CS 241 Data Organization Buffer Overflows December 4, 2018
The Problem
Exploitation
• Use large strings (or other datatypes) to overflow a buffer
• Craft input to make the server do whatever you want
• Easy to crash a program
• Harder to “program the program”!
C call stack
Stack Frame
Smashing the Stack for Fun and Profit
• Idea: Overflow a buffer to overwrite the return address
• When the function is done, it’ll jump to that address.
• Put some code in a buffer and set the return address to point to it.
Issues
• How do we know what value the pointer should have?
• How do we build a “small program” and stuff it into a buffer?
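The pattern the slides are describing is an unbounded strcpy into a fixed-size stack buffer. The following is an added example, not code from the lecture: greet_unsafe shows the vulnerable shape (the buffer size, function names and the greeting are my own choices), and copy_bounded / greet_safe show the hardened form, which copies at most sizeof(buffer) - 1 bytes and tells the caller when input was rejected instead of silently truncating it.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* Vulnerable shape: strcpy has no idea how big 'name' is. Input longer
 * than NAME_LEN - 1 bytes writes past the array into whatever the
 * compiler placed after it in this stack frame. This is undefined
 * behaviour and is shown only for contrast; main() never calls it with
 * oversized input. */
void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);               /* no length check at all */
    printf("Hello, %s\n", name);
}

/* Bounded copy: scan src for at most dst_size bytes, and only copy if
 * the string plus its terminator fits. Returns 0 on success, -1 when the
 * input did not fit; dst is a valid NUL-terminated string either way. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return -1;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0') n++;   /* bounded strlen */
    if (n >= dst_size) {
        dst[0] = '\0';                  /* reject: leave dst empty */
        return -1;
    }
    memcpy(dst, src, n + 1);            /* n bytes plus the terminator */
    return 0;
}

/* Hardened greeter: same buffer size, but the copy cannot write outside
 * it. Returns 0 if the name was accepted, -1 if it was rejected. */
int greet_safe(const char *input) {
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, input) != 0) {
        fprintf(stderr, "name too long (max %d bytes)\n", NAME_LEN - 1);
        return -1;
    }
    printf("Hello, %s\n", name);
    return 0;
}

int main(void) {
    greet_safe("Alice");                                    /* accepted */
    greet_safe("this name is much longer than sixteen");   /* rejected */
    return 0;
}
```

Rejecting over-long input (rather than truncating with strncpy) keeps the program's view of the data identical to what the user sent. Modern compilers add a further layer: building with -fstack-protector places a canary between local buffers and the saved return address, so an overflow like the one in greet_unsafe aborts the program instead of silently redirecting control flow.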
Demo
NOP slide
• Most CPUs have a No-Operation instruction: it does nothing but advance the instruction pointer.
• Usually we can put a bunch of these ahead of our program (in the string).
• As long as the new return address points to a NOP, we are OK.
Other C security issues
• Buffer overflow is just the most common programming problem exploited.
• Integer arithmetic can also be a problem!
• foo = malloc(num * sizeof(struct blah));
• What if num is 2^32 − 1? What if num is −1?
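To make the two questions on this slide concrete, here is an added example (not from the lecture) that computes what the naive malloc(num * sizeof(struct blah)) expression actually asks for, and a checked replacement. struct blah is a constructed placeholder type, and checked_mul_size / alloc_array are hypothetical names chosen for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>

struct blah { int a; int b; };   /* constructed placeholder element type */

/* The naive size computation from the slide, with num declared as a
 * signed int. The int is converted to size_t before the multiply, so
 * num == -1 becomes SIZE_MAX, and the product wraps modulo 2^N. The
 * returned value is the (wrong) byte count malloc would receive. */
size_t naive_size(int num) {
    return (size_t)num * sizeof(struct blah);
}

/* Same computation in 32-bit arithmetic, so the 2^32 - 1 case behaves
 * the same on any host: (2^32 - 1) * 8 needs 35 bits but only 32 are
 * kept, so the request is far smaller than the elements need. */
uint32_t naive_size32(uint32_t num, uint32_t elem_size) {
    return num * elem_size;
}

/* Overflow-checked multiply: returns 1 and stores count * elem_size in
 * *out when it fits in size_t, 0 when it would wrap. */
int checked_mul_size(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) return 0;
    *out = count * elem_size;
    return 1;
}

/* Safe array allocation from a signed count: reject negative counts,
 * reject products that wrap, and check malloc's return value (the
 * "check return value on library calls" rule). NULL means failure. */
void *alloc_array(int num, size_t elem_size) {
    size_t bytes;
    if (num < 0) return NULL;
    if (!checked_mul_size((size_t)num, elem_size, &bytes)) return NULL;
    return malloc(bytes);   /* NULL on allocation failure is passed up */
}

int main(void) {
    printf("naive_size(-1)        = %zu bytes\n", naive_size(-1));
    printf("naive_size32(2^32-1)  = %u bytes\n", naive_size32(0xFFFFFFFFu, 8));
    struct blah *p = alloc_array(4, sizeof *p);
    printf("alloc_array(4)        = %s\n", p ? "ok" : "NULL");
    free(p);
    printf("alloc_array(-1)       = %s\n",
           alloc_array(-1, sizeof(struct blah)) ? "ok" : "NULL");
    return 0;
}
```

The division test count > SIZE_MAX / elem_size is the portable way to detect the wrap before it happens; calloc(num, size) performs the same check inside the library on modern implementations, which is why it is preferred over malloc(num * size) for arrays. Note that a wrapped size does not always look absurd: it can be a small, plausible number, and the program then writes num elements into a buffer sized for far fewer.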
Summary
• C is hard.
• Don’t use strcpy on user input.
• Check return values on library calls.
Recommend
More recommend