University of Washington

Buffer overflows

¢ Address space layout

¢ Input buffers on the stack
¢ Overflowing buffers and injecting code
¢ Defenses against buffer overflows

Autumn 2013 Buffer Overflow 1

 University of Washington

not drawn to scale

IA32 Linux Memory Layout FF
Stack
¢ Stack 8MB
§ Runtime stack (8MB limit)
¢ Heap
§ Dynamically allocated storage
§ Allocated by malloc(), calloc(), new()
¢ Data
§ Statically allocated data
§ Read-only: string literals
§ Read/write: global arrays and variables
¢ Text
§ Executable machine instructions
§ Read-only

Heap
Data
Upper 2 hex digits Text
08
= 8 bits of address 00
Autumn 2013 Buffer Overflow 2
 University of Washington

IA32/Linux Stack Frame

¢ Current Stack Frame (“Top” to Bottom)
§ “Argument build” area
(parameters for function Caller
about to be called) Frame
§ Local variables Arguments
(if can’t be kept in registers)
§ Saved register context Frame pointer Return Addr
(when reusing registers) %ebp Old %ebp
§ Old frame pointer (for caller)
Saved
Registers
+
¢ Caller’s Stack Frame Local
§ Return address Variables
§How does call/ret change the stack?
§ Arguments for this call Argument
Stack pointer
Build
%esp
Autumn 2013 Buffer Overflow 3
 University of Washington

not drawn to scale

Memory Allocation Example FF
Stack

char big_array[1<<24]; /* 16 MB */
char huge_array[1<<28]; /* 256 MB */

int beyond;
char *p1, *p2, *p3, *p4;

int useless() { return 0; }

int main()
{
p1 = malloc(1 <<28); /* 256 MB */
p2 = malloc(1 << 8); /* 256 B */
p3 = malloc(1 <<28); /* 256 MB */
p4 = malloc(1 << 8); /* 256 B */
/* Some print statements ... */ Heap
} Data
Text
Where does everything go? 08
00
Autumn 2013 Buffer Overflow 4
 University of Washington

not drawn to scale

IA32 Example Addresses FF
Stack
address range ~232

$esp 0xffffbcd0
p3 0x65586008
p1 0x55585008
p4 0x1904a110
p2 0x1904a008
&p2 0x18049760
beyond 0x08049744
big_array 0x18049780 80
huge_array 0x08049760
main() 0x080483c6
Heap
useless() 0x08049744
final malloc() 0x006be166
Data
malloc() is dynamically linked; Text
its address is determined at runtime. 08
00
Autumn 2013 Buffer Overflow 5
 University of Washington

Internet Worm
¢ These characteristics of the traditional IA32 Linux memory
layout provide opportunities for malicious programs
§ Stack grows “backwards” in memory
§ Data and instructions both stored in the same memory

¢ November, 1988
§ Internet Worm attacks thousands of Internet hosts.
§ How did it happen?

Autumn 2013 Buffer Overflow 6

 University of Washington

Internet Worm
¢ These characteristics of the traditional IA32 Linux memory
layout provide opportunities for malicious programs
§ Stack grows “backwards” in memory
§ Data and instructions both stored in the same memory

¢ November, 1988
§ Internet Worm attacks thousands of Internet hosts.
§ How did it happen?

¢ Stack buffer overflow exploits!

Autumn 2013 Buffer Overflow 7

 University of Washington

Buffer Overflow in a nutshell

¢ Many classic Unix/Linux/C functions do not check argument
sizes.
¢ C does not check array bounds.
¢ Allows overflowing (writing past the end of) buffers (arrays)
¢ Overflows of buffers on the stack overwrite interesting data.
¢ Attackers just choose the right inputs.
¢ Probably the most common type of security vulnerability

Autumn 2013 Buffer Overflow 8

 University of Washington

String Library Code

¢ Implementation of Unix function gets()
/* Get string from stdin */
char* gets(char* dest) {
int c = getchar();
char* p = dest;
while (c != EOF && c != '\n') { pointer to start of an array
*p++ = c;
c = getchar();
}
*p = '\0';
return dest; same as:
}
*p = c;
p++;
§ What could go wrong in this code?

Autumn 2013 Buffer Overflow 9

 University of Washington

String Library Code

¢ Implementation of Unix function gets()
/* Get string from stdin */
char* gets(char* dest) {
int c = getchar();
char* p = dest;
while (c != EOF && c != '\n') {
*p++ = c;
c = getchar();
}
*p = '\0';
return dest;
}

§ No way to specify limit on number of characters to read

¢ Similar problems with other Unix functions
§ strcpy: Copies string of arbitrary length
§ scanf, fscanf, sscanf, when given %s conversion specification
Autumn 2013 Buffer Overflow 10
 University of Washington

Vulnerable Buffer Code

/* Echo Line */
void echo()
{
char buf[4]; /* Way too small! */
gets(buf);
puts(buf);
}

int main()
{
printf("Type a string:");
echo(); unix>./bufdemo
return 0; Type a string:1234567
} 1234567

unix>./bufdemo
Type a string:12345678
Segmentation Fault

unix>./bufdemo
Type a string:123456789ABC
Segmentation Fault
Autumn 2013 Buffer Overflow 11
 University of Washington

Buffer Overflow Disassembly

080484f0 <echo>:
80484f0: 55 push %ebp
80484f1: 89 e5 mov %esp,%ebp
80484f3: 53 push %ebx
80484f4: 8d 5d f8 lea 0xfffffff8(%ebp),%ebx
80484f7: 83 ec 14 sub $0x14,%esp
80484fa: 89 1c 24 mov %ebx,(%esp)
80484fd: e8 ae ff ff ff call 80484b0 <gets>
8048502: 89 1c 24 mov %ebx,(%esp)
8048505: e8 8a fe ff ff call 8048394 <puts@plt>
804850a: 83 c4 14 add $0x14,%esp
804850d: 5b pop %ebx
804850e: c9 leave
804850f: c3 ret
80485f2: e8 f9 fe ff ff call 80484f0 <echo>
80485f7: 8b 5d fc mov 0xfffffffc(%ebp),%ebx
80485fa: c9 leave
80485fb: 31 c0 xor %eax,%eax
80485fd: c3 ret
Autumn 2013 Buffer Overflow 12
 University of Washington

Buffer Overflow Stack

Before call to gets
Stack Frame
for main
/* Echo Line */
void echo()
Return Address {
Saved %ebp %ebp char buf[4]; /* Way too small! */
Saved %ebx gets(buf);
puts(buf);
[3] [2] [1] [0] buf }

echo:
pushl %ebp # Save %ebp on stack
movl %esp, %ebp
buf pushl %ebx # Save %ebx
leal -8(%ebp),%ebx # Compute buf as %ebp-8
subl $20, %esp # Allocate stack space
movl %ebx, (%esp) # Push buf addr on stack
call gets # Call gets
. . .
Autumn 2013 Buffer Overflow 13
 University of Washington

Buffer Overflow Stack Example

Before call to gets Before call to gets
Stack Frame Stack Frame 0xffffc658
for main for main

Return Address f7 85 04 08
Saved %ebp 58 c6 ff ff 0xffffc638
Saved %ebx Saved %ebx
[3] [2] [1] [0] buf xx xx xx xx buf

buf 0xffffc630

80485f2: call 80484f0 <echo>

80485f7: mov 0xfffffffc(%ebp),%ebx # Return Point

Autumn 2013 Buffer Overflow 14

 University of Washington

Buffer Overflow Example #1

Before call to gets Input “1234567”
Stack Frame 0xffffc658 Stack Frame 0xffffc658
for main for main

f7 85 04 08 f7 85 04 08
58 c6 ff ff 0xffffc638 58 c6 ff ff 0xffffc638
Saved %ebx 00 37 36 35
xx xx xx xx buf 34 33 32 31 buf

0xffffc630 0xffffc630

Overflow buf, and corrupt

saved %ebx, but no problem, why?
What happens if input has one more byte?
Autumn 2013 Buffer Overflow 15
 University of Washington

Buffer Overflow Example #2

Before call to gets Input “12345678”
Stack Frame 0xffffc658 Stack Frame 0xffffc658
for main for main

f7 85 04 08 f7 85 04 08
58 c6 ff ff 0xffffc638 58 c6 ff 00 0xffffc638
Saved %ebx 38 37 36 35
xx xx xx xx buf 34 33 32 31 buf

0xffffc630 0xffffc630

. . . Frame pointer corrupted

804850a: 83 c4 14 add $0x14,%esp # deallocate space
804850d: 5b pop %ebx # restore %ebx
804850e: c9 leave # movl %ebp, %esp; popl %ebp
804850f: c3 ret # Return
Autumn 2013 Buffer Overflow 16
 University of Washington

Buffer Overflow Example #3

Before call to gets Input “123456789ABC”
Stack Frame 0xffffc658 Stack Frame 0xffffc658
for main for main

f7 85 04 08 f7 85 04 00
58 c6 ff ff 0xffffc638 43 42 41 39 0xffffc638
Saved %ebx 38 37 36 35
xx xx xx xx buf 34 33 32 31 buf

0xffffc630 0xffffc630
Return address corrupted
080485f2: call 80484f0 <echo> Hmmm, what can you do with it?
080485f7: mov 0xfffffffc(%ebp),%ebx # Return Point

Autumn 2013 Buffer Overflow 17

 University of Washington

Malicious Use of Buffer Overflow

Stack after call to gets()

void foo(){
foo stack frame
bar();
... return address A
} B (was A)

int bar() { data written pad

char buf[64]; by gets()
gets(buf);
... exploit bar stack frame
return ...; code
B
}

¢ Input string contains byte representation of executable code

¢ Overwrite return address A with address of buffer (need to know B)
¢ When bar() executes ret, will jump to exploit code (instead of A)
Autumn 2013 Buffer Overflow 18
 University of Washington

Exploits Based on Buffer Overflows

¢ Buffer overflow bugs allow remote machines to execute
arbitrary code on victim machines
¢ Internet worm
§ Early versions of the finger server (fingerd) used gets() to read the
argument sent by the client:
§ finger droh@cs.cmu.edu
§ Worm attacked fingerd server by sending phony argument:
§ finger “exploit-code padding new-return-
address”
§ exploit code: executed a root shell on the victim machine with a
direct TCP connection to the attacker

commandline facebook of the 80s!

Autumn 2013 Buffer Overflow 19

 University of Washington

Avoiding Overflow Vulnerability

/* Echo Line */
void echo()
{
char buf[4]; /* Way too small! */
fgets(buf, 4, stdin);
puts(buf);
}

¢ Use library routines that limit string lengths

§ fgets instead of gets (second argument to fgets sets limit)
§ strncpy instead of strcpy
§ Don’t use scanf with %s conversion specification
§ Use fgets to read the string
§ Or use %ns where n is a suitable integer
¢ Other ideas?
Autumn 2013 Buffer Overflow 20
 University of Washington

not drawn to scale

System-Level Protections FF
Stack

¢ Randomized stack offsets

§ At start of program, allocate random amount
of space on stack
§ Makes it difficult for exploit to predict
beginning of inserted code

¢ Use techniques to detect stack

corruption

¢ Nonexecutable code segments

§ Only allow code to execute from “text”
Heap
sections of memory
Data
§ Do NOT execute code in stack, data, or heap Text
regions 08
00
Autumn 2013
§ Hardware support needed Buffer Overflow 21