Tutorial on Buffer Overflow Attacks
Ashley Hall and Huiming Yu
Department of Computer Science
North Carolina A&T State University
This tutorial discusses what a buffer overflow attack is, how a buffer overflow attack is implemented, the effects of a buffer overflow attack, and ways to prevent buffer overflow attacks. Real world buffer overflow attack cases are presented.
With the increasing use of the internet and web applications, there is also an increase in exploitation approaches against these methods of communication. Many vulnerabilities in software continue to make it easier for attackers to harm software systems. Many of these vulnerabilities are caused by simple mistakes in application creation and server setup. Vulnerabilities such as the SQL injection, cross site scripting, and buffer overflow are a few of the most frequently seen attacks and can result in very damaging effects.
In various locations and settings, buffer overflow attacks have been launched and have caused problems. Buffer overflow attacks are mostly targeted towards popular sites and software. From Microsoft software to social networking sites, several attacks have been found to be caused by a buffer overflow exploit. In 2003, singer Madonna’s website was hacked by an attacker. The singer had reportedly made statements of her distaste for Internet piracy and released many fake MP3s for download onto various file-trading services before her album was released. In retaliation, hackers exploited a buffer overflow on her website. The attackers replaced the contents of www.madonna.com with links to real MP3s of Madonna’s album. This shows that buffer overflow vulnerabilities are found in different areas and buffer overflow attacks can be harmful in different settings.
Buffer overflows are one of the most common forms of software security vulnerability.
A buffer overflow attack is an exploit that takes advantage of a program that is waiting on a user's input. The input placed in the buffer exceeds the buffer’s allocated size. This causes adjacent information to be overwritten, which can lead to the system crashing or to an attacker executing damaging code.
This tutorial will give students a better understanding of what a buffer overflow attack is, how it is implemented, what effects it may cause, and ways to prevent buffer overflow attacks.
What is a Buffer Overflow Attack?
To understand buffer overflow attacks, students must first understand what a buffer overflow is. A buffer overflow is a vulnerability, a weakness which may allow a threat to exploit the software program. A simple analogy for a buffer overflow is overfilling a glass with water. In this case, the glass is compared to a buffer and the water is compared to the various values that may be put into a buffer. If too much water is put into the glass, the water overflows onto the surface holding the glass, causing a mess. In this analogy, the surface holding the glass can be compared to a computer’s memory space. When the contents of a buffer are overflowed, the overflow can overwrite a portion of a computer’s memory. The information stored at this memory location could be lost forever. Included in this lost information is the list of instructions that tell the program which placed information in the buffer where to go and what to do next. The program will not be able to pick up where it left off or finish its tasks, as it is lost.
Figure 1. An Analogy Example
A buffer overflow attack or exploit is a threat that exploits buffer overflow vulnerabilities. For several reasons, attackers may create carefully crafted scripts that take advantage of buffer overflows. Somewhere in this script instructions are given to the program that loses its way during the buffer overflow. From there on the program is instructed to do whatever the attacker has decided which can be very dangerous. This not only allows an attacker’s dangerous script to be executed, but it also prevents the original program from completing its task.
Buffer overflows may be found locally or remotely. This means a buffer overflow can be found in a simple calculator application or in email or web servers. Most attacks target a specific application and/or operating system, which suggests that an understanding of the differences in these specifics is important. Most buffer overflow vulnerabilities are found in software created using languages in which a developer is able to use pointers freely. Two of the most common such languages are C and C++.
Exploits can lead to very damaging effects no matter whom or what the target may be. Buffer overflow exploits can cause many effects, including an application crashing, a computer crashing, a denial of service, and the triggering of running mobile code. Buffer overflow attacks can also lead to Internet worms, intrusion, and other programs or scripts that assist in exploitation. Many attackers use exploits to damage software or to gain or expose private information.
Types of Buffer Overflows
There are several types of buffer overflows. Buffer overflow attacks can result in varying damaging effects in software, on a computer, or on a server. Two of the best known buffer overflow exploits are the overflow of the stack and heap corruption.
3.1 Stack Overflows
Stack overflows have been considered the most common type of remotely exploitable error. They are caused by a lack of separation between data and the structures that control the data. Of the different types of buffer overflows, stack overflows have been considered the easiest to exploit. Even so, the number of stack overflows found in software has decreased because of the attention paid to this type of buffer overflow vulnerability.
Figure 2 is an example program, simplestack.c, which takes a user entry and uses the strcpy() function to copy the content entered by the user into a variable, buffer. The strcpy() function is one of several functions in the Standard C Library that have been shown to allow buffer overflows: it allows a value greater than the size limit of the buffer to be assigned. Figure 2 also shows the contents of the stack during the compilation of this program. If the user’s input is 51 bytes long, 1 byte of the value for buffer in main() will overflow into the space allocated on the stack for the argument buffer in funct(). If the user’s input is large enough, it may overflow into the Extended Instruction Pointer, which is the aim of an attacker: once the attacker controls the EIP, execution can be directed anywhere the attacker desires. Program simplestack.c stores the user entry in the character variable buffer, which has an allocated size of 512 bytes. The stack contents show the order of values on the stack, assuming an Intel x86 processor is used. EIP is the extended instruction pointer, containing the address of the next instruction; this is the pointer the attacker wants to control. EBP is the extended base pointer, which points to the top of the stack. ESP is the extended stack pointer, which points to the current stack position and supports push and pop.
3.2 Heap Overflows
Heap overflow vulnerabilities can be as damaging as stack overflows, and they are being seen more often in software as stack overflow vulnerabilities decline. A heap is an area in memory, similar to a stack. Unlike a stack, the heap’s memory is dynamically allocated. A heap also does not use an EIP, so instead of targeting the EIP, attackers target other areas in dynamic buffers. Sometimes it may be hard to realize that an overflow has occurred in a heap because of the way memory is allocated and deallocated. When one function allocates a specific space on the heap, it remains allocated until that space has been deallocated, because dynamically allocated memory must be explicitly allocated and deallocated. For example, in C the malloc() function is used to allocate a space and the free() function is used to deallocate the space. When an overflow occurs on the heap, the program does not always crash; the overflow may not be noticed until the memory space is later referenced.
Figure 3 is an example of a simple heap overflow vulnerability. The program allocates space for two character pointer variables, input and output. The values for output and input are assigned using the strcpy() function, which is the flaw. Figure 4.2.1 shows, on the left, the contents of the heap with an input value within the buffer size and, on the right, the contents of the heap with an input value greater than the buffer size. As shown on the right, this results in a heap overflow: the content of input’s memory space overflows into the control information and into output’s memory space.
Real World Buffer Overflow Attack Cases
4.1 Morris Worm
The Morris worm is considered to be the first worm, as it was the first to gain much media attention because of its effects. The worm was written by a student of Cornell University named Robert Morris and was distributed in November 1988. It was distributed from the Massachusetts Institute of Technology to disguise its original source. The cost of the damage was estimated to be between ten and one hundred million dollars. In the end, Robert Morris was convicted of violating the Computer Fraud and Abuse Act. He was required to do three years of probation, pay a 10 thousand dollar fine, and perform community service.
Figure 3. An Example of Heap Overflow (Simple Heap Example)
The worm took advantage of several vulnerabilities in UNIX. The worm could be executed on one computer multiple times, and after executing many times it could slow a computer’s processor tremendously. Computers could be slowed to the point of not being able to operate. The result of the worm was a denial of service attack. The portion that used a buffer overflow attack was used if the previous step of using remote shell code failed. The buffer overflow vulnerability that was taken advantage of was the use of the gets() function in UNIX’s finger service. The finger service provides information about the users logged in to a UNIX system. This portion of the worm affected VAX systems. The gets() function is a flawed Standard C Library function, which should not have been used.
4.2 Wii Twilight Hack
There are many team and individual game and console hackers working to create exploits every day. The popular Sony PlayStation and Microsoft Xbox 360 have both been targets of hackers hoping to run different operating systems and homebrew games on consoles. Homebrew games are video games produced by consumers. Hackers create exploits after discovering vulnerabilities, mostly in memory cards and in video games approved by the game console’s producer. Homebrew games gained popularity as consumers realized they would save money, since many homebrew games do not have to be purchased.
The Nintendo Wii system, another popular gaming console, was also hacked to allow homebrew gaming. A hacker team, Team Twiizers, discovered a buffer overflow vulnerability in the video game Twilight Princess. The team created a specially crafted save file, which they stored on an SD memory card. This save file overflows the player’s horse name value in Twilight Princess, which causes a crash. In the team’s specially crafted code, the Wii system is told to run a loader from the SD memory card. After the game crashes, the Wii system loads this program, which may be a program to launch a homebrew game. This exploit has versions that can be executed on Wii System Menu 3.3 and 3.4. Team Twiizers has released step-by-step instructions explaining how to exploit the vulnerability on the Wiibrew website. Nintendo has patched the vulnerability starting at Wii System Menu 4.0 and in all newer versions.
Buffer Overflow Attack Prevention
Buffer overflows are vulnerabilities, and they continue to be a problem for software security. Proper securing of software should seek to ensure the goals of confidentiality, integrity, authentication, availability, and non-repudiation. Buffer overflow vulnerabilities affect the assurance of several of these goals. Buffer overflows are not always easy to discover, and even when an overflow is discovered, it can be difficult to reverse its effects. By finding ways of recognizing and preventing buffer overflow vulnerabilities, many buffer overflow attacks can be prevented. Several practices, such as the use of non-executable stacks, the use of buffer bounds-checking compilers, and the secure and proper writing and testing of code, can help to prevent attacks.
Many researchers have suggested that a possible method for preventing buffer overflow vulnerabilities would be to eliminate the use of specific programming languages, such as C and C++, which are susceptible to buffer overflow vulnerabilities. Though this would eliminate many buffer overflow problems, since other languages offer automatic bounds checking, in reality it would cause problems with efficiency. Though C and C++ have issues with buffer overflows, they also have several advantages when compared to other languages. Many people continue to use these languages because they already have a large user community and do not require as much system memory, as they do not support garbage collection. Another reason for many companies to continue using C and C++ is the cost and time it would take for a team to learn and/or migrate to other languages.
A very important method of preventing buffer overflow attacks is improving the security of code and not using flawed standard library functions. As seen in the previous examples of buffer overflow vulnerabilities, the C function strcpy() can cause buffer overflow problems. A programmer could simply use the strncpy() function instead of the strcpy() function to eliminate this problem. The strncpy() function only allows copying within the buffer size. This change improves code security and uses an improved standard library function.
Other methods of prevention include the use of non-executable stacks and buffer bounds-checking compilers. Many buffer overflow exploits rely on the use of executable stacks. Making the stack non-executable would require the operating system’s kernel to be recompiled and patched, and it ensures that any exploit that requires an executable stack will not be successful. Buffer bounds-checking compilers and compiler enhancement add-ons help to prevent overflows by stopping program execution when too much has been put into a buffer. Many commonly used compilers have versions that include buffer bounds checking.
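The following C program is an added example, not the code from the tutorial's figures: it places the unchecked strcpy() pattern described for simplestack.c in Section 3.1 beside a bounded copy of the kind this paragraph recommends, with a heap variant for the input/output example of Section 3.2. BUF_SIZE, bounded_copy() and the other function names are my own assumptions, and the comments note the one caveat practitioners should know about strncpy(): it leaves no terminating NUL when the source fills the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 512  /* the buffer size the tutorial gives for simplestack.c */

/* Vulnerable pattern from the tutorial's description: strcpy() copies until it
 * finds the NUL in src, so any src longer than BUF_SIZE-1 bytes writes past the
 * end of buffer and into the saved EBP/EIP above it on the stack.
 * Kept here only for comparison; never call it with untrusted input. */
void funct_unsafe(const char *src) {
    char buffer[BUF_SIZE];
    strcpy(buffer, src);  /* no length check */
    printf("%s\n", buffer);
}

/* Bounded replacement. Returns 1 if src had to be truncated, 0 if it fit.
 * strncpy() on its own is not enough: when src is n or more bytes long it
 * leaves dst without a terminating NUL, so a NUL is always written at dst[n-1]. */
int bounded_copy(char *dst, size_t n, const char *src) {
    if (n == 0) return 1;
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
    return strlen(src) >= n;
}

/* Same function with the copy bounded to sizeof buffer: a 600-byte input is
 * cut to 511 bytes plus NUL instead of overwriting the stack. */
int funct_safe(const char *src) {
    char buffer[BUF_SIZE];
    int truncated = bounded_copy(buffer, sizeof buffer, src);
    printf("%s\n", buffer);
    return truncated;
}

/* Heap variant of the tutorial's input/output example (assumed layout: two
 * malloc()'d blocks of the same size). The bounded copy into input cannot
 * spill into output. Returns 1 if output still holds its original contents. */
int heap_copy_keeps_neighbour(const char *src, size_t size) {
    char *output = malloc(size), *input = malloc(size);
    if (!output || !input) { free(output); free(input); return -1; }
    bounded_copy(output, size, "ok");
    bounded_copy(input, size, src);
    int intact = strcmp(output, "ok") == 0;
    free(input);
    free(output);
    return intact;
}
```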
One of the simplest ways of preventing many buffer overflow issues is keeping up with software updates and patches. No software is completely secure because there may always be someone figuring out a way to wreak havoc. Knowing what is happening with the software being used and frequently applying patches may help to prevent many security problems.
Buffer overflow attacks have been causing problems in software, computers, and servers for several years. To eliminate buffer overflows, the creators of software must understand what buffer overflows are, how buffer overflow attacks are implemented, what effects can be caused, and how to prevent buffer overflow vulnerabilities so that the attacks will not happen. Much of this information has been available for some time now but buffer overflow attacks continue to be seen. In order for this to stop, software developers must actually learn this information and use it when they create software. This is the only way buffer overflows will be eliminated.