CSC 2400: Computer Systems Stack Buffer Overflow Attacks Summary - - PowerPoint PPT Presentation



SLIDE 1

CSC 2400: Computer Systems Stack Buffer Overflow Attacks

SLIDE 2

Summary

  • Invoking a function
    - CALL: call the function
    - RET: return from the function

  • Stack Frame for a function call includes
    - Function arguments
    - Return address
    - Local variables
    - Saved registers

  • Base pointer EBP
    - Fixed reference point in the Stack Frame
    - Useful for referencing arguments and local variables

SLIDE 3

Function Calls

  • main calls add3
    - Push arguments on the stack
    - Push return address on stack
    - Jump to add3
    - Allocate local variables on stack, save registers, etc.

  • Returning to main
    - Clear the stack frame for add3
    - Pop return address from stack

    int add3(int a, int b, int c)
    {
        int d;
        d = a + b + c;
        return d;
    }

    int main()
    {
        int sum, avg;
        sum = add3(3, 4, 5);
        avg = sum / 3;
        return avg;
    }

Stack layout when main calls add3 (higher addresses at the top of the picture, ESP marking the top of the stack):

    Stack Frame for main
    ----------------------------------
    5                (argument c)
    4                (argument b)
    3                (argument a)
    Return Address
    ----------------------------------   <- ESP
    Stack Frame for add3 (local variables, saved registers)

SLIDE 4

Computer Malware

  • Normal stack (low address at the top of the picture, high address at the bottom):

        buffer | Saved EBP | Return Address (a valid address)

  • Buffer Overflow Attack: the overflowed region runs past the end of the buffer

        buffer + malicious code ... | New Return Address
        |<-------- overflowed region ------->|

  • Stack buffer overflow attacks: the bytes written past the buffer replace the saved EBP and the return address, so the function returns to the new return address, which points at the malicious code
  • Heap buffer overflows are also common (overwrite pointer addresses)

SLIDE 5

Stack frame before gets; buf is a 4-byte array starting at EBP-4, below the saved (old) EBP and the return address:

    Address   Contents
    EBP+4     Return Address (0x08048424)
    EBP       Old EBP
    EBP-4     buf[0] buf[1] buf[2] buf[3]

SLIDE 6

gets reads the string "123" (0x31 0x32 0x33 plus the terminating 0x00) into the 4-byte buf; it fits exactly:

    Address   Before gets                      After gets
    EBP+4     Return Address (0x08048424)      Return Address (0x08048424)
    EBP       Old EBP                          Old EBP
    EBP-4     buf[0] buf[1] buf[2] buf[3]      0x31 0x32 0x33 0x00

SLIDE 7

With the input "1234" the four characters fill buf and the terminating 0x00 is written past it, into the first byte of Old EBP (the rest of Old EBP is shown as "..."):

    Address   Before gets                      After gets
    EBP+4     Return Address (0x08048424)      Return Address (0x08048424)
    EBP       Old EBP                          0x00 ...
    EBP-4     buf[0] buf[1] buf[2] buf[3]      0x31 0x32 0x33 0x34

SLIDE 8

With the input "1234567" the bytes 0x35 0x36 0x37 and the terminating 0x00 overwrite all four bytes of Old EBP:

    Address   Before gets                      After gets
    EBP+4     Return Address (0x08048424)      Return Address (0x08048424)
    EBP       Old EBP                          0x35 0x36 0x37 0x00
    EBP-4     buf[0] buf[1] buf[2] buf[3]      0x31 0x32 0x33 0x34

SLIDE 9

With the input "123456780000" the overflow reaches the return address: Old EBP becomes 0x35 0x36 0x37 0x38, the return address becomes 0x30 0x30 0x30 0x30, and the terminating 0x00 lands above it:

    Address   Before gets                      After gets
    EBP+8                                      0x00
    EBP+4     Return Address (0x08048424)      0x30 0x30 0x30 0x30
    EBP       Old EBP                          0x35 0x36 0x37 0x38
    EBP-4     buf[0] buf[1] buf[2] buf[3]      0x31 0x32 0x33 0x34

SLIDE 10

The same overflow viewed as 32-bit words: the bytes 0x35 0x36 0x37 0x38 written over Old EBP read (little-endian) as 0x38373635, and the return address has been replaced by 0x00000000 (the slide also shows the trailing 0x00 terminator):

    Address   Before gets                      After gets
    EBP+4     Return Address (0x08048472)      0x00000000
    EBP       Old EBP                          0x38373635
    EBP-4     buf[0] buf[1] buf[2] buf[3]      0x31 0x32 0x33 0x34

SLIDE 11

Instead of arbitrary characters, the input places some valid address over Old EBP and the address of a function Fire over the return address, so when the function returns it jumps to Fire:

    Address   Before gets                      After gets
    EBP+4     Return Address (0x08048472)      Address of Fire
    EBP       Old EBP                          Some valid address
    EBP-4     buf[0] buf[1] buf[2] buf[3]      0x00 0x00 0x00 0x00

slide-12
SLIDE 12

    #include <string.h>

    void foo(char *bar)
    {
        char c[12];
        strcpy(c, bar);   /* no bounds checking: bar may be longer than 12 bytes */
    }

    int main(int argc, char **argv)
    {
        foo(argv[1]);
        return 0;
    }
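As an added example (not from the slides), the bounded counterparts of the gets() call walked through on slides 5 to 11 and of the strcpy() in foo() above, using the same 4-byte buffer: with the slide's input "123456780000", gets() writes 13 bytes and clobbers Old EBP and the return address, whereas read_line_bounded() keeps only "123", always NUL-terminates, and drains the rest of the line so it is not read back as the next input. The function names and the constructed inputs are my own.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 4   /* the same 4-byte buf[] the slides walk through */

/* Bounded replacement for gets(): stores at most size-1 bytes in buf, always
 * NUL-terminates, and discards the rest of an overlong line so the extra bytes
 * neither reach the stack nor get read back as the "next" line. Returns the
 * number of bytes stored, or -1 if nothing could be read (EOF or error). */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                       /* strip the newline */
    } else {                                     /* line did not fit: drain it */
        int ch;
        while ((ch = fgetc(in)) != EOF && ch != '\n')
            ;
    }
    return (int)len;
}

/* Bounded replacement for the strcpy() in foo(): copies at most size-1 bytes
 * of src into dst and NUL-terminates; returns the number of bytes copied. */
size_t copy_bounded(char *dst, size_t size, const char *src)
{
    size_t n = 0;
    if (size == 0) return 0;
    while (n < size - 1 && src[n] != '\0') { dst[n] = src[n]; n++; }
    dst[n] = '\0';
    return n;
}

/* Test helper: run a constructed input through a 4-byte buffer and return the
 * stored length of the which-th line (1-based), so an overlong first line can
 * be shown to be truncated rather than spilling into the second read. */
int line_len_via_buf4(const char *input, int which)
{
    char buf[BUF_SIZE];
    int n = -1;
    FILE *f = tmpfile();                         /* stand-in for stdin */
    if (f == NULL) return -1;
    fputs(input, f);
    rewind(f);
    for (int i = 0; i < which; i++)
        n = read_line_bounded(f, buf, sizeof buf);
    fclose(f);
    return n;
}
```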
