains nulls)
• Good: xorl %eax, %eax

17

movb $0x0b, %al

18

What are the four categories of buffer overflow countermeasures?

• Developer approaches: Safe functions and input validation
• OS approaches: Address Space Layout Randomization (ASLR)
• Compiler approaches: Stack Guard/Stack Canaries
• Hardware approaches: Non-Executable Stack (NX bit)

19

What do safe functions provide that unsafe functions don't?

Safe functions include bounds checking to prevent buffer overflows:
• strcpy() → strncpy() or strlcpy()
• sprintf() → snprintf()
• gets() → fgets()

20

What is ASLR and how does it work?

Address Space Layout Randomization randomizes the memory layout each time a program runs:
• Stack base address changes on each execution
• Makes it difficult to predict shellcode location
• Can be set to randomize stack only or both stack and heap

21

What are the ASLR configuration levels?

• Level 0: No randomization
• Level 1: Randomize stack only
• Level 2: Randomize both stack and heap

22

How can ASLR be defeated?

• Brute force: Repeatedly attempt exploitation until addresses align
• Information disclosure: Leak memory addresses through other vulnerabilities
• Return-to-libc: Use existing code instead of injected shellcode

23

What is a stack canary?

A secret value placed between local variables and the return address. The program checks if this value has been modified before returning from a function, detecting buffer overflow attempts

24

How does the stack canary detection work?

• Compiler inserts secret value before function execution
• Value is checked before function returns
• If value has changed, program aborts (stack smashing detected)
• Prevents return address modification from succeeding

25

What is the NX bit?

The No-eXecute bit is a CPU feature that marks certain memory areas as non-executable, preventing injected shellcode from running on the stack

26

How can the NX bit protection be bypassed?

• Return-to-libc: Use existing library functions instead of injected code
• ROP (Return-Oriented Programming): Chain existing code snippets
• JIT-ROP: Just-in-time ROP chain construction

27

What is defense in depth for buffer overflow protection?

A layered security approach:
• Development: Use safe coding practices
• Compilation: Enable all security features
• OS Configuration: Enable ASLR and protections
• Hardware: Utilize NX bit and CPU features

28

Why do buffer overflow vulnerabilities remain critical today?

• Allow arbitrary code execution
• Enable privilege escalation
• Can bypass security controls
• Provide pathway to complete system compromise
• Legacy systems often remain vulnerable

29

What is the key principle for secure buffer management?

Never trust user input - always validate buffer boundaries and input lengths before processing any data from external sources

30

What makes a buffer overflow attack successful?

• Precise offset calculation to reach return address
• Reliable shellcode placement in predictable memory location
• Proper payload construction avoiding null bytes
• Successful redirection of program execution flow
