
Security in CS1: Buffer Overflow


Buffer Overflow Overview

The buffer overflow attack is a concept which is difficult to teach in CS1 because most attacks involve the system stack. Here we present a buffer-overflow attack which only requires knowledge of arrays. The attack was found in a 1987 paper by Young and McHugh: "Coding for a Believable Specification to Implementation Mapping".

Below we provide a PowerPoint demonstration of the buffer-overflow attack. From the demonstration you can see how data are written beyond the allocated end of a buffer and overwrite login information in memory. Using this buffer-overflow attack, somebody can compromise your password-protected system without knowing the password. The only thing the attacker needs to know is the password encryption rule, which is public knowledge. Since the encryption method is not relevant to this attack, we use the simplistic ROT13 rule to encrypt the password.

The normal login process in this case is:

  1. User enters name. Computer stores name.
  2. Using entered name the computer looks up the encrypted password in a table, and stores the password for comparison.
  3. User enters password. Computer stores unencrypted password.
  4. Computer encrypts entered password, and stores encrypted password.
  5. Computer compares the encrypted password from the table with the encryption of the password the user entered. If they match, allow entry.

The attack differs slightly:

  1. User enters name. Computer stores name.
  2. Using entered name the computer looks up the encrypted password in a table, and stores the password for comparison.
  3. User enters a LONG password. Computer stores unencrypted password,
    • The long password extends past the password boundary, so it overflows into the next stored word, which happens to be the encrypted password from the table.
    • The user cleverly crafts the overflowed characters to match the encryption of the entered password.
  4. Computer encrypts entered password, and stores encrypted password.
  5. Computer compares the encrypted password from the table (now overwritten) with the encryption of the password the user entered. If they match (as the attack guarantees they will), allow entry.

Two errors allow this attack, and both are needed for the attack to succeed:

  1. The encrypted password is fetched from the table before the user enters a password.
  2. The encrypted password from the table is stored adjacent to the entered password.
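The following is an added example, not the page's own sample code: a hypothetical C model of the faulty login beside a corrected one. The two memory slots are regions of a single byte array (assumed layout, mirroring the demo) so the overflow stays well-defined C, and ROT13 stands in for the real encryption as on this page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the demo's memory: the entered-password slot sits right
 * before the slot holding the encrypted password fetched from the table. Both
 * are regions of ONE byte array so the overflow stays well-defined C. */
#define SLOT 8
enum { ENTERED = 0, STORED = SLOT, MEM_SIZE = 2 * SLOT };

/* ROT13 stands in for a real password hash, as in the demo. */
static void rot13(const char *in, char *out, size_t n) {
    size_t i;
    for (i = 0; i < n && in[i] != '\0'; i++) {
        char c = in[i];
        if (c >= 'a' && c <= 'z') c = 'a' + (c - 'a' + 13) % 26;
        else if (c >= 'A' && c <= 'Z') c = 'A' + (c - 'A' + 13) % 26;
        out[i] = c;
    }
    out[i] = '\0';
}

/* Faulty login: table lookup before input (error 1), slots adjacent
 * (error 2), and the password copied with no length check. */
int login_unsafe(const char *table_enc, const char *typed) {
    char mem[MEM_SIZE + 64] = {0};            /* slack so the demo stays in bounds */
    char enc[SLOT + 1];
    strncpy(mem + STORED, table_enc, SLOT);   /* step 2: stored password */
    strcpy(mem + ENTERED, typed);             /* step 3: may run into STORED */
    rot13(mem + ENTERED, enc, SLOT);          /* step 4 */
    return strcmp(mem + STORED, enc) == 0;    /* step 5 */
}

/* Fixed login: over-long input is rejected before anything is stored, and
 * the table lookup happens only after the password has been validated. */
int login_safe(const char *table_enc, const char *typed) {
    char entered[SLOT + 1], stored[SLOT + 1], enc[SLOT + 1];
    if (strlen(typed) > SLOT) return 0;       /* reject instead of truncating */
    strcpy(entered, typed);                   /* fits: length checked above */
    strncpy(stored, table_enc, SLOT); stored[SLOT] = '\0';
    rot13(entered, enc, SLOT);
    return strcmp(stored, enc) == 0;
}

int main(void) {
    const char *table = "frperg";             /* rot13("secret"), constructed */
    const char *attack = "AAAAAAAANNNNNNNN";  /* filler, then rot13 of the filler */
    printf("unsafe real=%d unsafe crafted=%d safe crafted=%d\n",
           login_unsafe(table, "secret"), login_unsafe(table, attack),
           login_safe(table, attack));
    return 0;
}
```

The crafted input succeeds only against `login_unsafe`, because its second half lands in the STORED slot and is exactly the ROT13 of its first half; `login_safe` rejects it before any copy happens.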

Play the demo below to observe the standard login followed by the attack.

For more information about buffer-overflow attacks, here are some links:

windowsecurity.com

linuxjournal.com


Download the Demonstration

Please download the demonstration by clicking the image below.


Sample Code

Here we provide code so you can see what the faulty login process might look like (an actual login session would differ).

Sample code in C.

Sample code in C++.