Buffer overflow is a very common, very dangerous vulnerability, widely existed in various operating systems and applications. With buffer overflow attacks, it can lead to failure of the program, the system, restart, and other consequences. More seriously, it can be used to perform unauthorized instructions, and even obtain system privileges, in which various illegal operations can be made. Buffer overflow attacks There are multiple English names: Buffer overflow, Buffer Overrun, SMASH The Stack, Trash The Stack, Scribble The Stack, Mangle The Stack, Memory Leak, Overrun Screw; They refer to the same attack. The first buffer overflows the attack - MORRIS worm, which has caused more than 6,000 network servers in the world.
This article will analyze the principle of buffer overflow; study various types of buffer overflow vulnerabilities and attack methods; finally, it will also focus on various defense methods to eliminate the impacts caused by these vulnerabilities.
First, the principle of buffer overflow
Write the content of its length through the buffer buffer, resulting in overflow of the buffer, so that the program's stack is destroying the program to perform other instructions to achieve the purpose of attack. The reason for causing buffer overflow is that the parameters that the user input is not carefully checked in the program. For example, the following procedure:
Void function (char * str) {
Char buffer [16];
STRCPY (BUFFER, STR);
}
The above STRCPY () will directly click the contents in the STR COPY to the buffer. As long as the length of the STR is greater than 16, it will cause the buffer overflow to run an error. Standard functions with problems such as Strcpy have strcat (), sprintf (), vSprintf (), gets (), scanf (), etc.
Of course, it is necessary to fill things in the buffer to cause it to overflow generally only "segmentation fault), and cannot achieve the purpose of attack. The most common means is to make the program run a user shell by manufacturing a buffer overflow, and perform other commands via the shell. If the program belongs to root and has a SuID permission, an attacker gets a shell with root privileges that can operate anything.
The reason why the buffer overflow attack is a common security attack means is that the buffer overflow vulnerability is too common and is easy to implement. Moreover, the main means of buffer overflows into remote attacks The reason is that the buffer overflow vulnerability gives an attacker what he wants: implant and execute the attack code. The implanted attack code runs a program that has a buffer overflow vulnerability at a certain permissions, thereby obtaining control of the attacked host.
There are two types of buffers overflow in the 1998 Lincoln Laboratory to assess intrusion detection. In the 13 suggestions of CERT in 1998, it was related to the buffer overflow. In 1999, at least half of the recommendations were related to the buffer overflow. In Bugtraq's survey, 2/3 of the respondent believes that the buffer overflow vulnerability is a very serious security issue.
There are many forms of buffer overflow vulnerabilities and attacks, and they will describe and classify them in the second section. According to the corresponding defense means, the attack method is different, and will be described in Section IV, which includes effective defense means for each attack type.
Second, the buffer overflow vulnerability and the attack buffer overflow attack is to disturb the functions of the program with certain privileges, which makes the attacker to obtain the control of the program, if the program has sufficient permissions, then the entire host It was controlled. In general, the attacker attacks the root program, then performs the "Exec (SH" execution code to get the shell of root privileges. In order to achieve this, an attacker must reach the following two goals: 1. Arrange the appropriate code in the address space of the program.
2. Let the program jump to the address space of the invader arranged by appropriate initialization registers and memory.
Buffer overflow attacks are classified according to both objectives. At the 2nd .1 section, it will describe how the attack code is placed in the address space of the attacked program. At the time. 2, the attacker will introduce the attacker overflow, and the transfer to the attack code (this is the "overflow"). In the second .3, the code arrangement and control program execution process will be implemented in the first two quarters.
II .1 Method for arrangeing the appropriate code in the address space of the program
There are two ways to arrange an attack code in the attacked program address space:
1, implant:
The attacker enters a string to the attacked program, and the program will put this string into the buffer. The data contained in this string is a command sequence that can be run on this attacked hardware platform. Here, the attacker stores the attack code with a buffer that is attacked. The buffer can be set anywhere: stack (STACK, automatic variable), heap (HEAP, dynamically assigned memory area) and static data area.
2, use the existing code:
Sometimes, the code that the attacker wants is already in the attacked program, and the attacker has to pass some parameters to the code. For example, the attack code requires "EXEC (" / bin / sh ")", and the code in the libc library executes "EXEC (Arg)", where arg makes a pointer parameter to a string, then the attacker as long as the attacker The incoming parameter pointer changes to "/ bin / sh".
II .2 Method for transferring the program to the attack code
All of these methods are seeking to change the execution process of the program, so that it jumps to the attack code. The most basic thing is to overflow a buffer without a boundary check or other weakness, which disrupts the normal execution order of the program. By overflowing a buffer, an attacker can rewrite the adjacent program space with a violent approach and directly skip the system's inspection.
The classification of the classification is a program space type of buffer overflows from the attacker. In principle, it can be any space. In fact, many buffer overflows to seek changing program pointers with violence. The difference between such programs is that the breakthrough and different positioning of memory spaces. There are three main types: 1, Activation Records:
Whenever a function call occurs, the caller will leave an activity record in the stack, which contains the address returned at the end of the function. The attacker allows the return address to the attack code by overflowing the auto variable in the stack. By changing the process of returning the program, when the function call is over, the program jumps to the address set by the attacker, not the original address. Such buffers overflows are called stack overflow attacks, which are currently the most commonly used buffer overflow attack mode.
2, function pointer (Function Pointers):
Function pointer can be used to locate any address space. For example: "VOID (* foo) ()" declares a function pointer variable foo in return value to Void. Therefore, an attacker simply finds a buffer near the function pointer in any space, then overflows this buffer to change the function pointer. At some point, when the program comes from the function pointer, the program is implemented according to the attacker's intention. Its attack example is the SuperProbe program under the Linux system. 3, long jump buffer (longjmp buffers):
In the C language contains a simple inspection / recovery system called setjmp / longjmp. It means that "SetJMP (Buffer" is set in the inspection point, and "longjmp (buffer)" is used to recover the inspection point. However, if an attacker can enter the space of the buffer, "longjmp (buffer" is actually a code that jumps to the attacker. Like a function pointer, the longjmp buffer can point to anywhere, so an attacker has to do to find a buffer that can overflow. A typical example is the buffer overflow vulnerability of Perl 5.003; the attacker first enters the longjmp buffer used to restore buffers, and then induce the recovery mode, so that the Perl interpreter jumps to the attack code.
II .3 Code Implantation and Process Control Technology The simpler and common buffer overflow attack type is integrated in a string to integrate code implantation and activity record technology. The attacker locates a free automatic variable, then transmits a large string to the program, which is incorporated into the code while changing the buffer overflow. This is a template that is attacked by Levy. Because C is very common to open a small buffer for users and parameters, this vulnerability attack is very common.
Code implantation and buffer overflow do not have to be completed within one action. Attackers can place code in a buffer, which is a buffer that cannot overflow. The attacker then transfer the program's pointer by overflowing another buffer. This method is generally used to solve the case where the buffer that can be overflow is not large (not all of the code).
If an attacker tries to use the already resident code instead of an implantation code, they usually have to call the code as a parameter. For example, some code segments in LIBC (almost all C processes must be connected) execute "Something", where Somthing is the parameter. The attacker then uses the buffer overflows the parameters of the program, and then exploits the other buffer overflow to point the program pointer to the specific code segment in the libc.
Third, the experimental analysis of the buffer overflow attack
In January 2000, the Cerberus security team issued a buffer overflow vulnerability in Microsoft's IIS 4/5. Attacking the vulnerability, allowing the web server to crash, and even get super authority execution arbitrary code. At present, Microsoft IIS 4/5 is a mainstream web server program; thus, the buffer overflow vulnerability has a great threat to the security of the website; its description is as follows:
The browser proposes an HTTP request to IIS. After the domain name (or IP address), add a file name, which is a suffix by ".htr". So IIS believes that the client is requesting a ".htr" file, ". Htr" extension file being imaged as an ISAPI (Internet Service API) application, IIS will reset to all requests for ".htr" resources to ISM.DLL programs ISM.DLL opens this file and execute it.
The file name contained in the request submitted by the browser is stored in the local variable buffer. If it is very long, more than 600 characters, it will cause local variable buffers overflow, override the return address space, make IIS crash. Further, an aligned code is implanted in the 2K buffer shown in Figure 1, which can be operated in system super authority. Fourth, the method of preventing the attack attack
Buffer overflow attacks account for the vast majority of remote network attacks, which allows an anonymous Internet user to have the opportunity to get part or all of the controls of a host. If the buffer overflows can effectively eliminate the buffer overflow, a large part of the security threat can be relieved.
There are currently four basic methods to protect buffers from attacks and impacts from buffer overflow.
In the four.11, the operation system is not executed by the operating system, thereby preventing an attacker implantation attack code.
In the four .2, it introduces a method for enforcing the correct code.
In the four .3, the boundary check using the compiler is described to achieve the protection of the buffer. This method makes the buffer overflow impossible, thus completely eliminating the threat of buffer overflow, but relatively considerable cost.
In the four .4, an indirect method is described, which performs integrity check prior to the failure of the program pointer. Although this method does not make all buffer overflow failures, it prevents most buffer overflow attacks. then
At the four .5, the compatibility and performance advantages of this protection method are analyzed.
Four .1 Non-executed buffers cannot be executed by the data segment address space of the attacked program, so that the attacker cannot perform the code that is implanted by the attack program input buffer, this technology is called non-executable buffering District technology. In the early Unix system design, only the program code is permitted in the code segment. However, the recent UNIX and MS Windows systems are often dynamically placed in the data segment in the data segment, which is also the root source of the buffer overflow. In order to keep the compatibility of the program, it is impossible to make the data segment of all programs cannot be implemented.
However, you can set the stack data segment to be unauthorized so that the compatibility of the program can be guaranteed. Linux and Solaris have released kernel patches in this regard. Because there is almost no legal program stores code in the stack, this approach does not generate any compatibility issues, except for two special cases in Linux, the executable code must be placed in the stack:
(1) Signal delivery:
LINUX executes the code to send UNIX signals to the process by initiating an interrupt to the process stack release code and initiate an interrupt. The patch of non-performing buffers is to allow the buffer to be executed when the signal is transmitted.
(2) GCC's online reuse:
The study found that GCC placed executable code in the stack area as an online reuse. However, shutting down this feature does not have any problems, only some of the features don't seem to be used.
The protection of non-performing stacks can effectively deal with buffer overflow attacks that implant the code implanted automatic variables, and there is no effect on other forms of attacks. This protection can be skipped by reference to a pointer to a resident program. Other attacks can be used to skip the code implant or static data segments.
IV .2 Writing the correct code
Writing the right code is a very meaningful job, specialty like writing C language style freedom, which is easy to errors, which is caused by the pursuit of performance and ignores the correctness. Despite the long time, people know how to write a safe program, the procedures with security vulnerabilities still appear. So people have developed some tools and techniques to help programmakers write safely correct procedures.
The easiest way is to use GREP to search for the source of libraries to generate a library of vulnerabilities, such as calls to StrCPY and SPRINTF, and these two functions do not check the length of the input parameters. In fact, there are such problems in the standard libraries of each version C.
In addition, people have also developed some advanced check-in tools such as Fault Injection. The purpose of these tools is to spill out some buffers to find out security vulnerabilities in some buffers randomly. There are also some static analysis tools to detect the existence of buffer overflow. Although these tools help programmers develop a safer program, these tools cannot find all buffer overflow vulnerabilities due to the characteristics of C language. Therefore, the detection error can only be used to reduce the possibility of buffer overflow, and it does not completely eliminate its existence.
