Buffer Overflow
A buffer is an area of memory that the application reserves to store expected data.
A buffer overflow is an attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory.
- is a software vulnerability where a program attempts to write more data to a buffer than it can hold, causing the excess data to overflow into adjacent memory space
- occurs when an application receives more data than it expects and has allocated space for
- can allow the attacker to crash the system or execute arbitrary code
- indicator of failed buffer overflow attempts:
  - frequent process crashes
- a common form is the stack-based buffer overflow
  - the stack is an area of memory used by a program's subroutines
  - it includes a return address
    - the location in the program that called the subroutine, where execution resumes when the subroutine finishes
  - an attacker could use a buffer overflow to change the return address
    - allowing the attacker to run arbitrary code on the system
Normal Execution
- Main() calls a Sub() function and passes it arguments
- Sub() stores the arguments as variables in its stack frame
- Sub() completes its processing and returns execution control to Main() using the saved return address
Exploit Execution
- Malicious input passes oversized arguments to Sub()
- The arguments overflow the buffer and overwrite the saved return address
- When Sub() returns, the altered return address sends execution to the exploit shellcode the attacker placed on the stack
How it Works
- Most programming languages require you to specify the amount of data you expect to receive and then set aside storage for that data
- Not setting a limit on the amount of data you take in can result in receiving more data than the memory allocated for it can hold
- The surplus data then overwrites other areas of memory used by other applications or the operating system
- Attackers can exploit this to tamper with other applications or execute commands
Example
- Entering 10 characters into a field that was expecting only 8
- The extra 2 characters are written past the end of the buffer into memory, perhaps over memory locations used by other applications or the OS
- By specifically crafting the excess data it is possible to execute commands
Mitigation
- mitigated on modern hardware and operating systems via:
  - address space layout randomization (ASLR)
  - Data Execution Prevention (DEP) controls
- utilizing type-safe programming languages
  - a language that enforces strict type-checking during compilation and ensures variables and data are used correctly
  - prevents memory-related vulnerabilities and injection attacks
- C and C++ contain built-in functions that do not provide a default mechanism for checking whether data will overwrite the bounds of a buffer
  - the developer must manually program secure operation
- utilize proper bounds checking to nullify this attack entirely
  - bounds checking is the process of setting a limit, or bound, on the size of data accepted from an input
  - some languages implement bounds checking automatically
    - e.g., Java and C#
- Intel Execute Disable (XD) bit provides hardware-level buffer overflow protection in Intel chipsets
  - useful for preventing malicious code execution at the system level
- AMD Enhanced Virus Protection offers hardware-level buffer overflow protection for AMD processors
- incorporating secure coding practices
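The 8-versus-10-character example above, together with the manual bounds checking that C leaves to the developer, as an added example written for these notes (not code from the original page): `store_field_unchecked` and `store_field_checked` are hypothetical names, and the 8-character field width follows the page's example.

```c
#include <stdio.h>
#include <string.h>

/* The page's example: a field that expects only 8 characters.
 * One extra byte holds the terminating NUL. */
#define FIELD_CHARS 8

/* The vulnerable pattern: strcpy() does not know how large dst is, so
 * 10 characters plus the terminator (11 bytes) spill past a 9-byte
 * buffer and overwrite whatever sits next to it on the stack (other
 * variables, the saved return address). Shown for contrast only;
 * main() never calls it with oversized input. */
void store_field_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);          /* no bound on the copy */
}

/* Bounds checking: the caller passes the buffer size and the input is
 * rejected, with dst left untouched, if it will not fit including the
 * NUL terminator. Returns 0 on success, -1 if the bound is exceeded. */
int store_field_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    /* Look for the terminator only inside the first dst_size bytes so
     * the check itself never reads past the bound. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)           /* at least dst_size characters: too long */
        return -1;
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n + 1);   /* copy the characters and the NUL */
    return 0;
}

int main(void)
{
    char field[FIELD_CHARS + 1] = "";
    const char *ok  = "12345678";    /* 8 characters: fits */
    const char *bad = "1234567890";  /* 10 characters: the page's overflow case */

    printf("%-12s -> %s\n", ok,
           store_field_checked(field, sizeof field, ok) == 0 ? "stored" : "rejected");
    printf("%-12s -> %s (field still \"%s\")\n", bad,
           store_field_checked(field, sizeof field, bad) == 0 ? "stored" : "rejected",
           field);
    return 0;
}
```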
