Buffer Overflow

Overview

Buffers are memory storage regions that temporarily hold data while it is being transferred from one location to another.

Buffer overflow happens when data quantity exceeds memory buffer storage capacity. This can occur due to a programming mistake when a process tries to store data outside the limits of a fixed-sized buffer. Consequently, the program that attempts to write data to the buffer overwrites adjacent memory locations.

The consequences of a buffer overflow include data corruption, unexpected transfers of control, and possible memory access violations.

Exploiting

To exploit a buffer overflow, the attacker needs to identify a buffer overflow vulnerability and understand how that buffer will be stored in the process memory.

For example, a buffer for login credentials may be designed to expect 8-byte inputs for both the username and password. If a transaction involves an input of 10 bytes (2 bytes more than expected), the program may write the excess data past the buffer boundary.

If attackers know the memory layout of a program, they can intentionally feed input that the buffer cannot store and overwrite areas that hold executable code, replacing it with their own code.
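As an added example (not code from the original page), the 8-byte credential fields described above in C: the unchecked strcpy pattern that writes past the field, beside a bounded copy that rejects oversized input and leaves the neighbouring field untouched. The struct and function names are my own.

```c
#include <stdio.h>
#include <string.h>

#define CRED_LEN 8   /* fixed-size fields, as in the login example above */

/* Two adjacent fixed-size buffers: an overflow of username spills into password. */
struct login {
    char username[CRED_LEN];
    char password[CRED_LEN];
};

/* Vulnerable pattern: strcpy copies until the source NUL and never looks at the
 * destination size. A 10-byte username plus its terminator is 11 bytes, so 3 bytes
 * land past the end of username, in password. */
void set_username_unchecked(struct login *l, const char *src)
{
    strcpy(l->username, src);
}

/* Hardened pattern: measure the source against the destination first and refuse
 * input that would not fit together with its terminator. Returns 0 on success and
 * -1 on rejection; the destination is left untouched on rejection. */
int set_field_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strnlen(src, dst_size);   /* reads at most dst_size bytes of src */
    if (n >= dst_size)
        return -1;                       /* no room for the NUL terminator */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Fill a whole login record safely; returns 0 if both fields fit, else -1. */
int set_login_checked(struct login *l, const char *user, const char *pass)
{
    if (set_field_checked(l->username, sizeof l->username, user) != 0)
        return -1;
    if (set_field_checked(l->password, sizeof l->password, pass) != 0)
        return -1;
    return 0;
}

int main(void)
{
    struct login l = { "alice", "secret" };   /* constructed sample record */
    /* 10-byte input, 2 bytes more than the 8-byte field expects */
    int rc = set_field_checked(l.username, sizeof l.username, "alicealice");
    printf("checked copy of 10 bytes into 8-byte field: rc=%d, password still '%s'\n",
           rc, l.password);
    /* set_username_unchecked(&l, "alicealice") would instead overwrite password. */
    return 0;
}
```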

Types of buffer overflow attacks

Stack-based attacks:

This type of attack is more common and leverages stack memory that only exists during the execution time of a function.

Heap-based attacks:

This type of attack can be difficult to carry out and may involve flooding the memory space allocated for a program beyond the memory used for current runtime operations.

Program Memory layout

When a program runs, it needs memory space to store data. For a C program, its memory is divided into five segments, each with its own purpose:

Text Segment:

Stores the executable code. Usually read-only.

Data Segment:

Stores static/global variables.

BSS Segment:

Stores uninitialized static/global variables. Filled with zeros by the OS.

Heap:

Used to provide space for dynamic memory allocation.

Stack:

Used for storing local variables defined inside functions.

Prevention Strategies

Address Space Layout Randomization (ASLR):

ASLR randomizes the locations of a process's memory regions. Buffer overflow attacks typically need to know the location of executable code, and randomizing the address space makes this virtually impossible to predict reliably.

Data Execution Prevention:

Data Execution Prevention is a security feature that marks memory regions as either executable or non-executable. This prevents an attacker from running code placed in a non-executable region.

Structured Exception Handler Overwrite Protection (SEHOP):

SEHOP is a built-in system mitigation that helps prevent malicious code from abusing structured exception handling, the mechanism that manages hardware and software exceptions. By validating the chain of exception registration records before an exception is dispatched, it prevents an attacker from using a stack-based buffer overflow to overwrite an exception registration record stored on a thread's stack.

Cases

  • Morris worm in 1988
  • Code Red worm in 2001
  • SQL Slammer in 2003
  • Stagefright attack against Android phones in 2015
  • CVE-2021-21017 (impacts Adobe Acrobat Reader)