Buffer overflow

1
Buffer overflow

• Attacker can exploit
• Activation records
• Attack return address
• Function pointers
• Example void ( foo) () declares the variable
  foo which is of type pointer to function
  returning void
• Longjmp buffers
• setjmp(buffer) to go to checkpoint, and
  longjmp(buffer) to go back to the checkpoint.
• ? attack longjmp

2
Stack smashing attack
3
Canary

• Place a canary word next to the return address
  on the stack.

• Stack smashing attack occurs ? canary is
  overlapped
• ? Detect

4
Canary

• Problem attackers can forge the canary.
• Solutions
• Terminator Canary
• 0 (null), CR, LF, -1 (EOF)
• When the program reach the termination canary ,
  it stops.
• Random Canary
• 32-bit random number chosen secretly at the time
  the program starts.
• StackGuard is a compiler technique that use
  canary (a small patch to gcc that enhances the
  code generator).