buffer overflows


Posted on 01-Jul-2015






A short presentation I gave summarizing a project I completed for a graduate course in Network Security


  • An analysis of stack-based vulnerabilities


  • 1972: First recorded overflow vulnerability, in the Computer Security Technology Planning Study
  • 1988: The Morris worm becomes the first major Internet worm
  • 2001: Code Red I & II infect hundreds of thousands of hosts
  • 2003: SQL Slammer (aka Sapphire) becomes the fastest-spreading worm in modern history


  • Overflow vulnerabilities are not obvious from source code inspection alone
  • Linking to any vulnerable library effectively makes the whole application vulnerable
  • Effective protection may require special OS and compiler configuration


  • Major CPU elements include:
    • Memory: paged, hardware-protected
    • Registers: move data between memory and other hardware
    • Control Unit: sends opcodes, operands, and hardware signals
    • ALU: performs opcodes, sets status flags


  • Standardized mnemonic references for hardware-supported operations
    • Hardware OpCode: 0x0305000000
    • Assembly Instruction: ADD R0, R1
  • All high-level languages are ultimately compiled, assembled, linked, and loaded


  • Stack: first-in, last-out data structure implemented on a reserved memory page
  • Every procedure is given a stack frame
  • Procedures allocate space for their local variables within their frame
  • A new frame is pushed onto the stack when a procedure is called and popped off on return


  • Write the malicious payload as an assembly program
  • Compile it, determine the opcodes, and encode them as a hexadecimal string
  • Overflow the target buffer with addresses pointing to the injected code


  • Key defensive goals:
    • Make the target address hard to guess
    • Detect or prevent the attempt at run-time
  • Developers:
    • Safe libraries
    • Stack-protecting compilers
    • Static code analysis
  • Hardware:
    • NX memory page bit (Sun SPARC, IBM PowerPC, newer Intel x86-64)
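The three attack steps listed earlier and the "safe libraries" and "stack-protecting compilers" defenses on this slide come down to one root cause: a copy whose length is taken from the input rather than from the destination buffer. The C program below is an added example, not code from the original presentation. It simulates a stack frame inside a single array (assumption: a 16-byte local buffer, then a 4-byte canary, then the saved return address slot) so the overrun stays within defined behaviour, shows the overflow being caught the way a stack-protector epilogue catches it before the return address is used, and contrasts that with a bounded copy that rejects oversized input up front. The canary value, frame layout and function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout: [ buf: 16 bytes ][ canary: 4 bytes ][ saved return address: 8 bytes ].
 * On a real x86 stack the saved return address lies above the locals in this
 * same direction, which is why an overrun of buf can reach it. */
#define BUF_SIZE   16u
#define CANARY_OFF BUF_SIZE
#define RET_OFF    (CANARY_OFF + sizeof(uint32_t))
#define FRAME_SIZE (RET_OFF + sizeof(uint64_t))

/* Constructed constant. A real stack protector uses a per-process random value. */
static const uint32_t CANARY = 0xDEADBEEFu;

enum copy_result { COPY_OK = 0, COPY_REJECTED = 1, COPY_CANARY_SMASHED = 2 };

/* Vulnerable pattern: the number of bytes written is derived from the input
 * (as strcpy does), not from the size of the destination. The canary check
 * afterwards mirrors what a stack-protecting compiler emits in the epilogue:
 * the overwrite is detected before the corrupted return address is used. */
enum copy_result copy_unsafe_with_canary(const char *input) {
    unsigned char frame[FRAME_SIZE];
    uint32_t guard;
    size_t n = strlen(input) + 1;      /* bug: length comes from the attacker's data */

    memset(frame, 0, sizeof frame);
    memcpy(frame + CANARY_OFF, &CANARY, sizeof CANARY);
    if (n > FRAME_SIZE)                /* keep the simulation inside the array */
        n = FRAME_SIZE;
    memcpy(frame, input, n);           /* overruns buf as soon as n > BUF_SIZE */

    memcpy(&guard, frame + CANARY_OFF, sizeof guard);
    return guard == CANARY ? COPY_OK : COPY_CANARY_SMASHED;
}

/* Hardened pattern: the bound is the destination size, checked before any
 * byte is written, so the copy can never reach the canary or the return slot. */
enum copy_result copy_bounded(const char *input, char *dst, size_t dst_size) {
    size_t len = strlen(input);
    if (dst_size == 0 || len >= dst_size)
        return COPY_REJECTED;          /* no room for the bytes plus the terminator */
    memcpy(dst, input, len + 1);
    return COPY_OK;
}

/* Convenience wrapper with a 16-byte destination, matching the simulated frame. */
enum copy_result copy_bounded16(const char *input) {
    char dst[BUF_SIZE];
    return copy_bounded(input, dst, sizeof dst);
}

int main(void) {
    /* Constructed inputs: one that fits, one that is exactly one byte too long
     * (the NUL terminator lands on the canary), one that reaches the return slot. */
    const char *inputs[] = {
        "hello",
        "exactly16bytes!!",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-34s unsafe=%d bounded=%d\n", inputs[i],
               copy_unsafe_with_canary(inputs[i]), copy_bounded16(inputs[i]));
    }
    return 0;
}
```

The off-by-one case is the instructive one: a 16-character string is a valid-looking input for a 16-byte buffer, yet its terminator already corrupts the canary, which is exactly the defect that source inspection alone tends to miss and that the bounded version rejects with `len >= dst_size` rather than `len > dst_size`.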


  • Operating system:
    • Address space randomization (Linux, Windows Vista/Server 2008, some support in Mac OS 10.5)
    • Memory page protection (OpenBSD derivatives, Windows if the hardware supports it)
    • The combination of these two techniques has great potential


  • Defenses are being developed across a wide cross-section of areas
  • The rate of new attack ideas is limited in scope and incidence
    • return-to-libc, format string errors
  • Operating system defenses will probably remove this threat one day
  • Best present advice: deploy all important patches!

