University of Washington

Buffer Overflow

- Buffer overflows are possible because C doesn't check array boundaries
- Buffer overflows are dangerous because buffers for user input are often stored on the stack
    - Probably the most common type of security vulnerability
- Today we'll go over:
    - Address space layout
    - Input buffers on the stack
    - Overflowing buffers and injecting code
    - Defenses against buffer overflows
IA32 Linux Memory Layout (not drawn to scale)

- Stack
    - Runtime stack (8 MB limit)
- Heap
    - Dynamically allocated storage
    - Allocated by malloc(), calloc(), new()
- Data
    - Statically allocated data
    - Read-only: string literals
    - Read/write: global arrays and variables
- Text
    - Executable machine instructions
    - Read-only
- Upper 2 hex digits = 8 bits of address

[Figure: the address space drawn from 0xFF (top) down to 0x00, with the Stack (8 MB) at the top, then the Heap, then Data and Text near 0x08]
Memory Allocation Example (not drawn to scale)

    #include <stdlib.h>

    char big_array[1<<24];  /* 16 MB */
    char huge_array[1<<28]; /* 256 MB */
    int beyond;
    char *p1, *p2, *p3, *p4;

    int useless() { return 0; }

    int main()
    {
        p1 = malloc(1 << 28); /* 256 MB */
        p2 = malloc(1 << 8);  /* 256 B */
        p3 = malloc(1 << 28); /* 256 MB */
        p4 = malloc(1 << 8);  /* 256 B */
        /* Some print statements . . . */
        return 0;
    }

Where does everything go?

[Figure: the same Stack / Heap / Data / Text layout diagram, 0xFF at the top, Text near 0x08, 0x00 at the bottom]
IA32 Example Addresses (not drawn to scale)

address range ~2^32

    $esp            0xffffbcd0
    p3              0x65586008
    p1              0x55585008
    p4              0x1904a110
    p2              0x1904a008
    &p2             0x18049760
    beyond          0x08049744
    big_array       0x18049780
    huge_array      0x08049760
    main()          0x080483c6
    useless()       0x08049744
    final malloc()  0x006be166

malloc() is dynamically linked; its address is determined at runtime

[Figure: the Stack / Heap / Data / Text layout diagram with address ticks 0xFF, 0x80, 0x08 and 0x00, the listed addresses drawn beside the region they fall in]
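The "where does everything go?" exercise, written out as an added example that is not from the lecture slides: the program takes one landmark address per region from its own text, data, heap and stack, classifies any address against those landmarks under the slide's ordering text < data < heap < stack, and prints a table in the style of the one above. The `landmarks` type, `region_of`, `measure` and `layout_is_conventional` are this example's own names; the ordering is an assumption that holds on the IA32 Linux layout the slides describe and on current Linux x86-64 as well.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

enum region { TEXT, DATA, HEAP, STACK };
static const char *region_name[] = { "text", "data", "heap", "stack" };

/* One reference address per region. Classification assumes the slide's
   ordering text < data < heap < stack (addresses increasing). */
typedef struct { uintptr_t text, data, heap, stack; } landmarks;

/* Classify addr by the highest landmark at or below it. */
enum region region_of(uintptr_t addr, const landmarks *lm)
{
    if (addr >= lm->stack) return STACK;
    if (addr >= lm->heap)  return HEAP;
    if (addr >= lm->data)  return DATA;
    return TEXT;
}

static char global_rw[64] = "a read/write global";   /* lands in Data */

int text_landmark(void) { return 1; }                /* its code lands in Text */

/* Take the landmarks from this process: a function, a global, a small
   malloc'd block and a local variable. */
landmarks measure(void)
{
    landmarks lm;
    volatile int local = 0;        /* volatile keeps it in a stack slot */
    char *blk = malloc(64);

    lm.text  = (uintptr_t)text_landmark;
    lm.data  = (uintptr_t)global_rw;
    lm.heap  = (uintptr_t)blk;
    lm.stack = (uintptr_t)&local;
    free(blk);                     /* only the numeric address is kept */
    return lm;
}

/* 1 if this process follows the conventional ordering, 0 otherwise. */
int layout_is_conventional(void)
{
    landmarks lm = measure();
    return lm.text < lm.data && lm.data < lm.heap && lm.heap < lm.stack;
}

int main(void)
{
    landmarks lm = measure();
    void *big = malloc(1 << 24);   /* 16 MB: usually mmap'd, like p1/p3 on the slide */
    struct { const char *what; uintptr_t addr; } rows[] = {
        { "&local",          lm.stack },
        { "malloc(16 MB)",   (uintptr_t)big },
        { "malloc(64)",      lm.heap },
        { "global_rw",       lm.data },
        { "text_landmark()", lm.text },
    };
    size_t i;

    printf("%-18s %-18s %s\n", "symbol", "address", "region");
    for (i = 0; i < sizeof rows / sizeof rows[0]; i++)
        printf("%-18s 0x%016llx %s\n", rows[i].what,
               (unsigned long long)rows[i].addr,
               region_name[region_of(rows[i].addr, &lm)]);
    printf("conventional ordering text < data < heap < stack: %s\n",
           layout_is_conventional() ? "yes" : "no");
    free(big);
    return 0;
}
```

Because `region_of` takes the landmarks as a parameter, it can also be fed the slide's own numbers: with main(), beyond, p2 and $esp as the four landmarks, p3 classifies as heap, big_array and huge_array as data, and main() as text, matching the diagram.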
Internet Worm

- These characteristics of the traditional IA32 Linux memory layout provide opportunities for malicious programs
    - Stack grows "backwards" in memory
    - Data and instructions both stored in the same memory
- November, 1988
    - Internet Worm attacks thousands of Internet hosts.
    - How did it happen?
- The Internet Worm was based on stack buffer overflow exploits!
    - Many Unix functions do not check argument sizes
    - Allows target buffers to overflow
String Library Code

- Implementation of Unix function gets()

    #include <stdio.h>

    /* Get string from stdin */
    char *gets(char *dest)
    {
        int c = getchar();
        char *p = dest;
        /* Copies until newline or EOF; nothing limits how many
           bytes are written past dest */
        while (c != EOF && c != '\n') {
            *p++ = c;
            c = getchar();
        }
        *p = '\0';
        return dest;
    }
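A bounded replacement for the gets() above, added here as an example that is not from the lecture slides. It keeps the same loop but takes the destination size as a parameter, always leaves room for the terminating NUL, drains and reports an over-long line instead of writing past the buffer, and handles a final line that ends at EOF without a newline. The `source` type lets the same reader run over a constructed in-memory string (so it can be exercised offline) or over stdin; `source`, `next_char` and `bounded_gets` are this example's own names.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Character source for the reader: a constructed in-memory string when buf
   is set, otherwise stdin. (An abstraction of this example, not the slide's.) */
typedef struct {
    const char *buf;
    size_t pos, len;
} source;

static int next_char(source *s)
{
    if (s->buf == NULL)
        return getchar();
    return s->pos < s->len ? (unsigned char)s->buf[s->pos++] : EOF;
}

/* Read one line into dest, writing at most size bytes including the NUL.
   Returns the number of characters stored, or -1 if the input was already at
   EOF. Characters that do not fit are consumed and dropped, and *truncated is
   set so the caller can reject or re-prompt rather than silently use a
   cut-off value. A last line without a trailing newline is returned as-is. */
int bounded_gets(char *dest, size_t size, source *src, int *truncated)
{
    size_t n = 0;
    int c;

    *truncated = 0;
    if (size == 0)
        return -1;                 /* no room for even the NUL */

    c = next_char(src);
    if (c == EOF) {
        dest[0] = '\0';
        return -1;
    }
    while (c != EOF && c != '\n') {
        if (n + 1 < size)
            dest[n++] = (char)c;   /* always keep one byte for the NUL */
        else
            *truncated = 1;        /* out of room: drain the rest of the line */
        c = next_char(src);
    }
    dest[n] = '\0';
    return (int)n;
}

int main(void)
{
    char line[16];                 /* small on purpose: a 40-character line is truncated, not overflowed */
    source in = { NULL, 0, 0 };    /* read from stdin */
    int truncated;
    int n;

    while ((n = bounded_gets(line, sizeof line, &in, &truncated)) >= 0) {
        if (truncated)
            printf("line too long, kept first %d characters: \"%s\"\n", n, line);
        else
            printf("read %d characters: \"%s\"\n", n, line);
    }
    return 0;
}
```

Draining the remainder of an over-long line matters: a reader that merely stops at size - 1 characters would hand the tail of the line to the next call as if it were a fresh line, which is the usual surprise with fgets().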