1. 1. Stack-Based Buffer Overflows Joni Hall and Daniel Tumser
2. 2. Overview =>
3. 3. Table of Contents Introduction Related Works Technical Aspects Careers and Jobs Social Impact Ethical Impact Conclusion References
4. 4. Introduction occurs when a program writes to a memory address outside of (usually) a fixed-length buffer results in data corruption, the stopping of a program, or the program to operate incorrectly deliberately overflowing a buffer is an attack known as stack smashing can be exploited to inject executable code into the running program and take control of the process o gain unauthorized access to a computer
5. 5. Related Works 1962 - Burroughs B5000 designed first implementation of memory segmentation 1978 - x86 Instruction Set Architecture memory segmentation introduced on Intel 8086 1996 - Smashing the Stack for Fun and Profit by Elias Levy published in Phrack issue 49 2001 - Code Red Worm exploits buffer overflow in Microsofts Internet Information Services 2003 - SQL Slammer Worm compromises machines running Microsoft SQL Server 2000 2003 - Buffer overflows in Xbox games allow unlicensed software to run on console o followed by PS2 o followed by Nintendo Wii (this one specifically a Stack-Based Buffer Overflow)
6. 6. Technical Aspects A logical stack Variable size memory segment containing function variables, parameters, and context Grows from higher memory addresses to lower addresses Divided into Stack Frames via pointers stored in CPU registers The Stack & Stack Frames
7. 7. Technical Aspects Instruction Pointer (32-bit EIP or 64-bit RIP) o Holds address of the next instruction to be executed o Next address after a function call is pushed onto the stack as the Return Address to continue execution when the function completes/returns. o Overwriting this is the danger of a stack buffer overflow Stack Frame pointers o EBP points to the address at the base of the stack frame just above the return address o ESP points to the top memory address of the stack frame There are more registers but not necessarily relevant in this case x86 Registers eg. EIP: 004013C2 EBP: 0028FEB8 ESP: 0028FE80
8. 8. Technical Aspects A buffer is a block of memory for storing some data A buffer on Youtube stores a portion of the video that can be watched, and loads more as you go, as well as makes sure enough has loaded to compensate for some lost packets (ex. buffering) In this case its a block of memory (character arrays) for storing user input Buffers declared with Malloc(), Calloc(), Realloc() will be stored in the Heap. The buffers created in this example go in the Stack. Whats a buffer?
9. 9. Technical Aspects With input strings of the proper length the program executes as normal and returns without error. With a 2nd string input of length 22(+1 for string terminator) it is overflowed and overwrites what is immediately below that buffer in the stack. In this case it overflows the 1st string input. Function context (base pointer, return address) isnt overwritten, so program returns without an exception thrown. Examples Output
10. 10. Technical Aspects OllyDbg with Vuln2.exe loaded and execution paused Window divided into 4 panes o Top-left is the Code memory segment o Top-Right are CPU registers o Bottom-Reft is the Data segment o Bottom-Right is the Stack OllyDbg of Example
11. 11. Technical Aspects Stack Frame (no overflow)
12. 12. Technical Aspects Stack Frame (with overflow)
13. 13. Technical Aspects ContrastNo Overflow Overflowed
14. 14. Technical Aspects Same exact buffer overflow as in previous examples but with user input instead of hardcoded strcpy() Stack pane shows 10 bytes between end of our overflowed buffer to the beginning of Return Address. Return Addr is a pointer, x86 is 32-bit, so its a 4 byte address. The 4 characters (8 hex digits) after the 10th additional character will become the new return addr. When function returns Return Addr is loaded into the Instruction pointer Overwriting Return Addr
15. 15. Technical Aspects EIP successfully overwritten with user input, in this case four A characters, or hex-41. User can now control program execution flow with the Instruction pointer and execute code with this processs privileges. Overwriting Return Addr
16. 16. Career Impact & Job Outlook Information Security Analyst 2012 - 2022 job growth o +37% o more than 2x the total of all occupations Median Salary o $86, 170 o 2.4x total of all occupations Vulnerability Analyst
17. 17. Career Impact & Job Outlook Skills o security risk management o security intrusion detection o IT security infrastructure o security testing and auditing o x86/x86_64 & Fuzzing* Minimum Qualifications o Bachelors in CS, Engineering or Programming o CompTIA Security+ Vulnerability Analyst
18. 18. Career Impact & Job Outlook Software Developer Job Growth 2012-2022 o +22% o +222,600 jobs Median Salary o $93,350 o x2.69 national median Software Engineer
19. 19. Career Impact & Job Outlook Software Engineer Skills Python C C++ UNIX Linux Minimum Requirements Bachelors Degree in Computer Science or Software Engineering Programming experience
20. 20. Social Impact Too esoteric for widespread social impact Should affect coding practices of CS and IT professionals Write secure code. Make your coworkers write secure code Bounds check all the buffers
21. 21. Ethical Impact Code you produce is the responsibility of yourself and the organization you produce it for. Both have an ethical obligation to customers to provide secure code. To write secure code you need to understand the vulnerability and how its exploited Patch vulnerabilities that are discovered in development or in the wild. Vulnerability discovery and proofs of concept are not illegal, and obtaining a Common Vulnerabilities and Exposures (CVE) number for your work looks great on a resume. Vulnerability disclosure often negotiated and timed with the software vendor for patching. Exploiting vulnerabilities for unauthorized access of computer systems still very illegal. Dont do it unless youre cool with the risk of fines and prison time. Coding Vulnerability Analysis
22. 22. Conclusion Overflowing a buffer may result in a program crash, program errors, or data corruption CS and IT professionals should write more secure code to prevent it from happening Exploiting a buffer overflow is one of the oldest ways to gain unauthorized access to a computer Dont do it unless you are okay with fines and prison time!
23. 23. References 1. Erickson, Jon. Hacking: the Art of Exploitation. 2nd ed. San Francisco, Calif.: No Starch, 2008. Print. 2. Koziol, Jack. The Shellcoder's Handbook: Discovering and Exploiting Security Holes. Indianapolis, IN: Wiley Pub., 2004. Print. 3. Levy, Elias. "Smashing the Stack for Fun and Profit." Phrack 49 (1996). Phrack. Web. 1 July 2015. . 4. "Information Security Analyst Salary (United States)." Information Security Analyst Salary (United States). Web. 5 July 2015. . 5. "Software Engineer Salary (United States)." Software Engineer Salary (United States). Web. 5 July 2015. . 6. Staff Contributor. "Sourcefire VRT Unveils Research on 25 Years of Vulnerabilities: 1988-2012 | | Sourcefire Blog." Sourcefire, 5 Mar. 2013. Web. 5 July 2015. .
24. 24. Stack-Based Buffer Overflows Joni Hall and Daniel Tumser