Buffer%20Overflow - PowerPoint PPT Presentation

About This Presentation
Title:

Buffer%20Overflow

Description:

Many buffer overflow problems are related to string manipulations ... { char buf[BUFSIZ]; vsnprintf(buf, sizeof buf, fmt, ap); Format Strings ... – PowerPoint PPT presentation

Number of Views:97
Avg rating:3.0/5.0
Slides: 26
Provided by: IBMU291
Learn more at: https://www.cs.kent.edu
Category:

less

Transcript and Presenter's Notes

Title: Buffer%20Overflow


1
Chapter 6
  • Buffer Overflow

2
Buffer Overflow
  • Buffer Overflow occurs when the program
    overwrites data outside the bounds of allocated
    memory
  • It was one of the first exploited security issues
    (Morris 1988)?
  • Many buffer overflow problems are related to
    string manipulations
  • In the year 2000, 50 of CERT warnings were
    related to buffer overflow.
  • Any language like C and C that does not enforce
    memory safety and type safety is a potential risk
    to buffer overflow.

3
Example
  • void trouble ()
  • int a 32
  • char line128
  • gets(line)

4
Buffer Over Attack
return address
a
line
return address
a
line
return address
a
line
5
Buffer Allocation Strategies
  • Static
  • Use a fixed size allocation. Alter the program
    behavior if the data does not fit or truncate the
    data.
  • Buffer overflow mistakes can be checked by
    automated tools or humans.
  • Dynaminc
  • Resize the buffer as needed
  • More difficult to check for code problems.
  • Mixing static and dynamic allocation can cause
    problems.

6
Static Allocation Example
  • define BUFSIZE 1024
  • define SUCCESS 0
  • int main(int argc, char argv)
  • char strBUFSIZE
  • int len
  • len snprintf(str, BUFSIZE, S(d), argv0,
    argc)
  • printf(s\n, str)
  • if (len gt BUFSIZE)
  • printf(length truncated (from d)\n, len)
  • return SUCCESS

7
Dynamic Allocation Example
  • define BUFSIZE 1024
  • define SUCCESS 0
  • int main(int argc, char argv)
  • char str
  • int len
  • if ((str (char )malloc(BUFSIZE)) NULL)
  • return -1
  • len snprintf(str, BUFSIZE, S(d), argv0,
    argc)
  • if (len gt BUFSIZE)
  • free(str)
  • if ((str (char )malloc(len 1)) NULL)
  • return -1
  • snprintf(str, len1, S(d), argv0, argc)
  • printf(s\n, str)
  • free(str)
  • str NULL

8
Dynamic Allocation
  • Issues
  • More difficult to manage.
  • Can introduce memory leaks
  • Use-after-free
  • Double free
  • Solutions
  • Enforce Null-After-Free
  • Tracking buffer sizes

9
Tracking Buffer Sizes
  • C and C do not track buffer sizes
  • Programmers have to do it on their own
  • Some languages track buffer sizes.
  • Errors in tracking buffer sizes could lead to
    buffer overflow conditions

10
Unsafe String functions
  • gets()?
  • scanf()?
  • strcpy()?
  • sprintf()?

11
gets() and friends
  • gets() reads input stream into a buffer until a
    new line is found.
  • Very dangerous function and it should be avoided.
  • To use gets() you must be 100 sure you trust the
    input.
  • C gtgt operator repeated the same mistake as
    gets().

12
scanf() and friends
  • s specifier in the format string can cause a
    buffer overflow condition.
  • scanf() can be used safely if the format
    specifier properly bounds the amount of data to
    be read.

13
strcpy() and friends
  • strcpy() copies one buffer to another until a
    null character is found.
  • If source buffer is larger than destination or
    source is not null terminated buffer overflow
    condition may occur.

14
sprintf() and friends
  • To avoid buffer overflow the destination buffer
    must be large enough to accommodate the
    combination of all source arguments.
  • s can be a variable string length and can cause
    buffer overflow.
  • Bounded format string can make sprintf() safer to
    use.

15
Risk of reimplementation
  • Programmers should be careful not to duplicate
    the same mistakes made in the dangerous standard
    C functions.
  • Implementation of similar functions can be harder
    to detect.

16
Example of reimplementaion
  • void get_word(char word)
  • int c
  • while (isspace(c getchar()))
  • while (c getchar())
  • if (c -1) break
  • if (isspace(c)) word \0 break
  • word c
  • word

17
strncpy() and strncat() pitfalls
  • The size incorrectly specified
  • char s1S1_SIZE, s2S2_SIZE
  • strncpy (s1, s2, S2_SIZE)?
  • strncat (s1, s2, S1_SIZE)?
  • strncpy does not always null terminate the
    destination.
  • strncat destination and source must be
    terminated.

18
Truncation Errors
  • A truncation after copying a buffer can cause
    unpredictable problems.
  • Some examples
  • Check access control on a file then copy the file
    to another smaller buffer. The new buffer points
    to another file.
  • Check the validity of a host name then copy to a
    smaller buffer. New buffer now contains a new
    hostname.

19
Maintaining null terminator
  • Many libc functions rely on the null char at the
    end of a string.
  • Examples strlen, strcpy, strncpy, strncat
  • Some functions that are designed to operate on
    memory blocks may not null terminate a string
  • Examples fread(), recvmsg(), strncpy()?
  • Programmers must ensure strings are null
    terminated to avoid runtime errors and buffer
    overflows.
  • Catching errors due to failure of null
    terminating a string is very difficult and may
    not be possible until the program is running in
    production.
  • One way to ensure strings are terminated is to
    explicitly add a null char at the end of a
    buffer.

20
Character Sets
  • Today several character sets exist and are used
    for input and output.
  • ISO-8859-1, UTF-8, UTF-16 and UTF-32 are some of
    the most commonly used.
  • ISO-8859-1 and UTF-32 are fixed-width encoding.
  • UTF-16 and UTF-8 are variable-width encoding.
  • New type wchar_t was introduced to handle other
    character sets.

21
Characters and buffer overflow
  • Mismatch between the string length and the number
    of bytes in the buffer can cause buffer overflow
    issues.
  • Operation that expects bounds in bytes is passed
    bound in characters or vice-versa
  • Functions that convert from one encoding to
    another magnify the problem.

22
Format Strings
  • When a variable string is passed as a format
    string to a function that can cause a format
    string vulnerability.
  • while (fgets(buf, sizeof buf, f))
  • lreply(200, buf)?
  • ...
  • void lreply(int n, char fmt, ... )
  • char bufBUFSIZ
  • ...
  • vsnprintf(buf, sizeof buf, fmt, ap)
  • ...

23
Format Strings
  • Most format string vulnerabilities are caused by
    misuse of functions that require a format string
  • Example printf(str) instead of printf (s,
    str)?
  • Read data from the stack by passing formatting
    characters
  • Use n directive to write arbitrary positions in
    memory.

24
Preventing Format String exploits
  • Always pass a static format string
  • If static string is too restrictive choose from a
    list of format strings
  • If a format string must be read from input
    perform input validation.

25
Better String Classes and Libraries
  • stdstring class in STL
  • Microsoft CString in ATL/MFC
  • Vstr library
  • Designed to work with readv() and writev()?
  • SafeStr library
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Buffer%20Overflow" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!