Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon BakerMicrosoft ResearchersIEEE Security and Privacy , Vol 2, no.4, July 2004.

Presented byMeenakshi Lakshmikanthan on 03/25/2010

IntroductionBuffer overflows have been the most common form of security vulnerability for the last ten years.If buffer overflow vulnerabilities could be effectively eliminated, a very large portion of the most serious security threats would also be eliminated.Buffer overflow vulnerability presents the attacker the ability to inject and execute attack code.

Buffer OverflowBuffer Overflow vulnerabilities and attacks come in a variety of forms.The traditional approach to exploiting buffer overruns is Stack Smashing. Discussions of buffer overrun exploitation in literature typically concentrate on stack-smashing attacks.However, over the decade, hackers have developed several additional approaches to exploit buffer overruns.

Buffer Overflow TypesStack SmashingArc InjectionPointer SubterfugeFunction Pointer ClobberingData Pointer ModificationException Handler HijackingVPTR SmashingHeap Smashing

Stack SmashingChanging the return address of a function thereby changing the flow of execution of the program. Execute some code (potentially supplied by the attacker).Stack smashing relies on the fact that most C compilers store the saved return address on the same stack used for local variables.

Stack SmashingVoid f1a(void * arg, size_t len) {char buff[100];memcpy(buff, arg, len); /* ... */return; }

* Buffer overrun if len > 100 *Return Address Modification

Arc InjectionArc injection (return-into-libc), involves transferring control to code that already exists in the program's memory space.In other words, the exploit just inserts a new arc (control flow transfer) into the programs control flow graph, as opposed to code injection exploits.A straightforward version of arc injection is to use a stack buffer overrun to modify the saved return address to point to a location already in the programs address space.

Arc Injection Example ProgramVoid system(char * arg) { check_validity(arg);R = arg;target:execl(R, ...)}If an attacker can arrange for R to point to an attacker supplied string and then jump directly to the location target, thus bypassing the validity check and assignment, the system will treat the attacker-supplied string as a command line and execute it.

Void f1a(void * arg, size_t len) {char buff[100]; memcpy(buff, arg, len); /* ... */return;}Assuming Register R contains the address of arg or buff then

Void system(char * arg) { check_validity(arg);R = arg;target:execl(R, ...)}

Buffer OverflowBuff > 100Return Address

Arc Injection ContArc-injection exploits are especially useful when the program has memory protection which prevents any area of memory from being simultaneously writeable and executable.

Because no attacker-supplied code is executed, these mitigations do not prevent arc injection exploits.

Pointer SubterfugeA pointer is a variable that contains the address of a function, array element, or other data structure. Pointer subterfuge is a general term for exploits that involve modifying a pointers value.

Four varieties of Pointer Subterfuge exist.

Function Pointer Clobbering (Method 1)Function pointers can be overwritten to transfer control to attacker-supplied code.Clobbering a function pointer allows an attacker to directly transfer control to arbitrary, attacker-supplied codeWhen the program executes a call via the function pointer, the attackers code is executed instead of the originally intended code.

Function Point Clobbering : Example Programvoid f2a(void * arg, size_t len) {char buff[100];void (*f)() = ...;memcpy(buff, arg, len); // Buffer Overrun//f(); /* ... */return;}

Calls the malicious code

Data Pointer Modification (Method 2)Data pointers can be modified by an attacker when exploiting a buffer overflow vulnerability.If a data pointer is used as a target for a subsequent assignment, attackers can control the address to modify other memory locations.In other words, Arbitrary Memory Write occurs when an attacker can control an address to modify other memory locations.

Data Pointers Example Programvoid f2b(void * arg, size_t len) {char buff[100];long val = ...;long *ptr = ...;extern void (*f)(); memcpy(buff, arg, len); // Buffer Overrun//*ptr = val;f();/* ... */return;} By overflowing the buffer, an attacker can overwrite ptr and val. When *ptr = val is evaluated (line 6), an arbitrary memory write is performed.

External Function Pointer

Exception Handler Hijacking (Method 3)Several variations of exploit techniques target the Microsoft Windows Structured Exception Handling mechanism.When an exception is generated, Windows examines a linked list of exception handlers and invokes one of them via a function pointer stored in the list entry. Because the list entries are stored on the stack, it is possible to replace the exception-handler function pointer via buffer overflow, thus allowing an attacker to transfer control to an arbitrary location

VPTR Smashing (Method 4)A virtual function is a function member of a class, declared using the virtual keyword.

Most C++ compilers implement virtual functions via a virtual function table (VTBL) associated with each class.

VTBL is a list of function pointers to the virtual functions.

VPTR is the pointer to the VTBL.

VPTR Smashing Example Programvoid f4(void * arg, size_t len) {char *buff = new char[100];C *ptr = new C; New object of class Cmemcpy(buff, arg, len); /* buffer overrun! */ptr->vf(); // Call to a virtual functionreturn;}

Heap SmashingA buffer overrun is characterized as a stack buffer overrun or heap buffer overrun depending on what memory gets overrun.

Heaps, refer to any dynamic memory implementations such as the C standard librarys malloc, C++s new/delete etc.

The key insight behind heap smashing is to exploit the implementation of the dynamic memory allocator by violating some assumed invariants.

Heap Smashing Example Programvoid f1b(void * arg, size_t len) {char * ptr = malloc(100);if (ptr == NULL) return;memcpy(ptr, arg, len); /* buffer overrun if len > 100 *//* ... */return;}

Heap Smashing - ProblemsThe attacker typically does not know the heap blocks location ahead of time and hence it might be difficult to exploit the heap.Also, it is difficult to predict when the heap free operation will occur.Finally, in some situations, it is difficult to predict whether the next block has been allocated at the time the overrun occurs.

ContributionsThis paper has attempted to explain the different types of buffer overflows.Stack Smashing is the traditional approach which works by modifying the return address to transfer the control flow.Heap Smashing works by exploiting the dynamic memory allocator.Arc Injection transfers the control to code that already exists in the programs memory space.Pointer Subterfuge methods involve the exploits that modify a pointers value.

WeaknessHeap Smashing Techniques have not been dealt in detail.

Lot of mismatch between references to the figure and content.

Thank You!!!!!!!

*