29-01-2024

Buffer Overflow
• Buffer: contiguous allocated chunk of memory, such as an
array or a pointer in C.

• Buffer overflow occurs when a user or a program writes

past the buffer, intruding into memory locations not
allocated for the buffer.

• Programming languages like C and C++ provide no

automatic bound checking on buffers thereby allowing
user to write past the buffer. 2

1
 29-01-2024

Anatomy of a Buffer Overflow

• Buffer: memory used to
store user input, has fixed
maximum size

• Buffer overflow: when user

input exceeds max buffer
size
– Extra input goes into
unexpected memory
locations
3

A Small Example
• Malicious user enters >
1024 chars, but buf can
only store 1024 chars;
extra chars overflow
buffer
void get_input() {
char buf[1024];
gets(buf);
}
void main(int argc, char*argv[]){
get_input();
}
4

2
 29-01-2024

The Problem
void try1(char *s) {
char buf[10];
strcpy(buf,s);
printf(“buf is %s\n”,s);
}
…
try1(“thisstringistolong”);

Continued…
int main()
{ Writing past the buffer

int buffer[10];
buffer[20]=10;
}

• Any C compiler will compile the above 6

segment with no errors.

3
 29-01-2024

Buffer Overflows
• Applications running on the host in Internet have certain
privileges.
• They can access part of the system resources like system
variables, system files and even execute certain commands
that a remote user/application cannot.
• From an attacker’s view point if he can take control of a
vulnerable application running on target on a target
computer he can misuse the privileges of victim
application.
• This happens in buffer overflow. 7

Types of Buffer Overflows

• Stack Overflows
• Format String Overflows
• Heap Overflows
• Integer Overflows

4
 29-01-2024

. A More Detailed Example

1 int checkPassword() {
2 char pass[16];
3 bzero(pass, 16); // Initialize
4 printf ("Enter password: ");
5 gets(pass);
6 if (strcmp(pass, "opensesame") == 0)
7 return 1;
8 else
9 return 0;
10 }
11
12 void openVault() {
13 // Opens the vault
checkPassword()
14 } pass[16] Return pass[16]
15
16 main() {
main() Addr. openVault()
17 if (checkPassword()) { main()
18 openVault();
19 printf ("Vault opened!");
20 } “Normal” Compromised
9
21 } Stack Stack

checkPassword() Bugs
• Execution stack: maintains current function state
and address of return function

• Stack frame: holds vars and data for function

• Extra user input (> 16 chars) overwrites return

address
– Attack string: 17-20th chars can specify address of
openVault() to bypass check
– Address can be found with source code or binary

10

5
 29-01-2024

The safe_gets() Function

#define EOLN '\n'
void safe_gets (char *input, int max_chars) {
if ((input == NULL) || (max_chars < 1))) return;
if (max_chars == 1) { input[0] = 0; return; }
int count = 0;
char next_char;
do {
next_char = getchar(); // one character at a time
if (next_char != EOLN)
input[count++] = next_char;
} while ((count < max_chars-1) && // leave space for null
(next_char != EOLN));
input[count]=0;
}
• Unlike gets(), takes parameter specifying max chars to
insert in buffer
• Use in checkPassword() instead of gets() to eliminate
buffer overflow vulnerability
11

Safe String Libraries

• C – Avoid (no bounds checks): strcpy(),
strcat(), sprintf(), scanf()
• Use safer versions (with bounds checking):
strncpy(), strncat(), fgets()
• Must pass the right buffer size to functions!
• C++: STL string class handles allocation
• Unlike compiled languages (C/C++),
interpreted ones (Java/C#) enforce type
safety, raise exceptions for buffer overflow
12

6
 29-01-2024

StackGuard
• Canary: random value, unpredictable to attacker
• Compiler technique: inserts canary before return
address on stack
• Corrupt Canary: code halts
program to thwart a
possible attack
• Not comprehensive
protection
Source: C. Cowan et. al., StackGuard,
13

Stack Direction
• On Linux (x86) the stack grows from high
addresses to low.

• Pushing something on the stack moves the

Top Of Stack towards the address 0.

14

7
 29-01-2024

A Stack Frame
Parameters
Return Address
Calling Frame Pointer
SP+offset
Local Variables
SP

Addresses

00000000
15

18
addressof(y=3) return address
Sample saved stack pointer
y
Stack x
buf

x=2; void test1(int j) {

test1(18); int x,y;
y=3; char buf[100];
x=j;
…
}
16

8
29-01-2024

9
 29-01-2024

NOPs
• Most CPUs have a No-Operation
instruction – it does nothing but advance the
instruction pointer.
• Usually we can put a bunch of these ahead
of our program (in the string).
• As long as the new return-address points to
a NOP we are OK.

20

10
 29-01-2024

Using NOPs
new return address

Real program
(exec /bin/ls or whatever)

nop instructions

21

for stack smashing

Overflow!!

22

11
 29-01-2024

Solutions

• The reason behind stack smashing is mismanagement of

memory and lazy programming.

• The main reason behind stack smashing is that no bound

checking is performed.

• Instead of using functions like strcpy, strcat use strncpy

and strncat which performs bound checking.
23

Solution with strncpy

Checking of
bounds

24

12
 29-01-2024

Format string overflows

• This type of vulnerability occurs while using the
format functions in C.
• Examples for format functions are:
– printf- printing to stdout
– fprint- printing to a file
– sprintf- printing to a string pointer

Format functions typically have 2 arguments:

– Format string like %d, %s, %x representing the type
and no: of parameters that are to follow.
25
– Data that is to be sent to the output stream
– Eg: printf(“%d”,input_decimal)

Vulnerability!!

26

13
 29-01-2024

Continued…
• Instead of giving a string if we give a
format string as below for the input of the
vulnfun() function:
“%08x.%08x.%08x.%08x.%08x”
• The printf below prints the values of five
consecutive words in the stack (as eight-
digit padded hexadecimal numbers). We
can walk up the stack this way and view the
27
contents of the stack.

Countermeasure…
Allow printf to print
only string values

28

14
 29-01-2024

Countermeasures
• Secure coding:
– Bound checking mandatory

– File access and user permissions must be kept in mind.

– Access permissions of even temporary files should be

restricted to prevent any malicious modifications in
between two consecutive executions

29
– All user inputs should be checked or validated for
malicious code.

Stop execution of malicious commands :

– Designate the data segment of an applications buffer
space as non executable zone.

– Unfortunately latest versions of unix & windows do not

have such a facility .
– Depending on the platform it is possible to download a
patch from your vendor.

– But this has the disadvantage that it stops legitimate

appliactions from offering there full fledged feauters. 30
It is a matter of balance between security &
functionality.

15
 29-01-2024

Conclusion
• Buffer Overflow attacks are not only very
dangerous but once executed,they are also quite
easy to execute.
• It is very important to take adequate security
countermeasures against buffer overflows.
• It is suggested to use programming languages like
java which do not give direct access on addresses.
• Buffer Overflow attacks can be countered by
Programming Applications efficiently & securely. 31

References
• Network Security: A Hacker’s Perspective-Ankit Fadia
• https://www.owasp.org/index.php/Buffer_Overflow
• www.linuxjournal.com/article/6701
• www.windowsecurity.com/.../analysis_of_buffer_overflow
_attacks
• Operating System #37 Buffer Overflow Attacks Explained
in Detail Best Programming Courses @
https://goo.gl/MVVDXR Complete Operating Systems
Lecture/ Tutorials from IIT @ https://goo.gl/GMr3if
32

16