Buffer Overflows - Swarthmore College (kwebb/cs31/f18/BufferOverflow.pdf)
TRANSCRIPT
![Page 1: Buffer Overflows - Swarthmore Collegekwebb/cs31/f18/BufferOverflow.pdf•See “Smashing The Stack For Fun And Profit” … Older stack frames. … Caller’s local variables. Final](https://reader034.vdocument.in/reader034/viewer/2022052010/601fa8dd9f4a27240d33e7ed/html5/thumbnails/1.jpg)
Buffer Overflows
Page 2
Classic Security Vulnerability
• See “Smashing The Stack For Fun And Profit”
Stack layout (higher addresses at the top):

  … Older stack frames …
  Caller's local variables             (caller's frame)
  Final argument to callee
  …                                    (shared by caller and callee)
  First argument to callee
  Return address
  Caller's frame pointer               (callee's frame)
  Callee's local variables
Page 3
Classic Security Vulnerability

```c
void func(char *user_input) {
    char name[100];
    …
}
```

Stack layout (higher addresses at the top): … older stack frames …, caller's local variables, final argument to callee … first argument to callee, return address, caller's frame pointer, callee's local variables.
Page 4
Classic Security Vulnerability

(Same func(char *user_input) with char name[100] as on the previous slide.)

Stack layout (higher addresses at the top): … older stack frames …, caller's local variables, final argument to callee … first argument to callee, return address, caller's frame pointer, func's local variables.
Page 5
Classic Security Vulnerability

(Same func(char *user_input) with char name[100] as above.)

Stack layout (higher addresses at the top): … older stack frames …, caller's local variables, final argument to callee … first argument to callee, return address, caller's frame pointer, and within func's local variables: name: …

Suppose we asked a user to input their name. Is it safe to copy that into our "name" char array? Why or why not?
A. Safe
B. Not safe
Page 6
Is it safe? It depends…
• What function are we using to do the copy?
  – strcpy? When does it stop copying?
• What happens if we copy too much?
  – Does C ensure that we don't go beyond the buffer?
  – Does strcpy?
  – What will we overwrite?
• Can we take advantage of that behavior?
Page 7
A well intentioned program…

[Figure: stack memory, char name[100] laid out from name[0] up to name[99], with the return address in the slot immediately above it]
Page 8
A well intentioned program…

[Figure: stack memory, char name[100] holding "Kevin" followed by '\0' padding up to name[99]; the return address above it is untouched]

If used properly, with a reasonable name, no problem here.
Page 9
A well intentioned program…

[Figure: stack memory, char name[100] from name[0] to name[99], with the return address in the slot immediately above it]

What if my cat steps on the keyboard and types in a name of:
asdfweffewaewerrr3f322frtfgfgdfgrgrdgrgdgvcdllliuiyytylj;jouiyiytuytrfbbncbvcxvcxznv,mn.,n..,mloijuytytytgjkghgfgdfdtreyteretdgfhdjfsdfsds
Page 10
A well intentioned program…

[Figure: stack memory, char name[100] overrun from name[0] past name[99]; the return-address slot above it now holds a garbage value]

What if my cat steps on the keyboard and types in a name of:
asdfweffewaewerrr3f322frtfgfgdfgrgrdgrgdgvcdllliuiyytylj;jouiyiytuytrfbbncbvcxvcxznv,mn.,n..,mloijuytytytgjkghgfgdfdtreyteretdgfhdjfsdfsds

Set PC to this value on return! What'll happen?
Page 11
• Is crashing the program the worst we can do?
Cat, performing the classic “Denial of Pizza” attack.
Page 12
A well intentioned program…

[Figure: stack memory, char name[100] from name[0] to name[99]; the return-address slot above it now holds FE 32 78 12]

Suppose I want to change the return address to do Evil™

Fake_name_that’s_really_long_to_fill_100_characters____..._____________________________________________________0xFE327812

Set PC to this value on return! What'll happen?
Does this help me be evil?
Page 13
A well intentioned program…

[Figure: stack memory, char name[100] from name[0] to name[99]; the return-address slot above it holds FE 32 78 12]

If I can set the return address to be an arbitrary pointer, I can control what gets executed next!
If only I could add my own instructions in memory somewhere…
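Worked example, added here and not part of the Swarthmore slides: the page 6 questions (when does strcpy stop copying, what gets overwritten) and the return-address overwrite from the two slides above, played out in C against a byte-array model of func's frame. Everything in it is constructed for illustration: the frame is a flat array rather than a real stack frame, 0x401136 is a made-up legitimate return address, sim_strcpy and bounded_copy are this example's own helpers (not libc), and the model assumes a 64-bit little-endian return address sitting immediately above name[99] with no canary or padding in between.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of func()'s frame from the slides, as one flat byte array:
 * name[0..99], then the 8-byte saved return address, then the caller's
 * frame. A flat array (rather than a real stack frame) keeps the
 * overwrite deterministic: no compiler reordering, canaries or ASLR. */
#define NAME_LEN   100
#define RET_OFF    NAME_LEN            /* return address sits right above name[99] */
#define STACK_LEN  256                 /* bytes of modelled stack starting at name[0] */
#define LEGIT_RET  0x401136ULL         /* constructed "real" return address */

/* The cat's input from the slides (138 characters). */
static const char CAT_NAME[] =
    "asdfweffewaewerrr3f322frtfgfgdfgrgrdgrgdgvcdllliuiyytylj;jouiyiytuytrfbb"
    "ncbvcxvcxznv,mn.,n..,mloijuytytytgjkghgfgdfdtreyteretdgfhdjfsdfsds";

static uint64_t load_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
static void store_le64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Reproduces strcpy's one and only stopping rule: copy until the source
 * byte is '\0'. It never looks at how large the destination is. The cap
 * at STACK_LEN only keeps this simulation inside its own array; the real
 * strcpy has no such cap. */
static size_t sim_strcpy(uint8_t *stack, const char *src) {
    size_t i = 0;
    while (src[i] != '\0' && i + 1 < STACK_LEN) { stack[i] = (uint8_t)src[i]; i++; }
    stack[i] = 0;
    return i;
}

/* Bounded replacement: never writes past dst_len bytes, always
 * NUL-terminates, and reports truncation (-1) instead of silently
 * overflowing. 0 means the whole input fit. */
static int bounded_copy(uint8_t *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    int truncated = (n >= dst_len);
    if (truncated) n = dst_len - 1;
    memcpy(dst, src, n);
    dst[n] = 0;
    return truncated ? -1 : 0;
}

/* Simulate func(user_input) and return the value the CPU would pop as
 * func's return address when it executes ret. */
static uint64_t run_func(const char *user_input, int use_bounded_copy) {
    uint8_t stack[STACK_LEN];
    memset(stack, 0, sizeof stack);
    store_le64(stack + RET_OFF, LEGIT_RET);
    if (use_bounded_copy) bounded_copy(stack, NAME_LEN, user_input);
    else                  sim_strcpy(stack, user_input);
    return load_le64(stack + RET_OFF);
}

/* Build the slide's attack string: 100 filler bytes to reach name[99],
 * then the 4 bytes of the target address in little-endian order, then
 * the terminating NUL. Returns the string length, or 0 if the target
 * contains a zero byte, because strcpy would stop copying there. */
static size_t build_payload(char *out, size_t out_len, uint32_t target) {
    if (out_len < NAME_LEN + 4 + 1) return 0;
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(target >> (8 * i));
        if (b == 0) return 0;
        out[NAME_LEN + i] = (char)b;
    }
    memset(out, 'A', NAME_LEN);
    out[NAME_LEN + 4] = '\0';
    return NAME_LEN + 4;
}

/* Scenarios from the slides, each returning the resulting return address. */
uint64_t demo_reasonable_name(void)  { return run_func("Kevin", 0); }
uint64_t demo_cat_on_keyboard(void)  { return run_func(CAT_NAME, 0); }
uint64_t demo_evil_with_strcpy(void) {
    char p[128];
    return build_payload(p, sizeof p, 0xFE327812u) ? run_func(p, 0) : 0;
}
uint64_t demo_evil_with_bounded_copy(void) {
    char p[128];
    return build_payload(p, sizeof p, 0xFE327812u) ? run_func(p, 1) : 0;
}
int demo_truncation_is_reported(void) {
    uint8_t name[NAME_LEN];
    return bounded_copy(name, sizeof name, CAT_NAME);
}
size_t demo_target_with_nul_byte(void) {
    char p[128];
    return build_payload(p, sizeof p, 0x00401136u);   /* top byte is 0: undeliverable */
}

int main(void) {
    printf("reasonable name : ret=0x%" PRIx64 "\n", demo_reasonable_name());
    printf("cat on keyboard : ret=0x%" PRIx64 " (garbage: crash)\n", demo_cat_on_keyboard());
    printf("evil via strcpy : ret=0x%" PRIx64 "\n", demo_evil_with_strcpy());
    printf("evil, bounded   : ret=0x%" PRIx64 " (unchanged)\n", demo_evil_with_bounded_copy());
    printf("truncation flag : %d\n", demo_truncation_is_reported());
    return 0;
}
```

Build with `gcc -std=c11 -Wall overflow_model.c` (file name assumed). Two caveats worth noticing: the slide's payload works only because strcpy's terminating NUL and the already-zero high bytes of the saved address complete the 8-byte value, so a target containing a 0x00 byte cannot be delivered this way, which is why build_payload refuses it; and the bounded copy protects the return address but truncates the name, so its -1 return must actually be checked rather than ignored.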
Page 14
A well intentioned program…

[Figure: stack memory, char name[100] filled with NOP NOP NOP … NOP and then "Evil code goes here! evil evil evil …"; the return-address slot above it holds FE 32 78 12]

Suppose I want to change the return address to do Evil™

[Do nothing (NOP)]…[Do nothing (NOP)][Evil™ Code that sends all your secrets to me]0xFE327812

Aim for the return address (RA) to point anywhere within the NOP region.
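Added example, not part of the original slides: a small simulation of why the slide says to aim the return address anywhere within the NOP region rather than exactly at the code. It lays out name[100] as the slide draws it (a NOP sled followed by the code) and, for a guessed landing offset, walks forward over 0x90 bytes the way the CPU would. EVIL_STUB is a constructed four-byte marker standing in for the slide's "Evil code", not shellcode; the only real-world fact used is that 0x90 is the x86 one-byte NOP.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 100          /* char name[100] from the slides */
#define NOP     0x90         /* x86 one-byte "do nothing" instruction */

/* Stand-in for the slide's "Evil code": a constructed marker, NOT real
 * shellcode. Only its position in the buffer matters here. */
static const uint8_t EVIL_STUB[] = { 'E', 'V', 'I', 'L' };
#define STUB_LEN (sizeof EVIL_STUB)
#define STUB_OFF (BUF_LEN - STUB_LEN)   /* the sled fills everything before it */

/* Lay out the buffer exactly as the slide draws it: NOPs, then the code. */
static void build_sled_payload(uint8_t *buf) {
    memset(buf, NOP, STUB_OFF);
    memcpy(buf + STUB_OFF, EVIL_STUB, STUB_LEN);
}

/* If the overwritten return address pointed at buf + guess, where does
 * execution end up? Each NOP advances one byte; the first non-NOP byte
 * is where the payload really starts executing. Returns that offset, or
 * -1 when the guess falls outside the buffer (the crash case). */
static long land(const uint8_t *buf, long guess) {
    if (guess < 0 || guess >= BUF_LEN) return -1;
    long pc = guess;
    while (pc < BUF_LEN && buf[pc] == NOP) pc++;
    return pc < BUF_LEN ? pc : -1;
}

/* Simulate one guessed return address and report the landing offset. */
long demo_landing(long guess) {
    uint8_t buf[BUF_LEN];
    build_sled_payload(buf);
    return land(buf, guess);
}

/* How many distinct guesses reach the stub's first byte? This is the
 * error budget the sled buys when the buffer's exact address is unknown;
 * a guess inside the code itself enters mid-instruction and is useless. */
long demo_sled_tolerance(void) {
    uint8_t buf[BUF_LEN];
    build_sled_payload(buf);
    long hits = 0;
    for (long g = 0; g < BUF_LEN; g++)
        if (land(buf, g) == (long)STUB_OFF) hits++;
    return hits;
}

int main(void) {
    long guesses[] = { 0, 40, 95, 96, 97, 100 };
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++)
        printf("RA -> name+%-3ld lands at offset %ld\n", guesses[i], demo_landing(guesses[i]));
    printf("%ld of %d guesses start the stub correctly\n", demo_sled_tolerance(), BUF_LEN);
    return 0;
}
```

With a 4-byte stub, 97 of the 100 possible in-buffer guesses start the code correctly, 3 enter it mid-way, and anything outside the buffer crashes. On current systems this exact layout is blocked by a non-executable stack, and ASLR and stack canaries each further break the assumption that the address and the return-address slot are where the slides place them; the slides describe the classic, unmitigated case.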
Page 15