2. Buffer
A place to store or hold something temporarily before using it
In computer programming, data can be placed in a software
buffer before it is processed.
A software buffer is just an area of physical memory (RAM)
with a specified capacity to store data allocated by the
programmer or program.
3. A process that gains control of or crashes another process by
overwriting the boundary of a fixed-length buffer is called a
Buffer Overflow
4. What is buffer overflow?
A buffer overflow is an anomaly where a computer program,
while writing data to a buffer, overruns its capacity or the
buffer's boundary and then bursts into the boundaries of other
buffers, corrupting or overwriting the legitimate data present there.
5. By entering data crafted to cause a buffer overflow, it is
possible to write into areas known to hold executable code
and replace it with malicious code.
This overwritten data can also alter the normal functioning
of the application by
• making it perform unauthorized activities
• causing memory access errors
• producing incorrect results
• causing crashes
This is commonly referred to as a buffer overflow attack.
6. Buffer overflow vulnerabilities and attacks
Certain programming languages such as C and C++ are vulnerable
to buffer overflow, since they contain no built-in bounds checking
or protections against accessing or overwriting data in their
memory.
More modern high-level languages such as Java, Python, and C#
have built-in features that help reduce the chances of buffer
overflow, but may not completely eliminate it.
7. Many cyber attacks exploit buffer overflow vulnerabilities to
compromise or take control of target applications or systems.
Attackers exploit buffer overflow issues by attempting to
overwrite the memory of an application in order to change the
execution path of the program, thereby triggering a response that
exposes private data.
If attackers know the memory layout of a program, they can
intentionally send new instructions to the application by injecting
extra code to gain unauthorized access to the application.
8. The two most common attack tactics are:
Stack overflow attack
Heap overflow attack
Exploitation
13. A stack-based buffer overflow occurs when a program writes more
data to a buffer located on the stack than what is actually allocated
for that buffer.
This almost always results in the corruption of adjacent data on the
stack. This is the most common type of buffer overflow attack.
Stack overflow attack
16. A technically inclined user may exploit stack-based buffer
overflows to manipulate the program to their advantage in one of
several ways:
• By overwriting a local variable that is located near the
vulnerable buffer on the stack, in order to change the behavior
of the program
• By overwriting the return address in a stack frame to point to
code selected by the attacker, usually called the shellcode.
Once the function returns, execution will resume at the
attacker's shellcode.
• By overwriting a function pointer or exception handler to point
to the shellcode, which is subsequently executed
• By overwriting a pointer of a different stack frame, which will
be used by the function which owns that frame later.
17. One technique that can be used to exploit such a buffer overflow
is called "trampolining".
In that technique, an attacker will find a pointer to the
vulnerable stack buffer, and compute the location of
their shellcode relative to that pointer. Then, they will use the
overwrite to jump to an instruction already in memory which will
make a second jump, this time relative to the pointer; that
second jump will branch execution into the shellcode. Suitable
instructions are often present in large code.
18. A heap-based buffer overflow is one where the buffer to be
overwritten is allocated a large portion of additional memory.
Exploitation is performed by corrupting stored data in ways that
cause the application to overwrite internal structures.
This type of attack targets data in the open memory pool known
as the heap.
Heap overflow attack
19. Microsoft's GDI+ vulnerability in handling JPEGs is an example of
the danger a heap overflow can present
A buffer overflow occurring in the heap data area is referred to as
a heap overflow and is exploitable in a manner different from that
of stack-based overflows.
Memory on the heap is dynamically allocated by the application at
run-time and typically contains program data.
Exploitation is performed by corrupting this data in specific ways
to cause the application to overwrite internal structures such as
linked list pointers.
Heap overflow attack
21. Notable examples of buffer overflow attacks
Morris Worm
SQL Slammer
Heartbleed
Adobe Flash Player
WhatsApp VoIP
22. One of the first internet-distributed computer worms.
It exploited a buffer overflow vulnerability in the Unix sendmail,
finger, and rsh/rexec programs,
infecting 10% of the internet within two days.
The Morris worm exploitation infected over 60,000 machines
between 1988 and 1990.
It has sometimes been referred to as the "Great Worm", or the
"Grand Daddy" of buffer overflows.
Morris Worm
23. A 2003 computer worm that exploited a buffer overflow bug in
Microsoft's SQL Server and Desktop Engine database products.
It generated random IP addresses and sent itself out to those
addresses.
If a selected address happens to belong to a host that is running an
unpatched copy of Microsoft SQL Server Resolution Service
listening on UDP port 1434, the host immediately becomes infected
and begins spraying the internet with more copies of the worm
program.
SQL Slammer caused a denial of service on some internet hosts,
ISPs, and ATMs and dramatically slowed general internet traffic. It
spread rapidly, infecting 90% of vulnerable hosts (about 75,000
victims) within 10 minutes, according to Silicon Defence.
SQL Slammer
24. A widely publicized security bug in OpenSSL that came to light in
2014.
The bug was a buffer over-read vulnerability in the OpenSSL
cryptography library used for the implementation of the Transport
Layer Security (TLS) protocol.
Experts estimated as much as two-thirds of https-enabled websites
worldwide—millions of sites—were affected. eWEEK estimated
$500 million in damages as a starting point.
Heartbleed
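As an added illustration of the over-read class Heartbleed belongs to (example code written for this page, not OpenSSL's code), the record layout, field names and sample bytes below are constructed: a parser that trusts a peer-supplied length field beside one that checks it against the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat-style record (layout and names are constructed,
 * not OpenSSL's): 1-byte type, 2-byte big-endian payload length, payload. */
typedef struct {
    const uint8_t *data;   /* start of the record */
    size_t length;         /* bytes actually received for this record */
} record_t;
#define CLAIMED_LEN(r) ((size_t)(((r)->data[1] << 8) | (r)->data[2]))

/* VULNERABLE pattern: trusts the peer-supplied length, so a short record
 * with a large length field echoes back memory beyond the record. Only
 * the reply buffer is bounded. Returns the number of bytes copied. */
size_t echo_payload_unchecked(const record_t *r, uint8_t *out, size_t out_size) {
    size_t n = CLAIMED_LEN(r);
    if (n > out_size) n = out_size;
    memcpy(out, r->data + 3, n);
    return n;
}

/* FIXED pattern: the claimed length must fit inside the bytes received. */
size_t echo_payload_checked(const record_t *r, uint8_t *out, size_t out_size) {
    if (r->length < 3) return 0;                      /* header incomplete */
    size_t n = CLAIMED_LEN(r);
    if (3 + n > r->length || n > out_size) return 0;  /* length lies: reject */
    memcpy(out, r->data + 3, n);
    return n;
}
/* Constructed memory: a 7-byte record (type 1, claimed length 11, actual
 * payload "ping") followed by unrelated bytes standing in for a secret. */
static const uint8_t demo_memory[] = {
    0x01, 0x00, 0x0B, 'p', 'i', 'n', 'g',
    's', 'e', 'c', 'r', 'e', 't', '-', 'k', 'e', 'y'
};
static const record_t demo_record = { demo_memory, 7 };
/* Runs the constructed record through one parser. Unchecked returns 11
 * (4 real payload bytes plus 7 of the neighbouring "secret-"); checked returns 0. */
size_t demo_bytes(int use_checked) {
    uint8_t out[32];
    return use_checked ? echo_payload_checked(&demo_record, out, sizeof out)
                       : echo_payload_unchecked(&demo_record, out, sizeof out);
}

int main(void) {
    printf("unchecked parser returned %zu bytes, checked parser %zu bytes\n",
           demo_bytes(0), demo_bytes(1));
    return 0;
}
```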
25. In 2016, a buffer overflow vulnerability was found in Adobe Flash
Player for Windows, macOS, Linux and Chrome OS.
The vulnerability was due to an error in Adobe Flash Player while
parsing a specially crafted SWF (Shockwave Flash) file.
Malicious entities could exploit these vulnerabilities
- to bypass security restrictions
- to execute arbitrary code
- to obtain sensitive information
by enticing users to open SWF files or Office documents with
embedded malicious Flash Player content distributed via email.
Adobe Flash Player
26. In May 2019, Facebook announced a vulnerability associated with
all of its WhatsApp products.
The vulnerability was a buffer overflow weakness in
WhatsApp's VoIP stack on smartphones. It allowed remote code
execution via a specially crafted series of SRTP (secure real-time
transport protocol) packets sent to a target phone number.
An exploit of the vulnerability was used to infect over 1,400
smartphones with malware by just calling the target phone via
Whatsapp voice, even if the call wasn’t picked up.
WhatsApp VoIP
27. In 2001, the Code Red worm exploited a buffer overflow in
Microsoft's Internet Information Services (IIS) 5.0.
In 2003, buffer overflows present in licensed Xbox games were
exploited to allow unlicensed software,
including homebrew games, to run on the console without the
need for hardware modifications (known as modchips).
The PS2 Independence Exploit also used a buffer overflow to
achieve the same for the PlayStation 2.
Some Other Buffer Overflow Attacks
28. How to detect buffer overflow
The main reason buffer overflow occurs is because software
developers fail to perform bounds checking. Programmers need to
pay special attention to sections of codes where buffers are used—
especially functions dealing with user-supplied input.
Vulnerability assessment and software testing methodologies can be
employed to detect buffer overflow errors in those functions and
other parts of the source code.
There are two main approaches available in software testing—
Static Testing
Dynamic Testing
29. Code reviews, proofreading, or inspections are referred to as
static testing.
However, manually combing through thousands of lines of source
code looking for potential buffer overflow errors can be a
herculean task. Besides, there is always the possibility of missing
critical errors by an oversight.
Static Application Testing Tools such as Checkmarx, Coverity, and
others automatically check for buffer overflow bugs by analyzing
the source code of a target program, without executing the
program.
Static testing
30. Executing code with a given set of test cases (manual or
automated) is referred to as dynamic testing.
Dynamic application testing tools such as Appknox, Veracode
Dynamic Analysis, or Netsparker automatically execute the target
program and check whether the program’s runtime behavior
satisfies some expected security characteristics.
These tools can be used for the detection of buffer overflow
vulnerabilities during and/or after development, and for the
enforcement of expected code quality (quality assurance).
Dynamic Testing
31. How to mitigate and prevent buffer overflow
There are several different approaches for mitigating and
preventing buffer overflows. They include -
• software developer training on secure coding
• enforcing secure coding practices
• use of safe buffer handling functions
• code review
• statically analyzing source code
• detecting buffer overflows at runtime
• and halting exploits via the operating system
32. The following secure practices for handling buffers are
necessary:
Bounds checking: Bounds checking in abstract data type libraries
can limit the occurrence of buffer overflows.
Where possible, avoid using standard library functions such
as gets(), strcpy(), strcat() that are susceptible to buffer overflows.
Executable space protection: Designate or mark memory regions as
non-executable to prevent the execution of machine code in these
areas.
Use modern operating systems: Most modern operating systems
have in-built runtime protection capabilities. These in-built runtime
protections help mitigate buffer overflow attacks.
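An added example, not from the original slides, showing the unchecked strcpy() pattern the slide warns against next to a bounds-checked replacement that refuses input which does not fit; NAME_LEN, the function names and the sample inputs are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed size of a fixed-length stack buffer */

/* VULNERABLE: strcpy() copies until it meets a NUL byte, so any input of
 * NAME_LEN or more characters writes past dst into whatever follows it
 * on the stack (other locals, saved frame pointer, return address). */
void copy_name_unsafe(char *dst, const char *src) {
    strcpy(dst, src);
}

/* The check the unsafe version omits: true when src plus its NUL
 * terminator would not fit in dst_size bytes. memchr() never scans more
 * than dst_size bytes of src, so the check itself cannot over-read. */
bool would_overflow(size_t dst_size, const char *src) {
    return memchr(src, '\0', dst_size) == NULL;
}

/* SAFE: refuses and leaves dst untouched when src does not fit, so the
 * caller can reject the input instead of corrupting the stack. */
bool copy_name_checked(char *dst, size_t dst_size, const char *src) {
    if (would_overflow(dst_size, src)) {
        return false;
    }
    memcpy(dst, src, strlen(src) + 1);   /* strlen(src) + 1 <= dst_size */
    return true;
}

int main(void) {
    char name[NAME_LEN];
    /* constructed inputs: one fits, one is twice the buffer size */
    const char *ok = "alice";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    copy_name_unsafe(name, ok);          /* safe only because "alice" fits */
    printf("unsafe copy of short input: %s\n", name);

    if (!copy_name_checked(name, sizeof name, too_long)) {
        printf("rejected %zu-byte input for %zu-byte buffer\n",
               strlen(too_long), sizeof name);
    }
    return 0;
}
```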