Definition of Buffer Overflow

Buffer overflows  = buffer overruns

Buffer overflow is an event that occurs when we have:

—Fixed-length data buffer (e.g., string)

—At least one value intended for buffer is written outside that buffer’s boundaries (usually past its end)

Some definitions also include reading outside buffer

NIST’s definition:
“A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.”

Buffer Overflow: A Well Known Problem

• Noted in “Computer Security Technology Planning Study” (1972)

• If exploitable

—Attacker can often completely control program

—Attacker can typically cause denial-of-service

– Many defenses simply downgrade from “control program” to DoS

• Still of major concern due to

—legacy of widely deployed buggy codes

—careless programming techniques

• 2 Types:

—Stack overrun.  Buffer in stack; attack is called “stack smashing”

—Heap overrun.  Buffer in heap; attack is called “heap smashing”

Buffer overflow Examples

• 1988: Morris worm – took down Internet

— – via gets() in fingerd command

• 1998: University of Washington IMAP (mail) server

• 1999: RSA crypto reference implementation

— – Subverted PGP, OpenSSH, Apache’s ModSSL, etc.

• 2001: Code Red worm – buffer overflow in Microsoft’s Internet Information Services (IIS) 5.0

• 2003: SQL Slammer worm compromised machines running Microsoft SQL Server 2000

• ~2008: Twilight hack – unlocks Nintendo Wii consoles

— – Creates a strange long horse name for “The Legend of Zelda: Twilight Princess” that includes a program

Importance of Buffer Overflow

• “Practically every worm that has been unleashed in the Internet has exploited a buffer overflow vulnerability in some networking software.”*

A Real Buffer Overflow Example:
telnet service

• The Telnet protocol (telnet command) allows a user to establish a terminal session on a remote machine for the purpose of executing commands there.

• telnet is not a secure service, so, remote terminal sessions are now created with the SSH command

• But it is still used:

—- By human users to gain terminal access to other hosts

—- For some computer-to-computer exchanges within networks

How TELNET Works?

• Telnet server monitors port 23 for incoming connection requests from Telnet clients

• a client runs telnet program to establish a connection with a remote server

• the client sends its socket number to the server

• Socket number = IP + port number

• The server receives the client socket number and send beck its own socket number

Attack on Telnet

• (10 Feb 2007) US-CERT (United States Computer Emergency Readiness Team) issued the following Vulnerability Note:

Vulnerability Note VU#881872

OVERVIEW: A vulnerability in the Sun Solaris telnet daemon (in.telnetd) could allow a remote attacker to log on to the system with elevated privileges.

Description: The Sun Solaris telnet daemon may accept authentication information vis the USER environment variable. However, the daemon does not properly sanitize this information before passing it

on to the login program and login makes unsafe assumptions about the information. This may allow a remote attacker to trivially bypass the telnet and login authentication mechanisms. …..

This vulnerability is being exploited by a worm …

• (31 Dec 2004) CISCO issued the following security advisory:

Cisco Security Advisory: Cisco Telnet Denial of Service Vulnerability

Document ID: 61671

Revision 2.4

Summary:

A specifically crafted TCP connection to a telnet or a revers e telnet port of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet, remote shell (RSH), secure shell (SSH), and in some cases HTTP access to the Cisco device.  Data Link Switching (DLSw) and protocol translation connections may also be affected.  Telnet, reverse telnet, RSH, SSH, DLSw and protocol translation sessions established prior to exploitation are not affected.

….

This vulnerability affects all Cisco devices that permit access via

telnet or reverse telnet…….

….

Telnet, RSH, and SSH are used for remote management of Cisco I

OS devices. …

• (7 Feb 2002) Microsoft released the following security bulletin:

Microsoft Security Bulletin MS02-

Problem:  A vulnerability exists in some Microsoft Telnet Se

rver products that may cause a denial-of-service or allow an attacker to execute code on the system.

Platform:  Telnet Service in Microsoft Windows 2000

Damage:    A successful attack could cause the Telnet Server to fail, or in some cases, may allow an attacker to execute

code of choice on the system.

…..

Vulnerability Assessment:  The risk is HIGH.  Exploiting this vulnerability may allow an attacker

complete control of the system.

Summary:

Unchecked buffer in telnet server could lead to arbitrary code execution

…..

The server implementation ….. contains unchecked buffers in code that handles the processing of telnet protocol options

Buffer Overflow Basics

• Caused by programming error

• Allows more data to be stored than capacity available in a fixed sized buffer

— – buffer can be on stack, heap, global data

• Overwriting adjacent memory locations

— – corruption of program data

— – unexpected transfer of control

— – memory access violation

— – execution of code chosen by attacker

Programming languages & buffer overflow

• Some languages allow buffer overflow

— – C, C++, Objective-C, Vala, Forth, assembly language

• Most languages counter buffer overflow…

— – Ada strings, Pascal: Detect/prevent overflow

— – Java, Python, perl, Ada unbounded_string: Auto-resize

• Using other languages doesn’t give immunity

— – Most language implementations are in C/C++

— – Many libraries/components/OSs include C/C++

— – Some languages/compilers allow disabling protection

• Including languages C# and Ada

— – Choosing another language helps – but not completely

ادامه مطلب و دانلود مقاله

References

Avinash Kak, Buffer Overflow Attack, Computer & Network Security, Purdue University, April 2016.

David A. Wheeler, Secure Software Design & Programming: Low-level attacks (Buffer overflow and friends), SWE 681/ISA 681, George Mason University, Aug 2014.

Hossein Saiedian, Computer Security: Principles and Practice, Chapter 10: Buffer Overflow, University of Kansas, Fall 2014.

UO Security Club, Stack Buffer Overflow, Fall 2014.

Introduction

– Static analyzer of a code is similar to spell checker!

– A clean detected by an static analysis doesn’t guarantee that this code is perfect;

– It just indicates that it is free of certain kinds of common problems

– Security problems can result from

—the same kind of simple mistakes that lead a good speller to occasionally make a typo

—lack of understanding about what secure programming needs.

Capabilities of Static Analysis

Static analysis tools apply checks thoroughly and consistently, without any of the bias that a programmer might have

—about which pieces of code are “interesting” from a security perspective or

—which pieces of code are easy to exercise through dynamic testing.

By examining the source code, static analysis tools can often point to the root cause of a security problem, not just one of its symptoms.

This is important for making sure that vulnerabilities are fixed properly

Static analysis can find errors early in development, even before the program is run for the first time.

—reduces the cost of fixing the error

—the quick feedback cycle can help programmer

A programmer has the opportunity to correct mistakes he or she wasn’t previously aware could even happen.

static analysis tool act as a means of knowledge transfer.

When a new attack is discovered, static analysis tools make it easy to recheck a large body of code

—Some security defects exist in software for years before they are discovered, which makes the ability to review legacy code for newly discovered types of defects invaluable.

Limitations of Static Analysis

false positive is a problem reported in a program when no problem actually exists.

false negative: a problem exists in the program, but the tool does not report it.

The most common complaint against static analysis tools is too many false positives, AKA false alarms. (too much noise)

—False positives are certainly undesirable, but from a security perspective, false negatives are much worse.

For a static analysis tool to catch a defect, the defect must be visible in the code.

—It is often hard to derive the design vulnerabilities only form the implementation.

Categories of Static Analysis Tools

Static analysis is used more widely than many people realize, partially because there are many kinds of static analysis tools

Categories

—- Type checking

—- Style checking

—- Program understanding

—- Program verification

—- Property checking

—- Bug finding

—- Security review

Type Checking

The most widely used form of static analysis

Most programmers are familiar with

The rules of the type checking are typically defined by the programming language and enforced by the compiler

So, programmer gets little say in when the analysis is performed or how the analysis works.

Type checking removes entire categories of programming mistakes

Type checking suffers from false positives and false negatives just like all other static analysis techniques

Interestingly, programmers rarely complain about a type checker’s limitations

Type Checking False Positive Examples

Style Checking

Style Checkers generally enforce a pickier and more superficial set of rules than a type checker.

Pure style checkers enforce rules related to whitespace, naming, deprecated functions, commenting, program structure, ….

Because many programmers are attached to their own version of good style, most style checkers are quite flexible about the set of rules they enforce.

The errors produced by style checkers often affect the readability and the maintainability of the code but do not indicate that a particular error will occur

Over time, some compilers have implemented optional style checks

Many open source and commercial style checkers are available. a famous one is lint

ادامه مطلب و دانلود مقاله

References

Secure Programming with Static Analysis, Brian Chess, Jacob West, 2008, Chapters 2, 3 ,4.