- A buffer overflow (or overrun) is a situation in which a program uses locations adjacent to a buffer (i.e., beyond one or both of the boundaries of a buffer).
- People frequently limit the definition of a buffer overflow to situations in which data is written to locations adjacent to the buffer
- We will include both reading and writing since reading beyond the boundary can lead to harm (e.g., confidentiality and availability)
- When explicitly using an array
- When using a string (i.e., implicitly using an array)
Vulnerabilities when Using Arrays - Length Faults
- A Common Idiom:
- Pass an array and its length as different parameters
(e.g., main(int argc, char* argv[]) )
- A length that is too large might be passed in (or the length might be increased locally)
Vulnerabilities when Using Arrays - Length Faults (cont.)
-
Another Common Idiom:
void operation(int array[]) < int length = sizeof(array) / sizeof(array[0]); for (int i=0; i>
- array is a parameter and, so, is a pointer type
- Hence, sizeof(array) is the size of an int * , not the size of the array
Vulnerabilities when Using Arrays - Sentinel Faults
- A Common Idiom:
- Use a special value to indicate the last element of the array (e.g., -1 in an array of non-negative integers)
- The sentinel can be omitted or misspecified
Vulnerabilities when Using Strings
- Recall:
- C has character types char and wchar_t
- A string in C is a contigous sequence of characters terminated by (and including) a sentinel character (the null character '\0' )
- Strings are stored in arrays
- The length of the string is (i.e., should be) at least one less than the length of the array
Vulnerabilities when Using Strings - gets()
- A Common Practice:
- Use gets() to read characters (until it reaches a newline or end-of-stream character)
char line[81]; gets(line);
- An attacker can enter an indeterminate number of characters making it impossible to ensure that the buffer is large enough
Vulnerabilities when Using Strings - strcpy()
- A Common Practice:
- Copy a source string into a target/destination string using strcpy()
- The attacker can supply a string that is too long (i.e., a file name that is longer than 64 characters in this example)
Vulnerabilities when Using Strings - strcat()
- A Common Practice:
- Use strcat() to append a source string to a target string
- The target might not be long enough to hold the result
Vulnerabilities when Using Strings - sprintf()
- A Common Practice:
- Use sprintf() to create a (formatted) string
char line[81]; sprintf(line, "%2d: %s\n", i, user_input);
- sprintf() assumes that the buffer it is passed is large enough and the attacker might provide a string that is too long (i.e., longer than 80 - 2 - 2 - 1 = 75 characters in this example)
Vulnerabilities when Using Strings - Null Termination
- Some Common Practices:
- Not allocating memory for the null character (i.e., an off-by-one error when calculating the size)
- Forgetting to include the null character (though there is space for it)
- Using strncpy() to copy the first n characters from the source to the target when the source contains n or more characters (which results in a non-null terminated string)
- strlen() uses the null character to determine the length of the string so any function that uses strlen() will have problems
- Other functions (e.g., strcpy() ) iterate until a null character is encountered so will have problems
Vulnerabilities when Using Strings - Null Termination (cont.)
char a[10], b[10]; strncpy(a, "0123456789", 10); // a will not be null-terminated strcpy(b, a); // b will probably overflow
Threats - Memory Corruption
- The Issue:
- By overflowing a buffer the attacker can corrupt memory that is being used to store information of various kinds
- User input
Threats - Arbitrary Memory Writes
- The Issue:
- By overflowing a buffer the attacker can corrupt the value of a pointer and, if the pointer is used in an assignment statement, corrupt the arbitrary address it now points to
. char buffer[BUFFER_SIZE]; long value = . ; long* p = . ; strncpy(buffer, argv[1], length); // Potential overflow into p *p = value; // Assign value to the address pointed to by p .
Threats - Corrupted Function Pointers
- The Issue:
- By overflowing a buffer the attacker can corrupt the value of function pointer and, if the function pointer is used subsequently, transfer control to arbitrary code
. static int value = . ; static char buffer[BUFFER_SIZE]; static void (*f)(int i); f = &some_function; strncpy(buffer, argv[1], length); // Potential overflow into f (void)(*f)(value); // Execute the code pointed to by f .
Threats - Stack Smashing
- The Issue:
- By overflowing a buffer the attacker can overwrite data in the memory allocated to the execution stack
- The values of automatic variables can be modified
- Program execution can be terminated
- Arbitrary code can be executed
Attacks - Data Integrity
-
A Memory Corruption Example:
cexamples/bufferoverflow/windows/string_overflow_data.c
#include #include char eid[9]; // 8 characters plus '\0' int grade; int main(int argc, char* argv[]) < // Initialize strcpy(eid, "bernstdh"); grade = 100; printf("EID: %8s Grade: %d\n", eid, grade); // Copy user input into the eid strcpy(eid, "bernstdh \x08\x08"); // 0x08 is ASCII backspace printf("EID: %8s Grade: %d\n", eid, grade); >- Address of eid: 0x0804a030
- Address of grade: 0x0804a024
Attacks - Data Integrity (cont.)
- Notes:
- Though eid only requires 9 bytes, space actually exists for 12 (for alignment reasons)
- Intelx86 is little-endian
Attacks - Program Termination/Availability
An Example
cexamples/bufferoverflow/smash.c
- Pass an array and its length as different parameters