Section 18.175 Buffer Overflow Flashcards
Objectives 2.2 Explain common threat vectors and attack strategies.
Objectives 2.3 Explain various types of vulnerabilities.
Objectives 2.4 Given a scenario, you must be able to analyse indicators of malicious activity.
Objectives 2.5 Explain the purpose of mitigation techniques used to secure the enterprise.
Objectives 2.6 Given a scenario, you must be able to apply common security techniques to computing resources.
Buffer Overflow
Occurs when data exceeds allocated memory, potentially enabling unauthorised access or code execution
■ Common initial attack vector in data breaches
● 85% of data breaches used buffer overflow as the initial vector
■ Attackers exploit the excess data written beyond buffer boundaries to manipulate program execution
Buffer
A temporary storage area where a program stores its data
■ They have a defined memory capacity, just like a glass holding a limited amount of water
■ Overflowing a buffer results in data spilling into adjacent memory locations, causing unintended consequences
Buffer Overflow Attack - Technical Aspects
Stack
Programs have a reserved memory area called a stack to store data during processing
■ The stack uses a “first in, last out” organisation
■ The stack holds the return address that is pushed when a function call instruction is executed
■ Attackers aim to overwrite the return address with their malicious code’s address
Smashing the Stack
Attackers aim to overwrite the return address with a pointer to their malicious code
■ When the non-malicious program hits the modified return address, it runs the attacker’s code
■ This gives attackers a command prompt on the victim’s system for remote code execution
NOP Slide
Attackers fill the buffer with NOP (No-Operation) instructions
■ Execution lands somewhere in the NOP instructions and slides down them until it reaches the attacker’s code, so the return address does not need to be guessed exactly
Mitigations against Buffer Overflow Attack
Address Space Layout Randomization (ASLR)
● Helps prevent attackers from guessing return pointer addresses
● Randomises memory addresses used by well-known programs, making it harder to predict the location of the attacker’s code