computer security and penetration testing chapter 12 buffer overflows

Download Computer Security and Penetration Testing Chapter 12 Buffer Overflows

Post on 30-Dec-2015

220 views

Category:

Documents

1 download

Embed Size (px)

TRANSCRIPT

  • Computer Security and Penetration TestingChapter 12Buffer Overflows

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*ObjectivesDescribe buffer overflowList types of buffer overflowsIdentify techniques used to cause a buffer overflowComprehend techniques used to detect buffer overflow conditionsUnderstand methods used in preventing buffer overflows

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Buffer OverflowsBuffer overflowCondition common to structured programming languages such as the C languageHappens when input applied to a variable is larger than the memory allotted to that variableWhen an attacker sends input in excess of the expected range of the valueThe target system will either crash or execute the malicious code sent by the attacker

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Standard Execution of a C programmain functionEntry point to the detailed code in the applicationResponsible for calling other functionsEach of which executes a particular task, and may call other functions in turnFunctions use variables to store values that may be stored temporarily or permanentlyOnce a function has completed, the program control returns to the calling or invoking function

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Standard Execution of a C program (continued)Buffer overflow bug targets the variables that are used by functions to store valuesVariables are assigned a fixed memory space to store the dataBuffer overflow has a goal of overloading the memory space provided to the variableExtra characters are stored in a memory space that is not assigned to the variable

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Standard Execution of a C program (continued)Function with an overloaded variable is not able to determine the function that called itCould result in the crashing of the programHackers are able to manipulate the value provided to the variable So it is stored in a specific memory space to execute some predetermined malicious codeBuffer overflows are not always intentional attacks

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Standard Execution of a C program (continued)Avoiding buffer overflowsCheck to see that no value greater than the memory assigned to the variable is specified for itDefine the sequence of steps that the program has to follow in case of a buffer overflowExecutable space protectionOn some specific operating systems, the kernel can be patched in such a way that running processes are not affected by buffer overflow conditions

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Types of Buffer OverflowsBuffer overflows can be divided into two categories: stack overflow and heap overflow

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Stack OverflowPrograms use a memory stack area to store values for variablesStack is intended to ensure that there is sufficient memory space for all functions to operateOccasionally the stack is insufficient to complete the functions and an error is generatedStack stores details regarding the function that called the currently executing functionInformation can be lost after the stack is corrupted

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Stack Overflow (continued)Hackers write the code for a buffer overflow in such a manner thatThe code to which a functions pointers are indicating is code of the hackers choosingProcess of an exploitHacker searches for a chance to overflow the bufferHacker determines memory assigned to the variableHacker specifies a value greater than the maximum capacity of the variableVariable takes the value

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Stack Overflow (continued)Hacker checks for some specific functions to ascertain the possibility of a buffer overflowstrcpyscanffgetswstrcpywstrncatsprintfgetsstrcat

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Heap OverflowsA heap is similar to a stackProvides memory to the application various functionsProvides a permanent memory spaceData stored in a heap can be used throughout various functions and commandsA heap is randomly accessed because it stores values staticallySize of a heap usually grows as new variables values are introduced

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Heap Overflows (continued)

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Heap Overflows (continued)Heap overflow is known as the corruption of the instruction pointerInstruction pointer points to the memory area where the function to be executed is stored

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*More Methods for Causing a Buffer OverflowTraditional methods includeProviding input values that are greater than the memory allocated for a variableThis section details two other methods:Character-set decodingNybble-to-byte compression

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Character-Set DecodingUses the characters that are read differently by the computer and acquire larger spaceAdditional bytes of data may cause the input value to exceed the memory limitation of the variableApplicable to situations in which the user specifies a value from an HTML pageBecomes a weakness whenever a back-end script reads the codeAnd, after expanding the value, results in a buffer overflow

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Character-Set Decoding (continued)

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Character-Set Decoding (continued)Size of the stack is computer-dependentBuffer overflow may not happen until a value that exceeds the stack size is specifiedBuffer overflow may occur when verification for the length of the input value is made at the client-side And the back-end script accepts it without performing checksDouble validationIndicates to potential hackers that buffer overflow exploits are not possible on your Web site

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Character-Set Decoding (continued)

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Nybble-to-Byte CompressionCompression of data that is passed as input value to variables of the function that might be overflowedMethod uses the buffer in a more efficient manner with a higher amount of dataFocus is to minimize code sizeSo hackers can double the amount of code in buffer

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Buffer Overflows: Detection and PreventionIdentify programming practices and functions that are potentially vulnerable to buffer overflow

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Detecting Buffer OverflowIdentify the functions and variables that can lead to buffer overflowsCheck the reaction of the application whenever a large set of character data is supplied to a variableFunction may include length verificationAnd thus return an error message if the data exceeds the expected sizeCan be a painstaking, tedious processBecause all variables that accept values must be checked

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Detecting Buffer Overflow (continued)Precaution should be taken to ensure that the input data is provided in the correct formatFor interactive Web pagesConsider that the hidden data is also a part of the input that is given to the stringWhen specifying the input dataIt is important to check that no NULL characters (empty fields) are being passed

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Preventing Buffer OverflowAfter a buffer overflow exploit has been detectedThe probability of its existence in other applications by the same vendor is higherBug is typically fixed by programming the functions to perform an input validity checkProviding a null terminator will prevent the buffer overflow evenIf additional values have been specified

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Preventing Buffer Overflow (continued)Consider developing specific programming guideline policies for your organizationHaving, understanding, and applying secure-coding best practices may not be entirely foolproofOptions are available to avoid the use of function calls that are vulnerable to buffer overflows

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Preventing Buffer Overflow (continued)

    Computer Security and Penetration Testing

  • Computer Security and Penetration Testing*Preventing Buffer Overflow (continued)Checks must be made to validate the input value

Recommended

View more >