Lecture 3: Buffer Overflows

Buffer Overflow Analogy

What part of the airline ticketing system might be broken? How might you fix it?

Vulnerable Code

In the last example of vulnerable code (with a function pointer), what should the attacker input as their name to take over control of the program? Assume the code the attacker wants to run is more than 20 bytes long.

Memory-Unsafe Languages are Dangerous

What are the four parts of C memory? What part of memory would a variable be stored if I define it: 1) outside any function, 2) as a local variable in a function, and 3) by calling malloc?

Note: The 61C review lecture has a review of C memory layout if you want a refresher.

x86 Function Call

What two values are saved on the stack when x86 calls a function? Why do we need to save these values?

Note: For more details on x86 function calls, consult the 61C review lecture.

Intro to Buffer Overflows

Overwriting the Return Address

Suppose there is a vulnerable local variable that the attacker can overflow at address X on the stack, and the return address of this stack frame is at address Y. What could the attacker input into the buffer to take over control of the program? (You can use expressions like X+Y or Y-12 in your answer.)

Signed/Unsigned Vulnerability

Note: You don’t need to know the specifics of number representation for projects or exams. You should know that 0xffffffff (a binary string of all 1s) is a very large number when interpreted as an unsigned integer, and -1 when interpreted as a signed integer.

Integer Overflow Vulnerability

Format String Vulnerability

Q2 on Homework 2 has some practice on format string vulnerabilities.

Vulnerabilities Outside the Stack

Note: You should know conceptually that the heap can be overflowed in C++ to take control of the program, but since C++ is not a prerequisite for the course, we won’t test you on C++ heap overflows on exams or projects.

Making Exploits Robust

What are some defenses we might use to stop buffer overflow attacks?