Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and Privacy , Vol 2, no.4, July 2004. Presented by Meenakshi Lakshmikanthan on 03/25/2010

Introduction Buffer overflows have been the most common form of security vulnerability for the last ten years. If buffer overflow vulnerabilities could be effectively eliminated, a very large portion of the most serious security threats would also be eliminated. Buffer overflow vulnerability presents the attacker the ability to inject and execute attack code.

Buffer Overflow Buffer Overflow vulnerabilities and attacks come in a variety of forms. The traditional approach to exploiting buffer overruns is Stack Smashing. Discussions of buffer overrun exploitation in literature typically concentrate on stack-smashing attacks. However, over the decade, hackers have developed several additional approaches to exploit buffer overruns.

Buffer Overflow Types Stack Smashing Arc Injection Pointer Subterfuge Function Pointer Clobbering Data Pointer Modification Exception Handler Hijacking VPTR Smashing Heap Smashing

Stack Smashing Changing the return address of a function thereby changing the flow of execution of the program. Execute some code (potentially supplied by the attacker). Stack smashing relies on the fact that most C compilers store the saved return address on the same stack used for local variables.

Stack Smashing * Buffer overrun if len > 100 * Void f1a(void * arg, size_t len) { char buff[100]; memcpy(buff, arg, len); /* ... */ return; } * Buffer overrun if len > 100 * Return Address Modification

Arc Injection Arc injection (return-into-libc), involves transferring control to code that already exists in the program's memory space. In other words, the exploit just inserts a new arc (control flow transfer) into the program’s control flow graph, as opposed to code injection exploits. A straightforward version of arc injection is to use a stack buffer overrun to modify the saved return address to point to a location already in the program’s address space.

Arc Injection – Example Program Void system(char * arg) { check_validity(arg); R = arg; target: execl(R, ...) } If an attacker can arrange for R to point to an attacker supplied string and then jump directly to the location target, thus bypassing the validity check and assignment, the system will treat the attacker-supplied string as a command line and execute it.

Void f1a(void * arg, size_t len) { char buff[100]; memcpy(buff, arg, len); /* ... */ return; } Assuming Register R contains the address of arg or buff then Void system(char * arg) { check_validity(arg); R = arg; target: execl(R, ...) Buffer Overflow Buff > 100 Return Address

Arc Injection Cont’ Arc-injection exploits are especially useful when the program has memory protection which prevents any area of memory from being simultaneously writeable and executable. Because no attacker-supplied code is executed, these mitigations do not prevent arc injection exploits.

Pointer Subterfuge A pointer is a variable that contains the address of a function, array element, or other data structure. Pointer subterfuge is a general term for exploits that involve modifying a pointer’s value. Four varieties of Pointer Subterfuge exist.

Function Pointer Clobbering (Method 1) Function pointers can be overwritten to transfer control to attacker-supplied code. Clobbering a function pointer allows an attacker to directly transfer control to arbitrary, attacker-supplied code When the program executes a call via the function pointer, the attacker’s code is executed instead of the originally intended code.

Function Point Clobbering : Example Program void f2a(void * arg, size_t len) { char buff[100]; void (*f)() = ...; memcpy(buff, arg, len); // Buffer Overrun// f(); /* ... */ return; } Calls the malicious code

Data Pointer Modification (Method 2) Data pointers can be modified by an attacker when exploiting a buffer overflow vulnerability. If a data pointer is used as a target for a subsequent assignment, attackers can control the address to modify other memory locations. In other words, Arbitrary Memory Write occurs when an attacker can control an address to modify other memory locations.

Data Pointers – Example Program void f2b(void * arg, size_t len) { char buff[100]; long val = ...; long *ptr = ...; extern void (*f)(); memcpy(buff, arg, len); // Buffer Overrun// *ptr = val; f(); /* ... */ return; } By overflowing the buffer, an attacker can overwrite ptr and val. When *ptr = val is evaluated (line 6), an arbitrary memory write is performed. External Function Pointer

Exception Handler Hijacking (Method 3) Several variations of exploit techniques target the Microsoft Windows Structured Exception Handling mechanism. When an exception is generated, Windows examines a linked list of exception handlers and invokes one of them via a function pointer stored in the list entry. Because the list entries are stored on the stack, it is possible to replace the exception-handler function pointer via buffer overflow, thus allowing an attacker to transfer control to an arbitrary location

VPTR Smashing (Method 4) A virtual function is a function member of a class, declared using the virtual keyword. Most C++ compilers implement virtual functions via a virtual function table (VTBL) associated with each class. VTBL is a list of function pointers to the virtual functions. VPTR is the pointer to the VTBL.

VPTR Smashing – Example Program void f4(void * arg, size_t len) { char *buff = new char[100]; C *ptr = new C;  New object of class C memcpy(buff, arg, len); /* buffer overrun! */ ptr->vf(); // Call to a virtual function return; }

Heap Smashing A buffer overrun is characterized as a stack buffer overrun or heap buffer overrun depending on what memory gets overrun. Heaps, refer to any dynamic memory implementations such as the C standard library’s malloc, C++’s new/delete etc. The key insight behind heap smashing is to exploit the implementation of the dynamic memory allocator by violating some assumed invariants.

Heap Smashing Example Program void f1b(void * arg, size_t len) { char * ptr = malloc(100); if (ptr == NULL) return; memcpy(ptr, arg, len); /* buffer overrun if len > 100 */ /* ... */ return; }

Heap Smashing - Problems The attacker typically does not know the heap block’s location ahead of time and hence it might be difficult to exploit the heap. Also, it is difficult to predict when the heap free operation will occur. Finally, in some situations, it is difficult to predict whether the next block has been allocated at the time the overrun occurs.

Contributions This paper has attempted to explain the different types of buffer overflows. Stack Smashing is the traditional approach which works by modifying the return address to transfer the control flow. Heap Smashing works by exploiting the dynamic memory allocator. Arc Injection transfers the control to code that already exists in the program’s memory space. Pointer Subterfuge methods involve the exploits that modify a pointer’s value.

Weakness Heap Smashing Techniques have not been dealt in detail. Lot of mismatch between references to the figure and content.

Thank You!!!!!!!