Stack and Heap Overflow

TNS Seminar Winter Semester 2006/2007 Nicolas Martenet

Table of Contents

Introduction
Stack Overflow
Heap Overflow
Conclusion

TNS Seminar Stack and Heap Overflow

Introduction

Writing good programs requires understanding how hackers attack.
In this presentation: stack and heap based attacks
  Explanations
  How to exploit
  How to prevent

The Memory

Remember the memory organisation

The Memory
test.h
1)  int MAXBUFSIZE = 10;

test.c
    #include "test.h"
2)  int noInitNum;

    void test_function(int a, int b){
        int numberA = a;
        int numberB = b;
    }

    int main(){
3)      char buffer[MAXBUFSIZE];
        int numA = 1;
        int numB = 2;
4)      test_function(1, 2);
    }

1) is a global initialized variable, so MAXBUFSIZE is stored in the data segment.
2) is a non-initialized variable, so it is stored in the bss segment.
3) is a variable stored in the heap segment.
4) is a call to test_function, so the parameters, the return address and the stack frame pointer are stored on the stack.

Stack Overflow

Main idea: overwrite the return address to take control
Need:
  User input
  Root access (SUID bit)

Stack Overflow

Picture from Transparent Run-Time Defense Against Stack Smashing Attacks by Arash Baratloo and Navjot Singh, Bell Labs Research
Stack Overflow - Problem

Don't know the return address location
Don't know the attack code location
Don't know the buffer size

Stack Overflow - Solutions

Don't know the return address location

The buffer is filled with a repetition of the return address of malicious code

Don't know the attack code location

The buffer is filled with a repetition of NOP
Use the stack pointer to estimate the new address
Stack Overflow - Solutions

Before

After

Stack Overflow - Solutions

Don't know the buffer size

If the buffer is too small to contain shell code, NOPs and the return address:
  Use the arguments of the program
  Use environment variables

Prevent Stack Overflow

Always check the user input
Tools to detect stack overflow
Warning when using the functions below

Heap Overflow

Main idea: overwrite an important variable stored after an overflowable buffer
Harder to exploit because it depends on the system memory allocator implementation

Heap Overflow

The heap is used to store variables dynamically allocated by the application (malloc).
The data section is initialized at compile time.
The bss section contains uninitialized data and is allocated at run time.
No rules, only memory space
Only data

Heap Overflow

Heap Overflow - Problem

Don't know the size of the buffer
Don't know the address to write
Depends on the operating system

Heap Overflow - Solutions

Don't know the size of the buffer

Test with different values


Don't know the address to write

Use environment variable


Depends on the operating system

Must know the OS very well

Heap Overflow - Prevent

Always check the user input
Test the program completely
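As an added example (not from the slides): a heap-allocated record in which a flag sits directly after a fixed-size name buffer, the layout the slides call an important variable stored after an overflowable buffer, together with the input check that keeps a long name from reaching it. The struct, its field names and sizes are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed layout: the "important variable" is_admin lives right
 * after the 16-byte name buffer inside one heap allocation. */
struct record {
    char name[16];
    int  is_admin;
};

/* Bounded copy of user input into rec->name, NUL terminator included.
 * Returns 0 on success, -1 if the input is rejected as too long.
 * An unchecked strcpy() here would let a long name run into is_admin. */
int set_name(struct record *rec, const char *input)
{
    size_t len = strlen(input);
    if (len >= sizeof rec->name)
        return -1;                 /* refuse rather than truncate silently */
    memcpy(rec->name, input, len + 1);
    return 0;
}

/* Allocate a record on the heap, apply the input, and report is_admin
 * afterwards (0 means the neighbouring field was not touched).
 * *accepted is set to 1 if the name was stored, 0 if rejected. */
int try_input(const char *input, int *accepted)
{
    struct record *rec = calloc(1, sizeof *rec);   /* is_admin starts at 0 */
    if (rec == NULL)
        return -1;
    *accepted = (set_name(rec, input) == 0);
    int admin = rec->is_admin;
    free(rec);
    return admin;
}

int main(void)
{
    const char *inputs[] = {
        "alice",                 /* fits: 5 chars + NUL */
        "exactly15chars!",       /* fits: 15 chars + NUL, the maximum */
        "0123456789abcdefXXXX",  /* 20 chars: rejected before it can overrun */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int ok;
        int admin = try_input(inputs[i], &ok);
        printf("%-22s accepted=%d is_admin=%d\n", inputs[i], ok, admin);
    }
    return 0;
}
```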

Conclusion Stack Overflow

Stack overflows are well known and there exist mechanisms directly in the OS to prevent them
New C libraries are defined
Tools to detect overflows
Easy for developers to prevent

Conclusion Heap Overflow

Heap overflows are dangerous because they are less known
More difficult to defend against and detect
More difficult to exploit
