What is Buffer Overflow ?
Buffer overflow has been the most common form of a security vulnerability in the last ten years. Moreover, buffer overflow vulnerabilities dominate in the area of remote network penetration vulnerabilities, where an anonymous Internet user seeks to gain partial or total control of a host. Because these kinds of attacks enable anyone to take total control of a host, they represent one of the most serious classes of security threats. It happens when a program tries to fill a block of memory (a memory buffer) with more data than a buffer is supposed to hold. Buffers are essentially the areas of storage that temporarily hold data while it is being transferred from one location to another.
So in the above image, we see a stack where it is only capable of holding 8 characters but we passed it with 2 more characters and the extra two bytes will act as a command to the kernel and it will dump. So a hacker sends malicious inputs to a vulnerable application, they can force the application to execute malicious code to take control of the machine or crash the system. Buffer overflow vulnerabilities are known to be caused by programmer mistakes that are easy to understand but much harder to avoid and protect against.
Types of Buffer Overflow
It occurs when a program writes to a memory address on the program’s call stack outside the intended data structure. Since it has a fixed-length buffer:-
- A local variable that is near the buffer in memory on the stack to change the behavior of the program may benefit the attacker.
- The return address in a stack frame. Once the function returns, execution will resume at the return address as specified by the attacker, usually a user input-filled buffer.
- A function pointer, or exception handler, is subsequently executed.
It occurs in the heap data area and maybe introduced accidentally by an application programmer, or it may result from a deliberate exploit. In either case, the overflow occurs when an application copies more data into a buffer than the buffer was designed to contain. The factors which benefit hackers are:-
- Since “Heap” is a “free store” that is a memory space, where dynamic objects are allocated, it can be used to execute commands.
- The heap is the memory space that is dynamically allocated new(), malloc(), and calloc() functions; it is different from the memory space allocated for stack and code.
- Dynamically created variables (i.e., declared variables) are created on the heap before the execution program is initialized to zeros and are stored in the memory until the life cycle of the object has been completed.
How to protect from Buffer Overflow?
The general concept is to make the data segment of the victim program’s address space non-executable, making it impossible for attackers to execute the code they inject into the victim program’s input buffers.
Array Bounds Checking-
While injecting code is optional for a buffer overflow attack, the corruption of control flow is essential. Thus unlike non-executable buffers, array bounds checking completely stop buffer overflow vulnerabilities and attacks. If arrays cannot be overflowed at all, then array overflows cannot be used to corrupt adjacent program states.
Code Pointer Integrity Checking-
The goal of code pointer integrity checking is subtly different from bounds checking. Instead of trying to prevent corruption of code pointers code pointer integrity checking seeks to detect that a code pointer has been corrupted before it is dereferenced. Thus while the attacker succeeds in corrupting a code pointer, the corrupted code pointer will never be used because the corruption is detected before each use.