Presentation is loading. Please wait.

Presentation is loading. Please wait.

Buffer Overflows Many of the following slides are based on those from

Published byErika Powers Modified over 9 years ago

Similar presentations

Presentation on theme: "Buffer Overflows Many of the following slides are based on those from"— Presentation transcript:

1 Buffer Overflows Many of the following slides are based on those from
Complete Powerpoint Lecture Notes for Computer Systems: A Programmer's Perspective (CS:APP) Randal E. Bryant and David R. O'Hallaron The book is used explicitly in CS 2505 and CS 3214 and as a reference in CS 2506.

2 Basic Questions What is a buffer overflow? How can it be exploited?
How can it be avoided? Through programmer measures? Through system measures (and how effective are they)?

3 String Library Code Implementation of Unix function gets
No way to specify limit on number of characters to read // Get string from stdin char *gets(char *dest) { int c = getc(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getc(); } *p = '\0'; return dest; So bad it's officially deprecated, but it has been used widely, is still used, and gcc still supports it.

4 Vulnerable Buffer Code
int main() { printf("Type a string:"); echo(); return 0; } // Echo Line void echo() { char buf[4]; // Dangerously small! // Stored on the stack!! gets(buf); // Call to oblivious fn puts(buf); }

5 Buffer Overflow Executions
unix>./bufdemo Type a string:123 123 unix>./bufdemo Type a string:12345 Segmentation Fault unix>./bufdemo Type a string: Segmentation Fault

6 Buffer Overflow Stack // Echo Line void echo() { char buf[4]; // Way too small! gets(buf); puts(buf); } Return Address Saved %ebp [3] [2] [1] [0] Stack Frame for main for echo %ebp buf echo: pushl %ebp # Save %ebp on stack movl %esp,%ebp subl $20,%esp # Allocate space on stack pushl %ebx # Save %ebx addl $-12,%esp # Allocate space on stack leal -4(%ebp),%ebx # Compute buf as %ebp-4 pushl %ebx # Push buf on stack call gets # Call gets

7 Buffer Overflow Stack Example
unix> gdb bufdemo (gdb) break echo Breakpoint 1 at 0x (gdb) run Breakpoint 1, 0x in echo () (gdb) print /x *(unsigned *)$ebp $1 = 0xbffff8f8 (gdb) print /x *((unsigned *)$ebp + 1) $3 = 0x804864d 0xbffff8d8 Return Address Saved %ebp [3] [2] [1] [0] buf Stack Frame for main for echo bf ff f8 08 04 86 4d xx Before call to gets : call c <echo> 804864d: mov 0xffffffe8(%ebp),%ebx # Return Point

8 Buffer Overflow Example #1
Before Call to gets Input = “123” After call to gets Return Address Saved %ebp [3] [2] [1] [0] buf %ebp Stack Frame for main for echo 0xbffff8d8 Return Address Saved %ebp [3] [2] [1] [0] buf Stack Frame for main for echo bf ff f8 08 04 86 4d 00 33 32 31 No Problem

9 Buffer Overflow Stack Example #2
Return Address Saved %ebp [3] [2] [1] [0] buf %ebp Stack Frame for main for echo Input = “12345” 0xbffff8d8 Return Address Saved %ebp [3] [2] [1] [0] buf Stack Frame for main for echo bf ff 00 35 08 04 86 4d 34 33 32 31 Saved value of %ebp set to 0xbfff0035 Bad news when later attempt to restore %ebp echo code: : push %ebx : call e4 <_init+0x50> # gets : mov 0xffffffe8(%ebp),%ebx 804859b: mov %ebp,%esp 804859d: pop %ebp # %ebp gets set to invalid value 804859e: ret

10 Buffer Overflow Stack Example #3
Return Address Saved %ebp [3] [2] [1] [0] buf %ebp Stack Frame for main for echo 0xbffff8d8 Return Address Saved %ebp [3] [2] [1] [0] buf Stack Frame for main for echo 38 37 36 35 08 04 86 00 34 33 32 31 Invalid address No longer pointing to desired return point Input = “ ” %ebp and return address corrupted : call c <echo> 804864d: mov 0xffffffe8(%ebp),%ebx # Return Point

11 Malicious Use of Buffer Overflow
Stack right after call to H() void F(){ G(); ... } G stack frame return address toF toF void G(){ H(); ... } H stack frame buf[] void H() { char buf[64]; ... } B = &buf[0]

12 Malicious Use of Buffer Overflow
void G(){ H(); ... } Stack right after call to gets() G toF void H() { char buf[64]; gets(buf); ... } H buf[] return address to G toG dest gets gets()can now write whatever it wants, beginning at buf[0]

13 Malicious Use of Buffer Overflow
void G(){ H(); ... } Stack right before return from gets() G And new pointer that overwrites return address with address of buffer toF void H() { char buf[64]; gets(buf); ... } And padding (which overwrites rest of H()’s frame H buf[] Input string to gets() contains byte representation of executable code toG dest gets

14 Malicious Use of Buffer Overflow
void G(){ H(); ... } Stack right after return to H() from gets() G void H() { char buf[64]; gets(buf); ... } to buf[] padding H code buf[] When H() executes ret, will jump to exploit code

15 Avoiding Overflow Vulnerability
// Echo Line void echo() { char buf[4]; // Way too small! fgets(buf, 4, stdin); puts(buf); } Use Library Routines that check/limit string lengths fgets instead of gets strncpy/strlcpy instead of strcpy snprintf instead of sprintf Don’t use scanf with %s conversion specification Use fgets to read the string

16 Aftermath... void G(){ H(); ... } What happens next...? G void H() {
char buf[64]; gets(buf); ... } to buf[] padding H code buf[] The exploit code could (possibly): - exit the program - crash the program - trigger call to another program How could we make the exploit just return to G()?

Download ppt "Buffer Overflows Many of the following slides are based on those from"

Similar presentations

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Machine-Level Programming V: Miscellaneous Topics Topics Buffer Overflow Linux Memory Layout Understanding Pointers Floating-Point Code CS 105 Tour of.

Machine-Level Programming V: Miscellaneous Topics Topics Buffer Overflow Linux Memory Layout Understanding Pointers Floating-Point Code CS 105 Tour of.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Today C operators and their precedence Memory layout

Today C operators and their precedence Memory layout
Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002 Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code.

Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002 Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code.
Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Buffer Overflow Floating Point Code CS213.

Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Buffer Overflow Floating Point Code CS213.
– 1 – EECS213, S’08 Alignment Aligned Data Primitive data type requires K bytes Address must be multiple of K Required on some machines; advised on IA32.

– 1 – EECS213, S’08 Alignment Aligned Data Primitive data type requires K bytes Address must be multiple of K Required on some machines; advised on IA32.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Fabián E. Bustamante, Spring 2007 Machine-Level Prog. V – Miscellaneous Topics Today Buffer overflow Floating point code Next time Memory.

Fabián E. Bustamante, Spring 2007 Machine-Level Prog. V – Miscellaneous Topics Today Buffer overflow Floating point code Next time Memory.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Introduction to x86 Assembly or “How does someone hack my laptop?”

Introduction to x86 Assembly or “How does someone hack my laptop?”
CSCE 815 Network Security Lecture 20 Intruders / Intrusion Detection April 3, 2003.

CSCE 815 Network Security Lecture 20 Intruders / Intrusion Detection April 3, 2003.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Machine Programming – IA32 memory layout and buffer overflow CENG331: Introduction to Computer Systems 7 th Lecture Instructor: Erol Sahin Acknowledgement:

Machine Programming – IA32 memory layout and buffer overflow CENG331: Introduction to Computer Systems 7 th Lecture Instructor: Erol Sahin Acknowledgement:
Carnegie Mellon 1 This week Buffer Overflow  Vulnerability  Protection.

Carnegie Mellon 1 This week Buffer Overflow  Vulnerability  Protection.
1 UCR Common Software Attacks EE 260: Architecture/Hardware Support for Security Slide credits: some slides from Dave O’halloran, Lujo Bauer (CMU) and.

1 UCR Common Software Attacks EE 260: Architecture/Hardware Support for Security Slide credits: some slides from Dave O’halloran, Lujo Bauer (CMU) and.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

Similar presentations

Ads by Google