Today i’m going to be writing a little short article about Buffer Overflow attacks and why software developed in lower-level languages like C are vulnerable to them. This article is primarily aimed at users who do not have a great deal of Software Development knowledge.
Your first question may well be - “What’s a buffer overflow?”. That’s a really great question and i’m goiong to start by using a little analogy I come up with right now while writing this article. So, the analogy goes:
We have friend A and friend B. They’re allowed to talk to each other, and do, but can only communicate in 5 word exhanges. And eveerryyything they say between each other is trusted by each party to be the truth. For example:
* friend A * How are you doing today?
* friend B * I’m doing great, thank you.
Generally speaking, these rules could quite easily be abided by, with both parties agreeing to speak in 5 word exchanges. No problem so far!
Now let’s imagine *friend B * continues speaking:
*friend A* How are you doing today?
*friend B* I’m doing great, thank you. The sky is green.
Now in this case, “I’m doing great, thank you.” is the expected 5 word response, but there’s actually 4 extra words here “The sky is green”.
As the communication is ‘trusted’ and *friend A* implicitly believes everything B says, *friend A* now believes the sky is green...
Okay, maybe the analogy wasn’t perfect but i’m sure you get the idea.
Now from a slightly more technical view.
Let’s say we have a variable, username. As memory management is manual when programming in C, we have to assign a ‘buffer’ when inputting data to this variable. The buffer is defined as a size in bytes for the maximum amount of data that specific variable is assigned to hold.
When data is inputted by the user, it’s so important we check the size of the data inputted from the user before the user data is assigned to the variable.
The reason for this is *bounds-checking*. In C, theres no automatic check that the user hasn’t entered more data than expected so there’s an opportunity for the user to attempt a Buffer Overflow attack in order to fully take-over the process. Essentially what the attacker is looking to do is ‘overflow’ the buffer assigned to the variable, and start writing into *other memory* on the target system/process.
If we are able to overwrite the value of the PC (Program Counter) (which controlls the next memory address to be executed) we are able to redirect the execution of said process to another memory address.
Researchers will often use patterned input, such as AAAABBBBCCCCDDDDEEEEFFF...etc and then check ‘panic logs’ to establish the value of the Program Counter after the program inevitably crashes (We’re writing random data into the memory). The program counter value contained in the ‘panic log’ will contain a hex value of the letter which matched.
For example, if the PC is 0x44 (D in ASCII), we would repeat the process of using the pattered input but this time replace DDDD with a memory address and the program execution would continue elsewhere!
Do note, this is likely to lead the program to crash. If we’re replacing the PC with the value of function X, yes it’ll execute. But what is the function going to return to? We’d need to figure some way of having the process return back to the original value of the PC at the time we exploited the Buffer Overflow Opportunity.
Anyway, I know that article may seem a little random but I just thought i’d share it! ❤️ Hope y’all are looking forward to WWDC later today.