SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
INSIDE THE BUFFER OVERFLOW ATTACK:
MECHANISM, METHOD, & PREVENTION
Mark E. Donaldson
April 3, 2002
GSEC Version 1.3
ABSTRACT
The objective of this study is to take one inside the buffer overflow attack and bridge the gap between the “descriptive account” and the “technically intensive account”. The intent is to provide a logical, detailed, and technical explanation of the problem and the exploit that can be well understood by all, including those with little background in the mechanics and methodology of applications programming.
We will begin by looking at the “problem” and the problem “mechanism”, and then investigate the “means” and the “method”. Based on what we find, we will conclude with recommendations, and a menu for “prevention”. Hopefully this approach may also help bridge the gap between “knowledge” and “understanding”. Although it may never be possible to purge the world of this security concern, it is certainly within the realm of possibility that the buffer overflow attack be reduced to a level of insignificance through true understanding. Robert Louis Stevenson once wrote: “Look at yourself. Could you be a doctor, a healing man, with the things those eyes have seen? There’s a lot of knowledge in those eyes, but no understanding.1” The technology community must move from fighting buffer overrun attacks defensively to fighting them offensively. To do this, they must transform their knowledge into understanding.
THE PROBLEM
Problematic buffer overruns2 related to the C programming language data integrity model were first recognized as early as 1973. The first well known exploit of this vulnerability occurred in 1988 when the well documented and infamous Internet Worm shut down over 6,000 systems in just a few short hours, utilizing an unchecked buffer initialized by the gets() function call in the fingerd daemon process. Despite this lengthy history and simple preventative methods, the buffer overflow continues to be a significant and prominent computer security concern even today. For example, buffer overflow problems are implicated in five of the SANS “Top 20” vulnerabilities.3 If one ventured to the SuSE Linux Web Site, they would find 22 buffer overflow vulnerabilities since January 2001 that require patching (see Table I). Additionally, of the 44 CERT advisories published between 1997 and 1999, 24 were related to buffer overrun issues.
1 Robert Louis Stevenson from “The Body Snatcher” published in 1881.
2 Buffer overflows have assumed several different names over the years. These include buffer overrun, stack overrun, and stack overflow. In practice, all these terms share the same definition and can be used synonymously and interchangeably. Additionally, the stack buffer overflow exploit is often referred to as “stack smashing” in modern day parlance.
2/6/2003 Page 1 of 24
© SANS Institute 2002, As part of the Information Security Reading Room. Author retains full rights.
TABLE I
BUFFER OVERFLOW VULNERABILITIES SUSE LINUX
Date        Vulnerability
12.03.2002  buffer overflow in zlib library
04.03.2002  buffer overflow in squid
28.02.2002  revised: buffer overflow in cupsd
28.02.2002  buffer overflows in mod_php4 and mod_php
25.02.2002  buffer overflow in cupsd
25.01.2002  buffer overflow in rsync
16.01.2002  buffer overflow corruption in /usr/bin/at
07.01.2002  buffer overflow in mutt
24.12.2001  buffer overflow in glibc globbing functions
03.12.2001  buffer overflow problems in openssh
28.11.2001  buffer overflows in wuftpd
10.10.2001  overflow in lpd/lprold
20.09.2001  buffer overflow in WindowMaker
03.09.2001  daemon buffer overflow (nkitb)
23.08.2001  signedness buffer overflow in sendmail
17.08.2001  fetchmail buffer overflow
24.07.2001  (xli) buffer overflow, local+remote
18.04.2001  exploitable buffer overflow in sudo
09.04.2001  xntpd remotely exploitable buffer overflow
27.03.2001  buffer overflow in eperl
22.03.2001  one-byte-buffer overflow in bsd-ftpd and in timed
31.01.2001  buffer overflow in bind8 (new problem; January 2001)
Resident and lingering buffer overruns left in program code are often attributed to “lazy”, “sloppy”, or “uncaring” programmers, or to modern compilers that fail to perform integrity or bounds checking on their source input or machine output instructions. However, these views may be a bit too simplistic. The root of the problem may run deeper than that. For instance, despite their prevalence today, the buffer overflow vulnerability and attack remain only loosely and informally documented in the literature. From this one might conclude the problem is generally not well understood. This may explain why overrun vulnerabilities continue to appear in new software applications.
Some clarification is necessary here. Indeed, the buffer overflow and exploit problem are well known. Unfortunately, “well known” and “well understood” are often two entirely different views of the same thing. For instance, nearly every book, article, or white paper worth its salt that focuses on computer security mentions the buffer overflow vulnerability and their enabling factors. They normally even cite preventions or defenses against them. However, they typically avoid discussing or describing the intricate details or complex mechanisms of their cause and their manipulative use in terms that can easily be understood by the novice or inexperienced programmer, system administrator, or computer security practitioner or principal.
3 These include W2-ISAPI Extension Buffer Overflows, U1-Buffer Overflows in RPC Services, U3-Bind Weaknesses, U5-LPD (remote print protocol daemon), and U6–sadmind and mountd.
Certainly, several detailed accounts of the buffer overflow exploit have been written. These were cited by Nicole LaRock Decker in her GSEC paper “Buffer Overflows: Why, How and Prevention”. However, these accounts were written by exceptionally brilliant, and perhaps devious, programmers that chose to jump straight into the details of the low level machine and assembler code necessary to effect the overrun exploit. A typical reader of these accounts usually becomes overwhelmed by the third paragraph, and lays the document to rest.
THE MECHANISM
Buffer overflow vulnerabilities are often attributed to the combined effects of the permissions security features of the UNIX operating system and defects in the C programming language. Such was the premise assumed by Nathan Smith in his 1997 study “Stack Smashing Vulnerabilities In The UNIX Operating System.” However, the vulnerability is not just limited to C or UNIX. Indeed, both DilDog and David Litchfield demonstrated the exploit could be used effectively against the Windows NT kernel in their respective papers “The Tao Of Windows Buffer Overflow” and “Exploiting Windows NT4 Buffer Overruns.” The paper “Windows NT Buffer Overflow’s Start to Finish” shows the problem present and able within the MFC4 as well. Hence, this paper views the buffer overflow as a language and an operating system independent problem.
Microsoft Corporation defines the buffer overflow attack as follows:
A buffer overflow attack is an attack in which a malicious user exploits an unchecked buffer in a program and overwrites the program code with their own data. If the program code is overwritten with new executable code, the effect is to change the program's operation as dictated by the attacker. If overwritten with other data, the likely effect is to cause the program to crash.
Since Microsoft has produced their fair share of buffer overflow vulnerabilities over the years, they should be well versed on the problem and we should not doubt the validity of this description. Thus, we will use this as our official working definition. But what exactly does this mean? And, how do we get there?
4 MFC is the acronym for Microsoft Foundation Class, Microsoft’s C++ OOP library.
To answer these questions adequately, we must begin by looking at the high level language code and the resultant machine code at the most basic level of the “hardware chain”, and investigate how the 80386 processor architecture manages and utilizes memory.5
The Buffer Overflow
A buffer overflow is very much like pouring ten ounces of water in a glass designed to hold eight ounces. Obviously, when this happens, the water overflows the rim of the glass, spilling out somewhere and creating a mess.
Here, the glass represents t
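The glass analogy above and the Worm's unchecked gets() buffer in fingerd, rendered as a small C model (an added example, not the paper's own code): an unchecked copy beside a bounded one, poured into a hypothetical 8-byte buffer whose 8-byte neighbour is where the spill lands.

```c
#include <string.h>

/* Hypothetical memory layout: an 8-byte "glass" (the buffer) with an 8-byte
 * neighbour the program relies on sitting right after it. One array keeps
 * the model well defined while still showing where spilled bytes land. */
#define GLASS_SIZE 8
#define NEIGHBOUR_SIZE 8
#define REGION_SIZE (GLASS_SIZE + NEIGHBOUR_SIZE)

/* Unchecked copy, the gets()-style pattern behind the 1988 fingerd overrun:
 * it copies until the input ends, never asking how big the glass is. The
 * stop at the region edge only keeps this model well defined; real gets()
 * has no such stop. Returns how many bytes spilled past the glass. */
static size_t pour_unchecked(char *region, const char *input) {
    size_t i = 0;
    for (; input[i] != '\0' && i + 1 < REGION_SIZE; i++)
        region[i] = input[i];
    region[i] = '\0';
    return (i + 1 > GLASS_SIZE) ? (i + 1 - GLASS_SIZE) : 0;
}

/* Bounded copy: at most GLASS_SIZE bytes, terminator included, so the
 * neighbour is unreachable. Returns how many input bytes were dropped. */
static size_t pour_checked(char *region, const char *input) {
    size_t len = strlen(input);
    size_t keep = len < GLASS_SIZE - 1 ? len : GLASS_SIZE - 1;
    memcpy(region, input, keep);
    region[keep] = '\0';
    return len - keep;
}

typedef size_t (*pour_fn)(char *, const char *);

/* Lay out the glass and its neighbour, pour the input with the given
 * routine, and report whether the neighbour survived (1) or not (0). */
static int neighbour_survives(pour_fn pour, const char *input) {
    char region[REGION_SIZE];
    memset(region, 0, GLASS_SIZE);
    memcpy(region + GLASS_SIZE, "SENTINEL", NEIGHBOUR_SIZE);
    pour(region, input);
    return memcmp(region + GLASS_SIZE, "SENTINEL", NEIGHBOUR_SIZE) == 0;
}

/* Bytes that an unchecked pour of this input pushes past the glass. */
static size_t spill_of(const char *input) {
    char region[REGION_SIZE];
    return pour_unchecked(region, input);
}
```

An eight-character input already spills its terminator, which is the one-byte overflow of the kind Table I lists for bsd-ftpd.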