• Definition:
  • A buffer overflow (or overrun) is a situation in which a program uses locations adjacent to a buffer (i.e., beyond one or both of the boundaries of a buffer).
• An Issue:
  • People frequently limit the definition of a buffer overflow to situations in which data is written to locations adjacent to the buffer
  • We will include both reading and writing since reading beyond the boundary can lead to harm (e.g., confidentiality and availability)
• Common (in Memory) Buffer Overflows in C:
  • When explicitly using an array
  • When using a string (i.e., implicitly using an array)

• A Common Idiom:
  • Pass an array and its length as different parameters
    (e.g., main(int argc, char* argv[]))
• The Problem:
  • A length that is too large might be passed in (or the length might be increased locally)

• Another Common Idiom:

  • void operation(int array[])
    {
        int length = sizeof(array) / sizeof(array[0]);
        for (int i=0; i<length; i++)
        {
            // Operate on array[i]
        }
    }
    

• The Problem:
  • array is a parameter and, so, is a pointer type
  • Hence, sizeof(array) is the size of an int *, not the size of the array

• A Common Idiom:
  • Use a special value to indicate the last element of the array (e.g., -1 in an array of non-negative integers)
• The Problem:
  • The sentinel can be omitted or misspecified

• Recall:
  • C has character types char and wchar_t
  • A string in C is a contigous sequence of characters terminated by (and including) a sentinel character (the null character '\0')
• Data Structure:
  • Strings are stored in arrays
  • The length of the string is (i.e., should be) at least one less than the length of the array

• A Common Practice:
  • Use gets() to read characters (until it reaches a newline or end-of-stream character)
• An Example:

  • char     line[81];
    
    gets(line);
    

• The Problem:
  • An attacker can enter an indeterminate number of characters making it impossible to ensure that the buffer is large enough

• A Common Practice:
  • Copy a source string into a target/destination string using strcpy()
• An Example:

  • int main(int argc, char* argv[])
    {
        char    file_name[65];
        char   *temp;
    
        temp = argv[1] ? argv[1] : "";
        strcpy(file_name, temp);
    }
    

• The Problem:
  • The attacker can supply a string that is too long (i.e., a file name that is longer than 64 characters in this example)

• A Common Practice:
  • Use strcat() to append a source string to a target string
• The Problem:
  • The target might not be long enough to hold the result

• A Common Practice:
  • Use sprintf() to create a (formatted) string
• An Example:

  • char     line[81];
    
    sprintf(line, "%2d: %s\n", i, user_input);
    

• The Problem:
  • sprintf() assumes that the buffer it is passed is large enough and the attacker might provide a string that is too long (i.e., longer than 80 - 2 - 2 - 1 = 75 characters in this example)

• Some Common Practices:
  • Not allocating memory for the null character (i.e., an off-by-one error when calculating the size)
  • Forgetting to include the null character (though there is space for it)
  • Using strncpy() to copy the first n characters from the source to the target when the source contains n or more characters (which results in a non-null terminated string)
• Some Problems That Arise:
  • strlen() uses the null character to determine the length of the string so any function that uses strlen() will have problems
  • Other functions (e.g., strcpy()) iterate until a null character is encountered so will have problems

char     a[10], b[10];

strncpy(a, "0123456789", 10); // a will not be null-terminated

strcpy(b, a);                 // b will probably overflow
  

• The Issue:
  • By overflowing a buffer the attacker can corrupt memory that is being used to store information of various kinds
• A Common Attack Vector:
  • User input

• The Issue:
  • By overflowing a buffer the attacker can corrupt the value of a pointer and, if the pointer is used in an assignment statement, corrupt the arbitrary address it now points to
• Sketch of an Example:

  • ...
    char  buffer[BUFFER_SIZE];
    long  value = ...;
    long* p     = ...;
    strncpy(buffer, argv[1], length); // Potential overflow into p
    *p = value;                       // Assign value to the address pointed to by p
    ...
    

• The Issue:
  • By overflowing a buffer the attacker can corrupt the value of function pointer and, if the function pointer is used subsequently, transfer control to arbitrary code
• Sketch of an Example:

  • ...
    static int   value = ...;
    static char  buffer[BUFFER_SIZE];
    static void  (*f)(int i);
    f = &some_function;
    strncpy(buffer, argv[1], length); // Potential overflow into f
    (void)(*f)(value);                // Execute the code pointed to by f
    ...
    

• The Issue:
  • By overflowing a buffer the attacker can overwrite data in the memory allocated to the execution stack
• Ramifications:
  • The values of automatic variables can be modified
  • Program execution can be terminated
  • Arbitrary code can be executed

• A Memory Corruption Example:
  • cexamples/bufferoverflow/windows/string_overflow_data.c

    #include <stdio.h>
    #include <string.h>
    
    char    eid[9];    // 8 characters plus '\0'
    int     grade;
    
    
    int main(int argc, char* argv[])
    {
      // Initialize
      strcpy(eid, "bernstdh");
      grade = 100;
      printf("EID: %8s  Grade: %d\n", eid, grade);
    
      // Copy user input into the eid
      strcpy(eid, "bernstdh  \x08\x08");     // 0x08 is ASCII backspace
      printf("EID: %8s  Grade: %d\n", eid, grade);
    }
            

• A Sample Windows/Intelx86 Execution:
  • Address of eid: 0x0804a030
  • Address of grade: 0x0804a024

• Notes:
  • Though eid only requires 9 bytes, space actually exists for 12 (for alignment reasons)
  • Intelx86 is little-endian
• Memory (Before and After):
  •