What is Buffer Overflow?
- A common attack mechanism
- Caused by “BUFFER OVERUN /Storing beyond the limit of a fixed sized buffer”
Writing data to a buffer overruns the buffer boundary and overwrites the memory.
Located in the stack, heap and data section of the process
Consequences of Buffer Overflow
- Corruption of the program data
- Unexpected transfer of control
- Memory access violations
- Execution code chosen by the attack
Exploiting Buffer Overflow attacks
- A program that can be triggered using external source data under the attacker’s control
- Stored in memory > potential corruption
Identify vulnerable programs
- Inspection program source
- Triggering execution of programs in large variables
- Using tools ‘Fuzzing’
What is Stack Buffer Overflow?
- Known as Stack Smashing
- Writes memory address on the stack OUTSIDE of the data structure
What is Stack Frame?
- One function calls another to its address
- Passes parameters to save each register value
Shell code and Machine code
- A small piece of code used as a payload in the exploitation of a software vulnerability
Machine code
- A set of instructions executed directly by a CPU, performing a specific task: LOAD, JUMP or ALU operation on the memory
Stack Overflow variants + the target programs
- Launch a remote shell
- Creates a reverse shell back to hacker
- Use local exploits to establish hacker
- Flush firewall to block hacker
- Break out of chroot to enter the system
Target programs:
- Trusted system utility
- Network service daemon
- Library code
Buffer Overflow Defence
Compile time: Hardens programs to resist attacks in new programs
Runtime: DETECT + ABORT attacks from **existing programs **
Compile Time Defences: Programming Language
- Uses High Level language
- Enforces a range of checks and permissions on variables
- Not vulnerable to buffer overflow attacks
Compile Time Defences: Safe Coding Techniques
- Needs to inspect code and rewrite an unsafe codes
- Placing emphasis in efficacy and performance when _writing code than type safely _
Compile Time Defences: Languages Extensions/Safe Library
- Handling dynamically allocated memory is more problematic because the size information is not available at compile time
- Requires extension on the library routines
- Libraries and programs need to be **recompiled **
Compile Time Defences: Stack Protection
- Add function entry and exit code to check stack for signs of corruption
- Used on different systems
- Function entry writes a copy of the return address to a safe region of memory
- Function exit code checks if the return address is in the stack frame against the saved copy
- If change is found > aborts program
Run Time Defences: Executable Address Space Protection
- Use virtual memory support regions of memory
- Non-executable
- Requires support from MMU
Issues:
- Executable Stack code
- Support provisions are needed
Run Time Defences: Address Space Randomisation
- Manipulate location of key data structures
Stack, heap and global data
- Using random shift for each processes
- Code needs to run for the shell code to open to the attacker
- Randomise location of heap buffers
Run Time Defences: Guard Pages
- Place guard pages between regions of memory
- Exploits a process having more vital memory available than it typically needs
- Flagged in MMU as illegal addresses
Any attempted access aborts process
Replacement Stack Frame
- Overwrites buffer and frame pointer address
- Frame pointer becomes a dummy stack
Off-by-one attacks
- Coding error that allows one+ byte to be copied for more space
Return to System call
- Stack overflow variant replaces return address with standard library
- Non-executable stack defences
- Attacker constructs suitable parameters on stack above return address
Global Data Overflow
- Attack buffer can be located in the global data
- Located above program code
- Has function and vulnerable pointer
Defence:
- Non-executable random global data region
- Guard pages
SQL Injection Attack
- Used to inject malicious SQL statements to steal information from a database
- Similar to command injection
Command injection
- Executing commands to gain control over a server
- PHP remote code injection vulnerability
- PHP file inclusion vulnerability
Cross site scripting
- Vulnerability found in Web Applications
- Injects client-side script into Web pages viewed by other users
- Browsers impose security checks and restricts data access to pages from the **original site **
