Buffer Overflow Attacks
Haipeng Dai, haipengdai@nju.edu.cn, 313 CS Building, Department of Computer Science and Technology, Nanjing University
History: Morris Worm and Buffer Overflow
Worm was released in 1988 by Robert Morris
─ Graduate student at Cornell, son of NSA chief scientist
─ Convicted under the Computer Fraud and Abuse Act, sentenced to 3 years of probation and 400 hours of community service
─ Now a computer science professor at MIT
Worm was intended to propagate slowly and harmlessly, measuring the size of the Internet
─ Due to a coding error, it created new copies as fast as it could and overloaded infected machines
─ $10-100M worth of damage
One of the worm's propagation techniques was a buffer overflow attack against a vulnerable version of fingerd on VAX systems
─ By sending a specially crafted string to the finger daemon, the worm caused it to execute code creating a new worm copy
─ Unable to determine the remote OS version, the worm also attacked fingerd on Suns running BSD, causing them to crash (instead of spawning a new copy)
Buffer Overflow These Days
Most common cause of Internet attacks
─ Over 50% of advisories published by CERT (Computer Emergency Response Team) are caused by various buffer overflows
Morris worm (1988): overflow in fingerd
─ 6,000 machines infected
CodeRed (2001): overflow in MS-IIS server
─ 300,000 machines infected in 14 hours
SQL Slammer (2003): overflow in MS-SQL server
─ 75,000 machines infected in 10 minutes (!!)
Attacks on Memory Buffers
A buffer is a data storage area inside computer memory (stack or heap)
─ Intended to hold a pre-defined amount of data
● If more data is stuffed into it than it was sized for, the excess spills into adjacent memory
─ If executable code is supplied as "data", the victim's machine may be fooled into executing it; we'll see how
● Such code will self-propagate or give the attacker control over the machine
First generation exploits: stack smashing
Second generation: heaps, function pointers, off-by-one
Third generation: format strings and heap management structures
Stack Buffers
Suppose a Web server contains this function:

    void func(char *str) {
        char buf[126];      /* allocate local buffer: 126 bytes reserved on stack */
        strcpy(buf, str);   /* copy argument into local buffer, no length check */
    }

When this function is invoked, a new frame with its local variables is pushed onto the stack.

Frame layout (figure), listed from the top of the stack (lowest address) toward the calling function's frame:
  buf       local variables (the 126-byte buffer)
  sfp       saved frame pointer: pointer to the previous frame
  ret addr  return address: execute code at this address after func() finishes
  str       arguments
  ...       frame of the calling function

The stack grows toward the top of the stack, i.e. toward buf, but strcpy writes in the opposite direction: it starts at buf and, given an argument longer than 126 bytes, continues over sfp and then over ret addr.
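The two slides above (data spilling into adjacent memory, and the frame layout buf / sfp / ret addr) can be studied without actually corrupting a real stack. The following is an added example, not code from the lecture: it keeps the slide's vulnerable func() beside a bounds-checked version, and models the frame as an ordinary struct so the spill can be measured safely. The 8-byte size assumed for sfp and ret addr (x86-64) and the attacker payload are assumptions of this example; the slide gives neither.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 126          /* from the slide: char buf[126] */
#define PTR_SIZE 8            /* assumption: 64-bit saved fp / return address */
#define PAYLOAD_LEN (BUF_SIZE + 2 * PTR_SIZE)

/* The slide's vulnerable function, unchanged in behaviour: no bounds check.
 * Only ever called with short input here; an oversized argument is a real
 * stack smash (undefined behaviour), which is exactly the bug. */
void func_vulnerable(char *str) {
    char buf[BUF_SIZE];
    strcpy(buf, str);
    (void)buf;
}

/* Hardened form: refuse input that does not fit, terminator included.
 * memchr bounds the scan, so the source is never read past BUF_SIZE.
 * Returns 1 if the copy happened, 0 if the input was rejected. */
int func_safe(const char *str) {
    char buf[BUF_SIZE];
    const char *nul = memchr(str, '\0', BUF_SIZE);
    if (nul == NULL) return 0;              /* too long: no room for NUL */
    memcpy(buf, str, (size_t)(nul - str) + 1);
    (void)buf;
    return 1;
}

/* Model of the frame on the slide, lowest address first. All members are
 * byte arrays, so there is no padding and sizeof == 126 + 8 + 8. */
struct sim_frame {
    unsigned char buf[BUF_SIZE];
    unsigned char sfp[PTR_SIZE];   /* saved frame pointer */
    unsigned char ret[PTR_SIZE];   /* return address */
};

/* Offset in the input at which bytes land on the return address. */
size_t ret_offset(void) { return BUF_SIZE + PTR_SIZE; }

/* Emulate strcpy(buf, str) on the model: copies strlen+1 bytes starting at
 * buf, clipped to the model's end. Returns how many bytes spilled past buf. */
size_t simulate_strcpy(struct sim_frame *f, const char *str) {
    size_t len = strlen(str) + 1;                 /* strcpy copies the NUL */
    size_t n = len < sizeof *f ? len : sizeof *f; /* stay inside the model */
    memcpy((unsigned char *)f, str, n);
    return n > BUF_SIZE ? n - BUF_SIZE : 0;
}

/* Read the modelled return address as a little-endian integer. */
uint64_t sim_ret_value(const struct sim_frame *f) {
    uint64_t v = 0;
    for (int i = PTR_SIZE - 1; i >= 0; i--) v = (v << 8) | f->ret[i];
    return v;
}

/* Constructed attacker input: filler up to the return-address slot, then
 * 8 bytes of 'A' (0x41) that become the new return address. */
void make_payload(char out[PAYLOAD_LEN + 1]) {
    memset(out, 'x', ret_offset());
    memset(out + ret_offset(), 'A', PTR_SIZE);
    out[PAYLOAD_LEN] = '\0';
}

/* Run the overflow against the model and report the resulting ret addr. */
uint64_t demo_ret_value(void) {
    struct sim_frame f;
    char payload[PAYLOAD_LEN + 1];
    memset(&f, 0, sizeof f);
    memset(f.ret, 0xAA, PTR_SIZE);       /* stand-in for the legit address */
    make_payload(payload);
    simulate_strcpy(&f, payload);
    return sim_ret_value(&f);
}

/* Same run, reporting how many bytes went past the end of buf. */
size_t demo_spilled_bytes(void) {
    struct sim_frame f;
    char payload[PAYLOAD_LEN + 1];
    memset(&f, 0, sizeof f);
    make_payload(payload);
    return simulate_strcpy(&f, payload);
}

/* 1 if the hardened function rejects the same payload. */
int demo_safe_rejects(void) {
    char payload[PAYLOAD_LEN + 1];
    make_payload(payload);
    return func_safe(payload) == 0;
}

int main(void) {
    func_vulnerable("short input, fits in buf");
    printf("ret addr lands at input offset %zu\n", ret_offset());
    printf("spilled %zu bytes past buf; ret now 0x%016llx\n",
           demo_spilled_bytes(), (unsigned long long)demo_ret_value());
    printf("hardened copy rejected the payload: %d\n", demo_safe_rejects());
    return 0;
}
```

The offset arithmetic is the whole exploit-construction step the slide is leading up to: an input of 126 + 8 filler bytes followed by 8 chosen bytes replaces the saved return address, and nothing in strcpy notices. The hardened version fails closed (reject, not silently truncate), which is the behaviour a network daemon like fingerd should have had.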