Lecture 6 & 7: Buffer Overflow

Question 1

Give two reasons as to why buffer overflow attacks are still problematic

Answer 1

• Legacy code

- Careless programming

Question 2

Explain the “basics” of buffer overflow, why it is possible and how it works on the memory-level

Answer 2

• Caused by programming error
  
  • Allows more data stored than capacity
  • Reads more data than capacity
• Overwriting adjacent memory locations
  
  • Corruption of program data
  • Unexpected transfer of control
  • Memory access violation
  • Execution of code chosen by attacker

Question 3

Give some examples of differences between C and Python, with regards to buffer overflow

Answer 3

• C/C++
o Have high-level control structures
o But allow direct access to memory, hence are vulnerable to buffer overflow

• Java / Python / ML / Modern high-level languages
o Have a strong notion of type and valid operations
o Not vulnerable to buffer overflows
o Utilizes garbage collectors
o Has overhead, some limits on use

Question 4

Give some examples of ways in which an attacker can find opportunities for buffer overflow attacks

Answer 4

♣ Source code inspection (e.g. on GitHub log)
♣ Binary code inspection
♣ Tracing execution
♣ Fuzzing tools (random inputs)

Question 5

Explain what a “Stack Buffer overflow” is, and how it works

Answer 5

• Occurs when buffer is located on stack
• Local variables below saved frame pointer and return address
• Hence overflow of a local buffer can potentially overwrite these key control elements

Question 6

Explain what a “Return attack” is, one prerequisite for the attacker in order for it to work, and how the attack works

Answer 6

•	Attacker needs
o	Know where the function is loaded
♣	(the address is used to override the return pointer)
♣	use debugger
o	know space below the frame pointer
♣	inspection
o	know valid value for overwriting frame pointer
o	consider little-Endian vs big-Endian

Question 7

Give some examples of possible effects of a “buffer overflow” attack

Answer 7

• Victim secret exposed
• Victim data changed
• Victim control flow changed
• Victim program changed
• DOS (victim crashes)

Question 8

Explain what “Shellcode” is, in the context of “Buffer overflow” attacks

Answer 8

• Code supplied by attacker
o Often saved in buffer that is overflowed
o Traditionally transfer control to a shell

Question 9

Explain what “Global data overflow” is, and briefly describe some of its features

Answer 9

• Can attack buffer located in global data
  o May be located above program code
• No return address
  o Hence no easy transfer of control
• May have function pointers (e.g. C++ virtual tables)
• Or manipulate management data structures

Question 10

Explain what “Heap overflow” is, how it works, and shortly describe why it’s possible

Answer 10

• Attack buffer located in heap
  o Typically located above program code
  o Memory requested by programs to use in dynamic data structures (e.g. linked lists, malloc)
• Also, possible due to dangling pointers
• No return address
• May have function pointers (e.g. C++ virtual pointers)
• Or manipulate management data structures

Question 11

Explain what “Return to System Call” attack is, and how it works

Answer 11

• Attacker gains control of the system call-stack
• System-call control flow (OS) hijacked to execute arbitrary program
• Non-privileged SW executed as privileged
• Rootkit/auto-rooter

Question 12

Explain what “Return Oriented Programming” attacks are, and how they work

Answer 12

• Attacker gains control of the call stack
• Hijacks program control flow
• Executes chosen machine instruction sequences
  o Called “gadgets”
• Each gadget ends in a return instruction
• Gadgets are located within the existing program
• Chained together, gadgets allow to perform arbitrary operations

Question 13

Explain what “Code reuse” attacks are, and how they work

Answer 13

1. ROP (return oriented programming) and JOP (jump-oriented programming) attacks are usually not defeated by ISR
2. Use of memory errors to subvert victim’s control flow
3. Chain together gadgets to execute arbitrary computations

Question 14

What are “dangling pointers”, and how can they occur?

Answer 14

• Dangling pointers: do not point to a valid object of the appropriate type
o Wrong dynamic cast of pointers
o Missing update of pointers when memory is released (explicitly with free, implicitly by destroying the stack frame)
o Missing initialization of pointers

Question 15

Explain what an “Arithmetic Overflow” is, and some possible effects of it

Answer 15

• An integer, which has not been properly checked, is incremented past the maximum possible value
• It may wrap to become a very small, or negative number
• Can lead to buffer overflows, if the integer is used to compute memory offsets, array indexes etc.
Can lead to violation of security policies
• Can lead to failures
• Can lead to data corruption

Question 16

Give some examples of countermeasures to prevent “Arithmetic overflow”

Answer 16

• Static analysis (e.g. symbolic execution)
• Use of special values (e.g. NaN in Java)
• Exceptions (e.g. Math.addExact(x,y) and ArithmeticException in Java)
• Numbers with arbitrary precision (e.g. Python)

Question 17

Explain what “Virtual Memory” is

Answer 17

• Modern systems do not use directly physical addresses
• SW uses virtual addresses
• HW configuration maps virtual addresses to physical addresses
• HW configuration updatable
• HW configuration is called page tables
• HW mechanism is called Memory Management Unit

Question 18

Explain how operating systems use virtual memory to function

Answer 18

-	Memory divided in pages
o	Page tables sets memory attributes per page
-	OS configures Virtual Memory
o	Isolates processes
o	Mediate communications
o	Mediate access to HW and File System
-	OS executes in privileged mode
o	All other processes are executed unprivileged

Question 19

What are the possible effects of “buffer overflow”, remembered by the rule of thumb: “SDCVX”?

Answer 19

• [S] Access to Secret data
• [D] Corruption of program Data
• [C] Unexpected transfer of Control
• [V] Memory access Violation
• [X] EXecution of code chosen by attacker

Question 20

Give some examples of “Compile-time defenses” against buffer overflow

Answer 20

• Language
• Safe coding
• Language Extension, Safe Libraries
• Polymorphic code

Question 21

Describe how programming language can be used to defend against buffer overflow attacks

Answer 21

• Use a modern high-level program with strong typing
  o You cannot access un-typed memory
  o Not vulnerable to buffer overflow
• Compiler enforces range checks and allowed operations on variables
• Do have cost in resource
• And restrictions on access to hardware
• So still need some code in C like languages
• There can be a buffer overflow if there is a bug in the language interpreter or JIT compiler

SDCVX

Question 22

Describe how “safe coding” can be used to defend against buffer overflow attacks

Answer 22

• If using a potentially unsafe language, e.g. C
• Programmer must explicitly write safe code
  o E.g. justify why a buffer can receive in bytes
• Code review
• Check pointers yield by allocations
  o E.g. when allocation fails
• Check to have sufficient space in all buffers
  o Use fixed size buffers

SDCVX

Question 23

Explain what “Verification” is, in the context of writing code, how it works, one reason why it isn’t always used, and give an example of where it often is used

Answer 23

•	Code verification
o	Using mathematical model
o	Proving absence of bugs
•	Expensive: ~ $2000 per line of code
•	Verified execution platforms
o	Isolation kernels 
o	Software fault isolation

Question 24

Describe how “Language extension” and “Safe libraries” can be used to defend against buffer overflow attacks, and what some drawbacks are

Answer 24

• Use safer standard library variants
  o New functions, e.g. strncpy()
  o Safer re-implementation of standard functions as a library, e.g. Libsafe

o Performance penalties
o Must compile programs with special compilers

SDCVX

Question 25

Explain what “Guard pages” are, and how they can be used to protect against buffer overflow attacks

Answer 25

-	Place guard memory pages
o	Configured in MMU as illegal addresses
o	Any access aborts process
o	Can be placed between
♣	Stack frames and heap buffers
♣	Between critical regions of memory

SDX

Question 26

Give two examples of how the “Control Flow Integrity” can be preserved (a.k.a. “Stack protection”)

Answer 26

o Shadow stacks
♣ Keep copy of original call stack to see if changes have been made

CX

o Stack canaries
♣ Set small (“random”) integer number in stack, if it is gone/changed then attack is detected

DCX

Question 27

Explain what “Executable Address Space Protection” is, and why it can be used to protect against buffer overflow attacks

Answer 27

• Use virtual memory support to make some regions of memory non-executable
  o E.g., stack, heap, global data
  o Need HW support in MMU
• Long existed on SPARC/Solaris systems
• Recent on x86/ARM Linux/Unix/Windows systems

X

Question 28

Give some examples of “Run-time Defences” against buffer overflow attacks

Answer 28

• Address Space Randomisation

- Executable Address Space Protection

Question 29

Explain why “Address Space Randomisation” can help protect against buffer overflow attacks

Answer 29

Using random locations for heap, stack, and memory, will make it harder fo an attacker to figure out relative positions, and by extension, which locations to overflow.

Question 30

Explain what “Polymorphic coding” is, and how it can help protect against buffer overflow attacks

Answer 30

• It is code that in a seemingly random manner constructs things like order of arguments, data-structures, and number of instructions differently between instantiations.
• Since every instance of the application is different, a buffer overflow in one instance cannot be used in another.
• It’s difficult to predict position of functions and gadgets

SDCX