CS406: Information Security

Overview

• A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data and may cause a process to crash or produce incorrect results. They can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits.
  
  

Buffer Overflow Techniques

• Stack Buffer Overflow
  • A stack buffer overflow occurs when a program writes to a memory address on the program's call stack outside of the intended data structure; usually a fixed-length buffer.
  • Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than there was actually allocated for that buffer. This almost always results in corruption of adjacent data on the stack, and in cases where the overflow was triggered by mistake, will often cause the program to crash or operate incorrectly.
  • A technically inclined and malicious user may exploit stack-based buffer overflows to manipulate the program in one of several ways:
    • By overwriting a local variable that is near the buffer in memory on the stack to change the behaviour of the program which may benefit the attacker;
    • By overwriting the return address in a stack frame. Once the function returns, execution will resume at the return address as specified by the attacker, usually a user input filled buffer; and
    • By overwriting a function pointer, or exception handler, which is subsequently executed.
• Heap Buffer Overflow
  • A heap overflow is another type of buffer overflow that occurs in the heap data area. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data.
  • Exploitation goes as follows: If an application copies data without first checking to see if it fits into the chunk (blocks of data in the heap), the attacker could supply the application with a piece of data that is too large, overwriting heap management information (metadata) of the next chunk. This allows an attacker to overwrite an arbitrary memory location with four bytes of data. In most environments, this may allow the attacker control over the program execution.
    
    

Countermeasure

• Choice of programming language
• Use of safe libraries
• Stack-smashing protection, which refers to various techniques for detecting buffer overflows on stack-allocated variables. The most common implementation being StackGuard, and SSP
• Executable space protection, which is the marking of memory regions as non-executable, such that an attempt to execute machine code in these regions will cause an exception. It makes use of hardware features such as the NX bit (Non-Execute bit).
• Address space layout randomization: A technique that involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space.
• Deep packet inspection: It is a form of computer network packet filtering that examines the data and/or header part of a packet as it passes an inspection point, searching for non-protocol compliance, viruses, spam, intrusions, or predefined criteria to decide if the packet can pass or if it needs to be routed to a different destination, or for the purpose of collecting statistical information. It also called Content Inspection or Content Processing.