Buffer Overflow explained

What is a Buffer Overflow?

To put it simply, it is putting more data into a buffer than the buffer was sized to hold. For example, you declare a buffer with 8 elements and then fill that 8-byte buffer with 65 bytes. The remaining 57 bytes do not vanish; they are written into whatever happens to sit next to the buffer in memory. This is particularly bad when the neighbouring memory holds data the program relies on for control, such as a saved return address. Depending on what gets overwritten, the program either crashes or an attacker who controls the input can redirect execution and, if the program runs with higher privileges than the attacker, gain those privileges.

The Stack

You can imagine the stack like a pile of plates in a kitchen: the plate put on top last is the first one taken off. Stacks in computers work the same way. The last thing pushed onto the stack is the first thing that can be popped off it (last in, first out).

The stack is mostly used for function calls. When a function is called, its parameters and its local variables end up on the stack (the exact order depends on the compiler and calling convention), and two more pieces of data are pushed as well: the caller's frame pointer and the return address. Everything a single call needs is grouped into one frame on the stack. For example, in most programming languages the program starts with a main function, and control goes back to the operating system when main returns. If main calls another function, myFunc for instance, myFunc needs to know where to go back to once it has finished. When myFunc returns, the saved frame pointer is restored so the caller's frame is valid again, and execution jumps to the return address, which is the address in the caller where the flow of code continues after the call.

The Stack and Buffer Overflow

Now you might say, okay, I know how the stack works, so what's the buffer overflow deal? Remember where I said that a buffer overflow is simply putting more information into a defined space than expected?

Let's take the myFunc function as an example. It takes a pointer to a 65-byte buffer as its parameter and has an 8-byte buffer as a local variable. Now myFunc copies the contents of the 65-byte buffer into the 8-byte buffer without checking sizes. The result is clear: it overwrites the memory after the 8-byte buffer, and on the stack that memory holds the saved frame pointer and the return address. If you fill the 65-byte buffer with A's, the return address is overwritten with 0x41414141 (0x41 is the hexadecimal value of the ASCII character A). When myFunc returns, the CPU jumps to address 0x41414141. That address is almost never mapped into the process, so the program crashes; but an attacker who controls the input can just as easily write a chosen address there instead and redirect execution wherever they like. If the program runs with higher privileges, the attacker inherits them.

What can be done against Buffer Overflows?

From the programmer's standpoint I would say careful programming, especially with C/C++ functions. The function strcpy is particularly tricky since it does no size checking: it copies the contents of one array into another regardless of the sizes of both, and if the destination array is smaller than the source it still does the copy. Prefer functions that take the destination size (such as snprintf, or strlcpy where available) and check input lengths explicitly before copying; treat strncpy with care too, since it does not NUL-terminate when the source fills the destination. Beyond that, test a lot and do proper error/exception handling. Modern compilers and operating systems add mitigations such as stack canaries, non-executable stacks and address space randomisation, but those make exploitation harder, not impossible, so the bug itself still needs fixing.
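The following is an added example, not code from the original post or its linked PDF. It models the myFunc frame described above (8-byte local buffer, then saved frame pointer, then return address) as a plain struct so the overwrite can be observed without actually corrupting the real stack, and puts the unbounded strcpy-style copy next to a bounded replacement. The frame layout, the 32-bit addresses and the 65-A input are all constructed assumptions; real compilers may add padding or a canary between the buffer and the saved registers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of myFunc's stack frame on a 32-bit machine. The 8-byte
 * local buffer sits just below the saved frame pointer and the return address.
 * This layout is an assumption made for the demonstration. */
struct frame {
    char     buf[8];     /* myFunc's local 8-byte buffer */
    uint32_t saved_fp;   /* caller's frame pointer, pushed at call time */
    uint32_t ret;        /* return address: where execution resumes */
    char     spill[64];  /* whatever lies above the frame (caller's data) */
};

/* Fill the model frame with recognisable (constructed) values. */
static void init_frame(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->saved_fp = 0xBFFFF000u;
    f->ret      = 0x08048500u;
}

/* Vulnerable copy: what strcpy(buf, src) does, with no bound at all.
 * It writes through the frame's own bytes so the demonstration stays inside
 * a defined object instead of crashing the program that runs it. */
static void unbounded_copy(struct frame *f, const char *src) {
    unsigned char *dst = (unsigned char *)f + offsetof(struct frame, buf);
    size_t room = sizeof *f - offsetof(struct frame, buf);
    size_t n = strlen(src) + 1;          /* strcpy copies the NUL too */
    if (n > room)
        n = room;                        /* keep the model object itself intact */
    memcpy(dst, src, n);
}

/* Hardened copy: reject input that does not fit, always NUL-terminate. */
static int bounded_copy(struct frame *f, const char *src) {
    size_t n = strlen(src);
    if (n >= sizeof f->buf)
        return -1;                       /* too long: refuse instead of overflowing */
    memcpy(f->buf, src, n + 1);
    return 0;
}

/* Constructed attacker input: 65 'A' characters, as in the walkthrough. */
const char *attack_input(void) {
    static char attack[66];
    memset(attack, 'A', 65);
    attack[65] = '\0';
    return attack;
}

/* Return address left in the model frame after the unbounded copy. */
uint32_t ret_after_unbounded(const char *src) {
    struct frame f;
    init_frame(&f);
    unbounded_copy(&f, src);
    return f.ret;
}

/* Return address left in the model frame after the bounded copy. */
uint32_t ret_after_bounded(const char *src) {
    struct frame f;
    init_frame(&f);
    (void)bounded_copy(&f, src);
    return f.ret;
}

/* Status of the bounded copy: 0 on success, -1 if the input was rejected. */
int bounded_result(const char *src) {
    struct frame f;
    init_frame(&f);
    return bounded_copy(&f, src);
}

int main(void) {
    const char *a = attack_input();
    printf("unbounded copy: ret = 0x%08x\n", (unsigned)ret_after_unbounded(a));
    printf("bounded copy:   ret = 0x%08x (rc=%d)\n",
           (unsigned)ret_after_bounded(a), bounded_result(a));
    printf("bounded copy of \"hello\": rc=%d\n", bounded_result("hello"));
    return 0;
}
```

Run it and the unbounded copy reports the return address as 0x41414141, exactly the value the walkthrough predicts, while the bounded copy leaves it untouched and reports the rejection. The check in bounded_copy is the whole fix: know the destination size, compare the source length against it before copying, and fail loudly rather than silently truncating or overflowing.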

View the PDF including the code here: Buffer Overflows

~ by austrogeek on February 4, 2011.

3 Responses to “Buffer Overflow explained”

  1. Great post! As a programmer myself, this is a wonderful explanation and I’ll make sure to share this whenever someone asks me to explain the problem.

    • Oh, thank you :) Yeah, I hope every programmer would test their programs more often and use those safety methods to prevent bad things from happening.

  2. AHH! Explained for the mortals :)
    Great post!
