
Buffer Overflow Attack

By

Alfred Chin Toong Gaap

SCHOOL OF ARTS AND SCIENCE, TUNKU ABDUL RAHMAN COLLEGE, KUALA LUMPUR, 2013/2014

A seminar report submitted to the School of Arts and Science in partial fulfillment of the requirement for the Bachelor of Science, Campbell University, U.S.A. and Advanced Diploma in Science, Tunku Abdul Rahman College, 2013/2014

Seminar 2

Table of Contents

1. Introduction
2. Exploitation
   2.1. Stack Based
   2.2. Heap Based
3. Countermeasures
   3.1. Use of Programming Language
   3.2. Use of Safe Libraries
   3.3. Use of Compiler Tools
   3.4. Dynamic Run Time Checks
   3.5. Always be updated
4. Literature Review
5. Application in Final Year Project
6. Conclusion
7. References

Problem Statement

Computer systems are constantly evolving with the advances of technology, and many paper based systems have been replaced by computer systems as a result. But is this really a good move? Computer systems have their fair share of security risks and exploitable vulnerabilities. In addition, the Internet, which connects almost every computer in the world, can be used as a medium for hackers to attack any connected computer, steal data or cause havoc. Security is now considered by many to be the most important component of a computer system, whether it sits on a local network or is a web site available on the Internet. In this seminar, I will explain how buffer overflows are exploited and what countermeasures we can implement against them.

1. Introduction

Buffer overflow based exploits are featured on a number of security related websites. Although many people are aware of the threat posed by buffer overflows, going any deeper into the topic is not easy: the reader must at least be familiar with the basics of the C programming language, or have a background in some form of programming. This report explains some of the common buffer overflow exploitation techniques and the countermeasures that can be taken to prevent such attacks, and takes a brief look at the history of the buffer overflow.

1.1 What is a Buffer Overflow?

We now live in a world full of computer programs, from simple ones such as a calculator or a children's game to much more complex ones such as the operating system of an artificially intelligent robot on Mars. One thing every computer program has in common is a temporary memory space used to store the data it is processing. In most cases that data is input from a user, such as a formula to calculate or something as simple as a name on a registration page, and it occupies the space in memory that has been allocated to the task. This temporary memory space is commonly known as a buffer. All of this is normal in an average computer program, but what if the memory that was allocated is not enough to hold the data being written into it? The data overflows into the adjacent memory, overwriting and corrupting whatever is stored there. This anomaly is known as a buffer overflow. On one hand it makes the program behave erratically, return incorrect results, or crash and stop everything; on the other hand it presents hackers with an opportunity to exploit the software vulnerability and use it to run arbitrary code. Even though a buffer overflow usually happens accidentally, as the result of a programming error, it has become an increasingly common form of security attack.

1.2 Technical Description

A buffer overflow occurs when data written into a buffer extends past its boundaries, overwriting and corrupting data in the adjacent memory. This happens easily when copying data from one buffer to another without checking whether the destination buffer is big enough for the incoming data. In the following example, a program has two data items adjacent in memory: an 8-byte string buffer, A, and a two-byte big-endian integer, B.

Figure 1.1 Original byte allocation

Variable name   Value           Hex value
A               [null string]   00 00 00 00 00 00 00 00
B               1979            07 BB

Now the program tries to store the string "excessive" into A.

Figure 1.2 Overflowed byte allocation

Variable name   Value           Hex value
A               e x c e s s i v 65 78 63 65 73 73 69 76
B               25856           65 00

"excessive" is 9 characters long, and the copy also writes the terminating null byte, so 10 bytes are written into A, which can only hold 8. The value of B has changed because the character "e" (0x65) and the null byte have overflowed from A into B; read as a big-endian integer, 65 00 is 25856. If the bytes written past the end of the buffer land on memory that the process does not have mapped, the operating system detects the fault and raises a segmentation error that terminates the process entirely; when they land on other valid data, as here, the corruption goes unnoticed until the corrupted value is used.
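To make the bytes in Figures 1.1 and 1.2 reproducible, the following C program is added here as an example; it is not part of the original report. It pins A and B together in a struct (C does not guarantee that two separate variables are adjacent), performs the unchecked copy that the figures describe, and puts a bounds-checked copy next to it that rejects the same input. The struct, the function names and the clamping of the unchecked copy to the end of the record are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout from Figures 1.1 and 1.2: an 8-byte string buffer A followed
 * immediately by a 2-byte big-endian integer B. A struct is used because
 * C does not promise that two separate variables sit next to each other;
 * here the adjacency is pinned down so the overflow is reproducible. */
struct record {
    char          a[8];   /* A: room for 7 characters plus the terminating NUL */
    unsigned char b[2];   /* B: big-endian, b[0] is the high byte */
};

uint16_t read_b(const struct record *r)
{
    return (uint16_t)((r->b[0] << 8) | r->b[1]);
}

void write_b(struct record *r, uint16_t v)
{
    r->b[0] = (unsigned char)(v >> 8);
    r->b[1] = (unsigned char)(v & 0xff);
}

/* Unchecked copy, doing what strcpy(r->a, src) does: it copies src and its
 * terminating NUL into A and keeps writing into whatever follows A. The copy
 * is clamped to the end of the record only so that the demo stays in memory
 * the program owns; a real overflow has no such clamp. */
void unchecked_store(struct record *r, const char *src)
{
    size_t n = strlen(src) + 1;
    size_t room = sizeof *r - offsetof(struct record, a);
    if (n > room)
        n = room;
    memcpy((unsigned char *)r + offsetof(struct record, a), src, n);
}

/* Bounds-checked copy: refuses any string that does not fit in A together
 * with its NUL, leaving both A and B untouched. Returns 0 on success. */
int checked_store(struct record *r, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > sizeof r->a)
        return -1;
    memcpy(r->a, src, n);
    return 0;
}

/* Runs one copy against a fresh record with B = 1979 (0x07BB) and returns
 * the value of B afterwards; `checked` selects which copy routine is used. */
uint16_t b_after_store(const char *src, int checked)
{
    struct record r;
    memset(&r, 0, sizeof r);
    write_b(&r, 1979);
    if (checked)
        checked_store(&r, src);
    else
        unchecked_store(&r, src);
    return read_b(&r);
}

/* 1 if the checked copy accepts src, 0 if it rejects it. */
int store_accepted(const char *src)
{
    struct record r;
    memset(&r, 0, sizeof r);
    return checked_store(&r, src) == 0;
}

int main(void)
{
    printf("B after unchecked copy of \"excessive\": %u\n", b_after_store("excessive", 0));
    printf("B after unchecked copy of \"excessiv\":  %u\n", b_after_store("excessiv", 0));
    printf("B after checked copy of \"excessive\":   %u\n", b_after_store("excessive", 1));
    return 0;
}
```

The second unchecked case is worth noting: "excessiv" is exactly 8 characters, so only the null terminator spills into B, which silently becomes 0x00BB (187). Off-by-one overflows of this kind are as common in practice as the obvious 9-character case.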

2. Exploitation

Ever since the Internet went online and could be accessed by anyone, anytime and anywhere, hackers have appeared all around the world. Some hack into systems to steal information or even money, while others hack into systems just for the fun of it and wreak havoc simply because they can. With the information from the previous section, we can now move on to the two common forms of buffer overflow exploitation that hackers use to undermine the security of web sites and other software.

2.1 Stack Based

The first form of exploitation we explore is known as stack smashing or stack overflow. To explain it we must first understand what a stack is. A stack is a region of memory made up of blocks (stack frames) placed one on top of another, each holding the data of one function call.

Figure 2.1 Stack memory block

As shown in figure 2.1, the stack pointer marks the top of the stack, which is where the frame of the next called function will be placed. When a function is called, its parameters are pushed onto the stack, followed by the return address and the saved frame pointer, and then space for the function's local variables, including any local buffers. The stack grows from high memory addresses towards low memory addresses, so each new function call moves the stack pointer downwards. Because the stack pointer keeps changing, the frame pointer is used as a fixed reference point from which the function's local variables and parameters are addressed. With this understanding of the stack, we move on to how hackers exploit it. Below is an example of a C program.

    #include <string.h>

    void function(char *text)
    {
        char buffer[15];        /* buffer space of 15 bytes */
        strcpy(buffer, text);   /* copies text into the buffer with no length check */
    }

    int main(void)
    {
        char *text = "I am greater than 15 bytes";   /* 26 characters plus the null terminator = 27 bytes */
        function(text);
        return 0;
    }

Example 2.1

The program in Example 2.1 allocates a 15-byte buffer as a local variable and uses strcpy to copy text into it. When the program runs, it will behave erratically, because the string being copied into the buffer is 27 bytes long (including the terminating null) while the buffer has only 15 bytes allocated. The extra bytes overflow into the adjacent part of the stack frame and overwrite the saved frame pointer and the return address stored above the buffer. This is what an attacker abuses: the input is crafted so that the code the attacker wishes to execute is placed in the buffer and the return address is overwritten with an address that points back into the buffer. When the function returns, the processor jumps to that address and the attacker's code runs. Such input can reach the program through environment variables or program input parameters. This classic form of the attack relies on the overwritten return address being used unchecked; the compiler and run-time protections in section 3 are designed to detect exactly that.

2.2 Heap based

The next form of exploitation on our list is heap based. The heap is a region of memory from which a program allocates blocks dynamically, in any order, while it is running. The heap differs from the stack in how memory is allocated: stack memory is allocated and released in a strictly defined order, while heap memory is allocated and released by the application itself during execution. Stack and heap overflows share the same idea, overflowing a buffer with attacker-controlled data in order to gain access or corrupt the system, but the way they are exploited is entirely different. In particular, the heap does not hold a frame pointer or a return address that could be abused to slip in the attacker's code directly. In general, heap overflow attacks are harder to exploit than stack overflow attacks, because the occurrence of an overflow is not the only factor that contributes to the success of the attack: in most cases the heap's own bookkeeping data must be corrupted in a specific way, not merely overwritten. When a program has finished with a block, the block is freed and goes back onto the allocator's list of free blocks; the allocator keeps the pointers that link these blocks, and the sizes of the blocks, in headers that sit right next to the data. An attacker therefore overflows a heap buffer so as to overwrite the pointers in the header of the next block, and when the allocator later uses those corrupted pointers, for example when the overflowed buffer or its neighbour is freed or allocated, the attacker gets to write a value of their choosing to a location of their choosing, which is then used to redirect execution to the attacker's code. In 2004, a flaw was discovered in the way Microsoft Windows XP interpreted JPG files. The flaw allowed a heap based buffer overflow attack to be carried out and let hackers execute any code they wanted, including running other programs. [9]
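The following C program is an added example, not code from the report or from any real allocator, that models the heap attack described above with a toy allocator: each chunk's free-list link sits in a header immediately after the previous chunk's data, an unchecked copy into one chunk overwrites the next chunk's link, and the next allocation hands the program a pointer to memory the attacker chose (here a record named secret). The chunk layout, the arena of three chunks, the names, the secret value and the clamping of the copy to the arena are all assumptions; the checked allocator at the end shows the pointer sanity check that real allocators use to refuse such a corrupted link.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHUNK_DATA 32
#define NCHUNKS    3

/* Toy allocator. As in real heaps, each chunk's bookkeeping (a free-list
 * link and a size) sits in a header directly in front of its user data, so
 * the data of chunk i abuts the header of chunk i+1. Assumed layout. */
struct chunk {
    struct chunk *fd;             /* next chunk on the free list */
    uint32_t      size;
    uint32_t      is_free;
    char          data[CHUNK_DATA];
};
_Static_assert(offsetof(struct chunk, data) + CHUNK_DATA == sizeof(struct chunk),
               "chunk data must end exactly where the next header begins");

struct chunk  heap[NCHUNKS];      /* the arena: three contiguous chunks */
struct chunk *free_head;
struct chunk  outside;            /* chunk-shaped storage outside the arena, standing in
                                   * for any memory the attacker wants to write to */
char         *secret = outside.data;

void heap_init(void)
{
    memset(heap, 0, sizeof heap);
    memset(&outside, 0, sizeof outside);
    strcpy(secret, "role=user");              /* constructed sensitive value */
    for (int i = 0; i < NCHUNKS; i++) {
        heap[i].size = CHUNK_DATA;
        heap[i].is_free = 1;
    }
    heap[0].is_free = 0;                      /* chunk 0 is in use by the program */
    heap[1].fd = &heap[2];                    /* free list: chunk 1 -> chunk 2 -> end */
    heap[2].fd = NULL;
    free_head = &heap[1];
}

/* Unchecked allocator: pops the free list and trusts the link blindly. */
char *toy_malloc(void)
{
    struct chunk *c = free_head;
    if (c == NULL) return NULL;
    free_head = c->fd;
    c->is_free = 0;
    return c->data;
}

/* True if c is NULL or an aligned chunk inside the arena. */
static int in_arena(const struct chunk *c)
{
    uintptr_t p = (uintptr_t)c, lo = (uintptr_t)heap, hi = lo + sizeof heap;
    return c == NULL || (p >= lo && p < hi && (p - lo) % sizeof(struct chunk) == 0);
}

/* Hardened allocator: refuses a link that does not point at a chunk of this
 * arena, the same idea as the free-list pointer checks in modern allocators. */
char *toy_malloc_checked(void)
{
    struct chunk *c = free_head;
    if (c == NULL) return NULL;
    if (!in_arena(c) || !in_arena(c->fd)) return NULL;   /* corrupted metadata */
    free_head = c->fd;
    c->is_free = 0;
    return c->data;
}

/* Vulnerable copy into chunk 0 with no length check: the bytes run on into
 * chunk 1's header. Clamped to the arena only so the demo stays in memory
 * the program owns; a real overflow is not clamped. */
void vulnerable_copy(const unsigned char *src, size_t len)
{
    size_t start = offsetof(struct chunk, data), room = sizeof heap - start;
    if (len > room) len = room;
    memcpy((unsigned char *)heap + start, src, len);
}

/* Attacker payload: fill chunk 0's data, then a forged fd for chunk 1 that
 * makes the allocator hand out `target` as if it were a free chunk's data. */
size_t build_payload(unsigned char *out, char *target)
{
    struct chunk *fake = (struct chunk *)((uintptr_t)target - offsetof(struct chunk, data));
    memset(out, 'A', CHUNK_DATA);
    memcpy(out + CHUNK_DATA, &fake, sizeof fake);
    return CHUNK_DATA + sizeof fake;
}

/* Runs the overflow, then allocates twice from the unchecked allocator and
 * returns the second pointer: it is `secret`, so the program's next write
 * into its "fresh" buffer lands on the attacker's chosen target. */
char *attack_unchecked(void)
{
    unsigned char payload[CHUNK_DATA + sizeof(struct chunk *)];
    size_t n = build_payload(payload, secret);
    heap_init();
    vulnerable_copy(payload, n);
    toy_malloc();                             /* pops chunk 1, whose fd is now forged */
    return toy_malloc();                      /* follows the forged fd */
}

/* Same overflow against the checked allocator; 1 if the forged link was refused. */
int attack_detected(void)
{
    unsigned char payload[CHUNK_DATA + sizeof(struct chunk *)];
    size_t n = build_payload(payload, secret);
    heap_init();
    vulnerable_copy(payload, n);
    return toy_malloc_checked() == NULL;
}
```

Calling attack_unchecked() and then writing "role=admin" through the pointer it returns changes secret, even though the program believes it is filling a freshly allocated buffer; this is why the text above says the attacker corrupts the bookkeeping rather than the data. toy_malloc_checked() rejects the same free list at the first allocation because the forged link does not point into the arena.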

3. Countermeasures

What is the best way to prevent a hacker from exploiting a buffer overflow? It is to prevent the buffer from overflowing in the first place. Many different techniques have been used to detect or prevent buffer overflows. Automatic protection at the language level is considered the most reliable way to avoid or prevent a buffer overflow; its downside is that it cannot be applied to the legacy code that is still in use in many parts of the world. The following sections describe the choices available and how they are applied.

3.1 Use of programming language

The programming language in use has a great effect on the occurrence of buffer overflows. The most popular languages to date are C and C++. Unfortunately, they have no built-in protection against accessing or overwriting data anywhere in memory. Many other programming languages perform checking at run time, and sometimes even at compile time, and will issue a warning or raise an exception when data would be written outside its bounds. Some examples of these languages are Ada, Lisp, Modula-2, OCaml, Cyclone and D. Buffer overflows are most common in C and C++ because these languages expose the low level representation of a buffer. Code that performs buffer management must be written with a high degree of correctness in order to avoid buffer overflows. Programmers are also advised to avoid the standard library functions that do not check their bounds, such as gets, scanf (with the %s format) and strcpy. Programmers can also choose a higher level programming language such as php and avoid the low level languages that are most vulnerable to such attacks.

3.2 Use of safe libraries

Using data type libraries that perform buffer management and bounds checking can reduce both the occurrence and the impact of buffer overflows. Buffer overflows mainly occur in two data types, arrays and strings, so proper libraries that prevent overflows in these two types are the best choice for a programmer. Among the libraries for the C and C++ programming languages that are safe to use are The Better String Library, Vstr and Erwin.

3.3 Use of compiler tools

Compiler tools are becoming more intelligent and aggressive in optimizing code and checking for suspicious constructs. Various compilers for C and C++ offer warnings on the unsafe use of functions such as gets and strcpy. Modern compilers have also changed the way programs are compiled, for example by performing bounds checking automatically without any changes to the source code, and they can generate code with built-in safeguards that prevent illegal addresses from being used and stop such code from running. StackShield is a tool that is available for free. At the beginning of a function it copies the function's return address to a safe place; when the function is done, just before it returns, the tool compares the return address on the stack with the saved copy. If the two addresses do not match, the function stops immediately. StackGuard is another available tool that protects the return address on the stack from being overwritten, which makes stack overflow attacks easier to detect and defeat. It places a canary word next to the return address of every function that is called; the canary is checked to make sure the return address has not been overwritten. If the canary word differs from the value first placed there, an alteration has taken place and an attempt to overflow the buffer has been made. The tool responds by raising an alert and stopping execution. Because an overflowing copy must pass through the canary to reach the return address, it cannot overwrite the return address without also changing the canary, unless the attacker already knows the canary's value.

3.4 Dynamic run time checks

In this method of protection, applications run under restricted conditions in order to prevent attacks. A safety library is loaded before the application is executed, and this preloaded code provides safer versions of the standard C and C++ functions, or at least ensures that return addresses are not overwritten. Libsafe is one example of a tool that protects the return address. With Libsafe preloaded, the program's calls to the unsafe standard C functions are redirected to Libsafe's checked versions, without recompiling and even when the program's source code is not available. Libsafe uses the fact that stack frames are linked together by frame pointers to stop an overwritten return address from being executed: it follows the frame pointers to find the stack frame in which the buffer was allocated, and so can make sure that an unsafe function is not allowed to write past that frame. Libsafe also looks for the closest return address on the stack and makes sure that it is not overwritten. If an attempt is made to overwrite the address, the program is terminated and a warning is given out.
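To tie sections 2.1, 3.3 and 3.4 together, the following C program is an added example (not from the report, and not the real StackShield, StackGuard or Libsafe code) that models one stack frame as a struct with the layout of section 2.1 and runs the attacker's payload for Example 2.1 against three checks: a StackGuard-style canary, a StackShield-style shadow copy of the return address, and a Libsafe-style bound on how far an unsafe copy may reach. The frame layout, the fixed canary and addresses, the function names and the clamping of the copy to the frame are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 16
typedef uint64_t addr_t;

/* One stack frame, lowest address first, with the layout of section 2.1:
 * the local buffer, then a StackGuard-style canary, then the saved frame
 * pointer, then the return address. Layout and values are assumptions. */
struct frame {
    char   buffer[BUF_SIZE];
    addr_t canary;
    addr_t saved_fp;
    addr_t return_addr;
};

#define LEGIT_RETURN 0x401136ULL             /* hypothetical: caller's next instruction */
#define CALLER_FP    0x7ffd1000ULL           /* hypothetical saved frame pointer */
#define CANARY_VALUE 0x2f3d9a11c0ffee00ULL   /* hypothetical; real canaries are random per process */

void frame_init(struct frame *f)
{
    memset(f->buffer, 0, sizeof f->buffer);
    f->canary = CANARY_VALUE;
    f->saved_fp = CALLER_FP;
    f->return_addr = LEGIT_RETURN;
}

/* What strcpy in Example 2.1 does: copies len bytes from the start of the
 * buffer onwards with no check, running on into the rest of the frame.
 * Clamped to the frame only so the demo stays in memory the program owns. */
void vulnerable_copy(struct frame *f, const unsigned char *src, size_t len)
{
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f + offsetof(struct frame, buffer), src, len);
}

/* Attacker payload: filler up to the return-address slot, then the address
 * to return to (an attacker points it back into the buffer holding their code). */
size_t build_payload(unsigned char *out, addr_t new_return)
{
    size_t off = offsetof(struct frame, return_addr);
    memset(out, 'A', off);
    memcpy(out + off, &new_return, sizeof new_return);
    return off + sizeof new_return;
}

/* StackGuard-style epilogue check: has the canary changed? */
int canary_intact(const struct frame *f) { return f->canary == CANARY_VALUE; }

/* StackShield-style check: does the return address match the copy saved at entry? */
int return_intact(const struct frame *f, addr_t saved_copy) { return f->return_addr == saved_copy; }

/* Libsafe-style bound: an intercepted unsafe copy into a stack buffer may
 * extend at most up to the saved frame pointer of the frame that owns the
 * buffer (Libsafe finds that frame by walking the frame-pointer chain; here
 * the struct layout gives the distance directly). */
int libsafe_copy(struct frame *f, const unsigned char *src, size_t len)
{
    size_t limit = offsetof(struct frame, saved_fp) - offsetof(struct frame, buffer);
    if (len > limit) return -1;               /* Libsafe would terminate the process */
    memcpy(f->buffer, src, len);
    return 0;
}

struct outcome { addr_t returned_to; int canary_ok; int shadow_ok; int libsafe_ok; };

/* Feeds one input to the vulnerable function and reports what each defence saw. */
struct outcome run(const unsigned char *input, size_t len)
{
    struct frame f;
    struct outcome o;
    frame_init(&f);
    addr_t shadow = f.return_addr;            /* StackShield: copy taken at function entry */
    vulnerable_copy(&f, input, len);
    o.returned_to = f.return_addr;            /* where the function's "ret" would now jump */
    o.canary_ok = canary_intact(&f);
    o.shadow_ok = return_intact(&f, shadow);
    frame_init(&f);                           /* fresh frame for the Libsafe variant */
    o.libsafe_ok = libsafe_copy(&f, input, len) == 0;
    return o;
}

/* Crafted input that tries to make the function return to `target`. */
struct outcome run_attack(addr_t target)
{
    unsigned char p[sizeof(struct frame)];
    size_t n = build_payload(p, target);
    return run(p, n);
}

/* Ordinary string input, including its terminating NUL. */
struct outcome run_benign(const char *s)
{
    return run((const unsigned char *)s, strlen(s) + 1);
}
```

With the crafted payload, run_attack() reports the return address replaced by the attacker's value and all three checks failing; a short string passes all three. Example 2.1's own 27-byte string is instructive in this layout: it clobbers the canary and the saved frame pointer but stops short of the return address, so the shadow-copy check alone would not notice it while the canary and the Libsafe bound both would.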

3.5 Always be updated

Security is, and has always been, a hard problem. Where one difficulty has been dealt with, another arises. This is especially troublesome when security must be enforced on more than one layer of a web application. A web application has four main components: the operating system, the web server, the runtime (the language interpreter or framework) and the web application itself. If any of these components is compromised, it affects the others and ultimately the entire web application. Software developers are aware of this and constantly update their software with fixes to these problems. Therefore programmers and clients alike must always keep their software and operating systems updated to the latest patch. One example is php, which is constantly updated with fixes for the bugs and problems it may have; the update to version 5.4.16 fixed a heap based buffer overflow [10]. In any case, the weakest link determines the overall strength of any web application.

4. Literature Review

4.1 Buffer Overflow Attacks and Their Countermeasures
By Sandeep Grover. Date read: 25th May 2012.

This online article was written by Sandeep Grover for the Linux Journal. The article, as its title suggests, is about buffer overflow attacks and possible countermeasures. After going through the article, I have learned about buffer overflow exploitation and some countermeasures to prevent it. The article explains stack based overflow exploitation. In my opinion, this article is quite informative and I would recommend it to others who are interested in the vulnerabilities and exploitation of computer systems, but the reader must have some understanding of a basic programming language such as C or C++.

5. Application in Final Year Project

5.1 Use a higher level programming language

Buffer overflows are quite a common mistake in low level programming languages like C or C++, and these mistakes have the potential to be a big problem for any developer of web based or software applications. I would choose to use php in my final year project as it is a higher level programming language. I will also be using the updated version of php that has been patched to fix any known buffer overflow problems. Programmers should also practise writing secure code and minimize the use of unsafe standard functions and low level languages, because low level programming languages are more vulnerable to buffer overflow exploitation than higher level programming languages.

6. Conclusion

The threat of buffer overflows is still relatively high and is still out there. The countermeasures mentioned above are all limited in one way or another. Frankly, there is no tool that can completely solve the buffer overflow problem, but they can still decrease the probability of its occurrence. The best possible solution to buffer overflows, however, is to write secure code in the first place. In the end, no matter how secure programs are, security issues are bound to come back in one form or another and are here to stay.

7. References

1. Glynn, F. (2012) What is a Buffer Overflow? Learn About Buffer Overrun Vulnerabilities, Exploits & Attacks. [online] Available at: http://www.veracode.com/blog/2012/04/what-is-a-buffer-overflow-learn-aboutbuffer-overrun-vulnerabilities-exploits-attacks/ [Accessed: 20 May 2013].
2. Searchsecurity.techtarget.com (2013) What is buffer overflow? - Definition from WhatIs.com. [online] Available at: http://searchsecurity.techtarget.com/definition/buffer-overflow [Accessed: 22 May 2013].
3. Stackoverflow.com (n.d.) malloc - What is a Memory Heap? - Stack Overflow. [online] Available at: http://stackoverflow.com/questions/2308751/what-is-amemory-heap [Accessed: 25 May 2013].
4. Grover, S. (2003) Buffer Overflow Attacks and Their Countermeasures. Linux Journal, p.3. Available at: http://www.linuxjournal.com/article/6701?page=0,0 [Accessed: 25 May 2013].
5. Stackoverflow.com (n.d.) performance - What is the purpose of the frame pointer? - Stack Overflow. [online] Available at: http://stackoverflow.com/questions/579262/what-is-the-purpose-of-the-frame-pointer [Accessed: 26 May 2013].
6. Rsa.com (2000) RSA Laboratories - Countermeasures against Buffer Overflow Attacks. [online] Available at: http://www.rsa.com/rsalabs/node.asp?id=2011 [Accessed: 28 May 2013].
7. Bstring.sourceforge.net (n.d.) The Better String Library. [online] Available at: http://bstring.sourceforge.net/ [Accessed: 29 May 2013].
8. Sites.google.com (n.d.) Notable Heap Attacks - Buffer Overflow Attack. [online] Available at: https://sites.google.com/site/bufferattack/attacks/heap/notable_attacks [Accessed: 29 May 2013].
9. Technet.microsoft.com (2004) Microsoft Security Bulletin MS04-028: Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987). [online] Available at: http://technet.microsoft.com/en-us/security/bulletin/ms04-028 [Accessed: 29 May 2013].
10. Php.net (2013) PHP: PHP 5 ChangeLog. [online] Available at: http://php.net/ChangeLog-5.php [Accessed: 29 May 2013].
