Buffer Overflows
-
As I'm a network administrator in my full-time job and a programmer in my spare time, I'm curious about Buffer Overflows. I've seen many security vulnerabilities released as an exploit of a Buffer Overflow. What exactly does this mean, and how can I as a programmer prevent them from happening? Thanks! Frank "Keyboard Error - Press F1 to Continue"
-
Consider this old practice: char input[20]; scanf("%s", input); If you enter up to 20 chars it's OK, but over 20 chars causes the buffer to overflow and an exception is raised.
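The scanf("%s") pattern above has no upper bound on what it writes. The following is an added example, not code from the poster: it reads a token into a 20-byte buffer with a field width of 19 so the terminating NUL always fits, builds that width from the real buffer size so the two cannot drift apart, and uses the %n conversion to report whether the token was cut short rather than silently truncating. The function name and the constructed sample inputs are mine.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Same capacity as the post's char input[20]. */
#define INPUT_SIZE 20

/* Read one whitespace-delimited token from `src` into `dst`, which has
 * room for `dstsz` bytes. Never writes more than dstsz-1 characters
 * plus the NUL. Returns true only when the whole token fit; returns
 * false when it was truncated or when no token was present.
 *
 * The unsafe original is  scanf("%s", input);  -- no width, so a
 * 25-character token writes 26 bytes into a 20-byte buffer. */
bool read_token_bounded(const char *src, char *dst, size_t dstsz)
{
    char fmt[32];
    int consumed = 0;

    if (dstsz == 0)
        return false;

    /* Generate "%19s%n" from the actual capacity instead of hard-coding
     * the literal 19 next to a separate 20 in the declaration. */
    snprintf(fmt, sizeof fmt, "%%%zus%%n", dstsz - 1);

    if (sscanf(src, fmt, dst, &consumed) != 1) {
        dst[0] = '\0';          /* nothing read: leave a valid empty string */
        return false;
    }

    /* %n gives the index just past the characters we kept. If the source
     * continues with a non-delimiter there, the token was longer than
     * the buffer and has been truncated. */
    const char *next = src + consumed;
    return *next == '\0' || strchr(" \t\r\n", *next) != NULL;
}

int main(void)
{
    char input[INPUT_SIZE];
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *ok = "hello";
    const char *too_long = "0123456789ABCDEFGHIJKLMNOP";   /* 26 chars */

    bool fit = read_token_bounded(ok, input, sizeof input);
    printf("\"%s\" -> \"%s\" (fit: %s)\n", ok, input, fit ? "yes" : "no");

    fit = read_token_bounded(too_long, input, sizeof input);
    printf("\"%s\" -> \"%s\" (fit: %s)\n", too_long, input, fit ? "yes" : "no");
    return 0;
}
```

With the width in place an over-long token is cut at 19 characters and the caller is told so; without it the same input is the overflow the post describes.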
-
In terms of prevention, look for strsafe.h on the MSDN web-site. 99.9% of the time, the buffer overflow attack is possible because someone was lax about checking what was being copied into a buffer, either because their routine doesn't know how big a buffer it's been given, or they just didn't bother. It has to be said that the new features of the VS.NET C++ compiler help, but the problem is that the developer is likely to take the view that their code is safe because it didn't flag up as an overrun when it was tested. The real question is: can it be made to overrun? Steve S
-
A buffer overflow is simply when you write past the end of a buffer. This typically means that you overwrite whatever was on the stack before the buffer. The major problem here is how the program stack is organised on an x86 system. The return address of a called function is stored on the stack by the CALL instruction. Overwriting the return address can cause the program to jump to a different address. If the attacker knows where the buffer is located in memory, he can write program code to the buffer, and cause the program to jump to an address in the buffer, executing the code he put there. Strictly speaking this is a stack buffer overflow. The return address gets overwritten because the stack grows downwards in memory (towards lower addresses), whereas string operations proceed upwards in memory (towards higher addresses). It's also possible to cause a heap buffer overflow, but this is usually less serious. However, if the attacker manages to overwrite a C++ object's vtable pointer, and the program calls a virtual function, he can again redirect the program's execution.

You can avoid buffer overflows by checking your buffer code. Be wary of calls to strcpy or any other function that performs an uncounted copy operation. Check that the sizes you've passed to counted copy operations are correct - some Windows functions take counts of elements, while others take counts of bytes. If you're working with WCHARs or TCHARs, remember that they can be 2 bytes in size (and therefore you need to divide the result of sizeof by sizeof(WCHAR) for an element-oriented function). If you ensure that you only ever write an amount of data less than or equal to the size of the buffer, you will never have a buffer overflow.

Stability. What an interesting concept. -- Chris Maunder
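The two rules in the answer above (no uncounted copies; pass the count in the units the function expects) can be checked mechanically. The following is an added example and not Chris Maunder's code: a checked copy that refuses an over-long source instead of truncating it, the same for wide strings counted in elements, and a comparison showing what goes wrong when sizeof(buffer) (bytes) is handed to an element-counted check. It uses standard wchar_t rather than the Windows WCHAR typedef; the function names, the ELEMS macro and the sample strings are mine.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <wchar.h>

/* Element count of an array: the sizeof / sizeof(element) division the
 * post describes. Only valid on a real array, not on a pointer. */
#define ELEMS(a) (sizeof(a) / sizeof((a)[0]))

/* The pattern to be wary of is the uncounted copy:
 *     strcpy(dst, src);
 * It writes strlen(src)+1 bytes no matter how large dst is. */

/* Counted copy that refuses rather than truncates. Copies src into dst
 * (capacity dstsz BYTES) only if the whole string plus its NUL fits.
 * Returns true on success; on failure dst is left as an empty string. */
bool copy_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return false;
    if (n >= dstsz) {           /* n+1 bytes needed, only dstsz available */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);
    return true;
}

/* Wide-character version. The capacity is in ELEMENTS (wchar_t units),
 * which is what callers get wrong when they pass sizeof(buffer). */
bool wcopy_checked(wchar_t *dst, size_t dst_elems, const wchar_t *src)
{
    size_t n = wcslen(src);
    if (dst_elems == 0)
        return false;
    if (n >= dst_elems) {
        dst[0] = L'\0';
        return false;
    }
    wmemcpy(dst, src, n + 1);
    return true;
}

/* Just the fits-or-not decision, so the byte/element confusion can be
 * shown without performing the write that would overrun. */
bool fits_wide(size_t dst_elems, const wchar_t *src)
{
    return wcslen(src) < dst_elems;
}

int main(void)
{
    char small[8];
    wchar_t wbuf[8];
    const wchar_t *ten = L"0123456789";   /* constructed: 10 elements */

    printf("copy \"1234567\" into char[8]:  %s\n",
           copy_checked(small, sizeof small, "1234567") ? "ok" : "refused");
    printf("copy \"12345678\" into char[8]: %s\n",
           copy_checked(small, sizeof small, "12345678") ? "ok" : "refused");

    /* Correct: element count. Wrong: byte count, which is
     * sizeof(wchar_t) times too large and lets the 10-element string
     * through a check on an 8-element buffer. */
    printf("10 wide chars vs ELEMS(wbuf)=%zu: %s\n", ELEMS(wbuf),
           fits_wide(ELEMS(wbuf), ten) ? "accepted" : "refused");
    printf("10 wide chars vs sizeof wbuf=%zu: %s  <-- the bug\n", sizeof wbuf,
           fits_wide(sizeof wbuf, ten) ? "accepted" : "refused");

    return wcopy_checked(wbuf, ELEMS(wbuf), L"abcdefg") ? 0 : 1;
}
```

Refusing rather than truncating is a deliberate choice: truncation silently changes the data, and in a path or a format string a silently shortened value is its own class of bug.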