Analysis and Protection of buffer overflow Principle

Source: Internet
Author: User

In recent years, hacker attacks have frequently occurred, especially buffer overflow, which accounts for the vast majority of network remote attacks. this type of attack can allow anyone to gain full control of the system host, so it represents a very serious attack.

Buffer overflow attacks are common because they are too common and easy to implement. This is an inevitable problem in the software development history. the buffer zone vulnerability is caused by memory leakage because the programmer did not check the memory space when writing the program. Let's take a look at it below:

I. Cognition of Buffer Overflow

Buffer overflow is a means of system attacks. By writing code that exceeds its length in the program buffer zone, this will cause overflow and damage its stack, attackers can execute the Code already arranged in the address space of the program to achieve the goal. generally, hackers attack the root program and execute code similar to exec (sh) to obtain the root shell. it has two serious consequences:

1. overwrite the adjacent units of the stack. Cause program execution to fail, which can cause system crash.

2. Execute the recognition command code and obtain the system root privilege.

Nowadays, many people use C or C ++ to write programs, but too many people ignore the array boundary check and type security check, so most of today's overflow is related to the C language, overflow functions in C language may be: char s [n], strlen (s), strcpy (dst, src), p = malloc (n), strcat (s, suffix) and so on, so we should try to avoid using these dangerous functions, even if they are used, we must make a strict check. for easy understanding, let's look at a simple program:

/*
* Example. c
* Written by Devil_Angel <Devil___Angel@126.com>
* Gcc-o example. c
*/
Void func (char * str)
{
Char buf [8];
Strcpy (buf, str );
Printf ("% sn", buf );
}
Int main (int argc, char * argv [])
{
If (argc> 1)
Func (argv [1]);
} // End of main


During input, this program directly sends the str size to the array buf without checking it. Once the input exceeds the length of the buf, the simplest overflow occurs, of course, overflow like this generally only causes the Segmentation fault error, but cannot achieve the purpose of the attack. there is no further in-depth analysis here, but there is a general concept of overflow, and further analysis will be conducted in the future.

Ii. Buffer overflow vulnerability attack methods

The most common attack means is to run a User shell by creating a buffer overflow, and execute other commands through the shell. if the program inputs root and has suid permissions, the attacker can obtain a shell with root permissions and perform arbitrary operations on the system. next I will introduce how to control the program jump to the attack code:

· Activate Records)

In a program, every function call occurs, and an Activation Records is left in the stack. It includes the address returned when the function ends. Attackers can exploit these automatic variables to direct the address to the attack program code. by changing the return address of the program, the program jumps to the address set by the attacker at the end of the call, instead of the original address. this type of overflow is called stacks mashing attack.

· Function Pointers)

Void (* foo) (1) defines a variable foo that returns the Function pointer. Function Pointers can be used to locate any address space. therefore, you only need to find an overflow buffer near Function Pointers in any space, and then overflow it to change Function Pointers. at a certain point in time, when a program calls a Function through Function Pointers, the process of the program is implemented according to the hacker's intention (typical overflow programs include the Superprobe program in Linux ).

· Longjmpbuffers)

The C language contains a simple test/recovery system called setjmp/longjmp. set setjmp (buffer) at the test point and use longjmp (buffer) for restoration. however, If attackers can access the buffer space, longjmp (buffer) actually jumps to the attacker's program code. for Function Pointers, The longjmp buffer can point anywhere. Therefore, the attacker must find a buffer that can overflow.

The most common is to integrate the code embedding and opening records in a string. attackers can locate or provide overflow automatic variables, and then send a super-large string to the program. When the buffer overflow changes, the program code is embedded when the opening record is opened, so as to intrude into the system.

Iii. remote buffer overflow attacks

There are many methods to deal with buffer overflow attacks, but the following are also the most common and important methods:

1. Write strict code

Writing correct and strict code is a meaningful but time-consuming task. People with C programming or assembly language experience will have a deep understanding. Although software development has gone through a short time, however, vulnerability programs still exist, so people have developed some tools and technologies to help experienced programmers write secure programs. for example, advanced error checking tools, such as faultinjection. these tools are designed to search for code security vulnerabilities by manually generating random Buffer Overflow. however, due to the C language features, these tools cannot identify all buffer overflow vulnerabilities. therefore, the error detection technology can only be used to reduce the buffer overflow vulnerability and cannot completely eliminate its existence. the elimination of Errors still depends on programmers.

2. unexecutable stack data segment

The broken address space in the operating system is not executable, so that the attacker cannot execute the implanted attack code. However, the attacker does not necessarily need to implant the attack code to implement the buffer overflow attack, therefore, this method still has many weaknesses.

3. Use the boundary check of the program Compiler

Inserting code is one aspect that causes buffer overflow, and changing the program execution process is another aspect. the use of compiler boundary checks makes Buffer Overflow impossible, completely eliminating the threat of buffer overflow, but it is relatively costly.

4. pointer integrity check

The program pointer integrity check and boundary check are slightly different. the program pointer integrity check is performed before the program pointer is changed. therefore, even if the attacker successfully changes the pointer of the program, it will also become invalid because of the previously detected pointer changes. This way, although it cannot solve all the problems, it does prevent most buffer attacks, in addition, this method has a great advantage in performance and has good compatibility.

In the long run, to fundamentally eliminate the buffer overflow attack, the problem can be solved only by modifying the programming mode or CPU system. however, with the rapid development of information technology and people's increasing emphasis on network security, there will always be a day to address buffer overflow attacks.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.