next up previous
Next: Related work Up: Protecting from stack-smashing attacks Previous: Introduction


Attack Scenarios and their Classification

The buffer overflow vulnerability appears where an application needs to read external information such as a character string, the receiving buffer is relatively small compared to the possible size of the input string, and the application doesn't check the size. The buffer allocated at run-time is placed on a stack, which keeps the information for executing functions; such as local variables, argument variables, and the return address. The overflowing string can alter such information. This also means that an attacker can change the information as he wants to. For example, he can inject a series of machine language commands as a string that also leads to the execution of the attack code by changing the return address to the address of the attack code. The ultimate goal is usually to get control of a privileged shell by such methods.

Figure 1 shows a typical stack structure after a function is called. The stack pointer points at the top of stack, which is at the bottom in the figure. The programming language C uses the area from the top of the stack in the following order: local variables, the previous frame pointer, the return address, and arguments of the function. This data is called the frame of the function, which represents the status of the function. The frame pointer locates the current frame and the previous frame pointer stores the frame pointer of the caller function.

Figure 1: Stack Structure
\begin{figure*}\centering \begin{tabular}{l\vert c\vert l}
& & $\uparrow$ stri...
...grightarrow$ & & $\downarrow$ stack growth \\
\end{tabular}\par\end{figure*}

The function foo (see Figure 2) is a vulnerable function, which produces the stack structure such as shown in Figure 1. It reads the content of the environment variable ``HOME'' into the ``buffer'' which has a size of 128 bytes. Since the function strcpy doesn't check the size of the output, it can copy more than 128 bytes of data to the ``buffer''. Imagine the ``HOME'' variable has this string: 128 bytes of 41, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, and 3. This will assign 128 character 'A's, 0x01010101, 0x02020202, and 0x03030303 into the ``buffer'', ``lvar'', the previous frame pointer, and the return address respectively. (We assume that 32-bit variables are used by default and that C language notation is used.) When the function foo finishes it's operations and returns to the caller based on this memory arrangement, it will go back to the address 0x03030303, which isn't the caller address. If malicious code is located at the address, it is executed with the same privilege level as the application.

Figure 2: Sample function having Buffer Overflow Vulnerability
\begin{figure}\centering\begin{verbatim}void foo()
{
long *lvar;
char buffer...
........
strcpy (buffer, getenv (''HOME''));
.......
}\end{verbatim} \end{figure}

We will now introduce a classification of attack methods, how an attacker acquires control of the application. In the first category the target of the attack is to show in the stack. The following lists the data stored in this area and describes the attack method used.


next up previous
Next: Related work Up: Protecting from stack-smashing attacks Previous: Introduction
Etoh
2000-11-08