Let us first understand what Buffers are…
 
A buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Buffers are memory storage regions that temporarily hold data while it is being transferred from one location to another.
 
 
 
These buffers typically live in RAM. Computers frequently use buffers to improve performance; most modern hard drives take advantage of buffering to access data efficiently, and many online services also use buffers. For example, buffers are frequently used in online video streaming to prevent interruptions. When a video is streamed, the video player downloads and stores perhaps 20% of the video at a time in a buffer and then plays from that buffer. This way, minor drops in connection speed or brief service disruptions won’t affect the playback.
 
Buffers are designed to contain specific amounts of data. Unless the program utilizing the buffer has built-in instructions to discard data when too much is sent to the buffer, the program will overwrite data in memory adjacent to the buffer.
-

What Are Buffer Overflow Attacks?

A buffer overflow, or buffer overrun, occurs when more data is put into a fixed-length buffer than the buffer can handle. The extra information, which has to go somewhere, can overflow into adjacent memory space, corrupting or overwriting the data held in that space. This overflow usually results in a system crash, but it also creates the opportunity for an attacker to run arbitrary code or manipulate the coding errors to prompt malicious actions.
 
For example, a buffer for log-in credentials may be designed to expect username and password inputs of 8 bytes, so if a transaction involves an input of 10 bytes (that is, 2 bytes more than expected), the program may write the excess data past the buffer boundary.
 
An attacker can deliberately feed a carefully crafted input into a program that will cause the program to try to store that input in a buffer that isn’t large enough, overwriting portions of memory adjacent to the buffer space. If the memory layout of the program is well-defined, the attacker can deliberately overwrite areas known to contain executable code. The attacker can then replace this code with his own executable code, which can drastically change how the program is intended to work.
 
Here is an example. If the overwritten region of memory contains a pointer (an object that holds the address of another place in memory), the attacker’s input could replace that pointer with one that points to an exploit payload. This can transfer control of the whole program to the attacker’s code.
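To make the credential example above concrete, here is an added C example (not code from the original post) that places the classic unbounded copy next to a bounded one. The 8-byte credential field and the `"admin"` comparison are assumptions chosen to match the post's scenario; `copy_bounded` is a helper written for this example, not a standard library routine.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CRED_LEN 8  /* the post's example: a field sized for 8-byte credentials */

/* Vulnerable form (never call this with untrusted input): strcpy() trusts the
 * source length, so a 10-byte name writes 2 bytes plus the terminator past
 * the end of `user`, into whatever the compiler placed next to it. */
int login_unsafe(const char *name) {
    char user[CRED_LEN];
    strcpy(user, name);                 /* unbounded copy: the bug */
    return strcmp(user, "admin") == 0;
}

/* Bounded copy that fails closed. Returns 0 on success, -1 if `src` does not
 * fit in `dstsz` bytes including the terminating NUL. On failure `dst` is left
 * as an empty string so a caller cannot accidentally use a half-copied value.
 * Unlike strncpy(), the result is always NUL-terminated. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t n = 0;
    if (dstsz == 0) return -1;
    while (n < dstsz && src[n] != '\0')  /* never reads more than dstsz bytes */
        n++;
    if (n == dstsz) {                    /* no room left for the NUL: reject */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);             /* n bytes plus the terminator */
    return 0;
}

/* Hardened form: oversized input is rejected before it touches the buffer.
 * Returns 1 for a match, 0 for a mismatch, -1 for input that does not fit. */
int login_safe(const char *name) {
    char user[CRED_LEN];
    if (copy_bounded(user, sizeof user, name) != 0)
        return -1;                       /* too long: treat as a failed login */
    return strcmp(user, "admin") == 0;
}

int main(void) {
    printf("admin      -> %d\n", login_safe("admin"));       /* 1: accepted */
    printf("alice      -> %d\n", login_safe("alice"));       /* 0: wrong user */
    printf("1234567    -> %d\n", login_safe("1234567"));     /* 0: 7 bytes + NUL fit */
    printf("0123456789 -> %d\n", login_safe("0123456789"));  /* -1: 10 bytes rejected */
    return 0;
}
```

The point of `copy_bounded` is that the length check happens before any write and the failure path leaves nothing half-written; that is the "built-in instruction to discard data when too much is sent" the post says a program needs.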
-

What is the root reason for buffer overflow attacks?

Certain programming languages are more susceptible to buffer overflow than others. Low-level programming languages such as C, C++, Fortran, Assembly, etc. have no built-in protections against accessing or overwriting data in their memory.
 
👉 Most operating systems, such as Windows, Mac OS X, and Linux, ALL contain code written in one or both of these languages (C and C++). So the unfortunate reality is that buffer overflow attacks, as a class of security threat, are not likely to go away any time soon. It’s just a question of how well security professionals can proactively address the problem or deal with it when it arises in a new form.
 
However, more modern languages like JavaScript, Java, Perl, PHP, Python, and C# have built-in features that help reduce the chances of buffer overflow, but they cannot prevent it altogether.
-

👉 Many kinds of buffer overflow attacks are possible

  1. Stack attacks. The buffer here is the stack, a fairly small chunk of memory that programs use to manage call returns (among other things). By overwriting key areas of the stack with too much data, the attacker manages to trick the program to return to (that is, execute) his own code, located elsewhere in RAM, as opposed to the correct code. Stack overflows are the most common, well-known of all buffer overflow attacks.
  2. Heap attacks. The heap is a much larger chunk of memory used to store more complex data such as images, or text, that relates to the program. The premise here is similar to the previous, but is trickier for the attacker to implement because the heap isn’t directly used to determine where in memory executable code is located.
  3. Arithmetic attacks. These buffer overflow attacks emerge from the way C handles signed vs. unsigned numbers. Specifically, a negative (signed, minus-sign) number that requires little memory space can be converted to a much larger unsigned number that requires much more memory. A crash subsequently occurs and can be leveraged to yield an attack.
  4. Format attacks. Text strings, rather like signed numbers, are sometimes converted automatically from a smaller format to a larger (such as by operating systems that require Unicode values). This means attackers can design a buffer overflow attack that exceeds the buffer length if the programmer hasn’t been careful to take into account the larger format.
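The arithmetic attack in item 3 is easiest to see in a length check. The following is an added C example, not code from the post: a signed length that passes an upper-bound-only check and then becomes a huge `size_t`, next to the corrected check, applied to a small length-prefixed record format that is assumed for this example (one signed length byte followed by the payload; `RECORD_MAX` is likewise an assumed buffer size).

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RECORD_MAX 64   /* assumed size of the fixed destination buffer */

/* Flawed length check in the shape the post describes: the limit is compared
 * in signed arithmetic, so a negative length passes, and the same value is
 * then converted to size_t for the copy. Returns the byte count that would be
 * handed to memcpy(), or 0 when the check rejects the length. */
size_t copy_len_flawed(int len) {
    if (len > RECORD_MAX)
        return 0;                   /* only the upper bound is checked */
    return (size_t)len;             /* -1 becomes SIZE_MAX here */
}

/* Fixed check: reject negative lengths explicitly. (Using an unsigned type for
 * the length in the first place is the other common fix.) */
size_t copy_len_fixed(int len) {
    if (len < 0 || len > RECORD_MAX)
        return 0;
    return (size_t)len;
}

/* Parse a constructed length-prefixed record: byte 0 is a signed 8-bit length
 * (a format assumed for this example), bytes 1.. are the payload. Copies the
 * payload into `out`, which must hold RECORD_MAX bytes, and returns the payload
 * length, or -1 for a malformed record. Because it uses the fixed check, a
 * length byte of 0xFF (-1 as int8_t) is rejected instead of becoming a huge
 * copy that would overrun `out`. */
int parse_record(const uint8_t *msg, size_t msglen, uint8_t *out) {
    int len;
    size_t n;
    if (msglen < 1) return -1;
    len = (int8_t)msg[0];                /* signed on purpose: the bug class */
    n = copy_len_fixed(len);
    if (n == 0 && len != 0) return -1;   /* negative or larger than RECORD_MAX */
    if (msglen - 1 < n) return -1;       /* truncated message */
    memcpy(out, msg + 1, n);
    return (int)n;
}

/* Two constructed records, so the behaviour can be checked offline. */
int parse_sample_good(void) {
    const uint8_t msg[] = { 3, 'a', 'b', 'c' };   /* length 3, payload "abc" */
    uint8_t out[RECORD_MAX];
    return parse_record(msg, sizeof msg, out);      /* 3 */
}

int parse_sample_negative(void) {
    const uint8_t msg[] = { 0xFF, 'a' };           /* length byte reads as -1 */
    uint8_t out[RECORD_MAX];
    return parse_record(msg, sizeof msg, out);      /* -1: rejected */
}

int main(void) {
    printf("flawed check, len -1 -> copy of %zu bytes\n", copy_len_flawed(-1));
    printf("fixed check,  len -1 -> copy of %zu bytes\n", copy_len_fixed(-1));
    printf("good record -> %d\n", parse_sample_good());
    printf("negative-length record -> %d\n", parse_sample_negative());
    return 0;
}
```

`copy_len_flawed(-1)` returns `SIZE_MAX` (the C standard guarantees that converting -1 to an unsigned type yields the type's maximum), which is exactly the "much larger unsigned number" the post describes; passing it to `memcpy` would run far past a 64-byte buffer.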
-

Buffer Overflow and the Web

Even programmers who use high-level languages should know and care about buffer overflow attacks. Their programs are often executed within operating systems that are written in C, or use runtime environments written in C, and this C code may be vulnerable to such attacks. To see how a buffer overflow vulnerability may affect a programmer using a high-level language, you can analyze CVE-2015-3329, a real security vulnerability that was discovered in the PHP standard library in 2015 and has since been fixed.
 
In 2014, a threat known as ‘Heartbleed’ also exposed hundreds of millions of users to attack because of a buffer overflow vulnerability in SSL software.
-
 
How to Avoid Buffer Overflow?
 
Buffer overflow vulnerabilities are caused by programmer mistakes that are easy to understand but much harder to avoid and protect against.
 
Luckily, modern operating systems have runtime protections which help mitigate buffer overflow attacks. Here are common protections that help mitigate the risk of exploitation:
  1. Address Space Layout Randomization (ASLR) - Randomly rearranges the address space locations of key data areas of a process. Buffer overflow attacks generally rely on knowing the exact location of important executable code; randomizing the address space makes that nearly impossible.
  2. Data Execution Prevention (DEP) - Marks certain areas of memory either executable or non-executable, preventing an exploit from running code found in a non-executable area.
  3. Structured exception handler overwrite protection (SEHOP)

Software developers can also take precautions against buffer overflow vulnerabilities by writing in languages that have built-in protections or by using special security procedures in their code.
 
Despite precautions, new buffer overflow vulnerabilities continue to be discovered by developers, sometimes in the wake of a successful exploitation. When new vulnerabilities are discovered, engineers need to patch the affected software and ensure that users of the software get access to the patch.
-
Guys, I have tried my best to deliver to you the most important pieces of information regarding buffer overflow attacks. I welcome your views about this post.
Please leave me your thoughts in the comment section.
 
 

This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so passionate about the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.

30,000+ professionals follow her on Facebook and are impressed by the quality of the content of her posts.

If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:

Click Here to follow her: Cybersecurity PRISM