What Is a Stack Buffer Overflow?
In information security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations.
A buffer is an area of memory set aside to hold data, often while it is being moved from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs: if all inputs are assumed to be smaller than a certain size and the buffer is created to that size, an anomalous transaction that produces more data may cause the program to write past the end of the buffer. If this overwrites adjacent data or executable code, it may result in erratic program behavior, including memory access errors, incorrect results, and crashes.
Exploiting a buffer overflow is a well-known security attack. On many systems, the memory layout of a program, or of the system as a whole, is well defined. By sending data designed to cause a buffer overflow, it is possible to write into an area known to hold executable code and replace it with malicious code, or to selectively overwrite data pertaining to the program's state, causing behavior that the original programmer never intended. Buffers are widespread in operating system (OS) code, so such attacks can perform privilege escalation and gain unlimited access to the computer's resources. The famous Morris worm of 1988 used this as one of its attack techniques.
The programming languages most commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the bounds of that array. Bounds checking can prevent buffer overflows, but it requires additional code and processing time. Modern operating systems use a variety of techniques to combat malicious buffer overflows, notably by randomizing the memory layout, or by deliberately leaving space between buffers and watching for writes into those areas ("canaries") [1].
Buffer overflows were understood and partially publicly documented as early as 1972, when the Computer Security Technology Planning Study laid out the technique: "The code performing this function does not check the source and destination addresses properly, permitting portions of the monitor to be overlaid by the user. This can be used to inject code into the monitor that will permit the user to seize control of the machine." Today, the monitor would be referred to as the kernel.
The earliest documented hostile exploitation of a buffer overflow was in 1988. It was one of several vulnerabilities used by the Morris worm to propagate itself over the Internet; the program exploited was a service on Unix called finger. Later, in 1995, Thomas Lopatic independently rediscovered the buffer overflow and published his findings on the Bugtraq security mailing list. A year later, in 1996, Elias Levy (also known as Aleph One) published the article "Smashing the Stack for Fun and Profit" in Phrack magazine, a step-by-step introduction to exploiting stack-based buffer overflow vulnerabilities.
Since then, at least two major Internet worms have exploited buffer overflows to compromise a large number of systems. In 2001, the Code Red worm exploited a buffer overflow in Microsoft Internet Information Services (IIS) 5.0. In 2003, the SQL Slammer worm crashed machines running Microsoft SQL Server 2000.
In 2003, buffer overflows present in licensed Xbox games were exploited to allow unlicensed software, including homebrew games, to run on the console without the need for hardware modifications known as modchips. The PS2 Independence Exploit also used a buffer overflow to achieve the same for the PlayStation 2. The Twilight hack accomplished the same for the Wii, using a buffer overflow in The Legend of Zelda: Twilight Princess.
Because of insufficient bounds checking, a buffer overflow can corrupt data values in memory addresses adjacent to the destination buffer. This can happen when copying data from one buffer to another without first checking that the data fits within the destination buffer.
Example (for more on stack-based overflows, see stack buffer overflow). In the C program below, two variables are adjacent in memory: an 8-byte string buffer A and a two-byte big-endian integer B.
char A[8] = "";
unsigned short B = 1979;
Initially, A contained only zero bytes and B contained the number 1979.
Variable name | A                       | B
value         | [null string]           | 1979
hex value     | 00 00 00 00 00 00 00 00 | 07 BB
Now the program attempts to store the null-terminated ASCII string "excessive" in the A buffer.
strcpy(A, "excessive");
"excessive" is 9 characters long and is encoded as 10 bytes including the null terminator, but A can hold only 8 bytes. Because the length of the string is not checked, the copy also overwrites the value of B:
Variable name | A                                 | B
value         | "e" "x" "c" "e" "s" "s" "i" "v"   | 25856
hex value     | 65 78 63 65 73 73 69 76           | 65 00
B's value has been inadvertently replaced by a number formed from part of the character string. In this example, "e" followed by a zero byte becomes 25856 (0x6500 read big-endian). Writing data past the end of allocated memory can sometimes be detected by the operating system, which generates a segmentation fault error that terminates the process.
To prevent the buffer overflow in this example, the call to strcpy can be replaced with strncpy, which takes the maximum capacity of A as an additional parameter and ensures that no more than this amount of data is written to A:
strncpy(A, "excessive", sizeof(A));
Note that the code above is not without problems: although a buffer overflow has been prevented this time, the strncpy library function will not null-terminate the destination buffer if the source string's length is greater than or equal to the size of the buffer (the third argument passed to the function). So A is not null-terminated in this case and cannot be treated as a valid C-style string.
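The overwrite of B and the strncpy termination pitfall described above, worked through as an added example that is not part of the original article. It simulates A and B as one 10-byte array (a constructed layout matching the table) so the result is deterministic; overrunning a real local variable is undefined behaviour and its placement is compiler-dependent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated memory: the 8-byte buffer A followed by the 2-byte big-endian
   integer B, laid out as in the table above. One array is used instead of
   two adjacent locals so the outcome is deterministic. */
#define A_SIZE 8
#define MEM_SIZE (A_SIZE + 2)

/* Decode B from the two bytes that follow A, big-endian. */
static uint16_t read_b(const unsigned char *mem) {
    return (uint16_t)((mem[A_SIZE] << 8) | mem[A_SIZE + 1]);
}

/* Unchecked copy into A, as strcpy(A, src) would do: every byte of src plus
   its terminator is written, running into B when src is too long.
   Returns the value B holds afterwards (1979 if it was not touched). */
uint16_t unchecked_copy(const char *src) {
    unsigned char mem[MEM_SIZE] = {0, 0, 0, 0, 0, 0, 0, 0, 0x07, 0xBB};
    size_t n = strlen(src) + 1;
    if (n > MEM_SIZE) n = MEM_SIZE;     /* keep the simulation itself in bounds */
    memcpy(mem, src, n);
    return read_b(mem);
}

/* strncpy(A, src, sizeof A) bounds the write, but when src fills A no
   terminator is stored. Returns 1 if A is a valid C string afterwards. */
int strncpy_is_terminated(const char *src) {
    char A[A_SIZE];
    strncpy(A, src, sizeof A);
    return memchr(A, '\0', sizeof A) != NULL;
}

/* Hardened copy: bound the write to A_SIZE - 1 and always terminate.
   Returns the length of the string actually stored in A (at most 7). */
size_t safe_copy(const char *src) {
    char A[A_SIZE];
    strncpy(A, src, sizeof A - 1);
    A[sizeof A - 1] = '\0';
    return strlen(A);
}

int main(void) {
    printf("B after unchecked copy of \"excessive\": %u\n", (unsigned)unchecked_copy("excessive"));
    printf("strncpy result is terminated: %d\n", strncpy_is_terminated("excessive"));
    printf("safe_copy stored %zu characters\n", safe_copy("excessive"));
    return 0;
}
```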
1. Choice of programming language;
2. Use of safe libraries;
3. Buffer overflow protection;
4. Pointer protection;
5. Executable space protection;
6. Address space layout randomization;
7. Deep packet inspection;
8. Testing.