
Analysis and Study of Buffer Overflow

  • Journal: 通信市场 (Communications Market)
  • File size: 254 KB
  • Authors: Liu Sidong, Zen TaoYu, Yongquan
  • Affiliation: Faculty of Computer Science, Guangdong University of Technology
  • Updated: 2020-11-22
Paper summary

2009 National Computer Network and Communication Academic Conference Proceedings, Computer Applications and Others

Analysis and Study of Buffer Overflow

Liu Sidong, Zen TaoYu, Yongquan
(Faculty of Computer Science, Guangdong University of Technology, 510006)

Abstract: Buffer overflow attack is one of the most threatening attack types and it jeopardizes security a lot. According to the principle of the attack, this paper demonstrates how it works, and emphasizes the importance of writing code that does not permit such attacks.

Index Terms: buffer overflow; frame stack; secure code

I. INTRODUCTION

Since the "Morris Worm" incident [1], exploitation of buffer overflow has become one of the most important and most threatening network attacks. According to CERT's statistics, more than 50 percent of network attacks at present are exploitations of buffer overflow [2], which bring great destruction to computer systems all over the world. Exploitation of buffer overflow makes use of buffer overflow flaws in the system, and these are largely due to the unreliability of C/C++, which do not perform any bounds checking for array references, and to the fact that local variables are stored on the stack along with state information such as register values and return pointers. In theory, we can avoid the problem of buffer overflow by adopting safe languages such as Java and C# rather than C/C++. In practice, however, this is difficult for many reasons, so buffer overflow flaws will still exist for a fairly long time to come. Exploitations of buffer overflow may lead to runtime errors, system crashes, or even paralysis of the whole network. Therefore, intensive study of buffer overflows is significant for exploring protection against overflow attacks.

II. PROCEDURE AND STACK FRAME STRUCTURE

A procedure call involves passing both data (in the form of procedure parameters and return values) and control from one part of the code to another.
In addition, it must allocate space for the local variables of the procedure on entry and deallocate them on exit. Most machines, including IA32, provide only simple instructions for transferring control to and from procedures. The passing of data and the allocation and deallocation of local variables is handled by manipulating the program stack.

IA32 programs make use of the program stack to support procedure calls. The stack is used to pass procedure arguments, to store return information, to save registers for later restoration, and for local storage. The portion of the stack allocated for a single procedure call is called a stack frame. Figure 1 diagrams the general structure of a stack frame [5]. The topmost stack frame is delimited by two pointers, with register %ebp serving as the frame pointer and register %esp serving as the stack pointer. The stack pointer can move while the procedure is executing, and hence most information is accessed relative to the frame pointer.

Suppose procedure P (the caller) calls procedure Q (the callee). The arguments to Q are contained within the stack frame for P. In addition, when P calls Q, the return address within P where the program should resume execution when it returns from Q is pushed on the stack, forming the end of P's stack frame. The stack frame for Q starts with the saved value of the frame pointer (i.e., %ebp), followed by copies of any other saved register values.

[Figure 1. Stack frame structure. The diagram (not reproduced here) shows, from the stack "bottom" to the stack "top": earlier frames; the caller's frame holding the arguments and the return address; then the current frame holding the saved %ebp (pointed to by the frame pointer %ebp), saved registers, local variables and temporaries, and the argument build area, with the stack pointer %esp at the top.]

III. BUFFER OVERFLOW

Buffer overflow occurs when a character array is allocated on the stack to hold a string, but the size of the string exceeds the space allocated for the array, causing the data that follows it to be corrupted. Ideally, the program checks the length of the data and does not allow input of a string that exceeds the space.
Most programs, however, assume that the length of the data matches the space, and so leave hidden trouble for buffer overflow. As a general rule, overwriting data in some other data area makes no sense and at most causes program errors. However, if the program is fed with a string that contains the byte encoding of some executable code, called the exploit code, plus some extra bytes that overwrite the return pointer with the address of the code in the buffer, the intruder gains control.

IV. EXAMPLE OF BUFFER OVERFLOW

A. Description of the Problem

Consider the following scenario. In bufbomb.c, you will find the following functions:

    #include <stdio.h>

    /* getxs is also defined in bufbomb.c (not shown here) */

    int getbuf()
    {
        char buf[12];
        getxs(buf);
        return 1;
    }

    void test()
    {
        int val;
        printf("Type Hex string: ");
        val = getbuf();
        printf("getbuf returned 0x%x\n", val);
    }

The function getxs (also in bufbomb.c) is similar to the library function gets, except that it reads characters encoded as pairs of hex digits. For example, to give it the string "0123", the user would type in the string "30 31 32 33". The function ignores blank characters. A typical execution of the program is as follows:

    unix> ./bufbomb
    Type Hex string: 30 31 32 33
    getbuf returned 0x1

Looking at the code for the getbuf function, it seems quite apparent that it will return the value 1 whenever it is called. It appears as if the call to getxs has no effect. However, we can make getbuf return -559038737 (0xdeadbeef) to test, simply by typing an appropriate hexadecimal string at the prompt.

B. Analysis of the Problem

We can compile bufbomb.c using the Unix command line:

    unix> gcc -g -o bufbomb bufbomb.c

and then use the command "objdump -d bufbomb" to create a disassembled version of bufbomb. The assembly code file contains various declarations, including the set of lines shown in Figure 2.

[Figure 2. Assembly code (listing not reproduced here).]

If we want to make getbuf return -559038737 (0xdeadbeef) to test simply by typing an appropriate hexadecimal string, we must consider the following values:

1) The values of the frame pointer to procedure test and procedure getbuf

While we input the string, we must not destroy the value of the frame pointer (%ebp) to test, which is contained within the stack frame for getbuf; the return address within getbuf is also needed, where the program should resume execution when it returns from getxs. By observing the disassembled code we can set a breakpoint at address 0x804848b, as Figure 3 shows:

[Figure 3. Frame pointer to procedure test and procedure getbuf (gdb session, not reproduced: breakpoint in getbuf at bufbomb.c:40, printing the contents of (%ebp) and 4(%ebp), the latter being 0x80484bf).]

According to Figure 3, we know that the values of the frame pointer to procedure test and procedure getbuf are 0xfffefe8 and 0xfffefd8 respectively, which are 16 bytes apart. And the return address within getbuf is 0x80484bf, meaning the instruction "mov %eax, 0xfffffffc(%ebp)" will be executed next, which stores 0x1 to the local variable val. However, if we want to return 0xdeadbeef, we must jump to the next instruction; that is, we should overwrite the return address within getbuf with 0x80484C2, and we should also overwrite the local variable val with the string "efbeadde".

2) The addresses of the local variables (buf and val)

From the instruction "lea 0xffffffe8(%ebp), %eax" at address 0x8048491 in the disassembled code, we know that the local variable buf is stored at address (%ebp - 24), where the frame pointer is getbuf's.
Similarly, we find that the local variable val is stored at address (%ebp - 4), where the frame pointer is test's.

3) The values of the frame pointer to procedure main and the return address within test

Because the local variable val is stored at address (%ebp - 4), and the last statement of function getxs is "*sp++ = 10", the string "efbeadde" must be followed by the values of the frame pointer to procedure main and the return address within test. Otherwise, it cannot return to procedure main normally. By observing the disassembled code we can set a breakpoint at address 0x80484a7, and find that the values of the frame pointer to procedure main and the return address within test are 0xbffeb38 and 0x8048513 respectively, as Figure 4 shows:

[Figure 4. Frame pointer to procedure main and the return address within test (gdb session, not reproduced: breakpoint at 0x080484a7 in test, bufbomb.c:47, printing the contents of (%ebp) and 4(%ebp)).]

We obtain the frame stack after the analysis, as Figure 5 shows, where x and y represent the values of the frame pointers to test and to getbuf respectively.

[Figure 5. Frame stack of the example. The diagram (not reproduced here) shows, from the stack "bottom" to the stack "top": the return address and saved %ebp of test's frame, then the return address, saved %ebp and the 12-byte buf of getbuf's frame.]

C. The Result of the Experiment

Based on the frame stack, we can input the following string: AAAAAAAA FFFFFF AAAAAAAA FFFFFF AAAAAAAA FFFFFFF edffbf c2840408 AAAAAAAA efbeadde 38ebffbf 13850408 (note that IA32 follows the convention where the least significant byte comes first, referred to as little endian), and Figure 6 shows that the return value has changed from 0x1 to 0xdeadbeef.

[Figure 6. The result of the experiment (screenshot not reproduced here).]

In the above experiment, we simply change the return value. In a real attack, however, the attacker can encode some binary code, known as shellcode, which uses some system calls, in order to gain control of the system.
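The root of the bufbomb example is that getxs, like gets, has no idea how large buf is, and the paper's remedy in section III is to check the length before storing. The following program is an added example, not code from the paper or from bufbomb.c: a hypothetical getxs_checked that decodes the same "30 31 32 33" hex-pair input format (blanks ignored) but is told the buffer size and refuses any input that would not fit, plus a helper hex_payload_len that reports how many bytes a hex string would produce. The function names and the sample inputs are this example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of decoding one hex-pair string into a fixed-size buffer. */
enum xs_status { XS_OK = 0, XS_TOO_LONG = 1, XS_BAD_HEX = 2 };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical bounds-checked counterpart of getxs: decodes input such as
 * "30 31 32 33" into dst (blanks ignored), but never writes more than
 * dstsize - 1 bytes so that the terminator always fits. On success returns
 * XS_OK and stores the byte count in *outlen; on any error dst is left as
 * an empty string, so a caller cannot use a partially decoded buffer. */
enum xs_status getxs_checked(const char *in, char *dst, size_t dstsize, size_t *outlen)
{
    size_t n = 0;
    int hi = -1;                     /* first nibble of the current pair, or -1 */

    *outlen = 0;
    if (dstsize == 0) return XS_TOO_LONG;
    dst[0] = '\0';

    for (; *in != '\0'; in++) {
        int c = (unsigned char)*in;
        if (isspace(c)) continue;
        int v = hexval(c);
        if (v < 0) { dst[0] = '\0'; return XS_BAD_HEX; }
        if (hi < 0) { hi = v; continue; }
        /* A complete pair: refuse it if it would take the terminator's slot. */
        if (n + 1 >= dstsize) { dst[0] = '\0'; return XS_TOO_LONG; }
        dst[n++] = (char)((hi << 4) | v);
        hi = -1;
    }
    if (hi >= 0) { dst[0] = '\0'; return XS_BAD_HEX; }   /* dangling odd digit */
    dst[n] = '\0';
    *outlen = n;
    return XS_OK;
}

/* Number of bytes a hex-pair string would produce, blanks ignored; lets a
 * program report an oversize input before touching the buffer at all. */
size_t hex_payload_len(const char *in)
{
    size_t digits = 0;
    for (; *in != '\0'; in++)
        if (!isspace((unsigned char)*in)) digits++;
    return digits / 2;
}

int main(void)
{
    char buf[12];                    /* same size as buf in getbuf */
    size_t len;

    enum xs_status st = getxs_checked("30 31 32 33", buf, sizeof buf, &len);
    printf("status %d, %zu bytes: \"%s\"\n", st, len, buf);

    /* Constructed over-long input: 16 pairs, four more than buf could ever hold. */
    const char *too_long = "41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41";
    st = getxs_checked(too_long, buf, sizeof buf, &len);
    printf("status %d: %zu bytes would not fit in a %zu-byte buffer\n",
           st, hex_payload_len(too_long), sizeof buf);
    return 0;
}
```

The decoder rejects rather than truncates: a silently shortened buffer is still a correctness bug, and rejecting makes the over-long input visible in the program's own error path, which is also where an operator would log it.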
V. PREVENTION FOR BUFFER OVERFLOW

In order to prevent attacks, we should eliminate the root cause and cut off the path of assault. The root cause is that C and C++ are unsafe languages, which do not perform any bounds checking for array references. The path is the loopholes in computer systems, in aspects of hardware, the system, and the running rules of programs, which are easy to use for attacks.

A. Writing Secure Code

We have found that most buffer overflow problems are caused by several functions in the standard library. Of these functions, the most unsafe ones are the functions that manipulate strings without performing bounds checking, such as strcpy and strcat. Generally, these unsafe functions can be replaced by safe functions, and it is good style not to use the unsafe ones. Table I shows common high-risk functions and solutions for these functions.

Table I. HIGH-RISK FUNCTIONS AND SOLUTIONS

    Function name                      Solution
    gets                               fgets(buf, size, stdin)
    strcpy                             strncpy()
    strcat                             (solution unreadable in the source)
    sprintf, vsprintf                  vsnprintf() or use a precision specifier
    scanf, fscanf, vscanf, vsscanf     use a precision specifier or parse by yourself

B. Protection at Compile Level

The conversion from source code to executable code is completed by the compiler, so protection at compile level can be provided by enhancing the compiler. There have been several implementations of protection at compile level, two of the most common being StackGuard [5] and Stack Smashing Protection (SSP, also known as ProPolice) [6]. Typically, they modify the organization of data in the stack frame of a function call to include a "canary" value which, when destroyed, shows that a buffer preceding it in memory has been overflowed. This gives the benefit of preventing an entire class of attacks. StackGuard supports three types of canaries: Terminator, Random, and Random XOR, while ProPolice supports Terminator and Random canaries.
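The replacements in Table I each carry a caveat that the table cannot show, so here is an added example, not from the paper, with bounded versions of the Table I functions written the way a practitioner would actually use them: strncpy does not NUL-terminate when the source fills the buffer, so copy_bounded terminates explicitly and reports truncation; snprintf returns the length the full output would have had, which is the truncation check; fgets keeps the newline and leaves the rest of an over-long line in the stream; and a scanf width must be one less than the buffer size. The function names and the sample inputs are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Bounded copy in place of strcpy. Always NUL-terminates (strncpy does not
 * when the source is at least as long as the buffer) and returns 1 if the
 * source had to be truncated, so the caller can reject the input instead of
 * silently using a shortened string. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0) return 1;
    size_t n = strlen(src);
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Bounded append in place of strcat. dstsize is the size of the whole
 * buffer, not the space remaining; dst must already be NUL-terminated. */
int append_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t used = strlen(dst);
    if (used >= dstsize) return 1;
    return copy_bounded(dst + used, dstsize - used, src);
}

/* Bounded formatting in place of sprintf. snprintf returns the length the
 * complete output would have had, so a value >= dstsize means the result
 * was cut short. Returns 1 on truncation. */
int format_bounded(char *dst, size_t dstsize, const char *name, unsigned val)
{
    int needed = snprintf(dst, dstsize, "%s=0x%x", name, val);
    return needed < 0 || (size_t)needed >= dstsize;
}

/* Width-limited scanf in place of a bare "%s": the width must be exactly
 * one less than the buffer size, here 11 for a 12-byte buffer. Returns the
 * number of fields converted. */
int scan_word_bounded(const char *input, char dst[12])
{
    return sscanf(input, "%11s", dst);
}

/* Bounded line input in place of gets. fgets stops after dstsize - 1
 * characters and keeps the newline; strip it and, if the line was longer
 * than the buffer, discard the remainder so it is not read as the next
 * line. Returns 0 for a complete line, 1 if it was truncated, -1 at EOF. */
int read_line_bounded(char *dst, size_t dstsize, FILE *fp)
{
    if (fgets(dst, (int)dstsize, fp) == NULL) { dst[0] = '\0'; return -1; }
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') { dst[n - 1] = '\0'; return 0; }
    int c, truncated = 0;
    while ((c = fgetc(fp)) != EOF && c != '\n') truncated = 1;
    return truncated;
}

int main(void)
{
    char buf[12];                                   /* same size as buf in getbuf */
    int t;

    t = copy_bounded(buf, sizeof buf, "0123");
    printf("copy   truncated=%d \"%s\"\n", t, buf);
    t = copy_bounded(buf, sizeof buf, "AAAAAAAAAAAAAAAA");  /* constructed 16-byte input */
    printf("copy   truncated=%d \"%s\"\n", t, buf);
    t = format_bounded(buf, sizeof buf, "val", 0xdeadbeefu);
    printf("format truncated=%d \"%s\"\n", t, buf);
    t = scan_word_bounded("AAAAAAAAAAAAAAAA rest", buf);
    printf("scan   fields=%d \"%s\"\n", t, buf);

    printf("Type a line: ");
    t = read_line_bounded(buf, sizeof buf, stdin);
    printf("line   status=%d \"%s\"\n", t, buf);
    return 0;
}
```

Every function returns a truncation flag for the same reason: the Table I replacements only stop the overflow, and the program still has to decide what to do with input that did not fit, which is usually to refuse it.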
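To make the canary mechanism of section V.B concrete without corrupting a real stack, the following added example (not code from the paper, StackGuard or ProPolice) lays out an ordinary struct in the same order as getbuf's frame in Figure 5 (the 12-byte buf, then a canary, then the saved %ebp and the return address), copies strings into it the way an unchecked strcpy would, and runs the epilogue check that a canary-protected function performs before returning. It uses StackGuard's terminator canary value 0x000aff0d and assumes a little-endian host; the struct, function names, frame values and inputs are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated IA32 frame of a getbuf-like function, laid out in the order of
 * Figure 5 so that a string copy into buf runs into the canary before it
 * reaches the saved frame pointer and the return address. It is an ordinary
 * struct, so nothing in this program's real stack is touched. */
struct sim_frame {
    char     buf[12];
    uint32_t canary;
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

/* StackGuard's terminator canary: its bytes are NUL, LF, 0xff and CR, which
 * strcpy, gets and scanf either stop at or cannot deliver intact. */
#define TERMINATOR_CANARY 0x000aff0du

/* Constructed placeholder values; they are not addresses from the paper's run. */
#define SIM_SAVED_EBP 0xbffff000u
#define SIM_RET_ADDR  0x08048000u

void frame_init(struct sim_frame *f, uint32_t canary)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = canary;
    f->saved_ebp = SIM_SAVED_EBP;
    f->ret_addr = SIM_RET_ADDR;
}

/* Model of an unchecked strcpy into buf: copies bytes up to the first NUL,
 * then writes the NUL, with a hard stop at the end of the struct so that
 * the simulation itself stays in bounds. Returns the number of bytes copied. */
size_t unchecked_copy(struct sim_frame *f, const char *src)
{
    unsigned char *p = (unsigned char *)f;
    size_t n = 0, limit = sizeof *f;
    while (n < limit && src[n] != '\0') { p[n] = (unsigned char)src[n]; n++; }
    if (n < limit) p[n] = 0;
    return n;
}

/* The epilogue check a canary-protected compiler inserts: compare the
 * canary slot with the expected value before trusting saved_ebp/ret_addr. */
int canary_intact(const struct sim_frame *f, uint32_t expected)
{
    return f->canary == expected;
}

static void report(const char *label, const struct sim_frame *f)
{
    printf("%-28s canary 0x%08x %s, ret_addr 0x%08x\n", label, f->canary,
           canary_intact(f, TERMINATOR_CANARY) ? "intact" : "SMASHED", f->ret_addr);
}

int main(void)
{
    struct sim_frame f;

    frame_init(&f, TERMINATOR_CANARY);
    unchecked_copy(&f, "0123");                       /* fits in buf */
    report("4 bytes", &f);

    frame_init(&f, TERMINATOR_CANARY);
    unchecked_copy(&f, "AAAAAAAAAAAAAAAA");           /* 16 bytes: runs over the canary */
    report("16 bytes", &f);

    /* A string carrying the canary's three non-zero bytes followed by more
     * data: the copy keeps going and clobbers the canary's NUL byte. On a
     * little-endian host (assumed here) the canary's bytes are 0d ff 0a 00. */
    frame_init(&f, TERMINATOR_CANARY);
    unchecked_copy(&f, "AAAAAAAAAAAA\x0d\xff\x0a" "XXXX");
    report("15 bytes + 4 more", &f);

    /* The same three bytes with nothing after them: the copy's own NUL lands
     * in the canary's last byte, so the canary survives, but then nothing
     * past it was written either and ret_addr is untouched. */
    frame_init(&f, TERMINATOR_CANARY);
    unchecked_copy(&f, "AAAAAAAAAAAA\x0d\xff\x0a");
    report("15 bytes, stops at canary", &f);
    return 0;
}
```

The last two cases are the point of a terminator canary: a string routine cannot carry the NUL byte that sits inside the canary and keep writing, so any copy that reaches the return address leaves the canary slot changed and the epilogue check fires.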
VI. CONCLUSION

Exploitation of buffer overflow poses a great threat to computer security, and people have done a good deal of study on how to detect the attack. By demonstrating how buffer overflow attacks work, we hope you will learn the importance of writing code that does not permit such attacks.

REFERENCES

[1] Aleph One. Smashing the Stack for Fun and Profit. Phrack, 1996, 7(49).
[2] CERT. The Computer Emergency Response Team Coordination Center. 2006.
[3] Randal E. Bryant, David R. O'Hallaron. Computer Systems: A Programmer's Perspective. pp. 170-171.
[4] Randal E. Bryant, David R. O'Hallaron. Computer Systems: A Programmer's Perspective. pp. 236-238.
[5] Crispin Cowan, Calton Pu, Dave Maier. StackGuard: Automatic Adaptive Detection and Prevention of Buffer Overflow Attacks. In 7th USENIX Security Conference, pp. 63-77, San Antonio, TX, January 1998.
[6] Stack Protection Method. http://www.trl.ibm.com/projects/security/ssp/node4.html, 11/8/2000.

Liu Sidong (1983-), male, native of Meizhou, Guangdong, postgraduate, engaged in intelligence engineering and soft computing.
