Buffer Overflow
Maddikayala, Jagadish. CSCI 5931 Web Security
Prof. T. Andrew Yang, Monday Feb. 23
CSCI 5931 Web Security
What is Buffer Overflow?
A buffer is a contiguous, allocated chunk of memory, such as a C array or a region reached through a pointer
A buffer overflow occurs when a program or process tries to store more data in a buffer than it was intended to hold
Buffer overflows are exploited to change the flow of a program during execution
Buffer overflows are by far the most commonly exploited bug on Linux/Unix operating systems
Process Memory Organization

    High address
    +---------------------+
    | env, argv strings   |
    | env, argv pointers  |
    | stack               |
    | heap                |
    | .bss                |
    | .data               |
    | .text               |
    +---------------------+
    Low address
Heap

    #include <stdlib.h>
    int main(){
        char *var = malloc(3);   /* dynamically allocated */
        ...
    }

var points to an address which is in the heap

.bss (uninitialized globals and statics)

    char global;
    int main(){
        ...
    }

    int main(){
        static int var;
        ...
    }

global and var will be in .bss

.data (initialized globals and statics)

    char global = 'a';
    int main(){
        ...
    }

    int main(){
        static char var = 'a';
        ...
    }

global and var will be in .data
Buffer Organization

1 word = 4 bytes. Each row below is one word, drawn with the highest address on the left.

Buffer "xyz" in memory (the string plus its terminating \0 fills exactly one word):

    \0  z  y  x

Two consecutive buffers, xyz and abcde ("abcde\0" is 6 bytes, so it takes two words and leaves two unused bytes):

    \0  z  y  x      xyz
    .   .  \0  e     abcde, upper word (two unused bytes)
    d   c  b  a      abcde, lower word
Examples

    #include <stdio.h>
    #include <string.h>
    char a[5] = "yang";
    char b[9] = "security";
    strcpy(b, "maddikayala");   /* 12 bytes (11 chars + \0) into a 9-byte buffer */
    printf("%s\n", a);

Initial stack organization (highest address at the top; one word per row):

    .   .   .  \0     a: "yang\0", upper word (three unused bytes)
    g   n   a   y     a, lower word
    .   .   .  \0     b: "security\0", upper word (three unused bytes)
    y   t   i   r     b
    u   c   e   s     b, lower word

After the overflow:

    .   .   .  \0     a, unchanged
    g   n   a   y     a
    \0  a   l   a     b: "maddikayala\0" fills all 12 bytes of b's three words
    y   a   k   i     b
    d   d   a   m     b

The copy overruns the 9-byte array by three bytes, but those bytes land in the unused padding of b's third word, so a still prints as "yang".
Examples

    #include <stdio.h>
    #include <string.h>
    char a[4] = "tom";
    char b[8] = "michael";
    strcpy(b, "maddikayala");   /* 12 bytes into an 8-byte buffer */
    printf("%s\n", a);

Initial stack organization (highest address at the top; one word per row):

    \0  m   o   t     a: "tom\0"
    \0  l   a   e     b: "michael\0", upper word
    h   c   i   m     b, lower word

After the overflow:

    \0  a   l   a     a overwritten: now holds "ala\0"
    y   a   k   i     b
    d   d   a   m     b

Here b has no padding to absorb the extra four bytes, so they spill into a, and the program prints "ala" instead of "tom". This is the kind of vulnerability used in buffer overflow exploits.
Buffer Overflow Countermeasures

Write secure code
Non-executable buffers
Advanced debugging tools
– Fault injection tools
– Static analysis tools
– StackShield and StackGuard
Compilers
– offer warnings on the use of unsafe constructs such as gets(), strcpy()
– generate code with built-in safeguards to prevent the use of illegal addresses
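The two overruns drawn in the Examples slides, and the "write secure code" countermeasure, as an added example that is not from the original slides: it computes how far a strcpy() of "maddikayala" would run past each buffer and past the 4-byte word slot the slides assume, and shows a bounded copy that truncates and reports instead of overrunning. The function names and the 4-byte word size are assumptions of this example.

```c
/* Added example: measures the overrun a strcpy() would cause and shows a
 * bounded copy that cannot overrun. WORD = 4 is the slides' assumption. */
#include <stdio.h>
#include <string.h>

#define WORD 4  /* "1 word = 4 bytes", as on the slides */

/* Bytes that strcpy(dst, src) would write past the end of a dst_size-byte
 * buffer (0 if it fits). The terminating '\0' is counted. */
size_t overrun_bytes(size_t dst_size, const char *src) {
    size_t needed = strlen(src) + 1;
    return needed > dst_size ? needed - dst_size : 0;
}

/* Same question for the word-aligned slot: a 9-byte array is padded to 12
 * bytes in the slide diagrams, and an overrun that stays inside that padding
 * does not reach the neighbouring variable. */
size_t overrun_past_slot(size_t dst_size, const char *src) {
    size_t slot = (dst_size + WORD - 1) / WORD * WORD;
    return overrun_bytes(slot, src);
}

/* Bounded replacement for strcpy: copies at most dst_size-1 characters,
 * always NUL-terminates, and returns 1 if src had to be truncated. */
int safe_copy(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return 1;
    size_t len = strlen(src);
    int truncated = len >= dst_size;
    size_t n = truncated ? dst_size - 1 : len;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

int main(void) {
    const char *src = "maddikayala";
    /* Slide example 1: char b[9] next to char a[5] */
    printf("b[9]: %zu bytes past the array, %zu past its word slot\n",
           overrun_bytes(9, src), overrun_past_slot(9, src));
    /* Slide example 2: char b[8] next to char a[4] */
    printf("b[8]: %zu bytes past the array, %zu past its word slot\n",
           overrun_bytes(8, src), overrun_past_slot(8, src));
    char a[4] = "tom", b[8] = "michael";
    int trunc = safe_copy(b, sizeof b, src);   /* b becomes "maddika", a untouched */
    printf("a=%s b=%s truncated=%d\n", a, b, trunc);
    return 0;
}
```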
Thank you
Any Questions???