Lecture 3: Buffer Overflows
- Playlist (length: 1:16:12)
- Optional: Some students have found these slides from Matthias Vallentin helpful: Normal x86 function call, a crash, a control-flow diversion, and code injection.
Buffer Overflow Analogy
What part of the airline ticketing system might be broken? How might you fix it?
In the last example of vulnerable code (with a function pointer), what should the attacker input as their name to take over control of the program? Assume the code the attacker wants to run is more than 20 bytes long.
Memory-Unsafe Languages are Dangerous
What are the four parts of C memory? What part of memory would a variable be stored if I define it: 1) outside any function, 2) as a local variable in a function, and 3) by calling malloc?
Note: The 61C review lecture has a review of C memory layout if you want a refresher.
x86 Function Call
What two values are saved on the stack when x86 calls a function? Why do we need to save these values?
Note: For more details on x86 function calls, consult the 61C review lecture.
Intro to Buffer Overflows
Overwriting the Return Address
Suppose there is a vulnerable local variable that the attacker can overflow at address X on the stack, and the return address of this stack frame is at address Y. What could the attacker input into the buffer to take over control of the program? (You can use expressions like X+Y or Y-12 in your answer.)
Note: You don’t need to know the specifics of number representation for projects or exams. You should know that 0xffffffff (a binary string of all 1s) is a very large number when interpreted as an unsigned integer, and -1 when interpreted as a signed integer.
Integer Overflow Vulnerability
Format String Vulnerability
Q2 on Homework 2 has some practice on format string vulnerabilities.
Vulnerabilities Outside the Stack
Note: You should know conceptually that the heap can be overflowed in C++ to take control of the program, but since C++ is not a prerequisite for the course, we won’t test you on C++ heap overflows on exams or projects.
Making Exploits Robust
What are some defenses we might use to stop buffer overflow attacks?