buffer/stack overflow

Question 1

what is a buffer

Answer 1

a limited, contiguously allocated set of memory used for data storage
> buffer can be on stack, heap, global data

Question 2

what is buffer overflow

Answer 2

occurs when a program writes more data into a buffer (a temporary storage area in memory) than the buffer can hold. this typically happens when input data is not properly validated or sanitized.

Question 3

what is a stack

Answer 3

a data structure that follows Last-In-First-Out principle with two primary operations
> push: add element at the top
> pop: remove element at the top
as more data is added to the stack, the address values become lower

Question 4

what is a stack overflow

Answer 4

occurs when the call stack (a region of memory used to manage function calls and local variables) becomes full because of too many nested function calls or recursive calls without proper termination conditions

Question 5

what is a stack pointer

Answer 5

a register that keeps track of the location or address of the top of the call stack and defines the stack’s boundary

Question 6

what does the POP instruction do to the stack pointer

Answer 6

only changes the pointer’s value, it does not write or erase data from the stack

Question 7

what is the base pointer register

Answer 7

it is used to calculate the address of variables relative to the address of a reference point/base address

Question 8

gets(char *str)

Answer 8

read line from standard input into str

Question 9

strcat(char *dest, char *src)

Answer 9

appends src to dest (concatenate)

Question 10

strcpy(char *dest, char *src)

Answer 10

copies content of src to dest

Question 11

sprintf(char *str, char *format)

Answer 11

create a str according to the supplied format

Question 12

what happens when a function call is made

Answer 12

1. for each function, a stack frame will be created
2. stack frame will have: return address of caller, input params, local variables

Question 13

describe the IA-32 stack frame

Answer 13

1. it grows downwards
   so from higher address values to lower address values
2. ESP is at the bottom (lower value address)

Question 14

the calling convention in the stack frame

Answer 14

CALLER method
1. push parameters in order from last to first
2. push object instance
3. call method
CALLEE method
4. save registers on stack
5. execute body of method
6. copy results into eax
7. restore registers from stack
8. return from method
BACK TO CALLER
9. remove object instance from the stack
10. remove parameters from the stack

Question 15

saving and restoring registers

Answer 15

> is done by the callee method
e.g.: two registers: edi and ecx
save registers:
push ecx;
push edi;
restore registsers
pop edi;
pop ecx;

Question 16

void Alpha (){
Beta(23);
stmt…
}
void Beta(int x){
int a, b;
Gamma(55, 77);
stmt…
}
void Gamma(int m, int n){
int a;
stmt….
}

int main(){
Alpha();
stmt….
}

Answer 16

(parameter) none
return address (stmt after “Alpha()”)
caller’s (main) EBP
(local variable) none
————————-
x = 23 (parameter)
return address (stmt after “Beta(23)”)
caller’s (Alpha) EBP
a (local var)
b (local var)
————————-
n = 77 (parameter)
m = 55 (parameter)
return address (stmt after “(Gamma(55,77)”)
caller’s (Beta) EBP
a (local var)

Question 17

what is stack buffer overflow

Answer 17

when a buffer (e.g., an array) is located on the stack, and a program writes more data into the buffer than it can accommodate, it can overwrite other data on the stack, including return addresses, function pointers, or local variables

Question 18

what is a stack overflow attack

Answer 18

overwriting the saved frame pointer and return address by intentionally overflowing the buffer

Question 19

example of a stack overflow attack

Answer 19

1. a program that asks for input, saves the input in an array but does not check the size of input
2. an attacker can input too much data, which then the input will extend over the bounds of the buffer and end up overwriting the frame pointer/return address with garbage values
3. when the function attempts to transfer control to the return address, it will jump to an illegal memory location
4. this results in Segmentation Fault - abnormal termination of the program

Question 20

what are some things an attacker would overwrite during a stack buffer overflow attack

Answer 20

1. the address of any function
2. sequence of machine instructions present in the program or its associated system libraries (shell code)

Question 21

what causes buffer overflow to occur

Answer 21

1. if the data read is not appropriately handled/terminated
2. if the size of input is larger than the buffer
3. when a program can safely read, save and pass around an input, but at some point in time in another function, it will unsafely copy it
4. data merging

Question 22

explain how buffer overflow occurs because of data merging

Answer 22

imagine you have two buffers, Buffer A and Buffer B, each with a certain amount of space to store data. When you attempt to merge data into one of these buffers and the combined data from both buffers exceeds the capacity of the destination buffer, you encounter a problem. This situation can lead to data being overwritten or lost if it doesn’t fit within the available space

Question 23

example of buffer overflow because of merging

Answer 23

imagine you have two functions, one that reads input and another that displays it
in the main function, it calls the read function to read input, the read function copies input into string - this is done safely - and then the read function saves input and passes it through display function
display function has a limited buffer size, which means if the input was bigger, it will cause an overflow

Question 24

explain what is a stackguard

Answer 24

a specific type of buffer overflow protection mechanism

> has a function entry code: writes fixed canary value, often referred to as the “stack canary,” placed between the local variables and the old frame pointer on the program’s call stack
has a function exit code: checks if the canary value has not changed before continuing with the usual function exit operations of restoring the old frame pointer and transferring control back to the return address.

Question 25

requirements for a successful use of canaries

Answer 25

1. canary value should be arbitrary
2. canary value should differ across systems

Question 26

problems that may arise while using canaries

Answer 26

1. programs needing protection must be recompiled
2. stack structure has changed , may cause problems with debuggers which analyze stack frames
3. if canary value is predictable, the hacker will include the value in the shell code in the required location

Question 27

answer this: is this code safe
int bof(char *str){
char buffer[24];
strcpy(buffer, str);
return 1;
}
assume each element in stack is 4 bytes

Answer 27

stack frame:
….
str[0-3]
RETURN ADDRESS
OLD FRAME PTR
buffer[20-23]
buffer[16-19]
buffer[12-15]
buffer[8-11]
buffer[4-7]
buffer[0-3]

if length of string exceeds 24 bytes, then it can overflow and overwrite the frame pointer and the return address

Question 28

answer this: is this code safe
int checkPassword(char *pswd){
int authenticate =0;
char password[16];
int i;
for(i=0; i<=16; i++){
if(pswd[i]!=0){
password[i]=pswd[i];
}}
if((strncmp(‘secret’, password, 7) ==0){
authenticate = 1;
}
return authenticate;
}

assume every element of the stack is 1 byte

Answer 28

pswd
return address
frame pointer
authenticate = 0
password[15]
.
.
.
.
.
password[0]
i

this code is not safe because:
1. the loop will run for one more iteration - index 16 does not exist which means it can lead to overwriting of the next element in stack
2. in the case of 17 non null bytes (or more), it can overwrite the value of authenticate to a nonzero, and any nonzero = true in C

Question 29

answer this: add a canary to the following code
void vuln(){
char buf[32];
gets(buf);
}

Answer 29

1. add a canary at the start of the function that will be randomized at each run
2. at the end of the statement you want executed, check if canary still equals the start value
3. if it does not, call function HALT() which will terminate the program
   int MAGIC = rand();
   void HALT(){
   exit(1);
   }
   void vuln(){
   int canary = MAGIC;
   char buf[32];
   gets(buf);
   if(canary!=MAGIC){
   HALT();
   }
   }
4. MAGIC is a global variable, thats advantageous because it will be stored in the data segment of process memory, meaning that it will be outside of the call stack and thus the attacker will not have access to it

Question 30

answer this: does the buffer overflow occur in foo() or strcpy()
int foo(char *str){
char buffer[100];
strcpy(buffer, str);
return 1;
}

Answer 30

1. the buffer is inside foo()
2. when foo() calls strcpy(), the stack frame of strcpy() is under foo()’s
3. since the buffer is inside foo()’s stack frame, when this buffer overflows, it will not be able to affect the memory below the buffer, so it will not be able to modify strcpy()’s return address
4. in conclusion: the jumping to the malicious code occurs when strcpy() returns

str
return address(main)
old frame pointer
buffer[99]
.
.
.
buffer[0]
———————
str
buffer[0..99]
return address(return 1;)
old frame pointer

Question 31

describe the memory layout segments and what is stored in them

Answer 31

heap: dynamic memory allocation (mulloc() and free())
stack: parameter, return address, frame pointer and local variables
BSS: uninitialized global/static variables
data:(explicitly) initialized global/static variables
text: branch instructions (return), constant variables (PI), function definitions and readable code (cannot be edited)