8 CS4615 System Security - Buffer Overflows

What is the Stack in memory?

Function calls change the execution flow and the Stack is used to keep track of program flow and information needed to return.

Some more Stack information (Not a question, just some basics, example shown in L11 Buffer Overflow Slide 5)

• Stack is continuous block of memory
• Last object placed is first to be removed (LIFO)
• Bottom of the stack is at a fixed address
• Stack grows down towards lower memory
• Stack Pointer (SP) points to the top of stack
• Frame Pointer FP points to a fixed address in the current frame

What is a Buffer Overflow?

A buffer overflow occurs when a program tries to store more data in a buffer than it can hold, causing the excess data to overwrite adjacent memory locations.. Therefore, we need to modify data in spaces we normally cannot access.
Use modification to change program flow or execute malicious code for attacks.

How can you change the program flow with Buffer Overflow?

An attacker provides more data than the buffer can hold, causing the excess data to overwrite adjacent memory locations on the stack. One of the memory locations that can be overwritten is the return address, which is used by the program to determine where to return to after a function call is completed.
By overwriting the return address with a value that points to a malicious code (e.g., shellcode) in the stack, an attacker can trick the program into executing the malicious code after the function returns. This allows the attacker to take control of the program's flow and potentially compromise the system.
YES THIS WAS CHAT GPT BUT I UNDERSTAND IT BETTER THAN THE SLIDES

Explain how the flow of execution of a program can be changed by using a buffer overflow that targets the stack. Explain how this approach can be used to compromise a system.

Use ChatGPT to answer this, will even give you C code to illustrate.

What are the problems of countermeasures with buffer overflows?

• Countermeasures require change à not always possible
• Countermeasures have a performance impact à not desirable

What are methods to prevent Buffer Overflow in Linux? (5)

• Address space layout randomization (Kernel)
• Executable stack protection (Compiler)
• Stack canary (Compiler)
• Fortify source (Compiler)
• Stack protector (Compiler)

What is Address Space Layout Randomization? (ASLR)

Data, stack and code use random start addresses selected at program start to prevent attackers from guessing where things are.

What is Executable Stack Protection?

To prevent attacks, the stack is marked as non-executable, this means code present on the stack cannot be executed.

What is a Stack Canary?

A stack canary is a small, random value that is placed on the stack just before the return address. Before a function returns, it checks whether the canary value has been modified. If the value has been modified, it indicates that a buffer overflow has occurred, and the program can take appropriate action.

Where is the Stack Canary located?

The canary is placed before the EBP and EIB on the stack, between the local variables and the return addresses.

What are some Stack Canary Types?

Random Canary, Random XOR Canary, Null Canary, Terminator Canary

What is the Terminator Canary

• The canary value is set to a combination of Null, CR, LF, and 0xFF. These values act as string terminators in most string functions. (No, it is not an evil robot bird)

Give an example of a Terminator Canary.

• line would be longer than 8 characters to overflow buffer and then RET
• After the buffer sits the canary, so we need to keep the canary intact
• After the first 8 characters we need to include the canary 0x000aff0d
• However, strcpy() stops when it sees a 0x00 (Null)
• So we cannot exploit this and spill data into RET

What is Fortify Source?

It is a compile flag for functions to include support for detecting Buffer Overflows.