Buffer Overflow Attacks

• The basic operation of a buffer overflow
  • Use the buffer overflow error to have the program write data (which is probably actually instructions) in the wrong place.
  • Have the system somehow execute this data to gain enhanced privileges.
• The attacker first realizes that there is the opportunity for a buffer overflow to occur.
• They then replace code somewhere
  • This could be in the system space (See Figure 3-3 page 139)
  • Or it could be in user space, but the data causes a jump to privileged mode.
• They then cause the operating system to execute a command in privileged mode.
  • This is a called an escalation of privilege.
  • And this allows the attacker to run code in privilege mode.
• The Stack and function calls
  • Each time a function is called, an activation record or stack frame is pushed onto the runtime stack.
  • Usually this record contains
    • Information about managing the stack. (Saved stack pointer and frame pointer)
    • The return address for the function call.
    • Parameters
    • local variables to the function.
  • By changing the return address, an attacker can change where the program jumps to when the function returns.
  • By overflowing a local string or array (a local variable) the attacker can overwrite not only the return address but information beyond that.
• The book points out that this might take some work
  • Finding a buffer you can overflow
  • Finding where the return address is stored
  • Getting the data there.
• But persistent attackers with knowledge should be able to accomplish this in a matter of days.