Buffer Overflow


What is Buffer Overflow

Author: Jesper Jurcenoks

Published on: 2024-06-05

Buffer overflow Explained

  1. C/C++ use null-terminated strings (ending in '\0'), whereas most other languages store the string length in a separate variable.
  2. The C/C++ function used to copy text from one string to another, strcpy, simply keeps copying until it finds a '\0'...
  3. It even keeps going past the end of the destination buffer...
  4. And on into a vital area of the program's memory where the return address is stored...
  5. When the computer then tries to use the overwritten return address, the program will either (a) crash (DoS) or (b) start executing the code placed there by the attacker via the oversized source string (remote code execution).
  6. If the exploited program runs with admin privileges then it is GAME OVER and the victim computer has been completely "pwned" (pronounced "owned").
  7. A run of no-operation instructions (a NOP sled) can be used to catch program execution when the start position is not precisely known and lead it to the attack code.


Detecting Buffer Overflow

  1. Law enforcement informs you that your machine was used as an attack bot - Ouch (in 2013, 70% of data breaches were discovered by external parties).
  2. Manual code review - Yuk! Mind-numbing and takes forever; due to the human element it is not very reliable for large amounts of code. Use this once you have located the vulnerability by other means. Only works where you have the source code.
  3. Fuzzing / fuzz testing - Input designed to break your application. Protocol-specific testers are easier to set up and use than more general tools. This works for programs where you don't have the source code.
  4. Automated code review - Effective if you have access to the source code. A number of free tools are available. Also called Static Application Security Testing (SAST).
  5. Binary code analysis - Static or dynamic analysis of compiled applications for security flaws; very few players in this space.
  6. Vulnerability Assessment (VA) - The fastest and easiest way to find third-party applications with known buffer overflows. Coolest: easy online solutions requiring no installation or training.
  7. Penetration testing - Like vulnerability assessment but more intrusive: it tries to exploit the buffer overflow to prove it is there (fewer false positives).


Buffer Overflow Prevention

  1. C/C++ are the primary languages that lack bounds checking - use almost any other language.
  2. In C/C++ avoid functions such as strcpy(), strcat(), sprintf(), vsprintf() and gets(), as they lack bounds checking and operate on null-terminated strings.
  3. Use safe libraries: replace your string handling with vetted safe libraries.
  4. Disallow execution of instructions from the buffer. Can be bypassed in some circumstances.
  5. Use stack cookies to ensure that the contents of the stack remain unchanged, such as Stack Frame Canary Validation (SFCV).
  6. Use a compiler with integrated security checks and buffer overflow detection to help avoid unsafe coding practices.
  7. Address Space Layout Randomization (ASLR) can help decrease the probability that a buffer overflow can be exploited by changing addresses dynamically upon reboot. Can be bypassed in some circumstances.
  8. Use a Secure Development Life-cycle (SDLC) including code analysis tools.
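The strcpy behaviour described under "Buffer overflow Explained" and the advice in prevention item 2 are illustrated below with an added example (not code from the article): an unbounded strcpy into a fixed buffer next to a bounded copy that rejects input that does not fit. The buffer size, function names and the sample strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* constructed: room for 15 characters plus '\0' */

/* The unsafe pattern: strcpy copies until it finds '\0' and never looks at
 * the size of dst. With a source longer than NAME_LEN - 1 it keeps writing
 * past the end of buf, over the rest of the stack frame and the saved return
 * address. Shown for contrast only; never pass it untrusted input. */
void unsafe_greet(const char *name) {
    char buf[NAME_LEN];
    strcpy(buf, name);                  /* no bound on how much is written */
    printf("hello, %s\n", buf);
}

/* Bounded copy: scans src no further than dst_size bytes and refuses input
 * that does not fit including the terminator. Returns the number of
 * characters copied, or -1 if src is too long. Rejecting instead of
 * silently truncating keeps length errors visible to the caller. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = 0;
    if (dst_size == 0) return -1;
    while (n < dst_size && src[n] != '\0') n++;   /* never reads past dst_size */
    if (n == dst_size) {                           /* no room left for '\0' */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                       /* copies the '\0' as well */
    return (int)n;
}

/* Same behaviour as unsafe_greet, with the bounds check applied.
 * Returns 1 if the name was accepted and printed, 0 if it was rejected. */
int safe_greet(const char *name) {
    char buf[NAME_LEN];
    int n = bounded_copy(buf, sizeof buf, name);
    if (n < 0) {
        fprintf(stderr, "rejected: name longer than %d bytes\n", NAME_LEN - 1);
        return 0;
    }
    printf("hello, %s\n", buf);
    return 1;
}

int main(void) {
    unsafe_greet("Ada Lovelace");      /* fits, so no overflow this time */
    safe_greet("Ada Lovelace");        /* accepted */
    safe_greet("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");  /* 40 chars: rejected */
    return 0;
}
```

The same 40-character string passed to unsafe_greet would overwrite whatever lies beyond buf, which is exactly the overflow the article describes; the bounded version turns that into a visible, logged rejection.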