Embed Size (px)
Citation preview
Chapter 6
Buffer Overflow
Buffer Overflow
• Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory
• It was one of the first exploited security issues (Morris 1988)
• Many buffer overflow problems are related to string manipulations
• In the year 2000, 50% of CERT warnings were related to buffer overflow.
• Any language like C and C++ that does not enforce memory safety and type safety is a potential risk to buffer overflow.
Example
void trouble () {
int a = 32;
char line[128];
gets(line);
}
Buffer Over Attack
line areturnaddress
line areturnaddress
line areturnaddress
Buffer Allocation Strategies
• Static– Use a fixed size allocation. Alter the program behavior
if the data does not fit or truncate the data. – Buffer overflow mistakes can be checked by
automated tools or humans.
• Dynaminc– Resize the buffer as needed– More difficult to check for code problems.
• Mixing static and dynamic allocation can cause problems.
Static Allocation Example
#define BUFSIZE 1024#define SUCCESS 0int main(int argc, char **argv) {
char str[BUFSIZE];int len;len = snprintf(str, BUFSIZE, “%S(%d)”, argv[0], argc);printf(“%s\n”, str);if (len >= BUFSIZE) {
printf(“length truncated (from %d)\n”, len);}return SUCCESS;
}
Dynamic Allocation Example#define BUFSIZE 1024#define SUCCESS 0int main(int argc, char **argv) {
char *str;int len;if ((str = (char *)malloc(BUFSIZE)) == NULL) {
return -1;}len = snprintf(str, BUFSIZE, “%S(%d)”, argv[0], argc);if (len >= BUFSIZE) {
free(str);if ((str = (char *)malloc(len + 1)) == NULL) {
return -1;} snprintf(str, len+1, “%S(%d)”, argv[0], argc);
}printf(“%s\n”, str);free(str);str = NULL;return SUCCESS;
}
Dynamic Allocation
• Issues– More difficult to manage.– Can introduce memory leaks– Use-after-free– Double free
• Solutions– Enforce Null-After-Free– Tracking buffer sizes
Tracking Buffer Sizes
• C and C++ do not track buffer sizes– Programmers have to do it on their own
• Some languages track buffer sizes.
• Errors in tracking buffer sizes could lead to buffer overflow conditions
Unsafe String functions
• gets()
• scanf()
• strcpy()
• sprintf()
gets() and friends
• gets() reads input stream into a buffer until a new line is found.
• Very dangerous function and it should be avoided.
• To use gets() you must be 100% sure you trust the input.
• C++ >> operator repeated the same mistake as gets().
scanf() and friends
• %s specifier in the format string can cause a buffer overflow condition.
• scanf() can be used safely if the format specifier properly bounds the amount of data to be read.
strcpy() and friends
• strcpy() copies one buffer to another until a null character is found.
• If source buffer is larger than destination or source is not null terminated buffer overflow condition may occur.
sprintf() and friends
• To avoid buffer overflow the destination buffer must be large enough to accommodate the combination of all source arguments.
• %s can be a variable string length and can cause buffer overflow.
• Bounded format string can make sprintf() safer to use.
Risk of reimplementation
• Programmers should be careful not to duplicate the same mistakes made in the dangerous standard C functions.
• Implementation of similar functions can be harder to detect.
Example of reimplementaion
void get_word(char *word) {
int c;while (isspace(c = getchar())) {}while (c = getchar()) {
if (c == -1) { break; }if (isspace(c)) { *word = ‘\0’; break; }*word = c;word++;
}
}
strncpy() and strncat() pitfalls
• The size incorrectly specified– char s1[S1_SIZE], s2[S2_SIZE]– strncpy (s1, s2, S2_SIZE)– strncat (s1, s2, S1_SIZE)
• strncpy does not always null terminate the destination.
• strncat destination and source must be terminated.
Truncation Errors
• A truncation after copying a buffer can cause unpredictable problems.
• Some examples– Check access control on a file then copy the
file to another smaller buffer. The new buffer points to another file.
– Check the validity of a host name then copy to a smaller buffer. New buffer now contains a new hostname.
Maintaining null terminator
• Many libc functions rely on the null char at the end of a string. – Examples: strlen, strcpy, strncpy, strncat
• Some functions that are designed to operate on memory blocks may not null terminate a string– Examples: fread(), recvmsg(), strncpy()
• Programmers must ensure strings are null terminated to avoid runtime errors and buffer overflows.
• Catching errors due to failure of null terminating a string is very difficult and may not be possible until the program is running in production.
• One way to ensure strings are terminated is to explicitly add a null char at the end of a buffer.
Character Sets
• Today several character sets exist and are used for input and output.
• ISO-8859-1, UTF-8, UTF-16 and UTF-32 are some of the most commonly used.
• ISO-8859-1 and UTF-32 are fixed-width encoding.
• UTF-16 and UTF-8 are variable-width encoding.• New type wchar_t was introduced to handle
other character sets.
Characters and buffer overflow
• Mismatch between the string length and the number of bytes in the buffer can cause buffer overflow issues.
• Operation that expects bounds in bytes is passed bound in characters or vice-versa
• Functions that convert from one encoding to another magnify the problem.
Format Strings
• When a variable string is passed as a format string to a function that can cause a format string vulnerability.
while (fgets(buf, sizeof buf, f)) {lreply(200, buf)...
}void lreply(int n, char *fmt, ... ) {
char buf[BUFSIZ];...vsnprintf(buf, sizeof buf, fmt, ap);...
}
Format Strings
• Most format string vulnerabilities are caused by misuse of functions that require a format string– Example: printf(str) instead of printf (“%s”, str)
• Read data from the stack by passing formatting characters
• Use %n directive to write arbitrary positions in memory.
Preventing Format String exploits
• Always pass a static format string
• If static string is too restrictive choose from a list of format strings
• If a format string must be read from input perform input validation.
Better String Classes and Libraries
• std::string class in STL
• Microsoft CString in ATL/MFC
• Vstr library– Designed to work with readv() and writev()
• SafeStr library
