buffer overload (stack overflow, memory overflow)
inserting extra instructions into a command to force an overflow that inserts calls to malware
stacks are used
- in function/procedure calls
- allocation of memory for: local variables, parameterscontrol information (return address)
Vulnerability of the password checking
- Passwords do not keep copy of your password
- allowing the user to insert a longer password, which bypasses the check procedure (does not check the password length to prevent overflow)
- Any password of length greater than 12 bytes that ends in ‘123’
- Any password of length greater than 16 bytes that begins with ‘MyPwd123’
Stack
- shrinks and grows with the pushing and popping of data on and off the stack
- grows from high to low addresses
shellcode
- a shell that executes any code the attacker wants
- must be in machine code so that can be inserted directly into memory
- must have a legitimate return address
attacker code’s privileges
same as YOU!
- the host program’s
- system service or OS root privileges , if the program is a system service
NVD stands for
national vulnerability database
CVE stands for
common vulnerability and Exposure
How many vulnerabilities in our system in:
a. NVD
b. 3 months
c. 3 years
a. 70000
b. ~100
c. 1000+
return-to-libc
the return address is overwritten to point to a function in a library. The function can then be executed with parameters of the attacker’s choice
Heap Overflows
- The heap does not store return addresses
- Data can be tables of function pointers. So the attacker can modify a function pointer to point to malware. This is more sophisticated than buffer overflow.
OpenSSL Heartbleed Vulnerability
- e the attacker asks for more data than usual. This may expose sensitive data
defense against overflow
- language choice
- check all inputs (all input is evil)
- use functions that (are safer,) do bound checking
- use automatic tools to analyze vulnerability
language choice to prevent overflow
- should be strongly typed
- should do automatic bounds checks - should do automatic memory management
ex: java, C++, OOP, strongly typed languages.
buffer overflow is impossible due to runtime system check
a drawback of a secure language
possible performance degradation
Stack canaries
a canary values is written into the stack frame, just before the return address. IF the canary value is modified, then there is a good possibility the return address has been changed. Thus an overflow is detected
Address Space Layout Randomization (ASLR)
- randomizes the stack, heap, libc
- can be used with Nonexecutable Stack. This requires hardware support
