Presentation is loading. Please wait.

Presentation is loading. Please wait.

Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value."— Presentation transcript:

1 Buffer Overflow Exploits CS-480b Dick Steflik

2 What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value parameters Buffer is a contiguously allocated chunk of memory Anytime we put more data into a data structure than it was designed for.

3 Side Effects The side effects of a buffer overflow may cause: the program may work strangely the program may fail the program may continue without any noticeable problems

4 Side Effects Depend on: How much data was written past the end of the buffer What data (if any) are overwritten Whether the program attempts to read data that are overwritten What data ends up replacing the memory that gets overwritten

5 Three Basic Attacks Overrun a static buffer hurts data but little to no exposure for loss of control Stack smashing place attack code in memory, find some sloppy use of the runtime stack, use stack to transfer control to attack code Heap overflow much harder to exploit as there isn’t usually a mechanism to gain control

6 Defensive Programming The C Standard library has a number of highly susceptible function calls: gets( ) - reads data from stdin until eof or a newline character strcpy( ) - copies a string into a buffer, number of chars copied depend on length of source string

7 strcpy() if you know the size of the destination buffer: if (strlen(src) >= dst_size {/* throw an error */ } else { strcpy(dst, src); } - or - strncpy(dst, src, dst_size-1); dst[dst_size -1] = ‘\0’; /* just to be safe */ -or- /* allocate the destination buffer when you need it */ dst = (char *)malloc(strlen(src) +1); srtcpy(dst, src)

8 strcat( ) /* same as srtcpy( ) but cancatenates source string to end of a buffer */ /* safer alternative is to use strncat( ) ; still need to insure you don’t */ /* overrun the destination buffer */ strncat(dst, src, dst_size - strlen(dst) -1);

9 sprintf( ) & vsprintf( ) /* usually used for formatting text but can accidentally cause a buffer overrun */ void main(int argc, char **argv) { char usage[1024]; sprintf(usage, “USAGE: %s -f flag [arg1]\n”, argv[0]); /* this program could easily be subverted by: */ void main( ) { exec1(“/path/to/previous/program”, >, NULL); }

10 sprintf( ) & vsprintf( ) /* There is no really portable way around this problem, sometimes a snprintf( ) */ /* is provided that lets you specify max number of characters to copy: */ void main(int argc, char **argv) { char usage[1024]; char format_string = “USAGE: %s -f flag [arg1]\n” snprintf(usage, 1024, format_string, argv[0]); } /* asafer way is to specify a precision for each argument */ void main (int argc, char **argv) { char usage[1024]; sprintf(usage, “USAGE: %.1000s -f flag [arg1]\n”, argv[0]); }

11 scanf( ), sscanf( ), fscanf( ), vfscanf( ) /* these are likewise poorly designed, in this case destination buffers can overflow */ void main(int argc, char **argv) { char buffer[256]; sscanf(argv[0], %s, &buffer); } /* if the word being scanned is bigger than the buffer size it will overflow, fix the */ /* problem by specifying a precision for the arguement: */ void main(int argc, char **argv) { char buffer[256]; sscanf(argv[0], “%255s”, &buffer); }

12 streadd( ), strecpy( ) strecpy() copies the input string, up to a null byte, to the output string, expanding non-graphic characters to their equivalent C- language escape sequences (for example, \n, \001). This means that to avoid a possible overflow the destination must be 4x bigger than the source streadd() is identical to strecpy(), except that it returns the pointer to the null byte that terminates the output.

13 strtrns( ) strtrns() transforms string and copies it into result. Any character that appears in old is replaced with the character in the same position in new. The new result is returned. void main(int argc, char **argv) { char lower[ ] = “abcdefg....xyz”; char upper[ ] = “ABCDEFG....XYZ”; char *buffer; if argc <2 { printf(“USAGE: %s arg\n”, argv[0]); return 0; } buffer = (char *)malloc(strlen(argv[1]+1); strtrns(argv[1], lower, upper, buffer); printf(“%s\n”, buffer); }

14 functions to be wary of: gets( ) strcpy( ) strcat( ) sprintf( ) scanf( ) sscanf( ) fscanf( ) vfscanf( ) vsscanf( ) streadd( ) strecpy( ) strtrns( ) realpath( ) syslog( ) getopt( ) getopt_long( ) getpass( ) getchar( ) fgetc( ) getc( ) read( ) bcopy( ) fgets( ) memcpy( ) snprintf( ) strccpy( ) strcadd( ) strncpy( ) vsnprintf( )

15 heap overflows

16 stack overflows

Download ppt "Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value."

Similar presentations

SWE 681 / ISA 681 Secure Software Design & Programming: Lecture 3: Buffer Overflow Dr. David A. Wheeler 2013-09-12.

SWE 681 / ISA 681 Secure Software Design & Programming: Lecture 3: Buffer Overflow Dr. David A. Wheeler
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Introduction to C Programming

Introduction to C Programming
A C++ Crash Course Part II UW Association for Computing Machinery Questions & Feedback.

A C++ Crash Course Part II UW Association for Computing Machinery Questions & Feedback.
Week 5 Part I Kyle Dewey. Overview Exam will be back Thursday New office hour More on functions File I/O Project #2.

Week 5 Part I Kyle Dewey. Overview Exam will be back Thursday New office hour More on functions File I/O Project #2.
Functions, Varargs, and Stack Smashing Using the Stack for Good And Evil Before You Sit Down Please Get The Handout at the Entrance This file is called.

Functions, Varargs, and Stack Smashing Using the Stack for Good And Evil Before You Sit Down Please Get The Handout at the Entrance This file is called.
Lectures 10 & 11.

Lectures 10 & 11.
C Characters & Strings Character Review Character Handling Library Initialization String Conversion Functions String Handling Library Standard Input/Output.

C Characters & Strings Character Review Character Handling Library Initialization String Conversion Functions String Handling Library Standard Input/Output.
1 Chapter 10 Strings and Pointers. 2 Introduction  String Constant  Example: printf(“Hello”); “Hello” : a string constant oA string constant is a series.

1 Chapter 10 Strings and Pointers. 2 Introduction  String Constant  Example: printf(“Hello”); “Hello” : a string constant oA string constant is a series.
Character String Manipulation. Overview Character string functions sscanf() function sprintf() function.

Character String Manipulation. Overview Character string functions sscanf() function sprintf() function.
Character String Manipulation. Overview Character string functions sscanf() function snprintf() function.

Character String Manipulation. Overview Character string functions sscanf() function snprintf() function.
Lecture 20 Arrays and Strings

Lecture 20 Arrays and Strings
What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.

What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.
Strings CS240 Dick Steflik. What is a string A null terminated array of characters: char thisIsAString[10]; 0 1 2 3 4 5 6 7 8 9 \0 The “\0” (null character)

Strings CS240 Dick Steflik. What is a string A null terminated array of characters: char thisIsAString[10]; \0 The “\0” (null character)
Nirmalya Roy School of Electrical Engineering and Computer Science Washington State University Cpt S 122 – Data Structures Characters and Strings.

Nirmalya Roy School of Electrical Engineering and Computer Science Washington State University Cpt S 122 – Data Structures Characters and Strings.
Chapter Fourteen Strings Revisited. Strings A string is an array of characters A string is a pointer to a sequence of characters A string is a complete.

Chapter Fourteen Strings Revisited. Strings A string is an array of characters A string is a pointer to a sequence of characters A string is a complete.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.

Similar presentations

Ads by Google