FACTOID # 21: 15% of Army recruits from South Dakota are Native American, which is roughly the same percentage for female Army recruits in the state.
 
 Home   Encyclopedia   Statistics   States A-Z   Flags   Maps   FAQ   About 
 
WHAT'S NEW
 

SEARCH ALL

FACTS & STATISTICS    Advanced view

Search encyclopedia, statistics and forums:

 

 

(* = Graphable)

 

 


Encyclopedia > Buffer overflow

[[Media:Media:Example.oggMedia:Example.ogg]]

In computer security and programming, a buffer overflow, or buffer overrun, is a programming error which may result in erratic program behavior, a memory access exception and program termination, or ― especially if deliberately caused by a malicious user ― a possible breach of system security. Image File history File links Mergefrom. ... This article is about the specifics of stack-based buffer overflows. ... This article is about the specifics of stack-based buffer overflows. ... This article describes how security can be achieved through design and engineering. ... Programming redirects here. ... The terms storage (U.K.) or memory (U.S.) refer to the parts of a digital computer that retain physical state (data) for some interval of time, possibly even after electrical power to the computer is turned off. ... Exception handling is a programming language construct or computer hardware mechanism designed to handle the occurrence of some condition that changes the normal flow of execution. ...


A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data and may cause a process to crash or produce incorrect results. They can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits. Sufficient bounds checking by either the programmer, the compiler or the runtime can prevent buffer overflows. Look up anomaly in Wiktionary, the free dictionary. ... In computing, a process is an instance of a computer program that is being executed. ... For other uses, see Data (disambiguation). ... In computing, a buffer is a region of memory used to temporarily hold output or input data, comparable to buffers in telecommunication. ... This article does not cite any references or sources. ... A crash in computing is a condition where a program (either an application or part of the operating system) stops performing its expected function and also stops responding to other parts of the system. ... In computer security, the word vulnerability refers to a weakness or other opening in a system. ... An exploit is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). ... In computer programming, bounds checking is the name given to any method of detecting whether or not an index given lies within the limits of an array. ... A diagram of the operation of a typical multi-language, multi-target compiler. ... In computer science, runtime or run time describes the operation of a computer program, the duration of its execution, from beginning to termination (compare compile time). ...

Software Testing Portal 

Contents

Image File history File links Portal. ...

Technical description

A buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values in memory addresses adjacent to the allocated buffer. Most commonly this occurs when copying strings of characters from one buffer to another. For other uses, see Data (disambiguation). ... In computer programming, bounds checking is the name given to any method of detecting whether or not an index given lies within the limits of an array. ... In computer science, a memory address is a unique identifier for a memory location at which a CPU or other device can store a piece of data for later retrieval. ... In computer programming and formal language theory, (and other branches of mathematics), a string is an ordered sequence of symbols. ...


Basic example

In the following example, a program has defined two data items which are adjacent in memory: an 8-byte-long string buffer, A, and a two-byte integer, B. Initially, A contains nothing but zero bytes, and B contains the number 3. Characters are one byte wide.

A B
0 0 0 0 0 0 0 0 0 3

Now, the program attempts to store the character string "excessive" in the A buffer, followed by a zero byte to mark the end of the string. By not checking the length of the string, it overwrites the value of B: The null character (also null terminator) is a character with the value zero, present in the ASCII and Unicode character sets, and available in nearly all mainstream programming languages. ...

A B
'e' 'x' 'c' 'e' 's' 's' 'i' 'v' 'e' 0

Although the programmer did not intend to change B at all, B's value has now been replaced by a number formed from part of the character string. In this example, on a big-endian system that uses ASCII, "e" followed by a zero byte would become the number 25856. If B was the only other variable data item defined by the program, writing an even longer string that went past the end of B could cause an error such as a segmentation fault, terminating the process. In computing, endianness is the byte (and sometimes bit) ordering in memory used to represent some kind of data. ... Image:ASCII fullsvg There are 95 printable ASCII characters, numbered 32 to 126. ... It has been suggested that Access violation be merged into this article or section. ...

For more details on stack-based overflows, see Stack buffer overflow.

This article is about the specifics of stack-based buffer overflows. ...

Exploitation

The techniques to exploit a buffer overflow vulnerability vary per architecture, operating system and memory region. For example, exploitation on the heap (used for dynamically allocated memory) is very different from on the call stack. An exploit is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). ... A typical vision of a computer architecture as a series of abstraction layers: hardware, firmware, assembler, kernel, operating system and applications (see also Tanenbaum 79). ... An operating system (OS) is the software that manages the sharing of the resources of a computer and provides programmers with an interface used to access those resources. ... In computer science, dynamic memory allocation is the allocation of memory storage for use in a computer program during the runtime of that program. ... In computer science, a call stack is a special stack which stores information about the active subroutines of a computer program. ...


Stack-based exploitation

Main article: Stack buffer overflow

A technically inclined and malicious user may exploit stack-based buffer overflows to manipulate the program in one of several ways: This article is about the specifics of stack-based buffer overflows. ...

  • By overwriting a local variable that is near the buffer in memory on the stack to change the behaviour of the program which may benefit the attacker.
  • By overwriting the return address in a stack frame. Once the function returns, execution will resume at the return address as specified by the attacker, usually a user input filled buffer.
  • By overwriting a function pointer,[1] or exception handler, which is subsequently executed.

With a method called "Trampolining", if the address of the user-supplied data is unknown, but the location is stored in a register, then the return address can be overwritten with the address of an opcode which will cause execution to jump to the user supplied data. If the location is stored in a register R, then a jump to the location containing the opcode for a jump R, call R or similar instruction, will cause execution of user supplied data. The locations of suitable opcodes, or bytes in memory, can be found in DLLs or the executable itself. However the address of the opcode typically cannot contain any null characters and the locations of these opcodes can vary between applications and versions of the operating system. The Metasploit Project is one such database of suitable opcodes, though only those found in the Windows operating system are listed.[2] In computing, a stack frame is a data structure used to create temporary storage for data and saved state in functions. ... Microprocessors perform operations using binary bits (on/off/1or0). ... This article is about dynamic libraries implemented by Microsoft. ... The null character (also null terminator) is a character with the value zero, present in the ASCII and Unicode character sets, and available in nearly all mainstream programming languages. ... The Metasploit Project is an open source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. ... Windows redirects here. ...


Stack-based buffer overflows are not to be confused with stack overflows. A stack overflow occurs when too many functions are called in a computer program. ...


Heap-based exploitation

Main article: Heap overflow

A buffer overflow occurring in the heap data area is referred to as a heap overflow and is exploitable in a different manner to that of stack-based overflows. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc meta data) and uses the resulting pointer exchange to overwrite a program function pointer. A heap overflow is another type of buffer overflow that occurs in the heap data area. ... In computing, malloc is a subroutine provided in the C programming languages and C++ programming languages standard library for performing dynamic memory allocation. ...


The Microsoft JPEG GDI+ vulnerability is a somewhat recent example of the danger a heap overflow can represent to a computer user.[3] Microsoft Corporation, (NASDAQ: MSFT, HKSE: 4338) is a multinational computer technology corporation with global annual revenue of US$44. ... JPG redirects here. ... The Graphics Device Interface (GDI, sometimes called Graphical Device Interface) is one of the three core components or subsystems, together with the kernel and the Windows API for the user interface (GDI window manager) of Microsoft Windows. ...


Barriers to exploitation

Manipulation of the buffer which occurs before it is read or executed may lead to the failure of an exploitation attempt. These manipulations can mitigate the threat of exploitation, but may not make it impossible. Manipulations could include conversion to upper or lower case, removal of metacharacters and filtering out of non-alphanumeric strings. However, techniques exist to bypass these filters and manipulations; alphanumeric code, polymorphic code, Self-modifying code and return to lib-C attacks. The same methods can be used to avoid detection by Intrusion detection systems. In some cases, including where code is converted into unicode,[4] the threat of the vulnerability have been misrepresented by the disclosers as only Denial of Service when in fact the remote execution of arbitrary code is possible. A metacharacter is a character that has a general meaning instead of a literal meaning in a regular expression. ... Generally speaking, the term alphanumeric refers to anything that consists of only letters and numbers. ... In general, in computing, an alphanumeric code is a series of letters and numbers (hence the name) which are written in a form understandable and processable by a computer. ... In computer terminology, polymorphic code is code that mutates while keeping the original algorithm intact. ... In computer science, self-modifying code is code that alters its own instructions, whether or not it is on purpose, while it is executing. ... A return-to-libc attack is a computer security attack usually starting with a buffer overflow, in which the return address on the stack is replaced by the address of another function in the program. ... An Intrusion Detection System or IDS is a software tool used to detect unauthorised access to a computer system or network. ...


Practicalities of exploitation

In real-world exploits there are a variety of issues which need to be overcome for exploits to operate reliably. Null bytes in addresses, variability in the location of shellcode, differences between different environments and various counter-measures in operation.


Nop sled technique

Main article: NOP slide
Illustration of a NOP-sled payload on the stack.
Illustration of a NOP-sled payload on the stack.

A NOP-sled is the oldest and most widely known technique for successfully exploiting a stack buffer overflow.[5] It solves the problem of finding the exact address to the buffer by effectively increasing the size of the target area. To do this much larger sections of the stack are corrupted with the no-op machine instruction. At the end of the attacker supplied data, after the no-op instructions, is placed an instruction to perform a relative jump to the top of the buffer where the shellcode is located. This collection of no-ops is referred to as the "NOP-sled" because if the return address is overwritten with any address within the no-op region of the buffer it will "slide" down the no-ops until it is redirected to the actual malicious code by the jump at the end. This technique requires the attacker to guess where on the stack the NOP-sled is instead of the comparatively small shellcode.[6]


Because of the popularity of this technique many vendors of Intrusion prevention systems will search for this pattern of no-op machine instructions in an attempt to detect shellcode in use. Its important to note that a NOP-sleds does not necessarily contain only traditional no-op machine instructions; any instruction that does not corrupt the machine state to a point where the shellcode will not run can be used in place of the hardware assisted no-op. As a result it has become common practice for exploit writers to compose the no-op sled with randomly chosen instructions which will have no real effect on the shellcode execution.[7] An intrusion prevention system (a computer security term) is any device which exercises access control to protect computers from exploitation. ...


While this method greatly improves the chances that an attack will be successful, it is not without problems. Exploits using this technique still must rely on some amount of luck that they will guess offsets on the stack that are within the NOP-sled region.[8] An incorrect guess will usually result in the target program crashing and could alert the system administrator to the attacker's activities. Another problem is that the NOP-sled requires a much larger amount of memory in which to hold a NOP-sled large enough to be of any use. This can be a problem when the allocated size of the affected buffer is too small and the current depth of the stack is shallow (i.e. there is not much space from the end of the current stack frame to the start of the stack). Despite its problems, the NOP-sled is often the only method that will work for a given platform, environment, or situation; as such it is still an important technique. A system administrator, or sysadmin, is a person employed to maintain, and operate a computer system or network. ...


The jump to register technique

The "jump to register" technique allows for reliable exploitation of stack buffer overflows without the need for extra room for a NOP-sled and without having to guess stack offsets. The strategy is to overwrite the return pointer with something that will cause the program to jump to a known pointer stored within a register which points to the controlled buffer and thus the shellcode. For example if register A contains a pointer to the start of a buffer then any jump or call taking that register as an operand can be used to gain control of the flow of execution.[9]

An instruction from ntdll.dll to call the DbgPrint() routine contains the i386 machine opcode for jmp esp.
An instruction from ntdll.dll to call the DbgPrint() routine contains the i386 machine opcode for jmp esp.

In practice a program may not intentionally contain instructions to jump to a particular register. The traditional solution is to find an unintentional instance of a suitable opcode at a fixed location somewhere within the program memory. In figure E on the left you can see an example of such an unintentional instance of the i386 jmp esp instruction. The opcode for this instruction is FF E4.[10] This two byte sequence can be found at a one byte offset from the start of the instruction call DbgPrint at address 0x7C941EED. If an attacker overwrites the program return address with this address the program will first jump to 0x7C941EED, interpret the opcode FF E4 as the jmp esp instruction, and will then jump to the top of the stack and execute the attacker's code.[11] The Intel 80386 is a microprocessor which was used as the central processing unit (CPU) of many personal computers from 1986 until 1994 and later. ... Microprocessors perform operations using binary bits (on/off/1or0). ...


When this technique is possible the severity of the vulnerability increases considerably. This is because exploitation will work reliably enough to automate an attack with a virtual guarantee of success when it is run. For this reason, this is the technique most commonly used in internet worms that exploit stack buffer overflow vulnerabilities.[12] A computer worm is a self-replicating computer program, similar to a computer virus. ...


This method also allows shellcode to be placed after the overwritten return address on the Windows platform. Since executables are based at address 0x00400000 and x86 is a Little Endian architecture, the last byte of the return address must be a null, which terminates the buffer copy and nothing is written beyond that. This limits the size of the shellcode to the size of the buffer, which may be overly restrictive. DLLs are located in high memory (above 0x01000000 and so have addresses containing no null bytes, so this method can remove null bytes (or other disallowed characters) from the overwritten return address. Used in this way, the method is often referred to as "DLL Trampolining".


Protective countermeasures

Various techniques have been used to detect or prevent buffer overflows, with various tradeoffs. The most reliable way to avoid or prevent buffer overflows is to use automatic protection at the language level. This sort of protection, however, cannot be applied to legacy code, and often technical, business, or cultural constraints call for a vulnerable language. The following sections describe the choices and implementations available. Legacy code is hi source code that relates to a no-longer supported or manufactured operating system or other computer technology. ...


Choice of programming language

The choice of programming language can have a profound effect on the occurrence of buffer overflows. As of 2006, among the most popular languages are C and its derivative, C++, with an enormous body of software having been written in these languages. C and C++ provide no built-in protection against accessing or overwriting data in any part of memory; more specifically, they do not check that data written to an array (the implementation of a buffer) is within the boundaries of that array. However, the standard C++ libraries provide many ways of safely buffering data, and technology to avoid buffer overflows also exist for C. 2006 is a common year starting on Sunday of the Gregorian calendar. ... C is a general-purpose, block structured, procedural, imperative computer programming language developed in 1972 by Dennis Ritchie at the Bell Telephone Laboratories for use with the Unix operating system. ... C++ (pronounced ) is a general-purpose programming language. ...


Many other programming languages provide runtime checking and in some cases even compile-time checking which might send a warning or raise an exception when C or C++ would overwrite data and continue to execute further instructions until erroneous results are obtained which might or might not cause the program to crash. Examples of such languages include Ada, Lisp, Modula-2, Smalltalk, OCaml and such C-derivatives as Cyclone and D. The Java and .NET bytecode environments also require bounds checking on all arrays. (Python is sometimes claimed to have boundary-checked arrays but this is not entirely true since an attempt to access negative array indices, rather than generating an error or raising an exception, instead treats the array as a ring buffer, accessing elements from the far end.) Nearly every interpreted language will protect against buffer overflows, signalling a well-defined error condition. Often where a language provides enough type information to do bounds checking an option is provided to enable or disable it. Static code analysis can remove many dynamic bound and type checks, but poor implementations and awkward cases can significantly decrease performance. Software engineers must carefully consider the tradeoffs of safety versus performance costs when deciding which language and compiler setting to use. Exception handling is a programming language construct or computer hardware mechanism designed to handle the occurrence of some condition that changes the normal flow of execution. ... Ada is a structured, statically typed imperative computer programming language designed by a team led by Jean Ichbiah of CII Honeywell Bull during 1977–1983. ... Lisp is a family of computer programming languages with a long history and a distinctive fully-parenthesized syntax. ... Modula-2 is a computer programming language invented by Niklaus Wirth at ETH around 1978, as a successor to Modula, an intermediate language by him. ... For other uses, see Small talk. ... Objective Caml (OCaml) is a general-purpose programming language descended from the ML family, created by Xavier Leroy, Jérôme Vouillon, Damien Doligez, Didier Rémy and others in 1996. ... The Cyclone programming language is intended to be a safe dialect of the C programming language. ... For other programming languages named D, see D (disambiguation)#Computing. ... Java refers to a number of computer software products and specifications from Sun Microsystems that together provide a system for developing application software and deploying it in a cross-platform environment. ... Microsoft . ... Python is a general-purpose, high-level programming language. ... In computer programming, an interpreted language is a programming language whose programs may be executed from source form, by an interpreter. ... Static analysis is the term applied to the analysis of computer software that is performed without actually executing programs built from that software (analysis performed on executing programs is known as dynamic analysis). ...


Use of safe libraries

The problem of buffer overflows is common in the C and C++ languages because they expose low level representational details of buffers as containers for data types. Buffer overflows must thus be avoided by maintaining a high degree of correctness in code which performs buffer management. Well-written and tested abstract data type libraries which centralize and automatically perform buffer management, including bounds checking, can reduce the occurrence and impact of buffer overflows. The two main building-block data types in these languages in which buffer overflows commonly occur are strings and arrays; thus, libraries preventing buffer overflows in these data types can provide the vast majority of the necessary coverage. Still, failure to use these safe libraries correctly can result in buffer overflows and other vulnerabilities; and naturally, any bug in the library itself is a potential vulnerability. "Safe" library implementations include "The Better String Library" [13], Vstr [14] and Erwin.[15] The OpenBSD operating system's C library provides the strlcpy and strlcat functions, but these are more limited than full safe library implementations. OpenBSD is a Unix-like computer operating system descended from Berkeley Software Distribution (BSD), a Unix derivative developed at the University of California, Berkeley. ... An operating system (OS) is the software that manages the sharing of the resources of a computer and provides programmers with an interface used to access those resources. ... A C library is a collection of libraries used in programming with the C programming language. ... The strlcpy function, developed by Todd C. Miller and Theo de Raadt for use in the C programming language, is intended to replace the function strcpy and provide a simpler and more robust interface than strncpy. ... The strlcpy function, developed by Todd C. Miller and Theo de Raadt for use in the C programming language, is intended to replace unsafe functions like strcpy and strncpy. ...


In September 2006, Technical Report 24731, prepared by the C standards committee, was published; it specifies a set of functions which are based on the standard C library's string and I/O functions, with additional buffer-size parameters. However, the efficacy of these functions for the purpose of reducing buffer overflows is disputable; it requires programmer intervention on a per function call basis that is equivalent to intervention that could make the analogous older standard library functions buffer overflow safe.[16]


Stack-smashing protection

Main article: Stack-smashing protection

Stack-smashing protection is used to detect the most common buffer overflows by checking that the stack has not been altered when a function returns. If it has been altered, the program exits with a segmentation fault. Three such systems are Libsafe,[17] and the StackGuard[18] and ProPolice[19] gcc patches. Stack-smashing protection refers to various techniques for detecting buffer overflows on stack-allocated variables as they occur and preventing them from becoming serious security vulnerabilities. ... In computer science, a call stack is a special stack which stores information about the active subroutines of a computer program. ... It has been suggested that Access violation be merged into this article or section. ... StackGuard is an extension that provides stack-smashing protection to the C compiler in the GNU Compiler Collection. ... The Stack-Smashing Protector (sometimes called SSP, formerly known as ProPolice) is an extension to the GNU Compiler Collection that helps mitigate the damage that can be done by buffer overflow-based attacks. ... The GNU Compiler Collection (usually shortened to GCC) is a set of programming language compilers produced by the GNU Project. ...


Microsoft's Data Execution Prevention mode explicitly protects the pointer to the SEH Exception Handler from being overwritten.[20] DEP controls in Windows Vista DEP causing Windows XP to end a program Data Execution Prevention (DEP) is a security feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region. ...


Stronger stack protection is possible by splitting the stack in two: one for data and one for function returns. This split is present in the Forth programming language, though it was not a security-based design decision. Regardless, this is not a complete solution to buffer overflows, as sensitive data other than the return address may still be overwritten. Forth is a programming language and programming environment, initially developed by Charles H. Moore at the US National Radio Astronomy Observatory in the early 1970s. ...


Executable space protection

Main article: Executable space protection

Executable space protection is an approach to buffer overflow protection which prevents execution of code on the stack or the heap. An attacker may use buffer overflows to insert arbitrary code into the memory of a program, but with executable space protection, any attempt to execute that code will cause an exception. In computer security, executable space protection is the marking of memory regions as non-executable, such that an attempt to execute machine code in these regions will cause an exception. ...


Some CPUs support a feature called NX ("No eXecute") or XD ("eXecute Disabled") bit, which in conjunction with software, can be used to mark pages of data (such as those containing the stack and the heap) as readable but not executable. The NX bit, which stands for No eXecute, is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions (or code) or for storage of data, a feature normally only found in Harvard architecture processors. ... NX stands for No eXecute. ... In computer operating systems, paging memory allocation, paging refers to the process of managing program access to virtual memory pages that do not currently reside in RAM. It is implemented as a task that resides in the kernel of the operating system and gains control when a page fault takes...


Some Unix operating systems (e.g. OpenBSD, Mac OS X) ship with executable space protection (e.g. W^X). Some optional packages include: OpenBSD is a Unix-like computer operating system descended from Berkeley Software Distribution (BSD), a Unix derivative developed at the University of California, Berkeley. ... Mac OS X (pronounced ) is a line of graphical operating systems developed, marketed, and sold by Apple Inc. ... W^X (pronounced W xor X[1]) is the name of a security feature present in the OpenBSD operating system. ...

Newer variants of Microsoft Windows also support executable space protection, called Data Execution Prevention.[24] Proprietary add-ons include: In computer security, PaX is a patch for the Linux kernel that implements least privilege protections for memory pages. ... Exec-shield is a kernel patch enabling new security features in the Linux operating system. ... The Openwall Project is a source for various software, including Openwall GNU/*/Linux (Owl), a security-enhanced GNU/Linux-based server platform. ... DEP controls in Windows Vista DEP causing Windows XP to end a program Data Execution Prevention (DEP) is a security feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region. ... Proprietary indicates that a party, or proprietor, exercises private ownership, control or use over an item of property, usually to the exclusion of other parties. ...

Executable space protection does not protect against return-to-libc attacks, or any other attack which does not rely on the execution of the attackers code. A return-to-libc attack is a computer security attack usually starting with a buffer overflow, in which the return address on the stack is replaced by the address of another function in the program. ...


Address space layout randomization

Address space layout randomization (ASLR) is a computer security feature which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space. Address space layout randomization (ASLR) is a computer security technique which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process address space. ...


Randomization of the virtual memory addresses at which functions and variables can be found can make exploitation of a buffer overflow more difficult, but not impossible. It also forces the attacker to tailor the exploitation attempt to the individual system, which foils the attempts of internet worms.[27] A similar but less effective method is to rebase processes and libraries in the virtual address space. The program thinks it has a large range of contiguous addresses; but in reality the parts it is currently using are scattered around RAM, and the inactive parts are saved in a disk file. ... A computer worm is a self-replicating computer program, similar to a computer virus. ... Rebasing is the process of creating a shared library image in such a way that it is guaranteed to use virtual memory without conflicting with any other shared libraries loadable in the system. ...


Deep packet inspection

The use of deep packet inspection (DPI) can detect, at the network perimeter, very basic remote attempts to exploit buffer overflows by use of attack signatures and heuristics. These are able to block packets which have the signature of a known attack, or if a long series of No-Operation (NOP) instructions (known as a nop-sled) is detected, these were once used when the location of the exploit's payload is slightly variable. Deep packet inspection (DPI) is a form of computer network packet filtering that examines the data part of a through-passing packet, searching for non-protocol compliance or predefined criteria to decide if the packet can pass. ... In computer science, besides the common use as rule of thumb (see heuristic), the term heuristic has two well-defined technical meanings. ...


Packet scanning is not an effective method since it can only prevent known attacks and there are many ways that a 'nop-sled' can be encoded. Attackers have begun to use alphanumeric, metamorphic, and self-modifying shellcodes to evade detection by heuristic packet scanners and Intrusion detection systems. In general, in computing, an alphanumeric code is a series of letters and numbers (hence the name) which are written in a form understandable and processable by a computer. ... In computer virus terms, metamorphic code is code that can reprogram itself. ... In computer science, self-modifying code is code that alters its own instructions, whether or not it is on purpose, while it is executing. ... A shellcode is a relocatable piece of machine code used as the payload in the exploitation of a software bug which allows an unauthorised user to communicate with the computer via the operating systems command line as a result of exploiting a vulnerability in software running on the machine. ... An Intrusion Detection System or IDS is a software tool used to detect unauthorised access to a computer system or network. ...


History of exploitation

Buffer overflows were understood as early as 1972, when the Computer Security Technology Planning Study laid out the technique: "The code performing this function does not check the source and destination addresses properly, permitting portions of the monitor to be overlaid by the user. This can be used to inject code into the monitor that will permit the user to seize control of the machine." (Page 61)[28] Today, the monitor would be referred to as the kernel.


The earliest documented hostile exploitation of a buffer overflow was in 1988. It was one of several exploits used by the Morris worm to propagate itself over the Internet. The program exploited was a Unix service called finger.[29] Later, in 1995, Thomas Lopatic independently rediscovered the buffer overflow and published his findings on the Bugtraq security mailing list.[30] A year later, in 1996, Elias Levy (aka Aleph One) published in Phrack magazine the paper "Smashing the Stack for Fun and Profit",[31] a step-by-step introduction to exploiting stack-based buffer overflow vulnerabilities. The Morris worm or Internet worm was one of the first computer worms distributed via the Internet; it is considered the first worm and was certainly the first to gain significant mainstream media attention. ... Filiation of Unix and Unix-like systems Unix (officially trademarked as UNIX®, sometimes also written as or ® with small caps) is a computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs including Ken Thompson, Dennis Ritchie and Douglas McIlroy. ... In information technology, a server is a computer system that provides services to other computing systems—called clients—over a network. ... In computer networking, the Name/Finger protocol and the Finger user information protocol are simple network protocols for the exchange of human-oriented status and user information. ... Bugtraq is an electronic mailing list dedicated to issues about computer security. ... Aleph One in 1996 Elias Levy (also known as Aleph One), was the moderator of the full disclosure vulnerability mailing list Bugtraq from May 14, 1996, until he stepped down on October 15, 2001. ... Phrack is an underground ezine made by and for hackers that has been around since November 17, 1985. ...


Since then, at least two major internet worms have exploited buffer overflows to compromise a large number of systems. In 2001, the Code Red worm exploited a buffer overflow in Microsoft's Internet Information Services (IIS) 5.0[32] and in 2003 the SQL Slammer worm compromised machines running Microsoft SQL Server 2000. [33] The Code Red worm was a computer worm released via the Internet on July 13, 2001 affecting computers running Microsofts Internet Information Server (IIS) web server. ... Microsoft Internet Information Services (IIS, formerly called Internet Information Server) is a set of Internet-based services for servers using Microsoft Windows. ... The SQL slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. ... Microsoft SQL Server is a relational database management system produced by Microsoft. ...


In 2003, buffer overflows present in licensed Xbox games have been exploited to allow unlicensed software, including homebrew games, to run on the console without the need for hardware modifications, known as modchips.[34] The PS2 Independence Exploit also used a buffer overflow to achieve the same for the PlayStation 2. More recently, the Twilight Hack accomplished the same with the Wii, using a buffer overflow in The Legend of Zelda: Twilight Princess. Year 2003 (MMIII) was a common year starting on Wednesday of the Gregorian calendar. ... The Xbox is a sixth generation era video game console produced by Microsoft Corporation. ... Homebrew is a term frequently applied only to video games that are produced by consumers on proprietary game platforms; in other words, game platforms that are not typically user-programmable, or use proprietary hardware for storage. ... Xenium Mod Chip attached to an Xbox. ... The PS2 Independence Exploit allows the execution of homebrew programs on an unmodified PlayStation 2. ... PS2 redirects here. ... The Wii (pronounced as the pronoun we, IPA: ) is the fifth home video game console released by Nintendo. ...


See also

This article is about the specifics of stack-based buffer overflows. ... A heap overflow is another type of buffer overflow that occurs in the heap data area. ... A shellcode is a relocatable piece of machine code used as the payload in the exploitation of a software bug which allows an unauthorised user to communicate with the computer via the operating systems command line as a result of exploiting a vulnerability in software running on the machine. ... A return-to-libc attack is a computer security attack usually starting with a buffer overflow, in which the return address on the stack is replaced by the address of another function in the program. ... In computer science, self-modifying code is code that alters its own instructions, whether or not it is on purpose, while it is executing. ... This article describes how security can be achieved through design and engineering. ... Many current computer systems have only limited security precautions in place. ... This is an alphabetical list of operating systems with a sharp security focus. ... PoD redirects here. ...

Notes

  1. ^ CORE-2007-0219: OpenBSD's IPv6 mbufs remote kernel buffer overflow. Retrieved on 2007-05-15.
  2. ^ The Metasploit Opcode Database. Retrieved on 2007-05-15.
  3. ^ Microsoft Technet Security Bulletin MS04-028. Retrieved on 2007-05-15.
  4. ^ Creating Arbitrary Shellcode In Unicode Expanded Strings. Retrieved on 2007-05-15.
  5. ^ Vangelis (2004-12-08). "Stack-based Overflow Exploit: Introduction to Classical and Advanced Overflow Technique" (text). Wowhacker via Neworder.
  6. ^ Balaban, Murat. "Buffer Overflows Demystified" (text). Enderunix.org.
  7. ^ Akritidis, P.; Evangelos P. Markatos, M. Polychronakis, and Kostas D. Anagnostakis (2005). "STRIDE: Polymorphic Sled Detection through Instruction Sequence Analysis.". Proceedings of the 20th IFIP International Information Security Conference (IFIP/SEC 2005), IFIP International Information Security Conference. 
  8. ^ Klein, Christian (2004-09). "Buffer Overflow" (PDF).
  9. ^ Shah, Saumil (2006). "Writing Metasploit Plugins: from vulnerability to exploit". Hack In The Box. 
  10. ^ (2007-05) Intel® 64 and IA-32 Architectures Software Developer’s Manual Volume 2A: Instruction Set Reference, A-M. Intel Corporation, 3-508. 
  11. ^ Alvarez, Sergio (2004-09-05). "Win32 Stack BufferOverFlow Real Life Vuln-Dev Process" (PDF). IT Security Consulting.
  12. ^ Ukai, Yuji; Soeder, Derek; Permeh, Ryan (2004). "Environment Dependencies in Windows Exploitation". BlackHat Japan, Japan: eEye Digital Security. 
  13. ^ The Better String Library.
  14. ^ The Vstr Homepage. Retrieved on 2007-05-15.
  15. ^ The Erwin Homepage. Retrieved on 2007-05-15.
  16. ^ CERT Secure Coding Initiative. Retrieved on 2007-7-30.
  17. ^ Libsafe at FSF.org. Retrieved on 2007-05-20.
  18. ^ StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks by Cowan et al.. Retrieved on 2007-05-20.
  19. ^ ProPolice at X.ORG. Retrieved on 2007-05-20.
  20. ^ Bypassing Windows Hardware-enforced Data Execution Prevention. Retrieved on 2007-05-20.
  21. ^ PaX: Homepage of the PaX team. Retrieved on 2007-06-03.
  22. ^ KernelTrap.Org. Retrieved on 2007-06-03.
  23. ^ Openwall Linux kernel patch 2.4.34-ow1. Retrieved on 2007-06-03.
  24. ^ Microsoft Technet: Data Execution Prevention.
  25. ^ BufferShield: Prevention of Buffer Overflow Exploitation for Windows. Retrieved on 2007-06-03.
  26. ^ NGSec Stack Defender. Retrieved on 2007-06-03.
  27. ^ PaX at GRSecurity.net. Retrieved on 2007-06-03.
  28. ^ Computer Security Technology Planning Study. Retrieved on 2007-11-02.
  29. ^ "A Tour of The Worm" by Donn Seeley, University of Utah. Retrieved on 2007-06-03.
  30. ^ Bugtraq security mailing list archive. Retrieved on 2007-06-03.
  31. ^ "Smashing the Stack for Fun and Profit" by Aleph One. Retrieved on 2007-06-03.
  32. ^ eEye Digital Security. Retrieved on 2007-06-03.
  33. ^ Microsoft Technet Security Bulletin MS02-039. Retrieved on 2007-06-03.
  34. ^ Hacker breaks Xbox protection without mod-chip. Retrieved on 2007-06-03.

Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 135th day of the year (136th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 135th day of the year (136th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 135th day of the year (136th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 135th day of the year (136th in leap years) in the Gregorian calendar. ... Year 2004 (MMIV) was a leap year starting on Thursday of the Gregorian calendar. ... is the 342nd day of the year (343rd in leap years) in the Gregorian calendar. ... PDF is an abbreviation with several meanings: Portable Document Format Post-doctoral fellowship Probability density function There also is an electronic design automation company named PDF Solutions. ... Year 2004 (MMIV) was a leap year starting on Thursday of the Gregorian calendar. ... is the 248th day of the year (249th in leap years) in the Gregorian calendar. ... PDF is an abbreviation with several meanings: Portable Document Format Post-doctoral fellowship Probability density function There also is an electronic design automation company named PDF Solutions. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 135th day of the year (136th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 135th day of the year (136th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 140th day of the year (141st in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 140th day of the year (141st in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 140th day of the year (141st in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 140th day of the year (141st in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 154th day of the year (155th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 154th day of the year (155th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 154th day of the year (155th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 154th day of the year (155th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 154th day of the year (155th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 154th day of the year (155th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 306th day of the year (307th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 154th day of the year (155th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 154th day of the year (155th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 154th day of the year (155th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 154th day of the year (155th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 154th day of the year (155th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 154th day of the year (155th in leap years) in the Gregorian calendar. ...

External links

  • An Overview and Example of the Buffer-Overflow Exploit. pps. 16-21.
  • CERT Secure Coding Standards
  • CERT Secure Coding Initiative
  • Secure Coding in C and C++
  • SANS: inside the buffer overflow attack
  • "Smashing the Stack for Fun and Profit" by Aleph One
  • "Advances in adjacent memory overflows" by Nomenumbra
  • A Comparison of Buffer Overflow Prevention Implementations and Weaknesses
  • More Security Whitepapers about Buffer Overflows
  • Chapter 12: Writing Exploits III from Sockets, Shellcode, Porting & Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals by James C. Foster (ISBN 1-59749-005-9). Detailed explanation of how to use Metasploit to develop a buffer overflow exploit from scratch.
  • Computer Security Technology Planning Study, James P. Anderson, ESD-TR-73-51, ESD/AFSC, Hanscom AFB, Bedford, MA 01731 (Oct. 1972) [NTIS AD-758 206]

  Results from FactBites:
 
Buffer overflow - Wikipedia, the free encyclopedia (2214 words)
A buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values in memory addresses adjacent to the allocated buffer.
A buffer overflow occurring in the heap data area is referred to as a heap overflow and is exploitable in a similar manner to that of stack-based overflows since memory on the heap is dynamically allocated by the application at run-time and typically contains program data.
The earliest known exploitation of a buffer overflow was in 1988.
Buffer overflow - definition of Buffer overflow in Encyclopedia (1574 words)
Buffer overflows are also a commonly exploited computer security risk—since program control data often sits in the memory areas adjacent to data buffers, by means of a buffer overflow condition the computer can be made to execute arbitrary (and potentially malicious) code that is fed to the buggy program as data.
Buffer overflows are most easily exploited when the data buffer is in the program stack, since this can lead directly to an alteration of the program's execution path.
Buffer overflows are common only in programs written in relatively low-level programming languages, such as assembly language, C, and C++ which require the programmer to manually manage the size of allocated memory.
  More results at FactBites »

 
 

COMMENTARY     


Share your thoughts, questions and commentary here
Your name
Your comments

Want to know more?
Search encyclopedia, statistics and forums:

 


Press Releases |  Feeds | Contact
The Wikipedia article included on this page is licensed under the GFDL.
Images may be subject to relevant owners' copyright.
All other elements are (c) copyright NationMaster.com 2003-5. All Rights Reserved.
Usage implies agreement with terms, 1022, m