TCOM 401/CIS 551 on 01/17/2006

 

Notes:

 

  1. The CERT/CC (Computer Emergency Response Team Coordination Center) described the buffer overflow as the most critical software flaw, one that causes vulnerabilities such as illegal execution of system calls and deletion of data. It stems from the insecurity of the C and C++ programming languages, which do not enforce array bounds checks.

  2. A string in C can be visualized as an initialized group of contiguous memory locations terminated by the null character (‘\0’). The memory following the null character is not initialized.

  3. From the diagram available on the PPT slides, there are three parts in a C memory model. The RAM (Random Access Memory) can be visualized as a column of memory addresses (0 to 2^32 - 1) with data stored at every address.

  1. An example is described in which a function ‘f()’ calls a function ‘g(parameters)’, to illustrate the flow of control and the allocation of memory in RAM.

  2. The next PPT slide explains how a buffer overflow attack may be carried out.

  3. This attack can be easily visualized with the next PPT slide.

  4. The ‘payload’ is code that is part of the data input into the buffer overflow. Having the “blame.c” source code helps in constructing the buffer contents: running the program under the debugger reveals the position at which to place the address that the return address must point to after the buffer overflow has occurred.

  5. To ensure the success of the attack, the ‘payload’ can be constructed with a bunch of “NO-OP” operations, followed by the attack code, attack data and finally a bunch of the same address repeated multiple times. The address should point to the code earlier in the buffer (e.g. one of the NO-OPs in the 'landing pad').

  6. More information about attack code can be retrieved from the ‘gcc’ and ‘gdb’ documentation. Remember that the Intel x86 processor is "Little Endian", which means that the low-order byte of a number is stored in memory at the lowest address, and the high-order byte at the highest address.

  7. C and C++ use a null-terminated string representation and store no string length information. Hence the assumption that makes buffer overflows possible is that strings will always have the null character (‘\0’) at the end.

  8. Hence the first rule of thumb for security against buffer overflow attacks in C and C++ is to use functions that take the array size as an argument, like ‘strncpy()’, ‘snprintf()’ and ‘fgets()’, instead of ‘strcpy()’, ‘sprintf()’ and ‘gets()’.

  9. There are many tools available to support C and C++ programming, like libsafe, Purify, Splint, Stackguard, Pointguard, etc.

  10. In conclusion, use modern programming languages with garbage-collection ability like Java and C# instead of C and C++. Also, the latest versions of operating systems now enable the stack pointer to be initialized to a (pseudo) random address. This makes it more difficult for buffer overflow attacks to execute malicious code that has been engineered to sit at a specific location in the ‘payload’.

                                                                                                                                                                                                          -Amit Mohan Easow
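
The rule of thumb above about ‘strncpy()’ and ‘snprintf()’, as an added C example that is not part of the original notes or the lecture material: it shows that a bare strncpy() leaves the buffer unterminated when the source is too long, and how to report truncation instead of overflowing. The function names, the 8-byte buffer and the sample strings are constructed for illustration; ‘fgets()’ is not covered here.

```c
#include <stdio.h>
#include <string.h>

/* Pitfall: with an over-long source, strncpy() fills the buffer and
 * writes no '\0'. Returns 1 if the buffer holds no terminator. */
int strncpy_unterminated(const char *src)
{
    char buf[8];
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* Bounded copy: leave room for the terminator and write it explicitly.
 * Returns 1 if src was truncated, 0 if it fit, -1 on bad arguments. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) >= dst_size;
}

/* snprintf() always terminates (for dst_size > 0) and returns the length
 * the full output needed, which is how truncation is detected.
 * Returns 1 if truncated, 0 if it fit, -1 on error. */
int format_bounded(char *dst, size_t dst_size, const char *name)
{
    int n;
    if (dst == NULL || name == NULL || dst_size == 0)
        return -1;
    n = snprintf(dst, dst_size, "Hello, %s!", name);
    if (n < 0)
        return -1;
    return (size_t)n >= dst_size;
}

int main(void)
{
    char buf[8];                          /* constructed sample inputs */
    const char *too_long = "AAAAAAAAAAAAAAAA";
    printf("bare strncpy unterminated: %d\n", strncpy_unterminated(too_long));
    printf("copy truncated: %d, buf='%s'\n",
           copy_bounded(buf, sizeof buf, too_long), buf);
    printf("format truncated: %d, buf='%s'\n",
           format_bounded(buf, sizeof buf, "world"), buf);
    return 0;
}
```

A caller should treat a return value of 1 as an input error rather than silently continuing with the shortened string.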