buffer overflows

Post on 01-Jul-2015


DESCRIPTION

A short presentation I gave summarizing a project I completed for a graduate course in Network Security

TRANSCRIPT

An analysis of stack based vulnerabilities

1972: First recorded overflow vulnerability by the Computer Security Technology Planning Study

1988: The Morris worm becomes the first major Internet Worm

2001: Code Red I & II infect hundreds of thousands of hosts

2003: SQL Slammer (aka Sapphire) becomes the fastest spreading worm in modern history

Overflow vulnerabilities are not obvious from source code inspection alone

Linking to any vulnerable library effectively makes an application vulnerable

Effective protection may require special OS and compiler configuration

Major CPU elements include:

• Memory: paged, hardware protected

• Registers: move data from memory to other hardware

• Control Unit: send OpCodes, operands, HW signals

• ALU: perform OpCodes, set status flags

Standardized mnemonic references for hardware supported operations

• Hardware OpCode: 0x0305000000

• Assembly Instruction: ADD R0, R1

All high level languages ultimately compiled, assembled, linked, and loaded

Stack: First in, last out data structure implemented on reserved memory page

Every procedure is given a stack frame. Procedures allocate space for local variables within their frame. A new frame is pushed onto the stack when a procedure is called and popped off on return.

1. Write malicious payload assembly program

2. Compile, determine OpCodes, encode in hexadecimal string

3. Overflow target buffer with addresses pointing to injected code

Key Defensive Goals:

• Make target address guess difficult

• Detect or prevent the attempt at run-time

Developers:

• Safe Libraries

• Stack Protecting Compilers

• Static Code Analysis
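To show what the "safe libraries" point and the earlier stack frame slide mean in practice, here is an added example (not part of the original presentation): the classic unbounded strcpy() into a local array beside a bounds-checked rewrite. The buffer size and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_CAP 16   /* constructed size of the local buffer */

/* 'Before': the classic pattern. strcpy() copies until the NUL byte and
 * never consults the size of the destination, so input longer than
 * NAME_CAP - 1 bytes runs past the local array into the rest of this
 * stack frame (saved registers, return address). Kept for comparison;
 * it looks harmless on a code read, which is the point of the slide. */
void greet_unsafe(const char *src) {
    char name[NAME_CAP];
    strcpy(name, src);                /* no bound on the copy */
    printf("hello, %s\n", name);
}

/* 'After': the input length is validated against the destination size
 * before anything is written, and the result is always NUL-terminated.
 * Returns 0 on success, -1 when the input would not fit. */
int greet_safe(const char *src) {
    char name[NAME_CAP];
    /* Look for the terminator only within the first NAME_CAP bytes. */
    const char *nul = memchr(src, '\0', NAME_CAP);
    if (nul == NULL)                  /* no room for string + terminator */
        return -1;
    size_t len = (size_t)(nul - src); /* at most NAME_CAP - 1 */
    memcpy(name, src, len);
    name[len] = '\0';
    printf("hello, %s\n", name);
    return 0;
}

/* Constructed inputs: one that fits, one that would have overflowed.
 * Returns 1 when the safe version accepts the first and refuses the second. */
int demo(void) {
    static const char ok[]  = "alice";
    static const char bad[] = "this string is far longer than sixteen bytes";
    int a = greet_safe(ok);           /* 0  */
    int b = greet_safe(bad);          /* -1: copy refused, frame intact */
    return (a == 0 && b == -1) ? 1 : 0;
}

int main(void) {
    greet_unsafe("bob");  /* short input behaves, so testing alone misses the bug */
    return demo() ? 0 : 1;
}
```

Building the same file with a stack-protecting compiler (for example GCC's -fstack-protector) adds the run-time check the slide refers to, aborting greet_unsafe() on overflow instead of returning into attacker-chosen addresses.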

Hardware

• NX Memory Page Bit (Sun SPARC, IBM PowerPC, newer Intel x86-64)

Operating System

• Address Space Randomization (Linux, Windows Vista/Server 2008, some support in Mac OS 10.5)

• Memory Page protection (OpenBSD derivatives, Windows if hardware supports it)

• The combination of these two techniques has great potential

Defenses are being developed in a wide cross section of areas

Rate of new attack ideas is limited in scope and incidence

• return-to-libc, format string errors

Operating system defenses will probably remove this threat one day

Best present advice: Deploy all important patches!
