Stack-Based Buffer Overflows
Download as PPTX, PDF2 likes1,168 views
This document discusses stack-based buffer overflows, including: - How they occur when a program writes outside a fixed-length buffer, potentially corrupting data or code. - Their history and use in attacks like the 2001 Code Red worm. - Technical details like how the stack and registers work. - Career opportunities in security analysis and development to prevent and respond to such vulnerabilities. - The ethical responsibilities of developers to write secure code and disclose vulnerabilities responsibly.
Stack-Based Buffer Overflows
- 1. Stack-Based Buffer Overflows Joni Hall and Daniel Tumser
- 2. Overview =>
- 3. Table of Contents ● Introduction ● Related Works ● Technical Aspects ● Careers and Jobs ● Social Impact ● Ethical Impact ● Conclusion ● References
- 4. Introduction ● occurs when a program writes to a memory address outside of (usually) a fixed-length buffer ● results in data corruption, the stopping of a program, or the program to operate incorrectly ● deliberately overflowing a buffer is an attack known as stack smashing ● can be exploited to inject executable code into the running program and take control of the process o gain unauthorized access to a computer
- 5. Related Works ● 1962 - Burroughs B5000 designed first implementation of memory segmentation ● 1978 - x86 Instruction Set Architecture memory segmentation introduced on Intel 8086 ● 1996 - “Smashing the Stack for Fun and Profit” by Elias Levy published in Phrack issue 49 ● 2001 - Code Red Worm exploits buffer overflow in Microsoft’s Internet Information Services ● 2003 - SQL Slammer Worm compromises machines running Microsoft SQL Server 2000 ● 2003 - Buffer overflows in Xbox games allow unlicensed software to run on console o followed by PS2 o followed by Nintendo Wii (this one specifically a Stack-Based Buffer Overflow)
- 6. Technical Aspects ● A logical stack ● Variable size memory segment containing function variables, parameters, and context ● Grows from higher memory addresses to lower addresses ● Divided into Stack Frames via pointers stored in CPU registers The Stack & Stack Frames
- 7. Technical Aspects ● Instruction Pointer (32-bit EIP or 64-bit RIP) o Holds address of the next instruction to be executed o Next address after a function call is pushed onto the stack as the Return Address to continue execution when the function completes/returns. o Overwriting this is the danger of a stack buffer overflow ● Stack Frame pointers o EBP points to the address at the base of the stack frame just above the return address o ESP points to the top memory address of the stack frame ● There are more registers but not necessarily relevant in this case x86 Registers eg. EIP: 004013C2 EBP: 0028FEB8 ESP: 0028FE80
- 8. Technical Aspects ● A buffer is a block of memory for storing some data ● A buffer on Youtube stores a portion of the video that can be watched, and loads more as you go, as well as makes sure enough has loaded to compensate for some lost packets (ex. “buffering”) ● In this case it’s a block of memory (character arrays) for storing user input ● Buffers declared with Malloc(), Calloc(), Realloc() will be stored in the Heap. ● The buffers created in this example go in the Stack. What’s a buffer?
- 9. Technical Aspects With input strings of the proper length the program executes as normal and returns without error. With a 2nd string input of length 22(+1 for string terminator) it is overflowed and overwrites what is immediately below that buffer in the stack. In this case it overflows the 1st string input. Function context (base pointer, return address) isn’t overwritten, so program returns without an exception thrown. Examples’ Output
- 10. Technical Aspects ● OllyDbg with Vuln2.exe loaded and execution paused ● Window divided into 4 panes o Top-left is the Code memory segment o Top-Right are CPU registers o Bottom-Reft is the Data segment o Bottom-Right is the Stack OllyDbg of Example
- 11. Technical Aspects Stack Frame (no overflow)
- 12. Technical Aspects Stack Frame (with overflow)
- 13. Technical Aspects ContrastNo Overflow Overflowed
- 14. Technical Aspects Same exact buffer overflow as in previous examples but with user input instead of hardcoded strcpy() Stack pane shows 10 bytes between end of our overflowed buffer to the beginning of Return Address. Return Addr is a pointer, x86 is 32-bit, so it’s a 4 byte address. The 4 characters (8 hex digits) after the 10th additional character will become the new return addr. When function returns Return Addr is loaded into the Instruction pointer Overwriting Return Addr
- 15. Technical Aspects EIP successfully overwritten with user input, in this case four A characters, or hex-41. User can now control program execution flow with the Instruction pointer and execute code with this process’s privileges. Overwriting Return Addr
- 16. Career Impact & Job Outlook Information Security Analyst ● 2012 - 2022 job growth o +37% o more than 2x the total of all occupations ● Median Salary o $86, 170 o 2.4x total of all occupations Vulnerability Analyst
- 17. Career Impact & Job Outlook ● Skills o security risk management o security intrusion detection o IT security infrastructure o security testing and auditing o x86/x86_64 & Fuzzing* ● Minimum Qualifications o Bachelor’s in CS, Engineering or Programming o CompTIA Security+ Vulnerability Analyst
- 18. Career Impact & Job Outlook Software Developer ● Job Growth 2012-2022 o +22% o +222,600 jobs ● Median Salary o $93,350 o x2.69 national median Software Engineer
- 19. Career Impact & Job Outlook Software Engineer ● Skills ○ Python ○ C ○ C++ ○ UNIX ○ Linux ● Minimum Requirements ○ Bachelor’s Degree in Computer Science or Software Engineering ○ Programming experience
- 20. Social Impact ● Too esoteric for widespread social impact ● Should affect coding practices of CS and IT professionals Write secure code. Make your coworkers write secure code Bounds check all the buffers
- 21. Ethical Impact Code you produce is the responsibility of yourself and the organization you produce it for. Both have an ethical obligation to customers to provide secure code. To write secure code you need to understand the vulnerability and how it’s exploited Patch vulnerabilities that are discovered in development or in the wild. Vulnerability discovery and proofs of concept are not illegal, and obtaining a Common Vulnerabilities and Exposures (CVE) number for your work looks great on a resume. Vulnerability disclosure often negotiated and timed with the software vendor for patching. Exploiting vulnerabilities for unauthorized access of computer systems still very illegal. Don’t do it unless you’re cool with the risk of fines and prison time. Coding Vulnerability Analysis
- 22. Conclusion ● Overflowing a buffer may result in a program crash, program errors, or data corruption ● CS and IT professionals should write more secure code to prevent it from happening ● Exploiting a buffer overflow is one of the oldest ways to gain unauthorized access to a computer ● Don’t do it unless you are okay with fines and prison time!
- 23. References 1. Erickson, Jon. Hacking: the Art of Exploitation. 2nd ed. San Francisco, Calif.: No Starch, 2008. Print. 2. Koziol, Jack. The Shellcoder's Handbook: Discovering and Exploiting Security Holes. Indianapolis, IN: Wiley Pub., 2004. Print. 3. Levy, Elias. "Smashing the Stack for Fun and Profit." Phrack 49 (1996). Phrack. Web. 1 July 2015. <http://phrack.org/issues/49/14.html#article>. 4. "Information Security Analyst Salary (United States)." Information Security Analyst Salary (United States). Web. 5 July 2015. <http://www.payscale.com/research/US/Job=Information_Security_Analyst/Salary>. 5. "Software Engineer Salary (United States)." Software Engineer Salary (United States). Web. 5 July 2015. <http://www.payscale.com/research/US/Job=Software_Engineer/Salary>. 6. Staff Contributor. "Sourcefire VRT Unveils Research on 25 Years of Vulnerabilities: 1988-2012 | | Sourcefire Blog." Sourcefire, 5 Mar. 2013. Web. 5 July 2015. <http://blog.sourcefire.com/Post/2013/03/05/1362499920-sourcefire-vrt-unveils-research-on-- years-of-vulnerabilities-/>.
- 24. Stack-Based Buffer Overflows Joni Hall and Daniel Tumser