This document discusses stack-based buffer overflows, including: - How they occur when a program writes outside a fixed-length buffer, potentially corrupting data or code. - Their history and use in attacks like the 2001 Code Red worm. - Technical details like how the stack and registers work. - Career opportunities in security analysis and development to prevent and respond to such vulnerabilities. - The ethical responsibilities of developers to write secure code and disclose vulnerabilities responsibly.

1. Stack-Based Buffer
Overflows
Joni Hall and Daniel Tumser

2. Overview
=>

3. Table of Contents
● Introduction
● Related Works
● Technical Aspects
● Careers and Jobs
● Social Impact
● Ethical Impact
● Conclusion
● References

4. Introduction
● occurs when a program writes to a memory address outside of (usually) a
fixed-length buffer
● results in data corruption, the stopping of a program, or the program to
operate incorrectly
● deliberately overflowing a buffer is an attack known as stack smashing
● can be exploited to inject executable code into the running program and
take control of the process
o gain unauthorized access to a computer

5. Related Works
● 1962 - Burroughs B5000 designed first implementation of memory segmentation
● 1978 - x86 Instruction Set Architecture memory segmentation introduced on Intel 8086
● 1996 - “Smashing the Stack for Fun and Profit” by Elias Levy published in Phrack issue 49
● 2001 - Code Red Worm exploits buffer overflow in Microsoft’s Internet Information Services
● 2003 - SQL Slammer Worm compromises machines running Microsoft SQL Server 2000
● 2003 - Buffer overflows in Xbox games allow unlicensed software to run on console
o followed by PS2
o followed by Nintendo Wii (this one specifically a Stack-Based Buffer Overflow)

6. Technical Aspects
● A logical stack
● Variable size memory
segment containing
function variables,
parameters, and
context
● Grows from higher
memory addresses to
lower addresses
● Divided into Stack
Frames via pointers
stored in CPU
registers
The Stack & Stack Frames

7. Technical Aspects
● Instruction Pointer (32-bit EIP or 64-bit RIP)
o Holds address of the next instruction to be executed
o Next address after a function call is pushed onto the stack
as the Return Address to continue execution when the
function completes/returns.
o Overwriting this is the danger of a stack buffer
overflow
● Stack Frame pointers
o EBP points to the address at the base of the stack frame
just above the return address
o ESP points to the top memory address of the stack frame
● There are more registers but not necessarily relevant in this
case
x86 Registers
eg.
EIP: 004013C2
EBP: 0028FEB8
ESP: 0028FE80

8. Technical Aspects
● A buffer is a block of memory for storing some
data
● A buffer on Youtube stores a portion of the video
that can be watched, and loads more as you go,
as well as makes sure enough has loaded to
compensate for some lost packets
(ex. “buffering”)
● In this case it’s a block of memory (character
arrays) for storing user input
● Buffers declared with Malloc(), Calloc(),
Realloc() will be stored in the Heap.
● The buffers created in this example go in the
Stack.
What’s a buffer?

9. Technical Aspects
With input strings of the proper length the
program executes as normal and returns without
error.
With a 2nd string input of length 22(+1 for string
terminator) it is overflowed and overwrites what is
immediately below that buffer in the stack. In this
case it overflows the 1st string input.
Function context (base pointer, return address)
isn’t overwritten, so program returns without an
exception thrown.
Examples’ Output

10. Technical Aspects
● OllyDbg with Vuln2.exe
loaded and execution
paused
● Window divided into 4
panes
o Top-left is the Code
memory segment
o Top-Right are CPU
registers
o Bottom-Reft is the
Data segment
o Bottom-Right is the
Stack
OllyDbg of Example

11. Technical Aspects
Stack Frame (no overflow)

12. Technical Aspects
Stack Frame (with overflow)

13. Technical Aspects
ContrastNo Overflow Overflowed

14. Technical Aspects
Same exact buffer overflow as in previous examples
but with user input instead of hardcoded strcpy()
Stack pane shows 10 bytes between end of our
overflowed buffer to the beginning of Return Address.
Return Addr is a pointer, x86 is 32-bit, so it’s a 4 byte
address. The 4 characters (8 hex digits) after the 10th
additional character will become the new return addr.
When function returns Return Addr is loaded into the
Instruction pointer
Overwriting Return Addr

15. Technical Aspects
EIP successfully overwritten with user input, in this case
four A characters, or hex-41.
User can now control program execution flow with the
Instruction pointer and execute code with this process’s
privileges.
Overwriting Return Addr

16. Career Impact & Job Outlook
Information Security Analyst
● 2012 - 2022 job growth
o +37%
o more than 2x the total of all occupations
● Median Salary
o $86, 170
o 2.4x total of all occupations
Vulnerability Analyst

17. Career Impact & Job Outlook
● Skills
o security risk management
o security intrusion detection
o IT security infrastructure
o security testing and auditing
o x86/x86_64 & Fuzzing*
● Minimum Qualifications
o Bachelor’s in CS,
Engineering or
Programming
o CompTIA Security+
Vulnerability Analyst

18. Career Impact & Job Outlook
Software Developer
● Job Growth 2012-2022
o +22%
o +222,600 jobs
● Median Salary
o $93,350
o x2.69 national median
Software Engineer

19. Career Impact & Job Outlook
Software Engineer
● Skills
○ Python
○ C
○ C++
○ UNIX
○ Linux
● Minimum Requirements
○ Bachelor’s Degree in
Computer Science or
Software Engineering
○ Programming experience

20. Social Impact
● Too esoteric for widespread social
impact
● Should affect coding practices of
CS and IT professionals
Write secure code.
Make your coworkers write secure code
Bounds check all the buffers

21. Ethical Impact
Code you produce is the responsibility of yourself
and the organization you produce it for.
Both have an ethical obligation to customers to
provide secure code.
To write secure code you need to understand the
vulnerability and how it’s exploited
Patch vulnerabilities that are discovered in
development or in the wild.
Vulnerability discovery and proofs of concept are
not illegal, and obtaining a Common
Vulnerabilities and Exposures (CVE) number for
your work looks great on a resume.
Vulnerability disclosure often negotiated and
timed with the software vendor for patching.
Exploiting vulnerabilities for unauthorized access
of computer systems still very illegal. Don’t do it
unless you’re cool with the risk of fines and prison
time.
Coding Vulnerability Analysis

22. Conclusion
● Overflowing a buffer may result in a program crash, program errors, or
data corruption
● CS and IT professionals should write more secure code to prevent it from
happening
● Exploiting a buffer overflow is one of the oldest ways to gain unauthorized
access to a computer
● Don’t do it unless you are okay with fines and prison time!

23. References
1. Erickson, Jon. Hacking: the Art of Exploitation. 2nd ed. San Francisco, Calif.: No Starch, 2008.
Print.
2. Koziol, Jack. The Shellcoder's Handbook: Discovering and Exploiting Security Holes.
Indianapolis, IN: Wiley Pub., 2004. Print.
3. Levy, Elias. "Smashing the Stack for Fun and Profit." Phrack 49 (1996). Phrack. Web. 1 July
2015. <http://phrack.org/issues/49/14.html#article>.
4. "Information Security Analyst Salary (United States)." Information Security Analyst Salary
(United States). Web. 5 July 2015.
<http://www.payscale.com/research/US/Job=Information_Security_Analyst/Salary>.
5. "Software Engineer Salary (United States)." Software Engineer Salary (United States). Web. 5
July 2015. <http://www.payscale.com/research/US/Job=Software_Engineer/Salary>.
6. Staff Contributor. "Sourcefire VRT Unveils Research on 25 Years of Vulnerabilities: 1988-2012 |
| Sourcefire Blog." Sourcefire, 5 Mar. 2013. Web. 5 July 2015.
<http://blog.sourcefire.com/Post/2013/03/05/1362499920-sourcefire-vrt-unveils-research-on--
years-of-vulnerabilities-/>.

24. Stack-Based Buffer
Overflows
Joni Hall and Daniel Tumser