Buffer overflow - Wikipedia


From Wikipedia, the free encyclopedia

[Figure: Visualization of a software buffer overflow. Data is written into A, but is too large to fit within A, so it overflows into B.]

In information security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.

Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs; if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, then an anomalous transaction that produces more data could cause it to write past the end of the buffer. If this overwrites adjacent data or executable code, this may result in erratic program behavior, including memory access errors, incorrect results, and crashes.

Exploiting the behavior of a buffer overflow is a well-known security exploit. On many systems, the memory layout of a program, or the system as a whole, is well defined. By sending in data designed to cause a buffer overflow, it is possible to write into areas known to hold executable code and replace it with malicious code, or to selectively overwrite data pertaining to the program's state, therefore causing behavior that was not intended by the original programmer. Buffers are widespread in operating system (OS) code, so it is possible to make attacks that perform privilege escalation and gain unlimited access to the computer's resources. The famed Morris worm in 1988 used this as one of its attack techniques.
Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array. Bounds checking can prevent buffer overflows, but requires additional code and processing time. Modern operating systems use a variety of techniques to combat malicious buffer overflows, notably by randomizing the layout of memory, or deliberately leaving space between buffers and looking for actions that write into those areas ("canaries").

Technical description

A buffer overflow occurs when data written to a buffer also corrupts data values in memory addresses adjacent to the destination buffer due to insufficient bounds checking. This can occur when copying data from one buffer to another without first checking that the data fits within the destination buffer.

Example

Further information: Stack buffer overflow

In the following example expressed in C, a program has two variables which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte big-endian integer, B.

    char A[8] = "";
    unsigned short B = 1979;

Initially, A contains nothing but zero bytes, and B contains the number 1979.

    variable name   A                         B
    value           [null string]             1979
    hex value       00 00 00 00 00 00 00 00   07 BB

Now, the program attempts to store the null-terminated string "excessive" with ASCII encoding in the A buffer.
    strcpy(A, "excessive");

"excessive" is 9 characters long and encodes to 10 bytes including the null terminator, but A can take only 8 bytes. By failing to check the length of the string, it also overwrites the value of B:

    variable name   A                                  B
    value           'e' 'x' 'c' 'e' 's' 's' 'i' 'v'    25856
    hex             65 78 63 65 73 73 69 76            65 00

B's value has now been inadvertently replaced by a number formed from part of the character string. In this example "e" followed by a zero byte becomes 25856 (0x6500, since B is big-endian).

Writing data past the end of allocated memory can sometimes be detected by the operating system to generate a segmentation fault error that terminates the process.

To prevent the buffer overflow from happening in this example, the call to strcpy could be replaced with strlcpy, which takes the maximum capacity of A (including a null-termination character) as an additional parameter and ensures that no more than this amount of data is written to A:

    strlcpy(A, "excessive", sizeof(A));

When available, the strlcpy library function is preferred over strncpy, which does not null-terminate the destination buffer if the source string's length is greater than or equal to the size of the buffer (the third argument passed to the function); therefore A may not be null-terminated and cannot be treated as a valid C-style string.

Exploitation

The techniques to exploit a buffer overflow vulnerability vary by architecture, by operating system and by memory region. For example, exploitation on the heap (used for dynamically allocated memory) differs markedly from exploitation on the call stack.

Stack-based exploitation

Main article: Stack buffer overflow

A technically inclined user may exploit stack-based buffer overflows to manipulate the program to their advantage in one of several ways:

- By overwriting a local variable that is located near the vulnerable buffer on the stack, in order to change the behavior of the program
- By overwriting the return address in a stack frame to point to code selected by the attacker, usually called the shellcode. Once the function returns, execution will resume at the attacker's shellcode.
- By overwriting a function pointer[1] or exception handler to point to the shellcode, which is subsequently executed
- By overwriting a local variable (or pointer) of a different stack frame, which will be used by the function which owns that frame later.[2]

The attacker designs data to cause one of these exploits, then places this data in a buffer that the vulnerable code fills from user input. If the address of the user-supplied data used to affect the stack buffer overflow is unpredictable, exploiting a stack buffer overflow to cause remote code execution becomes much more difficult. One technique that can be used to exploit such a buffer overflow is called "trampolining". In that technique, an attacker will find a pointer to the vulnerable stack buffer, and compute the location of their shellcode relative to that pointer. Then, they will use the overwrite to jump to an instruction already in memory which will make a second jump, this time relative to the pointer; that second jump will branch execution into the shellcode. Suitable instructions are often present in large code. The Metasploit Project, for example, maintains a database of suitable opcodes, though it lists only those found in the Windows operating system.[3]

Heap-based exploitation

Main article: Heap overflow

A buffer overflow occurring in the heap data area is referred to as a heap overflow and is exploitable in a manner different from that of stack-based overflows. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc metadata) and uses the resulting pointer exchange to overwrite a program function pointer.
Microsoft's GDI+ vulnerability in handling JPEGs is an example of the danger a heap overflow can present.[4]

Barriers to exploitation

Manipulation of the buffer, which occurs before it is read or executed, may lead to the failure of an exploitation attempt. These manipulations can mitigate the threat of exploitation, but may not make it impossible. Manipulations could include conversion to upper or lower case, removal of metacharacters and filtering out of non-alphanumeric strings. However, techniques exist to bypass these filters and manipulations: alphanumeric shellcode, polymorphic code, self-modifying code and return-to-libc attacks. The same methods can be used to avoid detection by intrusion detection systems. In some cases, including where code is converted into Unicode,[5] the threat of the vulnerability has been misrepresented by the disclosers as only Denial of Service when in fact the remote execution of arbitrary code is possible.

Practicalities of exploitation

In real-world exploits there are a variety of challenges which need to be overcome for exploits to operate reliably. These factors include null bytes in addresses, variability in the location of shellcode, differences between environments and various counter-measures in operation.

NOP sled technique

Main article: NOP slide

[Figure: Illustration of a NOP-sled payload on the stack.]
A NOP-sled is the oldest and most widely known technique for exploiting stack buffer overflows.[6] It solves the problem of finding the exact address of the buffer by effectively increasing the size of the target area. To do this, much larger sections of the stack are corrupted with the no-op machine instruction. At the end of the attacker-supplied data, after the no-op instructions, the attacker places an instruction to perform a relative jump to the top of the buffer where the shellcode is located. This collection of no-ops is referred to as the "NOP-sled" because if the return address is overwritten with any address within the no-op region of the buffer, the execution will "slide" down the no-ops until it is redirected to the actual malicious code by the jump at the end. This technique requires the attacker to guess where on the stack the NOP-sled is instead of the comparatively small shellcode.[7]

Because of the popularity of this technique, many vendors of intrusion prevention systems will search for this pattern of no-op machine instructions in an attempt to detect shellcode in use. It is important to note that a NOP-sled does not necessarily contain only traditional no-op machine instructions; any instruction that does not corrupt the machine state to a point where the shellcode will not run can be used in place of the hardware assisted no-op. As a result, it has become common practice for exploit writers to compose the no-op sled with randomly chosen instructions which will have no real effect on the shellcode execution.[8]
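As an added illustration of the two paragraphs above (and of the deep packet inspection section further down), the following C program, which is not part of the article, builds two constructed sled payloads and runs two detectors over them: a naive one that looks for runs of the 0x90 hardware NOP, and a broader one that accepts any single-byte i386 instruction that leaves the stack pointer and the code bytes alone. The register-preserving instruction set, the deterministic generator used to pick filler, and the int3 bytes standing in for shellcode are all assumptions made for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Longest run of the hardware NOP (0x90): the classic signature an IPS looks for. */
size_t longest_run_0x90(const uint8_t *p, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (p[i] == 0x90) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Single-byte i386 instructions usable as sled filler on the stack: they do not touch
 * esp, do not branch and do not write memory, so landing anywhere in the run still
 * carries execution into the shellcode. inc/dec esp (0x44, 0x4C) are excluded.
 * (Assumed set for this example; the shellcode must not depend on incoming register
 * values, since inc/dec and cwde/cdq change eax..edi.) */
int is_sled_byte(uint8_t b)
{
    if (b == 0x90) return 1;                                    /* nop                 */
    if (b >= 0x40 && b <= 0x4F) return b != 0x44 && b != 0x4C;  /* inc/dec r32         */
    switch (b) {
    case 0x98: case 0x99:                                       /* cwde, cdq           */
    case 0xF5: case 0xF8: case 0xF9: case 0xFC: case 0xFD:      /* cmc clc stc cld std */
        return 1;
    }
    return 0;
}

/* Longest run of sled-equivalent bytes: the broader, polymorphism-aware detector. */
size_t longest_sled_run(const uint8_t *p, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = is_sled_byte(p[i]) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Filler candidates an exploit writer might draw from when avoiding 0x90. */
const uint8_t poly_set[] = {
    0x40, 0x41, 0x42, 0x43, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4D, 0x4E, 0x4F,
    0x98, 0x99, 0xF5, 0xF8, 0xF9, 0xFC, 0xFD
};

/* Constructed stand-in for shellcode: eight int3 bytes, which are not sled bytes. */
const uint8_t fake_shellcode[8] = { 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC };

/* Build sled_len filler bytes followed by the stand-in shellcode into out (which
 * must hold sled_len + 8 bytes). polymorphic == 0 uses plain 0x90; otherwise bytes
 * are drawn from poly_set with a small LCG seeded by seed, so the same seed always
 * yields the same payload. Returns the total payload length. */
size_t build_payload(uint8_t *out, size_t sled_len, int polymorphic, uint32_t seed)
{
    for (size_t i = 0; i < sled_len; i++) {
        if (!polymorphic) { out[i] = 0x90; continue; }
        seed = seed * 1664525u + 1013904223u;                  /* Numerical Recipes LCG */
        out[i] = poly_set[(seed >> 24) % (sizeof poly_set)];
    }
    memcpy(out + sled_len, fake_shellcode, sizeof fake_shellcode);
    return sled_len + sizeof fake_shellcode;
}

int main(void)
{
    uint8_t payload[512];
    size_t n = build_payload(payload, 200, 0, 1);
    printf("classic sled:     0x90 run=%zu  sled-byte run=%zu\n",
           longest_run_0x90(payload, n), longest_sled_run(payload, n));
    n = build_payload(payload, 200, 1, 1);
    printf("polymorphic sled: 0x90 run=%zu  sled-byte run=%zu\n",
           longest_run_0x90(payload, n), longest_sled_run(payload, n));
    return 0;
}
```

The polymorphic payload defeats the 0x90 signature completely while remaining a working sled; the broader detector still sees a 200-byte run, which is the idea behind instruction-sequence approaches such as STRIDE,[8] at the cost of more false positives on ordinary binary data.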
While this method greatly improves the chances that an attack will be successful, it is not without problems. Exploits using this technique still must rely on some amount of luck that they will guess offsets on the stack that are within the NOP-sled region.[9] An incorrect guess will usually result in the target program crashing and could alert the system administrator to the attacker's activities. Another problem is that the NOP-sled requires a much larger amount of memory in which to hold a NOP-sled large enough to be of any use. This can be a problem when the allocated size of the affected buffer is too small and the current depth of the stack is shallow (i.e., there is not much space from the end of the current stack frame to the start of the stack). Despite its problems, the NOP-sled is often the only method that will work for a given platform, environment, or situation, and as such it is still an important technique.

The jump to address stored in a register technique

The "jump to register" technique allows for reliable exploitation of stack buffer overflows without the need for extra room for a NOP-sled and without having to guess stack offsets. The strategy is to overwrite the return pointer with something that will cause the program to jump to a known pointer stored within a register which points to the controlled buffer and thus the shellcode. For example, if register A contains a pointer to the start of a buffer then any jump or call taking that register as an operand can be used to gain control of the flow of execution.[10] An instruction from ntdll.dll to call the DbgPrint() routine contains the i386 machine opcode for jmp esp.
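To make concrete how the search for such an opcode works, the following C program (an added example, not code from the article or from the Metasploit opcode database) scans a small constructed i386 code image for byte pairs that transfer control to a register, examining every byte offset rather than only instruction boundaries, and records whether each candidate address contains a null byte. The image bytes and the base address 0x7C940100 are invented for the demonstration; only the opcode encodings (FF E0+r for jmp r32, FF D0+r for call r32, 50+r followed by C3 for push r32; ret) come from the instruction set reference.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* One candidate "jump to register" gadget found in a code image. */
struct gadget {
    uint32_t addr;     /* virtual address of the first opcode byte */
    const char *kind;  /* "jmp reg", "call reg" or "push reg; ret" */
    int reg;           /* i386 register number 0..7 (4 = esp) */
    int has_null;      /* address contains a 0x00 byte and so cannot survive strcpy */
};

/* A 32-bit address containing a zero byte terminates a C-string copy early. */
int addr_has_null_byte(uint32_t a)
{
    for (int i = 0; i < 4; i++)
        if (((a >> (8 * i)) & 0xFFu) == 0) return 1;
    return 0;
}

/* Scan img[0..len) as if mapped at base. ModRM encodings: FF E0+r = jmp r32,
 * FF D0+r = call r32, 50+r followed by C3 = push r32; ret. Every byte offset is
 * examined, not just instruction starts, which is what turns up the unintentional
 * instances hidden inside longer instructions. Returns the number of gadgets
 * stored (at most max). */
size_t find_reg_gadgets(const uint8_t *img, size_t len, uint32_t base,
                        struct gadget *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max; i++) {
        uint8_t b0 = img[i], b1 = img[i + 1];
        struct gadget g = { base + (uint32_t)i, NULL, 0, 0 };
        if (b0 == 0xFF && (b1 & 0xF8) == 0xE0)       { g.kind = "jmp reg";       g.reg = b1 & 7; }
        else if (b0 == 0xFF && (b1 & 0xF8) == 0xD0)  { g.kind = "call reg";      g.reg = b1 & 7; }
        else if ((b0 & 0xF8) == 0x50 && b1 == 0xC3)  { g.kind = "push reg; ret"; g.reg = b0 & 7; }
        else continue;
        g.has_null = addr_has_null_byte(g.addr);
        out[n++] = g;
    }
    return n;
}

/* Address of the first gadget that targets register reg and has no null byte, or 0. */
uint32_t first_usable_gadget(const uint8_t *img, size_t len, uint32_t base, int reg)
{
    struct gadget found[64];
    size_t n = find_reg_gadgets(img, len, base, found, 64);
    for (size_t i = 0; i < n; i++)
        if (found[i].reg == reg && !found[i].has_null) return found[i].addr;
    return 0;
}

/* Constructed code image (not real ntdll bytes): a function prologue, a call whose
 * rel32 displacement happens to begin with FF E4, and an epilogue. */
const uint8_t sample_image[] = {
    0x55,                          /* push ebp                                  +0 */
    0x8B, 0xEC,                    /* mov ebp, esp                              +1 */
    0xE8, 0xFF, 0xE4, 0x01, 0x00,  /* call rel32; bytes +4,+5 read as jmp esp   +3 */
    0x54, 0xC3,                    /* push esp; ret                             +8 */
    0xC9, 0xC3                     /* leave; ret                               +10 */
};

int main(void)
{
    struct gadget g[16];
    size_t n = find_reg_gadgets(sample_image, sizeof sample_image, 0x7C940100u, g, 16);
    for (size_t i = 0; i < n; i++)
        printf("%08X  %-14s reg=%d%s\n", (unsigned)g[i].addr, g[i].kind, g[i].reg,
               g[i].has_null ? "  (contains null byte)" : "");
    printf("same image based at 00401000: usable esp gadget = %08X\n",
           (unsigned)first_usable_gadget(sample_image, sizeof sample_image, 0x00401000u, 4));
    return 0;
}
```

Run against the same bytes mapped low (0x00401000, where executables are typically based) every candidate carries a null byte and the search returns nothing usable, which is the practical reason the technique leans on DLL addresses, as the "DLL trampolining" discussion below explains.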
In practice a program may not intentionally contain instructions to jump to a particular register. The traditional solution is to find an unintentional instance of a suitable opcode at a fixed location somewhere within the program memory. The i386 jmp esp instruction provides an example of such an unintentional instance. The opcode for this instruction is FF E4.[11] This two-byte sequence can be found at a one-byte offset from the start of the instruction call DbgPrint at address 0x7C941EED. If an attacker overwrites the program return address with this address the program will first jump to 0x7C941EED, interpret the opcode FF E4 as the jmp esp instruction, and will then jump to the top of the stack and execute the attacker's code.[12]

When this technique is possible the severity of the vulnerability increases considerably. This is because exploitation will work reliably enough to automate an attack with a virtual guarantee of success when it is run. For this reason, this is the technique most commonly used in Internet worms that exploit stack buffer overflow vulnerabilities.[13]

This method also allows shellcode to be placed after the overwritten return address on the Windows platform. Since executables are mostly based at address 0x00400000 and x86 is a little-endian architecture, the last byte of the return address must be a null, which terminates the buffer copy and nothing is written beyond that. This limits the size of the shellcode to the size of the buffer, which may be overly restrictive. DLLs are located in high memory (above 0x01000000) and so have addresses containing no null bytes, so this method can remove null bytes (or other disallowed characters) from the overwritten return address. Used in this way, the method is often referred to as "DLL trampolining".

Protective countermeasures

Various techniques have been used to detect or prevent buffer overflows, with various tradeoffs. The most reliable way to avoid or prevent buffer overflows is to use automatic protection at the language level. This sort of protection, however, cannot be applied to legacy code, and often technical, business, or cultural constraints call for a vulnerable language. The following sections describe the choices and implementations available.
Choice of programming language

Assembly and C/C++ are popular programming languages that are vulnerable to buffer overflow, in part because they allow direct access to memory and are not strongly typed.[14] C provides no built-in protection against accessing or overwriting data in any part of memory; more specifically, it does not check that data written to a buffer is within the boundaries of that buffer. The standard C++ libraries provide many ways of safely buffering data, and C++'s Standard Template Library (STL) provides containers that can optionally perform bounds checking if the programmer explicitly calls for checks while accessing data. For example, a vector's member function at() performs a bounds check and throws an out_of_range exception if the bounds check fails.[15] However, C++ behaves just like C if the bounds check is not explicitly called. Techniques to avoid buffer overflows also exist for C.

Languages that are strongly typed and do not allow direct memory access, such as COBOL, Java, Python, and others, prevent buffer overflow from occurring in most cases.[14] Many programming languages other than C/C++ provide runtime checking and in some cases even compile-time checking which might send a warning or raise an exception when C or C++ would overwrite data and continue to execute further instructions until erroneous results are obtained which might or might not cause the program to crash. Examples of such languages include Ada, Eiffel, Lisp, Modula-2, Smalltalk, OCaml and such C-derivatives as Cyclone, Rust and D. The Java and .NET Framework bytecode environments also require bounds checking on all arrays. Nearly every interpreted language will protect against buffer overflows, signaling a well-defined error condition. Often where a language provides enough type information to do bounds checking an option is provided to enable or disable it. Static code analysis can remove many dynamic bound and type checks, but poor implementations and awkward cases can significantly decrease performance. Software engineers must carefully consider the tradeoffs of safety versus performance costs when deciding which language and compiler setting to use.
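The following C program is an added example (not the article's own code) that ties the Example section above to the unchecked string functions discussed in the next section. It reproduces the A/B layout from the tables as a ten-byte struct, so that the overrun stays inside memory the program owns rather than depending on the compiler's stack layout, shows how the overwritten bytes 'e', 0x00 read back as 25856 when B is a big-endian short, and places a portable strlcpy equivalent next to the strncpy pitfall (no terminator when the source fills the buffer). The my_strlcpy name and the struct are assumptions of the example; glibc only gained strlcpy in version 2.38, which is why the function is spelled out rather than called from libc.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* The article's layout: an 8-byte string buffer A immediately followed by a
 * 2-byte big-endian integer B. Modelling it as one struct keeps the overrun
 * inside an object we own instead of relying on the compiler's stack layout. */
struct layout {
    unsigned char A[8];
    unsigned char B[2];
};

/* Copy src (including its terminator) into the model exactly as strcpy would,
 * with no check against the size of A, and return the value of B afterwards.
 * The copy is capped at the model's 10 bytes only so the demonstration itself
 * does not corrupt memory beyond B. */
unsigned overflow_into_b(const char *src)
{
    struct layout m;
    memset(&m, 0, sizeof m);
    m.B[0] = 0x07; m.B[1] = 0xBB;            /* B = 1979 */
    size_t n = strlen(src) + 1;              /* bytes strcpy would write */
    if (n > sizeof m) n = sizeof m;
    memcpy(&m, src, n);                      /* overruns A whenever n > 8 */
    return (unsigned)m.B[0] << 8 | m.B[1];   /* B read back as big-endian */
}

/* Portable equivalent of OpenBSD strlcpy(): writes at most size-1 bytes,
 * always terminates when size > 0, and returns strlen(src) so the caller can
 * detect truncation by testing return value >= size. */
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Returns 1 if strncpy(dst, src, size) leaves the first size bytes of dst
 * without a terminator, which happens exactly when strlen(src) >= size. */
int strncpy_unterminated(const char *src, size_t size)
{
    char buf[32];
    if (size > sizeof buf) return -1;
    memset(buf, 'X', sizeof buf);            /* sentinel: anything but NUL */
    strncpy(buf, src, size);
    return memchr(buf, '\0', size) == NULL;
}

int main(void)
{
    char A[8];
    printf("B after copying \"excessive\": %u\n", overflow_into_b("excessive"));
    printf("B after copying \"short\":     %u\n", overflow_into_b("short"));
    size_t need = my_strlcpy(A, "excessive", sizeof A);
    printf("strlcpy: A=\"%s\"%s\n", A, need >= sizeof A ? " (truncated)" : "");
    printf("strncpy left A unterminated: %d\n", strncpy_unterminated("excessive", sizeof A));
    return 0;
}
```

Truncation is still data loss, so in real code the return value of the strlcpy-style copy should be checked rather than silently accepted; the point of the bounded copy is that the failure becomes a detectable condition instead of a memory write past B.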
Use of safe libraries

The problem of buffer overflows is common in the C and C++ languages because they expose low level representational details of buffers as containers for data types. Buffer overflows must thus be avoided by maintaining a high degree of correctness in code which performs buffer management. It has also long been recommended to avoid standard library functions which are not bounds checked, such as gets, scanf and strcpy. The Morris worm exploited a gets call in fingerd.[16]

Well-written and tested abstract data type libraries which centralize and automatically perform buffer management, including bounds checking, can reduce the occurrence and impact of buffer overflows. The two main building-block data types in these languages in which buffer overflows commonly occur are strings and arrays; thus, libraries preventing buffer overflows in these data types can provide the vast majority of the necessary coverage. Still, failure to use these safe libraries correctly can result in buffer overflows and other vulnerabilities; and naturally, any bug in the library itself is a potential vulnerability. "Safe" library implementations include "The Better String Library",[17] Vstr[18] and Erwin.[19] The OpenBSD operating system's C library provides the strlcpy and strlcat functions, but these are more limited than full safe library implementations.

In September 2007, Technical Report 24731, prepared by the C standards committee, was published;[20] it specifies a set of functions which are based on the standard C library's string and I/O functions, with additional buffer-size parameters. However, the efficacy of these functions for the purpose of reducing buffer overflows is disputable; it requires programmer intervention on a per function call basis that is equivalent to intervention that could make the analogous older standard library functions buffer overflow safe.[21]

Buffer overflow protection

Main article: Buffer overflow protection

Buffer overflow protection is used to detect the most common buffer overflows by checking that the stack has not been altered when a function returns. If it has been altered, the program exits with a segmentation fault. Three such systems are Libsafe,[22] and the StackGuard[23] and ProPolice[24] gcc patches.
Microsoft's implementation of Data Execution Prevention (DEP) mode explicitly protects the pointer to the Structured Exception Handler (SEH) from being overwritten.[25]

Stronger stack protection is possible by splitting the stack in two: one for data and one for function returns. This split is present in the Forth language, though it was not a security-based design decision. Regardless, this is not a complete solution to buffer overflows, as sensitive data other than the return address may still be overwritten.

Pointer protection

Buffer overflows work by manipulating pointers, including stored addresses. PointGuard was proposed as a compiler-extension to prevent attackers from being able to reliably manipulate pointers and addresses.[26] The approach works by having the compiler add code to automatically XOR-encode pointers before and after they are used. Theoretically, because the attacker does not know what value will be used to encode/decode the pointer, he cannot predict what it will point to if he overwrites it with a new value. PointGuard was never released, but Microsoft implemented a similar approach beginning in Windows XP SP2 and Windows Server 2003 SP1.[27] Rather than implement pointer protection as an automatic feature, Microsoft added an API routine that can be called. This allows for better performance (because it is not used all of the time), but places the burden on the programmer to know when it is necessary.

Because XOR is linear, an attacker may be able to manipulate an encoded pointer by overwriting only the lower bytes of an address. This can allow an attack to succeed if the attacker is able to attempt the exploit multiple times or is able to complete an attack by causing a pointer to point to one of several locations (such as any location within a NOP sled).[28] Microsoft added a random rotation to their encoding scheme to address this weakness to partial overwrites.[29]

Executable space protection

Main article: Executable space protection

Executable space protection is an approach to buffer overflow protection which prevents execution of code on the stack or the heap. An attacker may use buffer overflows to insert arbitrary code into the memory of a program, but with executable space protection, any attempt to execute that code will cause an exception.
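The partial-overwrite weakness described in the Pointer protection section above, and the effect of adding a rotation, can be shown in a few lines. The following C program is an added example; it is not PointGuard or Microsoft's EncodePointer, and the fixed key 0xA5C3E16D stands in for the per-process secret a real implementation would draw at startup. For each of the 256 values an attacker could write over the low byte of a stored, encoded 32-bit pointer, it decodes the result and counts how many land in the same 256-byte window as the original: with plain XOR every one does (so the attacker is certain to stay inside a NOP sled that covers the window), while with XOR followed by a key-derived rotation only the untouched value does.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for a per-process secret; a real implementation draws this at startup. */
const uint32_t KEY = 0xA5C3E16Du;

typedef uint32_t (*codec_fn)(uint32_t);

/* Plain XOR encoding, the PointGuard approach. */
uint32_t xor_encode(uint32_t p) { return p ^ KEY; }
uint32_t xor_decode(uint32_t e) { return e ^ KEY; }

uint32_t rotl32(uint32_t v, unsigned r) { r &= 31; return r ? (v << r) | (v >> (32 - r)) : v; }
uint32_t rotr32(uint32_t v, unsigned r) { r &= 31; return r ? (v >> r) | (v << (32 - r)) : v; }

/* XOR, then rotate by an amount derived from the secret, so that a change to one
 * stored byte is spread across other bytes of the decoded pointer. */
uint32_t xorrot_encode(uint32_t p) { return rotl32(p ^ KEY, KEY & 31); }
uint32_t xorrot_decode(uint32_t e) { return rotr32(e, KEY & 31) ^ KEY; }

/* An attacker who can only reach the lowest byte of the stored encoded pointer
 * tries all 256 values. Returns how many of the resulting decoded pointers keep
 * the original's high 24 bits, i.e. stay inside the same 256-byte window. */
unsigned count_same_window(codec_fn encode, codec_fn decode, uint32_t p)
{
    uint32_t stored = encode(p);
    unsigned same = 0;
    for (unsigned b = 0; b < 256; b++) {
        uint32_t tampered = (stored & 0xFFFFFF00u) | b;       /* partial overwrite */
        if ((decode(tampered) & 0xFFFFFF00u) == (p & 0xFFFFFF00u)) same++;
    }
    return same;
}

int main(void)
{
    uint32_t target = 0x0012FF40u;   /* constructed: a function pointer into a stack buffer */
    printf("XOR only:       %u of 256 partial overwrites stay in the original window\n",
           count_same_window(xor_encode, xor_decode, target));
    printf("XOR + rotation: %u of 256 partial overwrites stay in the original window\n",
           count_same_window(xorrot_encode, xorrot_decode, target));
    return 0;
}
```

With the rotation the 255 tampered values are scattered across the address space, so a partial overwrite can no longer be aimed at a sled; it does not stop an attacker who can retry a full overwrite until one happens to decode to a useful address, which is why the article treats the scheme as raising the cost of exploitation rather than removing it.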
Some CPUs support a feature called NX ("No eXecute") or XD ("eXecute Disabled") bit, which in conjunction with software, can be used to mark pages of data (such as those containing the stack and the heap) as readable and writable but not executable.

Some Unix operating systems (e.g. OpenBSD, macOS) ship with executable space protection (e.g. W^X). Some optional packages include:

- PaX[30]
- Exec Shield[31]
- Openwall[32]

Newer variants of Microsoft Windows also support executable space protection, called Data Execution Prevention.[33] Proprietary add-ons include:

- BufferShield[34]
- StackDefender[35]

Executable space protection does not generally protect against return-to-libc attacks, or any other attack which does not rely on the execution of the attacker's code. However, on 64-bit systems using ASLR, as described below, executable space protection makes it far more difficult to execute such attacks.

Address space layout randomization

Main article: Address space layout randomization

Address space layout randomization (ASLR) is a computer security feature which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space.

Randomization of the virtual memory addresses at which functions and variables can be found can make exploitation of a buffer overflow more difficult, but not impossible. It also forces the attacker to tailor the exploitation attempt to the individual system, which foils the attempts of internet worms.[36] A similar but less effective method is to rebase processes and libraries in the virtual address space.

Deep packet inspection

Main article: Deep packet inspection

The use of deep packet inspection (DPI) can detect, at the network perimeter, very basic remote attempts to exploit buffer overflows by use of attack signatures and heuristics. These are able to block packets which have the signature of a known attack, or to flag a long series of No-Operation instructions (known as a NOP-sled); such sleds were once used when the location of the exploit's payload is slightly variable.
Packet scanning is not an effective method since it can only prevent known attacks and there are many ways that a NOP-sled can be encoded. Shellcode used by attackers can be made alphanumeric, metamorphic, or self-modifying to evade detection by heuristic packet scanners and intrusion detection systems.

Testing

Checking for buffer overflows and patching the bugs that cause them naturally helps prevent buffer overflows. One common automated technique for discovering them is fuzzing.[37] Edge case testing can also uncover buffer overflows, as can static analysis.[38] Once a potential buffer overflow is detected, it must be patched; this makes the testing approach useful for software that is in development, but less useful for legacy software that is no longer maintained or supported.

History

Buffer overflows were understood and partially publicly documented as early as 1972, when the Computer Security Technology Planning Study laid out the technique: "The code performing this function does not check the source and destination addresses properly, permitting portions of the monitor to be overlaid by the user. This can be used to inject code into the monitor that will permit the user to seize control of the machine."[39] Today, the monitor would be referred to as the kernel.

The earliest documented hostile exploitation of a buffer overflow was in 1988. It was one of several exploits used by the Morris worm to propagate itself over the Internet. The program exploited was a service on Unix called finger.[40] Later, in 1995, Thomas Lopatic independently rediscovered the buffer overflow and published his findings on the Bugtraq security mailing list.[41] A year later, in 1996, Elias Levy (also known as Aleph One) published in Phrack magazine the paper "Smashing the Stack for Fun and Profit",[42] a step-by-step introduction to exploiting stack-based buffer overflow vulnerabilities.
Since then, at least two major internet worms have exploited buffer overflows to compromise a large number of systems. In 2001, the Code Red worm exploited a buffer overflow in Microsoft's Internet Information Services (IIS) 5.0[43] and in 2003 the SQL Slammer worm compromised machines running Microsoft SQL Server 2000.[44]

In 2003, buffer overflows present in licensed Xbox games were exploited to allow unlicensed software, including homebrew games, to run on the console without the need for hardware modifications, known as modchips.[45] The PS2 Independence Exploit also used a buffer overflow to achieve the same for the PlayStation 2. The Twilight hack accomplished the same with the Wii, using a buffer overflow in The Legend of Zelda: Twilight Princess.

See also

- Billion laughs
- Buffer over-read
- Coding conventions
- Computer security
- End-of-file
- Heap overflow
- Ping of death
- Port scanner
- Return-to-libc attack
- Safety-critical system
- Security-focused operating system
- Self-modifying code
- Software quality
- Shellcode
- Stack buffer overflow
- Uncontrolled format string

References

1. "CORE-2007-0219: OpenBSD's IPv6 mbufs remote kernel buffer overflow". Retrieved 2007-05-15.
2. "Modern Overflow Targets" (PDF). Retrieved 2013-07-05.
3. "The Metasploit Opcode Database". Archived from the original on 12 May 2007. Retrieved 2007-05-15.
4. "Microsoft Technet Security Bulletin MS04-028". Microsoft. Archived from the original on 2011-08-04. Retrieved 2007-05-15.
5. "Creating Arbitrary Shellcode In Unicode Expanded Strings" (PDF). Archived from the original (PDF) on 2006-01-05. Retrieved 2007-05-15.
6. Vangelis (2004-12-08). "Stack-based Overflow Exploit: Introduction to Classical and Advanced Overflow Technique". Wowhacker via Neworder. Archived from the original (text) on August 18, 2007.
7. Balaban, Murat. "Buffer Overflows Demystified" (text). Enderunix.org.
8. Akritidis, P.; Markatos, Evangelos P.; Polychronakis, M.; Anagnostakis, Kostas D. (2005). "STRIDE: Polymorphic Sled Detection through Instruction Sequence Analysis" (PDF). Proceedings of the 20th IFIP International Information Security Conference (IFIP/SEC 2005). Archived from the original (PDF) on 2012-09-01. Retrieved 2012-03-04.
9. Klein, Christian (September 2004). "Buffer Overflow" (PDF). Archived from the original (PDF) on 2007-09-28.
10. Shah, Saumil (2006). "Writing Metasploit Plugins: from vulnerability to exploit" (PDF). Hack In The Box, Kuala Lumpur. Retrieved 2012-03-04.
11. Intel 64 and IA-32 Architectures Software Developer's Manual Volume 2A: Instruction Set Reference, A-M (PDF). Intel Corporation. May 2007. pp. 3–508. Archived from the original (PDF) on 2007-11-29.
12. Alvarez, Sergio (2004-09-05). "Win32 Stack BufferOverFlow Real Life Vuln-Dev Process" (PDF). IT Security Consulting. Retrieved 2012-03-04.
13. Ukai, Yuji; Soeder, Derek; Permeh, Ryan (2004). "Environment Dependencies in Windows Exploitation". BlackHat Japan. eEye Digital Security. Retrieved 2012-03-04.
14. "Buffer Overflows" article on OWASP, https://www.owasp.org/index.php/Buffer_Overflows. Archived 2016-08-29 at the Wayback Machine.
15. "vector::at - C++ Reference". Cplusplus.com. Retrieved 2014-03-27.
16. "Archived copy". wiretap.area.com. Archived from the original on 5 May 2001. Retrieved 6 June 2022.
17. "The Better String Library".
18. "The Vstr Homepage". Archived from the original on 2017-03-05. Retrieved 2007-05-15.
19. "The Erwin Homepage". Retrieved 2007-05-15.
20. International Organization for Standardization (2007). "Information technology – Programming languages, their environments and system software interfaces – Extensions to the C library – Part 1: Bounds-checking interfaces". ISO Online Browsing Platform.
21. "CERT Secure Coding Initiative". Archived from the original on December 28, 2012. Retrieved 2007-07-30.
22. "Libsafe at FSF.org". Retrieved 2007-05-20.
23. "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks by Cowan et al" (PDF). Retrieved 2007-05-20.
24. "ProPolice at X.ORG". Archived from the original on 12 February 2007. Retrieved 2007-05-20.
25. "Bypassing Windows Hardware-enforced Data Execution Prevention". Archived from the original on 2007-04-30. Retrieved 2007-05-20.
26. "12th USENIX Security Symposium – Technical Paper". www.usenix.org. Retrieved 3 April 2018.
27. "Protecting against Pointer Subterfuge (Kinda!)". msdn.com. Archived from the original on 2010-05-02. Retrieved 3 April 2018.
28. "USENIX - The Advanced Computing Systems Association" (PDF). www.usenix.org. Retrieved 3 April 2018.
29. "Protecting against Pointer Subterfuge (Redux)". msdn.com. Archived from the original on 2009-12-19. Retrieved 3 April 2018.
30. "PaX: Homepage of the PaX team". Retrieved 2007-06-03.
31. "KernelTrap.Org". Archived from the original on 2012-05-29. Retrieved 2007-06-03.
32. "Openwall Linux kernel patch 2.4.34-ow1". Archived from the original on 2012-02-19. Retrieved 2007-06-03.
33. "Microsoft Technet: Data Execution Prevention". Archived from the original on 2006-06-22. Retrieved 2006-06-30.
34. "BufferShield: Prevention of Buffer Overflow Exploitation for Windows". Retrieved 2007-06-03.
35. "NGSec Stack Defender". Archived from the original on 2007-05-13. Retrieved 2007-06-03.
36. "PaX at GRSecurity.net". Retrieved 2007-06-03.
37. "The Exploitant - Security info and tutorials". Retrieved 2009-11-29.
38. Larochelle, David; Evans, David (13 August 2001). "Statically Detecting Likely Buffer Overflow Vulnerabilities". USENIX Security Symposium. 32.
39. "Computer Security Technology Planning Study" (PDF). p. 61. Archived from the original (PDF) on 2011-07-21. Retrieved 2007-11-02.
40. "A Tour of The Worm" by Donn Seeley, University of Utah. Archived from the original on 2007-05-20. Retrieved 2007-06-03.
41. "Bugtraq security mailing list archive". Archived from the original on 2007-09-01. Retrieved 2007-06-03.
42. "Smashing the Stack for Fun and Profit" by Aleph One. Retrieved 2012-09-05.
43. "eEye Digital Security". Retrieved 2007-06-03.
44. "Microsoft Technet Security Bulletin MS02-039". Microsoft. Archived from the original on 2008-03-07. Retrieved 2007-06-03.
45. "Hacker breaks Xbox protection without mod-chip". Archived from the original on 2007-09-27. Retrieved 2007-06-03.

External links

- "Discovering and exploiting a remote buffer overflow vulnerability in an FTP server" by Raykoid666
- "Smashing the Stack for Fun and Profit" by Aleph One
- Gerg, Isaac (2005-05-02). "An Overview and Example of the Buffer-Overflow Exploit" (PDF). IAnewsletter. Information Assurance Technology Analysis Center. 7 (4): 16–21. Archived from the original (PDF) on 2006-09-27. Retrieved 2019-03-17.
- CERT Secure Coding Standards
- CERT Secure Coding Initiative
- Secure Coding in C and C++
- SANS: inside the buffer overflow attack
- "Advances in adjacent memory overflows" by Nomenumbra
- A Comparison of Buffer Overflow Prevention Implementations and Weaknesses
- More Security Whitepapers about Buffer Overflows
- Chapter 12: Writing Exploits III, from Sockets, Shellcode, Porting & Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals by James C. Foster (ISBN 1-59749-005-9). Detailed explanation of how to use Metasploit to develop a buffer overflow exploit from scratch.
- Computer Security Technology Planning Study, James P. Anderson, ESD-TR-73-51, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (October 1972) [NTIS AD-758206]
- "Buffer Overflows: Anatomy of an Exploit" by Nevermore
- Secure Programming with GCC and GLibc (2008), by Marcel Holtmann. Archived 2008-11-21 at the Wayback Machine.
- "Creating Exploits with Buffer Overflow – Part 0 – A Little Theory" (2018), by Helvio Junior (M4v3r1ck); in Portuguese, original title "Criação de Exploits com Buffer Overflor – Parte 0 – Um pouco de teoria".


