Buffer overflow principle analysis and protection-vulnerability warning-the black bar safety net

ID MYHACK58:62200818046
Type myhack58
Reporter 佚名
Modified 2008-01-07T00:00:00


【Abstract】this article from the programming language itself of the defect,is not robust to the perspective,a detailed analysis of buffer overflow attacks the basic principles,describes hackers exploit buffer vulnerabilities system attacks the General process,finally and briefly discussed several prevent overflow attacks policy.

【Keywords】buffer overflow; program jump; long jump buffer;

In recent years,hacker attacks occur frequently,especially the buffer overflow vulnerability attacks occupy network remote to attack the vast majority. Because such attacks can make anyone to get the host system full control,so it represents a class of very severe attacks.

Buffer overflow attacks was common,because it is all too common,and easy to implement, this is completely a software development history of the inevitable problems. A buffer vulnerability is the programmer writing a program does not check the memory space,causing memory leaks and causing,in the following we first briefly look at it:

Aunderstanding buffer overflow

Buffer overflow is a system of attack means,by in the program buffer write exceeds the length of the code,causing overflow,thus destroying its stack,so that program execution the attacker in the program address space in the already scheduled code,in order to achieve its purpose. General hacking root program,and then perform similar to the exec(sh)of the code to get the root shell. It resulted in two serious consequences:

1. Cover the stack to the adjacent unit. So that the program execution failed, serious can lead to system crash.

2. Executable to recognize the instruction code,and finally to obtain the system root Super permissions.

Now a lot of people use C or C++Program,but at the same time too many people ignore of which array bounds checking and type safety checking,so most of today's overflow and the C language, the C language, it is possible to produce overflow of the function:char s[n],strlen(s) strcpy(dst, src),p=malloc(n),strcat(s,suffix), etc., so we want as much as possible to avoid the use of these dangerous function,even if use,also be sure to do a rigorous check. For easy understanding,let's look at a simple program:


  • example. c

  • written by Devil_Angel <Devil___Angel@126.com>

  • gcc –o example example. c

void func(char * str)


char buf[8];

strcpy(buf, str);



int main(int argc, char * argv[])


If(argc >1)

}//end of main

The program in input,and not to the str of the size of the check will be sent directly into the array buf,once the input exceeds the buf length,it produced the most simple of the overflow,of course, like this overflow usually only occurs Segmentation fault error,but can not achieve the purpose of the attack. Here and no further in-depth analysis,just let everyone on the overflow have a rough concept,in the future will do further analysis.

Second, thebuffer overflow exploit

The most common means of attack is by making a buffer overflow causes the program to run a user shell,by the shell to execute other commands. If the program enter the root and have suid permissions,the attacker gained a root access shell,in this case it is possible for the system to operate freely. Below I'll introduce how to control the program jumps to attack code:

l open the record(Activation Records)

In the program,each function call occurs,the stack will leave a Activation Records,which includes the end of the function return address,an attacker by the overflow of these automatic variables,so that the address points to the attack program code. By changing the program of the return address,when the call ends,the program jumps to the attacker to set the address,instead of the original address. This overflow is referred to as stacks mashing attack.

l The function pointer(Function Pointers)

void(*foo)(1)Definition a function returns a pointer to the variable foo, Function Pointers can be used to locate any address space. So just in any space within the Function Pointers found near one can overflow the buffer,and then overflow it to change the Function Pointers. In a moment,when the program through Function Pointers when the function is called,program flow will press the hacker's intentions realized(a typical spill procedures:for Linux Superprobe program).

l length of the jump buffer(Longjmpbuffers)

In the C language,contains a simple test/recovery system,known as setjmp/longjmp. Namely, in the inspection point set setjmp(buffer),longjmp(buffer)to recover. But if the attacker is able to enter the buffer space,then the longjmp(buffer)is actually a jump to the attacker's program code. Like Function Pointers, longjmp buffers can point to anywhere,so an attacker has to do is find the one for the overflow of the buffer.

The most common is in a string combination Code of the implant and open the record. An attacker locate or provide overflow automatic variables,and then to pass a large string,in the trigger buffer overflow to change the open records when implanted in the program code,thereby achieving the invasion of the purpose of the system.

Third, theresponse to remote buffer overflow attacks

To deal with buffer overflow attacks a lot,but common is also the most important to have about four ways:

1. Write strict code

Write the correct strict code is a meaningful but very time-consuming work, there is C programming or Assembly language experience will be deep,although software development has experienced a not short time,but the vulnerability of the program still exists,so people have developed some tools and techniques to help inexperienced programmers to write secure programs. For example, advanced Troubleshooting tools,such as faultinjection etc. These tools aims by artificially randomly generating some of the buffer overflow to find the code for security vulnerabilities. But since the C language features,these tools cannot identify all of the buffer overflow vulnerability. So,the debugging techniques can be used to reduce the buffer overflow vulnerability,and can not completely eliminate its presence. Error elimination or rely on programmers to write.

2. Non-implementation of the stack data segment

ByOSwhen the data break address space is not executed,so that the attacker can not perform is implanted attack code,but the attacker does not necessarily have to be implanted attack code to implement buffer overflow attacks,so this way there is still a lot of weaknesses.

3. Use of the program, the compiler's bounds checking

The implantation code is caused by a buffer overflow in one aspect,to change the program execution flow is on the other hand. And the use of the compiler bounds checking so that buffer overflow is impossible to achieve,thereby completely eliminating the buffer overflow threat,but relatively expensive.

4. Pointer integrity checking

Program pointer integrity checking, and bounds checking is slightly different. Program pointer integrity checking in the program the pointer is changed before the detection. Therefore,even if the attacker successfully changes the program pointer,also due to previously detected pointer of change and failure,although this does not solve all problems,but it does prevent most of the buffer zone to attack,and this method is in the performance has great advantages,compatibility is also very good.

In the long run,to fundamentally eliminate the buffer overflow attacks,the need for a programming mode or the CPU system of fundamental modifications in order to solve the problem. However,with the rapid development of Information Technology and people on the network security degree of attention continues to deepen, buffer overflow attacks there will always be solved one day.


[1] hack maximum exposure. [Beauty]Joel Scambray,Stuart McClure,George Kurtz.

[2] The Art and Science of C. [us]Eric S. Roberts,Stanford University.

[3]buffer overflow principle and protection. The Chinese Academy of Sciences Graduate School of Jiang Tao.