Content deleted Content added
m learning Tags: Mobile edit Mobile app edit iOS app edit App section source |
|||
Line 1:
{{short description|Anomaly in computer security and programming}}
[[File:Buffer overflow basicexample.svg|thumb|Visualization of a software buffer overflow. Data is written into A, but is too large to fit within A, so it ''overflows'' into B.]]
In [[computer programming|programming]] and [[information security]], a '''buffer overflow''' or '''buffer overrun''' is an [[anomaly in software|anomaly]] whereby a [[computer program|program]] writes [[Data (computing)|data]] to a [[Data buffer|buffer]] beyond the buffer's [[Memory allocation|allocated memory]], overwriting adjacent [[Main memory|memory]] locations.
Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs; if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, then an anomalous transaction that produces more data could cause it to write past the end of the buffer. If this overwrites adjacent data or executable code, this may result in erratic program behavior, including [[Memory fault|memory access errors]], incorrect results, and [[crash (computing)|crashes]].
Exploiting the behavior of a buffer overflow is a well-known [[security exploit]]. On many systems, the memory layout of a program, or the system as a whole, is well defined. By sending in data designed to cause a buffer overflow, it is possible to write into areas known to hold [[execution (computing)|executable code]] and replace it with [[malicious code]], or to selectively overwrite data pertaining to the program's state, therefore causing behavior that was not intended by the original programmer. Buffers are widespread in [[operating system]] (OS) code, so it is possible to make attacks that perform [[privilege escalation]] and gain unlimited access to the computer's resources. The famed [[Morris worm]] in 1988 used this as one of its attack techniques.
[[Programming language]]s commonly associated with buffer overflows include [[C (programming language)|C]] and [[C++]], which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an [[Array data structure|array]] (the built-in buffer type) is within the boundaries of that array. [[Bounds checking]] can prevent buffer overflows, but requires additional code and processing time. Modern operating systems use a variety of techniques to combat malicious buffer overflows, notably by [[Address space layout randomization|randomizing the layout of memory]], or deliberately leaving space between buffers and looking for actions that write into those areas ("[[Buffer overflow protection#Canaries|canaries]]").
==Technical description==
A buffer overflow occurs when [[data]] written to a buffer also corrupts data values in [[memory address]]es adjacent to the destination buffer due to insufficient [[bounds checking]].{{Ref RFC|4949|notes=no|rp=41}} This can occur when copying data from one buffer to another without first checking that the data fits within the destination buffer.
===Example===
{{further|topic=stack-based overflows|Stack buffer overflow}}
In the following example expressed in [[C (programming language)|C]], a program has two variables which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte [[big-endian]] integer, B.
<syntaxhighlight lang="c">
char A[8] = "";
unsigned short B = 1979;
</syntaxhighlight>
Initially, A contains nothing but zero bytes, and B contains the number 1979.
{| class="wikitable" style="width:32em; text-align:center;"
! style="white-space:nowrap;" | variable name
! colspan=8 style="background:#ddf;" | A
! colspan=2 style="background:#fdd;" | B
|- style="background:#ddf;"
! value
| colspan=8 | [<nowiki/>[[null string]]<nowiki/>]
| colspan=2 style="background:#fdd;" | 1979
|- style="background:#ddf;"
! hex value
| <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd> || <kbd>00</kbd>
| style="background:#fdd;" | <kbd>07</kbd> || style="background:#fdd;" | <kbd>BB</kbd>
|}
Now, the program attempts to store the [[null-terminated string]] {{code|"excessive"}} with [[ASCII]] encoding in the A buffer.
<syntaxhighlight lang="c">
strcpy(A, "excessive");
</syntaxhighlight>
{{code|"excessive"}} is 9 characters long and encodes to 10 bytes including the null terminator, but A can take only 8 bytes. By failing to check the length of the string, it also overwrites the value of B:
{| class="wikitable" style="width:32em; text-align:center;"
! style="white-space:nowrap;" | variable name
! colspan=8 style="background:#ddf;" | A
! colspan=2 style="background:#fdd;" | B
|- style="background:#ddf;"
! value
| <kbd>'e'</kbd> || <kbd>'x'</kbd> || <kbd>'c'</kbd> || <kbd>'e'</kbd> || <kbd>'s'</kbd> || <kbd>'s'</kbd> || <kbd>'i'</kbd> || <kbd>'v'</kbd>
| colspan=2 style="background:#dbd;" | <kbd>25856</kbd>
|- style="background:#ddf;"
! hex
| <kbd>65</kbd> || <kbd>78</kbd> || <kbd>63</kbd> || <kbd>65</kbd> || <kbd>73</kbd> || <kbd>73</kbd> || <kbd>69</kbd> || <kbd>76</kbd>
| style="background:#dbd;" | <kbd>65</kbd> || style="background:#dbd;" | <kbd>00</kbd>
|}
B's value has now been inadvertently replaced by a number formed from part of the character string. In this example "e" followed by a zero byte would become 25856.
Writing data past the end of allocated memory can sometimes be detected by the operating system to generate a [[segmentation fault]] error that terminates the process.
To prevent the buffer overflow from happening in this example, the call to <kbd>[[strcpy]]</kbd> could be replaced with <kbd>[[strlcpy]]</kbd>, which takes the maximum capacity of A (including a null-termination character) as an additional parameter and ensures that no more than this amount of data is written to A:
<syntaxhighlight lang="c">
strlcpy(A, "excessive", sizeof(A));
</syntaxhighlight>
When available, the <kbd>[[strlcpy]]</kbd> library function is preferred over <kbd>[[strncpy]]</kbd> which does not null-terminate the destination buffer if the source string's length is greater than or equal to the size of the buffer (the third argument passed to the function). Therefore <kbd>A</kbd> may not be null-terminated and cannot be treated as a valid C-style string.
==Exploitation==
The techniques to [[exploit (computer security)|exploit]] a buffer overflow vulnerability vary by [[computer architecture|architecture]], [[operating system]], and memory region. For example, exploitation on the [[heap memory|heap]] (used for dynamically allocated memory), differs markedly from exploitation on the [[call stack]]. In general, heap exploitation depends on the heap manager used on the target system, while stack exploitation depends on the calling convention used by the architecture and compiler.
===Stack-based exploitation===
{{Main|Stack buffer overflow}}
There are several ways in which one can manipulate a program by exploiting stack-based buffer overflows:
* Changing program behavior by overwriting a local variable located near the vulnerable buffer on the stack;
* By overwriting the return address in a [[stack frame]] to point to code selected by the attacker, usually called the [[shellcode]]. Once the function returns, execution will resume at the attacker's shellcode;
* By overwriting a [[function pointer]]<ref>{{cite web |url=http://www.securityfocus.com/archive/1/462728/30/150/threaded |title=CORE-2007-0219: OpenBSD's IPv6 mbufs remote kernel buffer overflow |access-date=2007-05-15}}</ref> or [[exception handler]] to point to the shellcode, which is subsequently executed;
* By overwriting a local variable (or pointer) of a different stack frame, which will later be used by the function that owns that frame.<ref>{{cite web |url=http://packetstormsecurity.com/files/download/121751/ModernOverflowTargets.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://packetstormsecurity.com/files/download/121751/ModernOverflowTargets.pdf |archive-date=2022-10-09 |url-status=live |title=Modern Overflow Targets |access-date=2013-07-05}}</ref>
The attacker designs data to cause one of these exploits, then places this data in a buffer supplied to users by the vulnerable code. If the address of the user-supplied data used to affect the stack buffer overflow is unpredictable, exploiting a stack buffer overflow to cause remote code execution becomes much more difficult. One technique that can be used to exploit such a buffer overflow is called "[[trampolining (computing)|trampolining]]". Here, an attacker will find a pointer to the vulnerable stack buffer and compute the ___location of their [[shellcode]] relative to that pointer. The attacker will then use the overwrite to jump to an [[Opcode|instruction]] already in memory which will make a second jump, this time relative to the pointer. That second jump will branch execution into the shellcode. Suitable instructions are often present in large code. The [[Metasploit Project]], for example, maintains a database of suitable opcodes, though it lists only those found in the [[Windows]] operating system.<ref>{{cite web|url=http://metasploit.com/users/opcode/msfopcode.cgi |title=The Metasploit Opcode Database |access-date=2007-05-15 |url-status=dead |archive-url=https://web.archive.org/web/20070512195939/http://www.metasploit.com/users/opcode/msfopcode.cgi |archive-date=12 May 2007 }}</ref>
===Heap-based exploitation===
{{Main|Heap overflow}}
A buffer overflow occurring in the heap data area is referred to as a heap overflow and is exploitable in a manner different from that of stack-based overflows. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as [[malloc]] meta data) and uses the resulting pointer exchange to overwrite a program function pointer.
[[Microsoft]]'s [[Graphics Device Interface|GDI+]] vulnerability in handling [[JPEG]]s is an example of the danger a heap overflow can present.<ref>{{cite web |url=http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx |title=Microsoft Technet Security Bulletin MS04-028 |website=[[Microsoft]] |access-date=2007-05-15 |archive-url=https://web.archive.org/web/20110804221311/http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx |archive-date=2011-08-04 |url-status=dead }}</ref>
===Barriers to exploitation===
Manipulation of the buffer, which occurs before it is read or executed, may lead to the failure of an exploitation attempt. These manipulations can mitigate the threat of exploitation, but may not make it impossible. Manipulations could include conversion to upper or lower case, removal of [[metacharacter]]s and filtering out of non-[[alphanumeric]] strings. However, techniques exist to bypass these filters and manipulations, such as [[alphanumeric shellcode]], [[polymorphic code]], [[self-modifying code]], and [[return-to-libc attack]]s. The same methods can be used to avoid detection by [[intrusion detection system]]s. In some cases, including where code is converted into [[Unicode]],<ref>{{cite web |url=http://www.net-security.org/dl/articles/unicodebo.pdf |title=Creating Arbitrary Shellcode In Unicode Expanded Strings |access-date=2007-05-15 |url-status=dead |archive-url=https://web.archive.org/web/20060105041036/http://www.net-security.org/dl/articles/unicodebo.pdf |archive-date=2006-01-05 }}</ref> the threat of the vulnerability has been misrepresented by the disclosers as only Denial of Service when in fact the remote execution of arbitrary code is possible.
===
In real-world exploits there are a variety of challenges which need to be overcome for exploits to operate reliably. These factors include null bytes in addresses, variability in the ___location of shellcode, differences between environments, and various counter-measures in operation.
====NOP sled technique====
{{Main|NOP slide}}
[[File:nopsled.svg|right|thumb|200px|Illustration of a NOP-sled payload on the stack.]]
A NOP-sled is the oldest and most widely known technique for exploiting stack buffer overflows.<ref name="neworder" /> It solves the problem of finding the exact address of the buffer by effectively increasing the size of the target area. To do this, much larger sections of the stack are corrupted with the [[no-op]] machine instruction. At the end of the attacker-supplied data, after the no-op instructions, the attacker places an instruction to perform a relative jump to the top of the buffer where the [[shellcode]] is located. This collection of no-ops is referred to as the "NOP-sled" because if the return address is overwritten with any address within the no-op region of the buffer, the execution will "slide" down the no-ops until it is redirected to the actual malicious code by the jump at the end. This technique requires the attacker to guess where on the stack the NOP-sled is instead of the comparatively small shellcode.<ref name="enderunix" />
Because of the popularity of this technique, many vendors of [[intrusion prevention system]]s will search for this pattern of no-op machine instructions in an attempt to detect shellcode in use. A NOP-sled does not necessarily contain only traditional no-op machine instructions. Any instruction that does not corrupt the machine state to a point where the shellcode will not run can be used in place of the hardware assisted no-op. As a result, it has become common practice for exploit writers to compose the no-op sled with randomly chosen instructions which will have no real effect on the shellcode execution.<ref name="Akritidis1" />
While this method greatly improves the chances that an attack will be successful, it is not without problems. Exploits using this technique still must rely on some amount of luck that they will guess offsets on the stack that are within the NOP-sled region.<ref name="klein1" /> An incorrect guess will usually result in the target program crashing and could alert the [[system administrator]] to the attacker's activities. Another problem is that the NOP-sled requires a much larger amount of memory in which to hold a NOP-sled large enough to be of any use. This can be a problem when the allocated size of the affected buffer is too small and the current depth of the stack is shallow (i.e., there is not much space from the end of the current stack frame to the start of the stack). Despite its problems, the NOP-sled is often the only method that will work for a given platform, environment, or situation, and as such it is still an important technique.
====The jump to address stored in a register technique====
The "jump to register" technique allows for reliable exploitation of stack buffer overflows without the need for extra room for a NOP-sled and without having to guess stack offsets. The strategy is to overwrite the return pointer with something that will cause the program to jump to a known pointer stored within a register which points to the controlled buffer and thus the shellcode. For example, if register A contains a pointer to the start of a buffer then any jump or call taking that register as an operand can be used to gain control of the flow of execution.<ref name="shah" /> [[File:jumpToEsp.png|left|thumb|300px|An instruction from ntdll.dll to call the <code>DbgPrint()</code> routine contains the [[i386]] machine opcode for <code>jmp esp</code>.]]
In practice a program may not intentionally contain instructions to jump to a particular register. The traditional solution is to find an unintentional instance of a suitable [[opcode]] at a fixed ___location somewhere within the program memory. Figure [[:Image:JumpToEsp.png|E]] on the left contains an example of such an unintentional instance of the i386 <code>jmp esp</code> instruction. The opcode for this instruction is <code>FF E4</code>.<ref name="intel1" /> This two-byte sequence can be found at a one-byte offset from the start of the instruction <code>call DbgPrint</code> at address <code>0x7C941EED</code>. If an attacker overwrites the program return address with this address the program will first jump to <code>0x7C941EED</code>, interpret the opcode <code>FF E4</code> as the <code>jmp esp</code> instruction, and will then jump to the top of the stack and execute the attacker's code.<ref name="packetstorm1" />
When this technique is possible the severity of the vulnerability increases considerably. This is because exploitation will work reliably enough to automate an attack with a virtual guarantee of success when it is run. For this reason, this is the technique most commonly used in [[Internet worm]]s that exploit stack buffer overflow vulnerabilities.<ref name="Yuji1" />
This method also allows shellcode to be placed after the overwritten return address on the [[Microsoft Windows|Windows]] platform. Since executables are mostly based at address <code>0x00400000</code> and x86 is a [[little endian]] architecture, the last byte of the return address must be a null, which terminates the buffer copy and nothing is written beyond that. This limits the size of the shellcode to the size of the buffer, which may be overly restrictive. [[Dynamic-link library|DLLs]] are located in high memory (above <code>0x01000000</code>) and so have addresses containing no null bytes, so this method can remove null bytes (or other disallowed characters) from the overwritten return address. Used in this way, the method is often referred to as "DLL trampolining".
==Protective countermeasures==
Various techniques have been used to detect or prevent buffer overflows, with various tradeoffs. The following sections describe the choices and implementations available.
===Choice of programming language===
[[Assembly language|Assembly]], [[C (programming language)|C]], and [[C++]] are popular programming languages that are vulnerable to buffer overflow in part because they allow direct access to memory and are not [[strongly typed]].<ref name="OWASP">https://www.owasp.org/index.php/Buffer_OverflowsBuffer Overflows article on OWASP {{Webarchive|url=https://web.archive.org/web/20160829122543/https://www.owasp.org/index.php/Buffer_Overflows |date=2016-08-29 }}</ref> C provides no built-in protection against accessing or overwriting data in any part of memory. More specifically, it does not check that data written to a buffer is within the boundaries of that buffer. The standard C++ libraries provide many ways of safely buffering data, and C++'s [[Standard Template Library]] (STL) provides containers that can optionally perform bounds checking if the programmer explicitly calls for checks while accessing data. For example, a <code>vector</code>'s member function <code>at()</code> performs a bounds check and throws an <code>out_of_range</code> [[Exception handling|exception]] if the bounds check fails.<ref>{{cite web|url=http://www.cplusplus.com/reference/vector/vector/at/ |title=vector::at - C++ Reference |publisher=Cplusplus.com |access-date=2014-03-27}}</ref> However, C++ behaves just like C if the bounds check is not explicitly called. Techniques to avoid buffer overflows also exist for C.
Languages that are strongly typed and do not allow direct memory access, such as COBOL, Java, Eiffel, Python, and others, prevent buffer overflow in most cases.<ref name="OWASP"/> Many programming languages other than C or C++ provide runtime checking and in some cases even compile-time checking which might send a warning or raise an exception, while C or C++ would overwrite data and continue to execute instructions until erroneous results are obtained, potentially causing the program to crash. Examples of such languages include [[Ada (programming language)|Ada]], [[Eiffel (programming language)|Eiffel]], [[Lisp (programming language)|Lisp]], [[Modula-2]], [[Smalltalk]], [[OCaml]] and such C-derivatives as [[Cyclone (programming language)|Cyclone]], [[Rust (programming language)|Rust]] and [[D (programming language)|D]]. The [[Java (software platform)|Java]] and [[.NET Framework]] bytecode environments also require bounds checking on all arrays. Nearly every [[interpreted language]] will protect against buffer overflow, signaling a well-defined error condition. Languages that provide enough type information to do bounds checking often provide an option to enable or disable it. [[Static code analysis]] can remove many dynamic bound and type checks, but poor implementations and awkward cases can significantly decrease performance. Software engineers should carefully consider the tradeoffs of safety versus performance costs when deciding which language and compiler setting to use.
===Use of safe libraries===
The problem of buffer overflows is common in the C and C++ languages because they expose low level representational details of buffers as containers for data types. Buffer overflows can be avoided by maintaining a high degree of correctness in code that performs buffer management. It has also long been recommended to avoid standard library functions that are not bounds checked, such as <code>[[gets()|gets]]</code>, <code>[[scanf]]</code> and <code>[[strcpy]]</code>. The [[Morris worm]] exploited a <code>gets</code> call in [[fingerd]].<ref>{{cite web |url=http://wiretap.area.com/Gopher/Library/Techdoc/Virus/inetvir.823 |title=Archived copy |website=wiretap.area.com |access-date=6 June 2022 |archive-url=https://web.archive.org/web/20010505080457/http://wiretap.area.com/Gopher/Library/Techdoc/Virus/inetvir.823 |archive-date=5 May 2001 |url-status=dead}}</ref>
Well-written and tested abstract data type libraries that centralize and automatically perform buffer management, including bounds checking, can reduce the occurrence and impact of buffer overflows. The primary data types in languages in which buffer overflows are common are strings and arrays. Thus, libraries preventing buffer overflows in these data types can provide the vast majority of the necessary coverage. However, failure to use these safe libraries correctly can result in buffer overflows and other vulnerabilities, and naturally any [[Software bug|bug]] in the library is also a potential vulnerability. "Safe" library implementations include "The Better String Library",<ref>{{cite web |url=http://bstring.sf.net/ |title=The Better String Library}}</ref> Vstr<ref>{{cite web |url=http://www.and.org/vstr/ |title=The Vstr Homepage |access-date=2007-05-15 |archive-url=https://web.archive.org/web/20170305020810/http://www.and.org/vstr/ |archive-date=2017-03-05 |url-status=dead }}</ref> and Erwin.<ref>{{cite web |url=http://www.theiling.de/projects/erwin.html |title=The Erwin Homepage |access-date=2007-05-15}}</ref> The [[OpenBSD]] operating system's [[C library]] provides the [[strlcpy]] and [[strlcat]] functions, but these are more limited than full safe library implementations.
In September 2007, Technical Report 24731, prepared by the C standards committee, was published.<ref>{{Cite web|url=https://www.iso.org/obp/ui/#iso:std:iso-iec:tr:24731:-1:ed-2:v1:en:sec:4|title=Information technology – Programming languages, their environments and system software interfaces – Extensions to the C library – Part 1: Bounds-checking interfaces|last=International Organization for Standardization|date=2007|website=ISO Online Browsing Platform}}</ref> It specifies a set of functions that are based on the standard C library's string and IO functions, with additional buffer-size parameters. However, the efficacy of these functions for reducing buffer overflows is disputable. They require programmer intervention on a per function call basis that is equivalent to intervention that could make the analogous older standard library functions buffer overflow safe.<ref>{{cite web |url=https://www.securecoding.cert.org/confluence/x/QwY |archive-url=https://archive.today/20121228031633/https://www.securecoding.cert.org/confluence/x/QwY |url-status=dead |archive-date=December 28, 2012 |title=CERT Secure Coding Initiative |access-date=2007-07-30 }}</ref>
===Buffer overflow protection===
{{Main|Buffer overflow protection}}
Buffer overflow protection is used to detect the most common buffer overflows by checking that the [[call stack|stack]] has not been altered when a function returns. If it has been altered, the program exits with a [[segmentation fault]]. Three such systems are Libsafe,<ref>{{cite web |url=http://directory.fsf.org/libsafe.html |title=Libsafe at FSF.org |access-date=2007-05-20}}</ref> and the ''[[StackGuard]]''<ref>{{cite web |url=https://www.usenix.org/publications/library/proceedings/sec98/full_papers/cowan/cowan.pdf |archive-url=https://ghostarchive.org/archive/20221009/https://www.usenix.org/publications/library/proceedings/sec98/full_papers/cowan/cowan.pdf |archive-date=2022-10-09 |url-status=live |title=StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks by Cowan et al. |access-date=2007-05-20}}</ref> and ''[[ProPolice]]''<ref>{{cite web|url=http://wiki.x.org/wiki/ProPolice |title=ProPolice at X.ORG |access-date=2007-05-20 |url-status=dead |archive-url=https://web.archive.org/web/20070212032750/http://wiki.x.org/wiki/ProPolice |archive-date=12 February 2007 }}</ref> [[GNU Compiler Collection|gcc]] patches.
Microsoft's implementation of [[Data Execution Prevention]] (DEP) mode explicitly protects the pointer to the [[Structured Exception Handler]] (SEH) from being overwritten.<ref>{{cite web |url=http://www.uninformed.org/?v=2&a=4&t=txt |title=Bypassing Windows Hardware-enforced Data Execution Prevention |access-date=2007-05-20 |archive-url=https://web.archive.org/web/20070430040534/http://www.uninformed.org/?v=2&a=4&t=txt |archive-date=2007-04-30 |url-status=dead }}</ref>
Stronger stack protection is possible by splitting the stack in two: one for data and one for function returns. This split is present in the [[Forth language]], though it was not a security-based design decision. Regardless, this is not a complete solution to buffer overflows, as sensitive data other than the return address may still be overwritten.
This type of protection is also not entirely accurate because it does not detect all attacks. Systems like StackGuard are more centered around the behavior of the attacks, which makes them efficient and faster in comparison to range-check systems.<ref>{{Cite journal |last1=Lhee |first1=Kyung-Suk |last2=Chapin |first2=Steve J. |date=2003-04-25 |title=Buffer overflow and format string overflow vulnerabilities |url=https://onlinelibrary.wiley.com/doi/10.1002/spe.515 |journal=Software: Practice and Experience |language=en |volume=33 |issue=5 |pages=423–460 |doi=10.1002/spe.515 |issn=0038-0644|url-access=subscription }}</ref>
===Pointer protection===
Buffer overflows work by manipulating [[Pointer (computer programming)|pointers]], including stored addresses. PointGuard was proposed as a compiler-extension to prevent attackers from reliably manipulating pointers and addresses.<ref>{{cite web|url=http://www.usenix.org/events/sec03/tech/full_papers/cowan/cowan_html/index.html|title=12th USENIX Security Symposium – Technical Paper|website=www.usenix.org|access-date=3 April 2018}}</ref> The approach works by having the compiler add code to automatically XOR-encode pointers before and after they are used. Theoretically, because the attacker does not know what value will be used to encode and decode the pointer, one cannot predict what the pointer will point to if it is overwritten with a new value. PointGuard was never released, but Microsoft implemented a similar approach beginning in [[Windows XP]] SP2 and [[Windows Server 2003]] SP1.<ref>{{cite web|url=http://blogs.msdn.com/michael_howard/archive/2006/01/30/520200.aspx|title=Protecting against Pointer Subterfuge (Kinda!)|website=msdn.com|access-date=3 April 2018|archive-url=https://web.archive.org/web/20100502021754/http://blogs.msdn.com/michael_howard/archive/2006/01/30/520200.aspx|archive-date=2010-05-02|url-status=dead}}</ref> Rather than implement pointer protection as an automatic feature, Microsoft added an API routine that can be called. This allows for better performance (because it is not used all of the time), but places the burden on the programmer to know when its use is necessary.
Because XOR is linear, an attacker may be able to manipulate an encoded pointer by overwriting only the lower bytes of an address. This can allow an attack to succeed if the attacker can attempt the exploit multiple times or complete an attack by causing a pointer to point to one of several locations (such as any ___location within a NOP sled).<ref>{{cite web|url=http://www.usenix.org/publications/login/2005-06/pdfs/alexander0506.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://www.usenix.org/publications/login/2005-06/pdfs/alexander0506.pdf |archive-date=2022-10-09 |url-status=live|title=USENIX - The Advanced Computing Systems Association|website=www.usenix.org|access-date=3 April 2018}}</ref> Microsoft added a random rotation to their encoding scheme to address this weakness to partial overwrites.<ref>{{cite web|url=http://blogs.msdn.com/michael_howard/archive/2006/08/16/702707.aspx|title=Protecting against Pointer Subterfuge (Redux)|website=msdn.com|access-date=3 April 2018|archive-url=https://web.archive.org/web/20091219202748/http://blogs.msdn.com/michael_howard/archive/2006/08/16/702707.aspx|archive-date=2009-12-19|url-status=dead}}</ref>
===Executable space protection===
{{Main|Executable space protection}}
Executable space protection is an approach to buffer overflow protection that prevents execution of code on the stack or the heap. An attacker may use buffer overflows to insert arbitrary code into the memory of a program, but with executable space protection, any attempt to execute that code will cause an exception.
Some CPUs support a feature called [[NX bit|NX]] ("No eXecute") or [[XD bit|XD]] ("eXecute Disabled") bit, which in conjunction with software, can be used to mark [[paging|pages of data]] (such as those containing the stack and the heap) as readable and writable but not executable.
Some Unix operating systems (e.g. [[OpenBSD]], [[macOS]]) ship with executable space protection (e.g. [[W^X]]). Some optional packages include:
* [[PaX]]<ref>{{cite web |title=PaX: Homepage of the PaX team |url=http://pax.grsecurity.net |access-date=2007-06-03}}</ref>
* [[Exec Shield]]<ref>{{cite web |title=KernelTrap.Org |url=http://kerneltrap.org/node/644 |access-date=2007-06-03 |url-status=dead |archive-url=https://archive.today/20120529183334/http://kerneltrap.org/node/644 |archive-date=2012-05-29 }}</ref>
* [[Openwall]]<ref>{{cite web |title=Openwall Linux kernel patch 2.4.34-ow1 |url=http://linux.softpedia.com/get/System/Operating-Systems/Kernels/Openwall-Linux-kernel-patch-16454.shtml |access-date=2007-06-03 |url-status=dead |archive-url=https://web.archive.org/web/20120219111512/http://linux.softpedia.com/get/System/Operating-Systems/Kernels/Openwall-Linux-kernel-patch-16454.shtml |archive-date=2012-02-19 }}</ref>
Newer variants of Microsoft Windows also support executable space protection, called [[Data Execution Prevention]].<ref>{{cite web |title=Microsoft Technet: Data Execution Prevention |url=http://technet2.microsoft.com/WindowsServer/en/Library/b0de1052-4101-44c3-a294-4da1bd1ef2271033.mspx?mfr=true |access-date=2006-06-30 |archive-url=https://web.archive.org/web/20060622140239/http://technet2.microsoft.com/WindowsServer/en/Library/b0de1052-4101-44c3-a294-4da1bd1ef2271033.mspx?mfr=true |archive-date=2006-06-22 |url-status=dead }}</ref> [[proprietary software|Proprietary]] add-ons include:
* BufferShield<ref>{{cite web |title=BufferShield: Prevention of Buffer Overflow Exploitation for Windows |url=http://www.sys-manage.com/english/products/products_BufferShield.html |access-date=2007-06-03}}</ref>
* StackDefender<ref>{{cite web |title=NGSec Stack Defender |url=http://www.ngsec.com/ngproducts/stackdefender/ |access-date=2007-06-03 |archive-url = https://web.archive.org/web/20070513235539/http://www.ngsec.com/ngproducts/stackdefender/ <!-- Bot retrieved archive --> |archive-date = 2007-05-13}}</ref>
Executable space protection does not generally protect against [[return-to-libc attack]]s, or any other attack that does not rely on the execution of the attackers code. However, on [[64-bit]] systems using [[ASLR]], as described below, executable space protection makes it far more difficult to execute such attacks.
===Capability Hardware Enhanced RISC Instructions===
{{Main|Capability Hardware Enhanced RISC Instructions}}
CHERI (Capability Hardware Enhanced RISC Instructions) is a computer processor technology designed to improve security. It operates at a hardware level by providing a hardware-enforced type (a CHERI capability) that authorises access to memory. Traditional pointers are replaced by addresses accompanied by metadata that limit what can be accessed through any given pointer.
===Address space layout randomization===
{{Main|Address space layout randomization}}
Address space layout randomization (ASLR) is a computer security feature that involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space.
Randomization of the [[virtual memory]] addresses at which functions and variables can be found can make exploitation of a buffer overflow more difficult, but not impossible. It also forces the attacker to tailor the exploitation attempt to the individual system, which foils the attempts of [[internet worm]]s.<ref>{{cite web |title=PaX at GRSecurity.net |url=http://pax.grsecurity.net/docs/aslr.txt |access-date=2007-06-03}}</ref> A similar but less effective method is to [[rebasing|rebase]] processes and libraries in the virtual address space.
===Deep packet inspection===
{{Main|Deep packet inspection}}
The use of deep packet inspection (DPI) can detect, at the network perimeter, very basic remote attempts to exploit buffer overflows by use of attack signatures and [[heuristic (computer science)|heuristics]]. This technique can block packets that have the signature of a known attack. It was formerly used in situations in which a long series of No-Operation instructions (known as a NOP-sled) was detected and the ___location of the exploit's [[payload (software)|payload]] was slightly variable.
Packet scanning is not an effective method since it can only prevent known attacks and there are many ways that a NOP-sled can be encoded. [[Shellcode]] used by attackers can be made [[alphanumeric]], [[metamorphic code|metamorphic]], or [[self-modifying code|self-modifying]] to evade detection by heuristic packet scanners and [[intrusion detection system]]s.
=== Testing ===
Checking for buffer overflows and patching the bugs that cause them helps prevent buffer overflows. One common automated technique for discovering them is [[fuzzing]].<ref>{{cite web|url=http://raykoid666.wordpress.com|title=The Exploitant - Security info and tutorials|access-date=2009-11-29}}</ref> Edge case testing can also uncover buffer overflows, as can static analysis.<ref>{{Cite journal|last1=Larochelle|first1=David|last2=Evans|first2=David|date=13 August 2001|title=Statically Detecting Likely Buffer Overflow Vulnerabilities|url=https://www.usenix.org/legacy/events/sec01/full_papers/larochelle/larochelle_html/|journal=USENIX Security Symposium|volume=32}}</ref> Once a potential buffer overflow is detected it should be patched. This makes the testing approach useful for software that is in development, but less useful for legacy software that is no longer maintained or supported.
==History==
Buffer overflows were understood and partially publicly documented as early as 1972, when the Computer Security Technology Planning Study laid out the technique: "The code performing this function does not check the source and destination addresses properly, permitting portions of the monitor to be overlaid by the user. This can be used to inject code into the monitor that will permit the user to seize control of the machine."<ref>{{cite web |title=Computer Security Technology Planning Study |page=61 |url=http://csrc.nist.gov/publications/history/ande72.pdf |access-date=2007-11-02 |archive-url=https://web.archive.org/web/20110721060319/http://csrc.nist.gov/publications/history/ande72.pdf |archive-date=2011-07-21 |url-status=dead}}</ref> Today, the monitor would be referred to as the kernel.
The earliest documented hostile exploitation of a buffer overflow was in 1988. It was one of several exploits used by the [[Morris worm]] to propagate itself over the Internet. The program exploited was a [[Service (systems architecture)|service]] on [[Unix]] called [[Finger protocol|finger]].<ref>{{cite web |title="A Tour of The Worm" by Donn Seeley, University of Utah |url=http://world.std.com/~franl/worm.html |access-date=2007-06-03 |archive-url=https://web.archive.org/web/20070520233435/http://world.std.com/~franl/worm.html <!-- Bot retrieved archive --> |archive-date=2007-05-20}}</ref> Later, in 1995, Thomas Lopatic independently rediscovered the buffer overflow and published his findings on the [[Bugtraq]] security mailing list.<ref>{{cite web |title=Bugtraq security mailing list archive |url=http://www.security-express.com/archives/bugtraq/1995_1/0403.html |access-date=2007-06-03 |archive-url=https://web.archive.org/web/20070901222723/http://www.security-express.com/archives/bugtraq/1995_1/0403.html <!-- Bot retrieved archive --> |archive-date=2007-09-01}}</ref> A year later, in 1996, [[Elias Levy]] (also known as Aleph One) published in ''[[Phrack]]'' magazine the paper "Smashing the Stack for Fun and Profit",<ref>{{cite web |title="Smashing the Stack for Fun and Profit" by Aleph One |url=https://phrack.org/issues/49/14 |access-date=2025-03-06}}</ref> a step-by-step introduction to exploiting stack-based buffer overflow vulnerabilities.
Since then, at least two major internet worms have exploited buffer overflows to compromise a large number of systems. In 2001, the [[Code Red worm]] exploited a buffer overflow in Microsoft's [[Internet Information Services]] (IIS) 5.0<ref>{{cite web |title=eEye Digital Security |url=http://research.eeye.com/html/advisories/published/AL20010717.html |access-date=2007-06-03 |archive-date=2009-06-20 |archive-url=https://web.archive.org/web/20090620085700/http://research.eeye.com/html/advisories/published/AL20010717.html |url-status=dead }}</ref> and in 2003 the [[SQL Slammer]] worm compromised machines running [[Microsoft SQL Server 2000]].<ref>{{cite web |title=Microsoft Technet Security Bulletin MS02-039 |website=[[Microsoft]] |url=http://www.microsoft.com/technet/security/bulletin/ms02-039.mspx |access-date=2007-06-03 |archive-url=https://web.archive.org/web/20080307052903/http://www.microsoft.com/technet/security/bulletin/ms02-039.mspx |archive-date=2008-03-07 |url-status=dead}}</ref>
In 2003, buffer overflows present in licensed [[Xbox (console)|Xbox]] games have been exploited to allow unlicensed software, including [[homebrew (video games)|homebrew games]], to run on the console without the need for hardware modifications, known as [[modchip]]s.<ref>{{cite web |url=http://www.gamesindustry.biz/content_page.php?aid=1461 |archive-url=https://web.archive.org/web/20070927210513/http://www.gamesindustry.biz/content_page.php?aid=1461 |archive-date=2007-09-27 |title=Hacker breaks Xbox protection without mod-chip |access-date=2007-06-03}}</ref> The [[PS2 Independence Exploit]] also used a buffer overflow to achieve the same for the [[PlayStation 2]]. The Twilight hack accomplished the same with the [[Wii]], using a buffer overflow in ''[[The Legend of Zelda: Twilight Princess]]''.
==See also==
{{colbegin|colwidth=20em}}
* [[
* [[
* [[
* [[Computer security]]
* [[End-of-file]]
* [[
* [[
* [[
* [[
* [[Safety-critical system]]
* [[Security-focused operating system]]
* [[Self-modifying code]]
* [[Software quality]]
* [[Shellcode]]
* [[Stack buffer overflow]]
* [[Uncontrolled format string]]
{{colend}}
==References==
{{Reflist|30em|refs=
<ref name="neworder">{{cite journal|author=Vangelis |title=Stack-based Overflow Exploit: Introduction to Classical and Advanced Overflow Technique |publisher=Wowhacker via Neworder |date=2004-12-08 |url=http://www.neworder.box.sk/newsread.php?newsid=12476 |format=text |url-status=dead |archive-url=https://web.archive.org/web/20070818115455/http://www.neworder.box.sk/newsread.php?newsid=12476 |archive-date=August 18, 2007 }}</ref>
<ref name="enderunix">{{cite journal
| last = Balaban
| first = Murat
| title = Buffer Overflows Demystified
| publisher = Enderunix.org
| url = http://www.enderunix.org/docs/en/bof-eng.txt
| archive-url = https://web.archive.org/web/20040812221752/http://enderunix.org/docs/en/bof-eng.txt
| url-status = usurped
| archive-date = August 12, 2004
| format = text }}</ref>
<ref name="Akritidis1">{{cite conference
|first = P.
|last = Akritidis
|author2 = Evangelos P. Markatos
|author3 = M. Polychronakis
|author4 = Kostas D. Anagnostakis
|title = STRIDE: Polymorphic Sled Detection through Instruction Sequence Analysis.
|book-title = Proceedings of the 20th IFIP International Information Security Conference (IFIP/SEC 2005)
|publisher = IFIP International Information Security Conference
|year = 2005
|url = http://dcs.ics.forth.gr/Activities/papers/stride-IFIP-SEC05.pdf
|access-date = 2012-03-04
|archive-url = https://web.archive.org/web/20120901034404/http://dcs.ics.forth.gr/Activities/papers/stride-IFIP-SEC05.pdf
|archive-date = 2012-09-01
|url-status = dead
}}</ref>
<ref name="klein1">{{cite journal
|last = Klein
|first = Christian
|title = Buffer Overflow
|date = September 2004
|url = http://c0re.23.nu/~chris/presentations/overflow2005.pdf
|url-status = dead
|archive-url = https://web.archive.org/web/20070928011639/http://c0re.23.nu/~chris/presentations/overflow2005.pdf
|archive-date = 2007-09-28
}}</ref>
<ref name="shah">{{cite conference
| first = Saumil
| last = Shah
| title = Writing Metasploit Plugins: from vulnerability to exploit
| book-title = Hack In The Box
| year = 2006
| ___location = Kuala Lumpur
| url = http://conference.hitb.org/hitbsecconf2006kl/materials/DAY%201%20-%20Saumil%20Shah%20-%20Writing%20Metasploit%20Plugins.pdf
| access-date = 2012-03-04 }}</ref>
<ref name="intel1">{{cite book
| title = Intel 64 and IA-32 Architectures Software Developer's Manual Volume 2A: Instruction Set Reference, A-M
| publisher = Intel Corporation
| date = May 2007
| archive-date = 2007-11-29
| pages = 3–508
| url = http://developer.intel.com/design/processor/manuals/253666.pdf
| archive-url = https://web.archive.org/web/20071129123212/http://developer.intel.com/design/processor/manuals/253666.pdf }}</ref>
<ref name="packetstorm1">{{cite journal
| last = Alvarez
| first = Sergio
| title = Win32 Stack BufferOverFlow Real Life Vuln-Dev Process
| publisher = IT Security Consulting
| date = 2004-09-05
| url = http://packetstormsecurity.org/papers/Win2000/Intro_to_Win32_Exploits.pdf
| access-date = 2012-03-04
}}</ref>
<ref name="Yuji1">
{{cite conference
| first = Yuji
| last = Ukai |author2=Soeder, Derek |author3=Permeh, Ryan
| title = Environment Dependencies in Windows Exploitation
| book-title = BlackHat Japan
| publisher = eEye Digital Security
| year = 2004
| ___location = Japan
| url = https://www.blackhat.com/presentations/bh-asia-04/bh-jp-04-ukai-eng.ppt
| access-date = 2012-03-04 }}</ref>}}
==External links==
* [https://raykoid666.wordpress.com/2009/11/28/remote-buffer-overflow-from-vulnerability-to-exploit-part-1/ "Discovering and exploiting a remote buffer overflow vulnerability in an FTP server"] by Raykoid666
* [https://www.phrack.org/issues/49/14.html#article "Smashing the Stack for Fun and Profit"] by Aleph One
* {{cite journal | url=https://iac.dtic.mil/iatac/download/Vol7_No4.pdf | date=2005-05-02 | archive-url=https://web.archive.org/web/20060927225105/https://iac.dtic.mil/iatac/download/Vol7_No4.pdf | archive-date=2006-09-27 | url-status=dead | title=An Overview and Example of the Buffer-Overflow Exploit | pages=16–21 | volume=7 | issue=4 | journal=IAnewsletter | publisher=[[Information Assurance Technology Analysis Center]] | access-date=2019-03-17 | first=Isaac | last=Gerg }}
* [https://www.securecoding.cert.org/ CERT Secure Coding Standards]
* [https://www.cert.org/secure-coding CERT Secure Coding Initiative]
* [https://www.cert.org/books/secure-coding Secure Coding in C and C++]
* [https://www.sans.org/reading_room/whitepapers/securecode/386.php SANS: inside the buffer overflow attack]
* [https://web.archive.org/web/20130126024851/https://www.awarenetwork.org/etc/alpha/?x=5 "Advances in adjacent memory overflows"] by Nomenumbra
* [https://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf A Comparison of Buffer Overflow Prevention Implementations and Weaknesses]
* [https://web.archive.org/web/20090817230359/https://doc.bughunter.net/buffer-overflow/ More Security Whitepapers about Buffer Overflows]
* [https://web.archive.org/web/20071129123212/https://www.syngress.com/book_catalog/327_SSPC/sample.pdf Chapter 12: Writing Exploits III] from ''Sockets, Shellcode, Porting & Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals'' by James C. Foster ({{ISBN|1-59749-005-9}}). Detailed explanation of how to use Metasploit to develop a buffer overflow exploit from scratch.
* [https://web.archive.org/web/20110721060319/https://csrc.nist.gov/publications/history/ande72.pdf Computer Security Technology Planning Study], James P. Anderson, ESD-TR-73-51, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (October 1972) [NTIS AD-758 206]
* [https://web.archive.org/web/20170905183149/https://www.exploit-db.com/docs/18346.pdf "Buffer Overflows: Anatomy of an Exploit"] by Nevermore
* [https://www.cansecwest.com/csw08/csw08-holtmann.pdf Secure Programming with GCC and GLibc] {{Webarchive|url=https://web.archive.org/web/20081121103054/https://cansecwest.com/csw08/csw08-holtmann.pdf |date=2008-11-21 }} (2008), by Marcel Holtmann
* [https://www.helviojunior.com.br/it/security/criacao-de-exploits/criacao-de-exploits-parte-0-um-pouco-de-teoria/ "Criação de Exploits com Buffer Overflor – Parte 0 – Um pouco de teoria "] (2018), by Helvio Junior (M4v3r1ck)
{{Memory management navbox}}
{{Authority control}}
{{DEFAULTSORT:Buffer Overflow}}
[[Category:Software bugs]]
[[Category:Computer memory]]
[[Category:Computer security exploits]]
[[Category:Articles with example C code]]
| |||