Page 1: Stack-Based Buffer Overflows

Stack-Based Buffer Overflows

Joni Hall and Daniel Tumser

Page 2: Stack-Based Buffer Overflows

Overview


Page 3: Stack-Based Buffer Overflows

Table of Contents

● Introduction

● Related Works

● Technical Aspects

● Careers and Jobs

● Social Impact

● Ethical Impact

● Conclusion

● References

Page 4: Stack-Based Buffer Overflows

Introduction

● occurs when a program writes to a memory address outside of a (usually fixed-length) buffer

● results in data corruption, a program crash, or incorrect program behaviour

● deliberately overflowing a buffer is an attack known as stack smashing

● can be exploited to inject executable code into the running program and take control of the process

o gain unauthorized access to a computer

Page 5: Stack-Based Buffer Overflows

Related Works

● 1962 - Burroughs B5000 provides the first implementation of memory segmentation

● 1978 - x86 Instruction Set Architecture memory segmentation introduced on Intel 8086

● 1996 - “Smashing the Stack for Fun and Profit” by Elias Levy published in Phrack issue 49

● 2001 - Code Red Worm exploits buffer overflow in Microsoft’s Internet Information Services

● 2003 - SQL Slammer Worm compromises machines running Microsoft SQL Server 2000

● 2003 - Buffer overflows in Xbox games allow unlicensed software to run on console

o followed by PS2

o followed by Nintendo Wii (this one specifically a Stack-Based Buffer Overflow)

Page 6: Stack-Based Buffer Overflows

Technical Aspects

The Stack & Stack Frames

● A logical stack

● Variable-size memory segment containing function variables, parameters, and context

● Grows from higher memory addresses to lower addresses

● Divided into Stack Frames via pointers stored in CPU registers

Page 7: Stack-Based Buffer Overflows

Technical Aspects

x86 Registers

● Instruction Pointer (32-bit EIP or 64-bit RIP)

o Holds the address of the next instruction to be executed

o The next address after a function call is pushed onto the stack as the Return Address, so execution continues there when the function completes/returns.

o Overwriting this is the danger of a stack buffer overflow

● Stack Frame pointers

o EBP points to the address at the base of the stack frame just above the return address

o ESP points to the top memory address of the stack frame

● There are more registers, but they are not necessarily relevant in this case

e.g. EIP: 004013C2

EBP: 0028FEB8

ESP: 0028FE80

Page 8: Stack-Based Buffer Overflows

Technical Aspects

What's a buffer?

● A buffer is a block of memory for storing some data

● A buffer on YouTube stores a portion of the video that can be watched, loads more as you go, and makes sure enough has loaded to compensate for some lost packets (i.e. "buffering")

● In this case it's a block of memory (character arrays) for storing user input

● Buffers allocated with malloc(), calloc(), or realloc() are stored in the heap.

● The buffers created in this example go on the stack.

Page 9: Stack-Based Buffer Overflows

Technical Aspects

Examples' Output

With input strings of the proper length the program executes as normal and returns without error.

With a 2nd string input of length 22 (+1 for the string terminator) the buffer is overflowed and overwrites what is immediately below it in the stack. In this case it overflows into the 1st string input.

Function context (base pointer, return address) isn't overwritten, so the program returns without an exception being thrown.

Page 10: Stack-Based Buffer Overflows

Technical Aspects

OllyDbg of Example

● OllyDbg with Vuln2.exe loaded and execution paused

● Window divided into 4 panes

o Top-left is the Code memory segment

o Top-right are the CPU registers

o Bottom-left is the Data segment

o Bottom-right is the Stack

Page 11: Stack-Based Buffer Overflows

Technical Aspects

Stack Frame (no overflow)

Page 12: Stack-Based Buffer Overflows

Technical Aspects

Stack Frame (with overflow)

Page 13: Stack-Based Buffer Overflows

Technical Aspects

Contrast: No Overflow vs. Overflowed

Page 14: Stack-Based Buffer Overflows

Technical Aspects

Overwriting Return Addr

Same exact buffer overflow as in the previous examples, but with user input instead of a hardcoded strcpy().

The Stack pane shows 10 bytes between the end of our overflowed buffer and the beginning of the Return Address.

The Return Addr is a pointer; x86 is 32-bit, so it's a 4-byte address. The 4 characters (8 hex digits) after the 10th additional character will become the new return addr.

When the function returns, the Return Addr is loaded into the Instruction Pointer.

Page 15: Stack-Based Buffer Overflows

Technical Aspects

Overwriting Return Addr

EIP successfully overwritten with user input, in this case four A characters, or hex 0x41.

The user can now control program execution flow through the Instruction Pointer and execute code with this process's privileges.
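The stack layout described on the "Examples' Output" and "Overwriting Return Addr" slides, as an added C example that is not code from the slides or from Vuln2.exe: a struct models two adjacent stack buffers followed by the saved EBP and the return address, and a clipped byte write shows which neighbours an n-byte copy into the lower buffer reaches. The 16-byte buffer sizes, the resulting 20-byte gap before the return address, and all function names are assumptions; the EBP/EIP starting values are the ones shown on the registers slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame (an assumption, not the layout of the
 * slides' Vuln2.exe): two fixed-length input buffers, then the saved frame
 * pointer and the return address, in the order they sit in memory on x86
 * (lowest address first). The 16-byte sizes are chosen for illustration. */
struct frame_model {
    char     input2[16];        /* lowest address: the buffer that gets overflowed */
    char     input1[16];        /* next up: the first thing the overflow clobbers */
    uint32_t saved_ebp;         /* caller's frame pointer */
    uint32_t return_address;    /* popped into EIP by ret */
};

enum { HIT_INPUT1 = 1, HIT_EBP = 2, HIT_RET = 4 };

/* Write len bytes of data at byte offset at inside the frame, clipped to the
 * end of the struct. Going through a byte pointer to the whole struct keeps
 * this defined behaviour, unlike a real strcpy() running past input2[].
 * Returns a mask of the neighbouring fields the write reached. */
int simulate_write(struct frame_model *f, size_t at, const char *data, size_t len)
{
    unsigned char *base = (unsigned char *)f;
    if (at >= sizeof *f)
        return 0;
    if (len > sizeof *f - at)
        len = sizeof *f - at;
    memcpy(base + at, data, len);
    size_t end = at + len;
    int hits = 0;
    if (end > offsetof(struct frame_model, input1))         hits |= HIT_INPUT1;
    if (end > offsetof(struct frame_model, saved_ebp))      hits |= HIT_EBP;
    if (end > offsetof(struct frame_model, return_address)) hits |= HIT_RET;
    return hits;
}

/* Bytes between the end of input2[] (where input1[] begins) and the return
 * address: what an overflow must cross before it reaches the return address.
 * The slides measure 10 bytes in Vuln2.exe; this model's layout differs. */
size_t padding_before_return_address(void)
{
    return offsetof(struct frame_model, return_address)
         - offsetof(struct frame_model, input1);
}

/* Mirror what strcpy() of an (n-1)-character string does: n-1 bytes of 'A'
 * (0x41) plus a terminator, written into input2[] of a fresh frame. The EBP
 * and EIP values are the ones shown on the registers slide. */
static int run_model(size_t n, struct frame_model *out)
{
    char data[64];
    struct frame_model f;
    memset(&f, 0, sizeof f);
    f.saved_ebp      = 0x0028FEB8u;
    f.return_address = 0x004013C2u;
    if (n > sizeof data)
        n = sizeof data;
    memset(data, 'A', sizeof data);
    if (n > 0)
        data[n - 1] = '\0';
    int hits = simulate_write(&f, offsetof(struct frame_model, input2), data, n);
    *out = f;
    return hits;
}

/* Which neighbours an n-byte copy into input2[] reaches. */
int demo_hits(size_t n)
{
    struct frame_model f;
    return run_model(n, &f);
}

/* The return address left in the frame after an n-byte copy. */
uint32_t demo_return_address(size_t n)
{
    struct frame_model f;
    run_model(n, &f);
    return f.return_address;
}

/* How many 'A's spilled into input1[], the neighbour Page 9 shows overwritten. */
size_t demo_spill_into_input1(size_t n)
{
    struct frame_model f;
    run_model(n, &f);
    size_t count = 0;
    while (count < sizeof f.input1 && f.input1[count] == 'A')
        count++;
    return count;
}

int main(void)
{
    size_t lens[] = { 16, 23, 33, 41 };
    printf("gap from end of input2 to return address: %zu bytes\n",
           padding_before_return_address());
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%2zu-byte copy: hits=%d spill=%zu ret=0x%08X\n", lens[i],
               demo_hits(lens[i]), demo_spill_into_input1(lens[i]),
               (unsigned)demo_return_address(lens[i]));
    return 0;
}
```

Because the write goes through a byte pointer to the whole struct and is clipped to its size, the program is well-defined and the figures are deterministic, unlike an actual strcpy() past the array. A 23-byte copy (22 characters plus terminator, the Page 9 case) only touches the neighbouring buffer and leaves the return address intact; a copy long enough to cover the whole model leaves 0x41414141 in the return address slot, which is the "four A characters" result on Page 15.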

Page 16: Stack-Based Buffer Overflows

Career Impact & Job Outlook

Vulnerability Analyst

Information Security Analyst

● 2012 - 2022 job growth

o +37%

o more than 2x the total of all occupations

● Median Salary

o $86,170

o 2.4x total of all occupations

Page 17: Stack-Based Buffer Overflows

Career Impact & Job Outlook

Vulnerability Analyst

● Skills

o security risk management

o security intrusion detection

o IT security infrastructure

o security testing and auditing

o x86/x86_64 & Fuzzing*

● Minimum Qualifications

o Bachelor's in CS, Engineering or Programming

o CompTIA Security+ Certification

Page 18: Stack-Based Buffer Overflows

Career Impact & Job Outlook

Software Engineer

Software Developer

● Job Growth 2012-2022

o +22%

o +222,600 jobs

● Median Salary

o $93,350

o 2.69x national median

Page 19: Stack-Based Buffer Overflows

Career Impact & Job Outlook

Software Engineer

● Skills

○ Python

○ C

○ C++

○ UNIX

○ Linux

● Minimum Requirements

○ Bachelor's Degree in Computer Science or Software Engineering

○ Programming experience

Page 20: Stack-Based Buffer Overflows

Social Impact

● Too esoteric for widespread social impact

● Should affect coding practices of CS and IT professionals

Write secure code.

Make your coworkers write secure code.

Bounds check all the buffers.
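One way to act on "bounds check all the buffers", as an added C example that is not from the slides: the strcpy() pattern the earlier slides exploit, next to a bounded copy that rejects input that does not fit and a truncating copy that always terminates. A sentinel word after the buffer stands in for the neighbouring stack data (adjacent buffer, saved EBP, return address). The 16-byte buffer size, the sentinel value and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_LEN 16            /* assumed buffer size for illustration */
#define CANARY  0xDEADBEEFu   /* assumed sentinel placed right after the buffer */

/* The pattern the slides exploit: strcpy() stops only at the source's NUL,
 * so anything longer than BUF_LEN-1 characters runs past dst. Kept here for
 * contrast; the demo functions below never call it with oversized input. */
void copy_unsafe(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened copy: reject input that does not fit (terminator included) instead
 * of truncating silently. Returns 0 if copied, -1 if rejected (dst is then an
 * empty string). memchr() is limited to cap bytes, so an unterminated source
 * cannot cause an over-read while we measure it. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    if (cap == 0)
        return -1;
    const char *nul = memchr(src, '\0', cap);
    if (nul == NULL) {           /* no terminator within cap bytes: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Truncating alternative that always terminates dst. Returns the number of
 * characters dropped so the caller can still notice oversized input. Plain
 * strncpy() is not a fix on its own: it leaves dst unterminated when src is
 * too long. */
size_t copy_truncating(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0)
        return n;
    size_t keep = n < cap - 1 ? n : cap - 1;
    memcpy(dst, src, keep);
    dst[keep] = '\0';
    return n - keep;
}

/* A buffer followed by a sentinel, standing in for the neighbouring stack
 * data that an overflow would hit. */
struct guarded {
    char buf[BUF_LEN];
    unsigned int canary;
};

/* Run copy_bounded() on input: returns 1 if accepted, 0 if rejected,
 * -1 if the sentinel was damaged (which the bounded copy must never do). */
int demo_bounded(const char *input)
{
    struct guarded g;
    g.canary = CANARY;
    int rc = copy_bounded(g.buf, sizeof g.buf, input);
    if (g.canary != CANARY)
        return -1;
    return rc == 0 ? 1 : 0;
}

/* Run copy_truncating(): returns the characters dropped, or (size_t)-1 if the
 * sentinel was damaged or the result is not terminated inside the buffer. */
size_t demo_truncating(const char *input)
{
    struct guarded g;
    g.canary = CANARY;
    size_t dropped = copy_truncating(g.buf, sizeof g.buf, input);
    if (g.canary != CANARY || memchr(g.buf, '\0', sizeof g.buf) == NULL)
        return (size_t)-1;
    return dropped;
}

int main(void)
{
    /* constructed inputs: 15 characters fit; 22 characters is the overflow
     * length used on the slides */
    const char *fits     = "fifteen chars!!";
    const char *too_long = "AAAAAAAAAA" "AAAAAAAAAA" "AA";
    printf("bounded(\"%s\") -> %d\n", fits, demo_bounded(fits));
    printf("bounded(22 x 'A') -> %d\n", demo_bounded(too_long));
    printf("truncating(22 x 'A') dropped %zu chars\n", demo_truncating(too_long));
    return 0;
}
```

Rejecting oversized input is usually the safer default for fields that have a defined maximum (a name, an identifier), while truncation with a returned count suits free-form text; either way the destination size is passed alongside the pointer, which is the check strcpy() never performs.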

Page 21: Stack-Based Buffer Overflows

Ethical Impact

Coding

Code you produce is the responsibility of yourself and the organization you produce it for.

Both have an ethical obligation to customers to provide secure code.

To write secure code you need to understand the vulnerability and how it's exploited.

Patch vulnerabilities that are discovered in development or in the wild.

Vulnerability Analysis

Vulnerability discovery and proofs of concept are not illegal, and obtaining a Common Vulnerabilities and Exposures (CVE) number for your work looks great on a resume.

Vulnerability disclosure is often negotiated and timed with the software vendor for patching.

Exploiting vulnerabilities for unauthorized access to computer systems is still very illegal. Don't do it unless you're cool with the risk of fines and prison time.

Page 22: Stack-Based Buffer Overflows

Conclusion

● Overflowing a buffer may result in a program crash, program errors, or data corruption

● CS and IT professionals should write more secure code to prevent it from happening

● Exploiting a buffer overflow is one of the oldest ways to gain unauthorized access to a computer

● Don't do it unless you are okay with fines and prison time!

Page 23: Stack-Based Buffer Overflows

References

1. Erickson, Jon. Hacking: The Art of Exploitation. 2nd ed. San Francisco, Calif.: No Starch, 2008. Print.

2. Koziol, Jack. The Shellcoder's Handbook: Discovering and Exploiting Security Holes. Indianapolis, IN: Wiley Pub., 2004. Print.

3. Levy, Elias. "Smashing the Stack for Fun and Profit." Phrack 49 (1996). Phrack. Web. 1 July 2015. <http://phrack.org/issues/49/14.html#article>.

4. "Information Security Analyst Salary (United States)." Information Security Analyst Salary (United States). Web. 5 July 2015. <http://www.payscale.com/research/US/Job=Information_Security_Analyst/Salary>.

5. "Software Engineer Salary (United States)." Software Engineer Salary (United States). Web. 5 July 2015. <http://www.payscale.com/research/US/Job=Software_Engineer/Salary>.

6. Staff Contributor. "Sourcefire VRT Unveils Research on 25 Years of Vulnerabilities: 1988-2012 | | Sourcefire Blog." Sourcefire, 5 Mar. 2013. Web. 5 July 2015. <http://blog.sourcefire.com/Post/2013/03/05/1362499920-sourcefire-vrt-unveils-research-on--years-of-vulnerabilities-/>.
