Buffer Overflows, Spring 2016
Buffer overflows

- Buffer overflows are possible because C does not check array boundaries
- Buffer overflows are dangerous because buffers for user input are often stored on the stack
- Specific topics:
  - Address space layout
  - Input buffers on the stack
  - Overflowing buffers and injecting code
  - Defenses against buffer overflows
x86-64 Linux Memory Layout (not drawn to scale)

Regions from the highest address (0x00007FFFFFF) down to 0x000000: Stack, Shared Libraries, Heap, Data, Instructions. The instructions begin at hex address 0x400000.

- Stack
  - Runtime stack (8 MB limit)
  - E.g., local variables
- Heap
  - Dynamically allocated as needed
  - When you call malloc, calloc, new, ...
- Data
  - Statically allocated data
  - Read-only: string literals
  - Read/write: global arrays and variables
- Code / Shared Libraries
  - Executable machine instructions
  - Read-only
Reminder: x86-64/Linux Stack Frame

- Caller's stack frame
  - Arguments (if > 6 args) for this call
  - Return address, pushed by the call instruction
- Current/callee stack frame
  - Old frame pointer (optional)
  - Saved register context (when reusing registers)
  - Local variables (if they can't be kept in registers)
  - "Argument build" area (if the callee needs to call another function: parameters for the function about to be called, if needed)

Frame layout from higher to lower addresses: Arguments 7+, Return Addr, Old %rbp (the optional frame pointer %rbp points here), Saved Registers + Local Variables, Argument Build (optional), with the stack pointer %rsp at the low end.
Memory Allocation Example (not drawn to scale)

```c
#include <stdlib.h>

char big_array[1L<<24];  /* 16 MB */
char huge_array[1L<<31]; /* 2 GB */

int global = 0;

int useless() { return 0; }

int main ()
{
    void *p1, *p2, *p3, *p4;
    int local = 0;
    p1 = malloc(1L << 28); /* 256 MB */
    p2 = malloc(1L << 8);  /* 256 B */
    p3 = malloc(1L << 32); /* 4 GB */
    p4 = malloc(1L << 8);  /* 256 B */
    /* Some print statements . . . */
}
```

Where does everything go? (Regions: Stack, Shared Libraries, Heap, Data, Instructions.)
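To answer the slide's question, here is an added probe (not the lecture's code) that allocates as the example does, minus the 2 GB array and the 4 GB malloc, and checks the resulting address ordering at run time. The region labels and the distance thresholds are assumptions about a typical x86-64 Linux process with glibc (small mallocs come from the brk heap, a 256 MB malloc gets its own mapping near the shared libraries).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

char big_array[1L << 24];        /* 16 MB, zero-initialized: data (bss) */
int  global = 0;                 /* data */
int  useless(void) { return 0; } /* instructions */

/* Result flags, so the ordering can be checked without parsing output. */
struct layout_probe {
    int stack_above_heap;      /* the local variable lies above the 256 B mallocs */
    int heap_above_data;       /* the 256 B mallocs lie above the globals */
    int data_above_code;       /* the global variable lies above useless() */
    int small_allocs_adjacent; /* both 256 B mallocs come from the same heap area */
    int large_alloc_elsewhere; /* the 256 MB malloc lives far away from them */
};

static uintptr_t dist(uintptr_t a, uintptr_t b) { return a > b ? a - b : b - a; }

struct layout_probe probe_layout(void)
{
    struct layout_probe r = {0, 0, 0, 0, 0};
    int local = 0;                     /* stack */
    char *p1 = malloc(1L << 28);       /* 256 MB: above glibc's mmap threshold (assumed) */
    char *p2 = malloc(1L << 8);        /* 256 B: served from the brk heap (assumed) */
    char *p4 = malloc(1L << 8);        /* 256 B: expected right next to p2 */
    uintptr_t s = (uintptr_t)&local, g = (uintptr_t)&global, c = (uintptr_t)useless,
              a1 = (uintptr_t)p1, a2 = (uintptr_t)p2, a4 = (uintptr_t)p4;
    if (!p1 || !p2 || !p4) { free(p1); free(p2); free(p4); return r; }
    r.stack_above_heap      = s > a2;
    r.heap_above_data       = a2 > g;
    r.data_above_code       = g > c;
    r.small_allocs_adjacent = dist(a2, a4) < 4096;                 /* neighbours */
    r.large_alloc_elsewhere = dist(a1, a2) > ((uintptr_t)1 << 20); /* separate mapping */
    printf("stack   local      %#lx\n", (unsigned long)s);
    printf("mmap    p1 (256MB) %#lx\n", (unsigned long)a1);
    printf("heap    p2 (256B)  %#lx\n", (unsigned long)a2);
    printf("heap    p4 (256B)  %#lx\n", (unsigned long)a4);
    printf("data    global     %#lx\n", (unsigned long)g);
    printf("code    useless    %#lx\n", (unsigned long)c);
    free(p1); free(p2); free(p4);
    return r;
}

int main(void) { probe_layout(); return 0; }
```

The printed addresses come out highest to lowest in the order stack, mmap, heap, data, code, which is the slide's picture; ASLR changes the numbers between runs but not the order.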
Today

- Memory Layout
- Buffer Overflow
  - Vulnerability
  - Protection
Internet Worm

- These characteristics of the traditional Linux memory layout provide opportunities for malicious programs
  - Stack grows "backwards" in memory
  - Data and instructions both stored in the same memory
- November, 1988
  - Internet Worm attacks thousands of Internet hosts.
  - How did it happen?
- Stack buffer overflow exploits!
Buffer Overflow in a nutshell

- Many classic Unix/Linux/C functions do not check argument sizes
- C does not check array bounds
  - Allows overflowing (writing past the end of) buffers (arrays)
- Overflows of buffers on the stack overwrite interesting data
  - Attackers just choose the right inputs
- Why a big deal?
  - It is (was?) the #1 technical cause of security vulnerabilities
  - #1 overall cause is social engineering / user ignorance
- Simplest form
  - Unchecked lengths on string inputs
  - Particularly for bounded character arrays on the stack
  - Sometimes referred to as "stack smashing"
String Library Code

- Implementation of Unix function gets()

```c
#include <stdio.h>

/* Get string from stdin */
char *gets(char *dest)
{
    int c = getchar();
    char *p = dest;
    while (c != EOF && c != '\n') {  /* no check against the size of dest */
        *p++ = c;
        c = getchar();
    }
    *p = '\0';
    return dest;
}
```
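As an added example (not the slide's code), a bounded stand-in for gets() that reads from an in-memory line instead of stdin, beside a helper that computes how far the unchecked version would write past a buffer of a given size. The names bounded_gets, unchecked_overrun and line_len are hypothetical, and the input line is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Bytes gets() would copy from this line: up to '\n' or end of input. */
static size_t line_len(const char *input)
{
    size_t n = 0;
    while (input[n] != '\0' && input[n] != '\n') n++;
    return n;
}

/* How far the unchecked gets() would write past a `size`-byte buffer for
 * this line: the characters plus the terminating '\0', minus what fits. */
size_t unchecked_overrun(const char *input, size_t size)
{
    size_t needed = line_len(input) + 1;         /* +1 for the '\0' */
    return needed > size ? needed - size : 0;
}

/* Bounded stand-in for gets(): copies at most size-1 characters into dest,
 * always NUL-terminates (if size > 0), skips the rest of the line instead of
 * writing it anywhere, and counts the skipped bytes in *dropped.
 * Returns a pointer just past the consumed line so reading can continue. */
const char *bounded_gets(const char *input, char *dest, size_t size, size_t *dropped)
{
    size_t n = 0;
    *dropped = 0;
    while (*input != '\0' && *input != '\n') {
        if (n + 1 < size) dest[n++] = *input;    /* keep one byte for the '\0' */
        else (*dropped)++;                        /* gets() would have written this */
        input++;
    }
    if (size > 0) dest[n] = '\0';
    if (*input == '\n') input++;                  /* consume the newline like gets() */
    return input;
}

int main(void)
{
    /* Constructed input: a 24-character line aimed at a 16-byte buffer. */
    const char *in = "AAAAAAAAAAAAAAAAAAAAAAAA\nsecond line\n";
    char buf[16];
    size_t dropped;
    const char *rest = bounded_gets(in, buf, sizeof buf, &dropped);
    printf("gets() would overrun the buffer by %zu bytes\n", unchecked_overrun(in, sizeof buf));
    printf("kept \"%s\" (%zu chars), dropped %zu, next line starts at \"%.11s\"\n",
           buf, strlen(buf), dropped, rest);
    return 0;
}
```

For the 24-character line and a 16-byte buffer both numbers agree: gets() would write 25 bytes, 9 past the end, and bounded_gets keeps 15 characters and drops those same 9.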