Scribd
Upload
46 views60 pages

3.5 Buffer Overflow, Integer and Heap Overflow

Uploaded by

dangkhacthanh15042002
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
46 views60 pages

3.5 Buffer Overflow, Integer and Heap Overflow

Uploaded by

dangkhacthanh15042002
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 60

Background BufferOverflow Integer and Heap Overflow Summary

CS 6V81-05: System Security and Malicious Code Analysis


Buffer Overflow, Integer and Heap Overflow

Zhiqiang Lin

Department of Computer Science


University of Texas at Dallas

April 11th , 2012


Background Buffer Overflow Integer and Heap Overflow Summary

Outline

1 Background

2 Buffer Overflow

3 Integer and Heap Overflow

4 Summary
Outline

1 Background

2 Buffer Overflow

3 Integer and Heap Overflow

4 Summary
Background Buffer Overflow Integer and Heap Overflow Summary

IA32 Stack

Region of memory Stack“Bottom”


managed with stack
discipline
Grows toward lower
addresses
Register %esp indicates
lowest stack address
address of top element Stack
Pointer
%esp

Stack “Top”
Background Buffer Overflow Integer and Heap Overflow Summary

IA32 Stack Pushing

Pushing Stack“Bottom”

pushl src
Fetch operand at Src
Decrement %esp by 4
Write operand at
address given by %esp

Stack
Pointer
%esp -4

Stack “Top”
Background Buffer Overflow Integer and Heap Overflow Summary

IA32 Stack Popping

Popping Stack“Bottom”

popl dest
Read operand at
address given by %esp
Increment %esp by 4
Write to Dest

Stack
Pointer
%esp
+4

Stack “Top”
Background Buffer Overflow Integer and Heap Overflow Summary

Procedure Call Example

804854e: e8 3d 06 00 00 call 8048b90 <main>


8048553: 50 pushl %eax

0x110 0x110
0x10c 0x10c
0x108 123 0x108 123
0x104

%esp 0x108 %esp 0x108

%eip 0x804854e %eip 0x804854e

%eip is program counter


Background Buffer Overflow Integer and Heap Overflow Summary

Procedure Call Example

804854e: e8 3d 06 00 00 call 8048b90 <main>


8048553: 50 pushl %eax

call 8048b90

0x110 0x110
0x10c 0x10c
0x108 123 0x108 123
0x104

%esp 0x108 %esp 0x108

%eip 0x804854e %eip 0x804854e

%eip is program counter


Background Buffer Overflow Integer and Heap Overflow Summary

Procedure Call Example

804854e: e8 3d 06 00 00 call 8048b90 <main>


8048553: 50 pushl %eax

call 8048b90

0x110 0x110
0x10c 0x10c
0x108 123 0x108 123
0x104

%esp 0x108 %esp 0x104


0x108

%eip 0x804854e %eip 0x804854e

%eip is program counter


Background Buffer Overflow Integer and Heap Overflow Summary

Procedure Call Example

804854e: e8 3d 06 00 00 call 8048b90 <main>


8048553: 50 pushl %eax

call 8048b90

0x110 0x110
0x10c 0x10c
0x108 123 0x108 123
0x104 0x8048553

%esp 0x108 %esp 0x104


0x108

%eip 0x804854e %eip 0x804854e

%eip is program counter


Background Buffer Overflow Integer and Heap Overflow Summary

Procedure Call Example

804854e: e8 3d 06 00 00 call 8048b90 <main>


8048553: 50 pushl %eax

call 8048b90

0x110 0x110
0x10c 0x10c
0x108 123 0x108 123
0x104 0x8048553

%esp 0x108 %esp 0x104


0x108

%eip 0x804854e %eip 0x8048b90


0x804854e

%eip is program counter


Background Buffer Overflow Integer and Heap Overflow Summary

Procedure Return Example

8048591: c3 ret

ret

0x110 0x110
0x10c 0x10c
0x108 123 0x108 123
0x104 0x8048553 0x8048553

%esp 0x104 %esp 0x108


0x104

%eip 0x8048591 %eip 0x8048553


0x8048591

%eip is program counter


Background Buffer Overflow Integer and Heap Overflow Summary

Call Chain Example

 Code Structure
Call Chain
yoo(…)
{
• yoo

who(); who(…)
{ who

• • • •
} amI(); amI(…) amI amI
• • • {
amI(); •
• amI
• • •
} amI();

• amI
 Procedure amI recursive }
Background Buffer Overflow Integer and Heap Overflow Summary

Call Chain Example

Contents
Local variables
Return information yoo

Temporary space who

Management amI
Space allocated when enter procedure
“Set-up” code
Deallocated when return
“Finish” code

Pointers
Stack pointer %esp indicates stack top
Frame pointer %ebp indicates start of
current frame
Background Buffer Overflow Integer and Heap Overflow Summary

Stack Operation



Frame

Pointer
Call Chain %ebp
yoo(…) yoo
{ Stack
• yoo Pointer
• %esp
who();


}
Background Buffer Overflow Integer and Heap Overflow Summary

Stack Operation




Call Chain
who(…) yoo
{ Frame
• • • yoo Pointer
amI(); %ebp
who
• • •
who Stack
amI();
Pointer
• • •
%esp
}
Background Buffer Overflow Integer and Heap Overflow Summary

Stack Operation




Call Chain
amI(…) yoo
{
• yoo
• who
amI(); Frame
who
• Pointer
• %ebp
} amI amI
Stack
Pointer
%esp
Background Buffer Overflow Integer and Heap Overflow Summary

Stack Operation




Call Chain
amI(…) yoo
{
• yoo
• who
amI();
who


amI amI
} Frame
Pointer
amI %ebp
amI
Stack
Pointer
%esp
Background Buffer Overflow Integer and Heap Overflow Summary

Stack Operation




Call Chain
amI(…) yoo
{
• yoo
• who
amI(); who


} amI amI

amI
amI
Frame
amI Pointer
%ebp
amI
Stack
Pointer
%esp
Background Buffer Overflow Integer and Heap Overflow Summary

Stack Operation




Call Chain
amI(…) yoo
{
• yoo
• who
amI();
who


amI amI
} Frame
Pointer
amI %ebp
amI
Stack
amI Pointer
%esp
Background Buffer Overflow Integer and Heap Overflow Summary

Stack Operation




Call Chain
amI(…) yoo
{
• yoo
• who
amI(); Frame
who
• Pointer
• %ebp
} amI amI
Stack
Pointer
amI %esp

amI
Background Buffer Overflow Integer and Heap Overflow Summary

Stack Operation




Call Chain
who(…) yoo
{ Frame
• • • yoo Pointer
amI(); %ebp
who
• • •
who Stack
amI();
Pointer
• • •
%esp
} amI

amI

amI
Background Buffer Overflow Integer and Heap Overflow Summary

Stack Operation




Call Chain
amI(…) yoo
{
• yoo
• who
• Frame
who
• Pointer
} %ebp
amI amI amI
Stack
Pointer
amI %esp

amI
Background Buffer Overflow Integer and Heap Overflow Summary

Stack Operation




Call Chain
who(…) yoo
{ Frame
• • • yoo Pointer
amI(); %ebp
who
• • •
who Stack
amI();
Pointer
• • •
%esp
} amI amI

amI

amI
Background Buffer Overflow Integer and Heap Overflow Summary

Stack Operation



Frame

Pointer
Call Chain %ebp
yoo(…) yoo
{ Stack
• yoo Pointer
• %esp
who(); who


} amI amI

amI

amI
Background Buffer Overflow Integer and Heap Overflow Summary

IA32/Linux Stack Frame

Current Stack Frame (“Top” to


Bottom)
Parameters for function about
Caller
to call Frame
“Argument build” Arguments
Local variables Frame Pointer Return Addr
(%ebp) Old%ebp
If can’t keep in registers
Saved register context Saved
Old frame pointer Registers
+
Caller Stack Frame Local
Variables
Return address
Pushed by call Argument
instruction StackPointer Build
(%esp)
Arguments for this call
Background Buffer Overflow Integer and Heap Overflow Summary

IA32 Linux Memory Layout

Stack
Runtime stack (8MB limit) FF
Stack
E. g., local variables
8MB
Heap
Dynamically allocated storage
When call malloc(), calloc(),
new()
Data
Statically allocated data
E.g., arrays & strings declared
in code
Text
Executable machine Heap
instructions Data
Upper 2 hex digits Text
Read-only 08
= 8 bits of address
00
Background Buffer Overflow Integer and Heap Overflow Summary

Memory Allocation Example

char big_array[1<<24]; /* 16 MB */
char huge_array[1<<28]; /* 256 MB*/ FF
Stack
int beyond;
char *p1, *p2, *p3, *p4;

int useless() { return 0; }

int main()
{
p1 = malloc(1 <<28); /* 256 MB */
p2 = malloc(1 << 8); /* 256 B */
p3 = malloc(1 <<28); /* 256 MB */
p4 = malloc(1 << 8); /* 256 B */
/* Some print statements ... */
} Heap
Data
Where does everything go? 08
Text
00
Background Buffer Overflow Integer and Heap Overflow Summary

IA32 Example Addresses

address range ~232


FF Stack

$esp 0xffffbcd0
p3 0x65586008
p1 0x55585008
p4 0x1904a110
p2 0x1904a008
&p2 0x18049760
&beyond 0x08049744
big_array 0x18049780
huge_array 0x08049760
main() 0x080483c6
80
useless() 0x08049744
final malloc() 0x006be166 Heap

Data
malloc() is dynamicall ylinked
Text
address determined at runtime
08
00
Outline

1 Background

2 Buffer Overflow

3 Integer and Heap Overflow

4 Summary
Background Buffer Overflow Integer and Heap Overflow Summary

Internet Worm and IM War


November, 1988
Internet Worm attacks thousands of Internet hosts.
How did it happen?
July, 1999
Microsoft launches MSN Messenger (instant messaging
system).
Messenger clients can access popular AOL Instant
Messaging Service (AIM) servers

AIM
client

MSN MSN AIM


server client server

AIM
client
Background Buffer Overflow Integer and Heap Overflow Summary

Internet Worm and IM War (cont.)

August 1999
Mysteriously, Messenger clients can no longer access AIM
servers.
Microsoft and AOL begin the IM war:
AOL changes server to disallow Messenger clients
Microsoft makes changes to clients to defeat AOL changes.
At least 13 such skirmishes.
How did it happen?
The Internet Worm and AOL/Microsoft War were both
based on stack buffer overflow exploits!
many library functions do not check argument sizes.
allows target buffers to overflow.
Background Buffer Overflow Integer and Heap Overflow Summary

String Library Code

Implementation of Unix function gets()


/* Get string from stdin */
char *gets(char *dest)
{
int c = getchar();
char *p = dest;
while (c != EOF && c != ’\n’) {
*p++ = c;
c = getchar();
}
*p = ’\0’;
return dest;
}

No way to specify limit on number of characters to read


Similar problems with other library functions
strcpy, strcat: Copy strings of arbitrary length
scanf, fscanf, sscanf, when given %s conversion
specification
Background BufferOverflow Integer and Heap Overflow Summary

Vulnerable Buffer Code

/* Echo Line */
void echo()
{
char buf[4]; /* Way too small! */
gets(buf);
puts(buf);
}

void call_echo() {
echo();
}

unix>./bufdemo
Type a string:1234567
1234567

unix>./bufdemo
Type a string:12345678
Segmentation Fault

unix>./bufdemo
Type a string:123456789ABC
Segmentation Fault
Background BufferOverflow Integer and Heap Overflow Summary

Buffer Overflow Disassembly

echo
80485c5: 55 push %ebp
80485c6: 89 e5 mov %esp,%ebp
80485c8: 53 push %ebx
80485c9: 83 ec 14 sub $0x14,%esp
80485cc: 8d 5d f8 lea 0xfffffff8(%ebp),%ebx
80485cf: 89 1c 24 mov %ebx,(%esp)
80485d2: e8 9e ff ff ff call 8048575 <gets>
80485d7: 89 1c 24 mov %ebx,(%esp)
80485da: e8 05 fe ff ff call 80483e4 <puts@plt>
80485df: 83 c4 14 add $0x14,%esp
80485e2: 5b pop %ebx
80485e3: 5d pop %ebp
80485e4: c3 ret

call echo
80485eb: e8 d5 ff ff ff call 80485c5 <echo>
80485f0: c9 leave
80485f1: c3 ret
Background Buffer Overflow Integer and Heap Overflow Summary

Buffer Overflow Stack

/* Echo Line */
Before call to gets void echo()
{
Stack Frame char buf[4]; /* Way too small! */
for main gets(buf);
puts(buf);
}

echo:
Return Address pushl %ebp # Save %ebp on stack
movl %esp, %ebp
Saved %ebp %ebp pushl %ebx # Save %ebx
subl $20, %esp # Allocate stack space
Saved %ebx leal -8(%ebp),%ebx # Compute buf as %ebp-8
movl %ebx, (%esp) # Push buf on stack
[3] [2] [1] [0] buf call gets # Call gets
. . .
Stack Frame
for echo
Background BufferOverflow Integer and Heap Overflow Summary

Buffer Overflow Stack Example


unix> gdb bufdemo
(gdb) break echo
Breakpoint 1 at 0x80485c9
(gdb) run
Breakpoint 1, 0x80485c9 in echo ()
(gdb) print /x $ebp
$1 = 0xffffd678
(gdb) print /x *(unsigned *)$ebp
$2 = 0xffffd688
(gdb) print /x *((unsigned *)$ebp + 1)
$3 = 0x80485f0

Before call to gets Before call to gets


Stack Frame Stack Frame 0xffffd688
formain formain

Return Address 08 04 85 f0
Saved %ebp ff ff d6 88 0xffffd678
Saved%ebx Saved%ebx
[3] [2] [1] [0] buf xx xx xx xx buf
Stack Frame Stack Frame
forecho forecho

80485eb: e8 d5 ff ff ff call 80485c5 <echo>


80485f0: c9 leave
Background Buffer Overflow Integer and Heap Overflow Summary

Buffer Overflow Stack Example #1

Before call to gets Input 1234567


Stack Frame 0xffffd688 Stack Frame 0xffffd688
for main for main

08 04 85 f0 08 04 85 f0
ff ff d6 88 0xffffd678 ff ff d6 88 0xffffd678
Saved %ebx 00 37 36 35
xx xx xx xx buf 34 33 32 31 buf
Stack Frame Stack Frame
for echo for echo

Overflow buf, and corrupt %ebx,


but no problem
Background Buffer Overflow Integer and Heap Overflow Summary

Buffer Overflow Stack Example #2

Before call to gets Input 12345678


Stack Frame 0xffffd688 Stack Frame 0xffffd688
for main for main

08 04 85 f0 08 04 85 f0
ff ff d6 88 0xffffd678 ff ff d6 00 0xffffd678
Saved %ebx 38 37 36 35
xx xx xx xx buf 34 33 32 31 buf
Stack Frame Stack Frame
for echo for echo

Base pointer corrupted


. . .
80485eb: e8 d5 ff ff ff call 80485c5 <echo>
80485f0: c9 leave # Set %ebp to corrupted value
80485f1: c3 ret
Background Buffer Overflow Integer and Heap Overflow Summary

Buffer Overflow Stack Example #3

Before call to gets Input 123456789!”#


Stack Frame 0xffffd688 Stack Frame 0xffffd688
for main for main

08 04 85 f0 08 04 85 00
ff ff d6 88 0xffffd678 43 42 41 39 0xffffd678
Saved %ebx 38 37 36 35
xx xx xx xx buf 34 33 32 31 buf
Stack Frame Stack Frame
for echo for echo

Return address corrupted

80485eb: e8 d5 ff ff ff call 80485c5 <echo>


80485f0: c9 leave # Desired return point
Background Buffer Overflow Integer and Heap Overflow Summary

Buffer Overflow Stack Example #3


Stack after call to gets()

void foo(){
foo stack frame
bar(); return
... address
} A B

int bar() { pad


data written
char buf[64];
by gets()
gets(buf);
... exploit bar stack frame
return ...; code
B
}

Input string contains byte representation of executable


code
Overwrite return address A with address of buffer B
When bar() executes ret, will jump to exploit code
Background Buffer Overflow Integer and Heap Overflow Summary

Exploits Based on Buffer Overflows

Buffer overflow bugs allow remote machines to execute


arbitrary code on victim machines
Internet worm
Early versions of the finger server (fingered) used gets()
to read the argument sent by the client:
Worm attacked fingerd server by sending phony argument:
finger “exploit-code padding new-return-address”
exploit code: executed a root shell on the victim machine
with a direct TCP connection to the attacker.
Background Buffer Overflow Integer and Heap Overflow Summary

Exploits Based on Buffer Overflows

Buffer overflow bugs allow remote machines to execute


arbitrary code on victim machines
IM War
AOL exploited existing buffer overflow bug in AIM clients
exploit code: returned 4-byte signature (the bytes at some
location in the AIM client) to server.
When Microsoft changed code to match signature, AOL
changed signature location.
Background Buffer Overflow Integer and Heap Overflow Summary

Code Red Exploit Code


Starts 100 threads running
Spread self
Generate random IP addresses & send attack string
Between 1st & 19th of month
Attack www.whitehouse.gov
Send 98,304 packets; sleep for 4-1/2 hours; repeat
Denial of service attack
Between 21st & 27th of month
Deface server’s home page
After waiting 2 hours
Background Buffer Overflow Integer and Heap Overflow Summary

Avoiding Overflow Vulnerability

/* Echo Line */
void echo()
{
char buf[4]; /* Way too small! */
gets(buf);
puts(buf);
}

Use library routines that limit string lengths


fgets instead of gets
strncpy instead of strcpy
Don’t use scanf with %s conversion specification
Use fgets to read the string
Or use %ns where n is a suitable integer
Background Buffer Overflow Integer and Heap Overflow Summary

System-Level Protections

Randomized stack offsets unix> gdb bufdemo


(gdb) break echo
At start of program, allocate
random amount of space on stack (gdb) run
Makes it difficult for hacker to (gdb) print /x $ebp
predict beginning of inserted code $1 = 0xffffc638

Nonexecutable code segments (gdb) run


(gdb) print /x $ebp
In traditional x86, can mark region $2 = 0xffffbb08
of memory as either “read-only” or
(gdb) run
“writeable” (gdb) print /x $ebp
Can execute anything readable $3 = 0xffffc6a8

X86-64 added explicit “execute”


permission
Background Buffer Overflow Integer and Heap Overflow Summary

Stack Canaries

Idea
Place special value (“canary”) on stack just beyond buffer
Check for corruption before exiting function
GCC Implementation
-fstack-protector
-fstack-protector-all

unix>./bufdemo-protected
Type a string:1234
1234

unix>./bufdemo-protected
Type a string:12345
*** stack smashing detected ***
Background Buffer Overflow Integer and Heap Overflow Summary

Protected Buffer Disassembly

echo
804864d: 55 push %ebp
804864e: 89 e5 mov %esp,%ebp
8048650: 53 push %ebx
8048651: 83 ec 14 sub $0x14,%esp
8048654: 65 a1 14 00 00 00 mov %gs:0x14,%eax
804865a: 89 45 f8 mov %eax,0xfffffff8(%ebp)
804865d: 31 c0 xor %eax,%eax
804865f: 8d 5d f4 lea 0xfffffff4(%ebp),%ebx
8048662: 89 1c 24
mov %ebx,(%esp)
8048665: e8 77 ff ff ff
call 80485e1 <gets>
804866a: 89 1c 24
mov %ebx,(%esp)
804866d: e8 ca fd ff ff
call 804843c <puts@plt>
8048672: 8b 45 f8
mov 0xfffffff8(%ebp),%eax
8048675: 65 33 05 14 00 00 00
804867c: 74 05 xor %gs:0x14,%eax
je 8048683 <echo+0x36>
804867e: e8 a9 fd ff ff
call 804842c <FAIL>
8048683: 83 c4 14 add $0x14,%esp
8048686: 5b pop %ebx
8048687: 5d
pop %ebp
8048688: c3
ret
Background Buffer Overflow Integer and Heap Overflow Summary

Setting Up Canary

Before call to gets /* Echo Line */


void echo()
Stack Frame {
char buf[4]; /* Way too small! */
for main gets(buf);
puts(buf);
}

Return Address echo:


. . .
Saved %ebp %ebp movl %gs:20, %eax # Get canary
Saved %ebx movl %eax, -8(%ebp) # Put on stack
xorl %eax, %eax # Erase canary
Canary . . .

[3] [2] [1] [0] buf


Stack Frame
for echo
Background Buffer Overflow Integer and Heap Overflow Summary

Checking Canary

Before call to gets /* Echo Line */


void echo()
Stack Frame {
char buf[4]; /* Way too small! */
for main gets(buf);
puts(buf);
}

Return Address echo:


. . .
Saved %ebp %ebp movl -8(%ebp), %eax # Retrieve from stack
Saved %ebx xorl %gs:20, %eax # Compare with Canary
je .L24 # Same: skip ahead
Canary call stack_chk_fail # ERROR
.L24:
[3] [2] [1] [0] buf . . .

Stack Frame
for echo
Background Buffer Overflow Integer and Heap Overflow Summary

Canary Example

Before call to gets Input 1234


Stack Frame Stack Frame
for main for main

Return Address Return Address


Saved %ebp %ebp Saved %ebp %ebp
Saved %ebx Saved %ebx
03 e3 7d 00 03 e3 7d 00
[3] [2] [1][0] buf 34 33 32 31 buf
Stack Frame Stack Frame
for echo for echo

(gdb) break echo


(gdb) run
Benign corruption!
(gdb) stepi 3
(gdb) print /x *((unsigned *) $ebp - 2) (allows programmers to make
$1 = 0x3e37d00 silent off-by-one errors)
Outline

1 Background

2 Buffer Overflow

3 Integer and Heap Overflow

4 Summary
Background Buffer Overflow Integer and Heap Overflow Summary

What are the common features of integer overflow


vulnerabilities?

an untrusted source

an incomplete
unsigned int x = read_int();
if ( x > 0x7fffffff ) check
abort();
unsigned int s = x*sizeof(int); an integer overflow
char* p=malloc(s);
read_int_into_buf(p, x);

a sensitive
a heap overflow
operation
followed
Background Buffer Overflow Integer and Heap Overflow Summary

CVE-2008-5238(Xine)

an untrusted source
……
if (version == 4) {
const uint16_t sps = _X_BE_16 (this->header+44) ? : 1;
this->w = _X_BE_16 (this->header+42);
this->h = _X_BE_16 (this->header+40);
this->cfs = _X_BE_32 (this->header+24);
this->frame_len = this->w * this->h;
this->frame_size = this->frame_len * sps;
this->frame_buffer = calloc(this->frame_size, 1);
……

a sensitive
operation
Background BufferOverflow Integer and Heap Overflow Summary

CVE-2008-1722(CUPS)

an untrusted source

a n in c o m plete
png_get_IHDR(pp, info, &width, &height, &bit_depth, &co l or _t y p e,
&interlace_type, &compression_type, &filter_type);
{
……
check
if (width == 0 || width > CUPS_IMAGE_MAX_WIDTH ||
height == 0 || height > CUPS_IMAGE_MAX_HEIGHT)
{//error
return (1);
} an integer overflow
img->xsize = width;
img->ysize = height;
……
if (color_type == PNG_COLOR_TYPE_GRAY ||color_type ==
PNG_COLOR_TYPE_GRAY_ALPHA)
in = malloc(img->xsize * img->ysize);
else
in = malloc(img->xsize * img->ysize * 3);
……
} a55sensitive
operation 55
Background Buffer Overflow Integer and Heap Overflow Summary

CVE-2008-2430(VLC)

an untrusted source

……
if( ChunkFind( p_demux, "fmt ", &i_size ) )
{
msg_Err( p_demux, "cannot find 'fmt ' chunk" );

}
goto error;
an incomplete
if( i_size < sizeof( WAVEFORMATEX ) - 2 )
{
check
msg_Err( p_demux, "invalid 'fmt ' chunk" );
goto error;
}
stream_Read( p_demux->s, NULL, 8 );
an integer overflow
/* Cannot fail */

/* load waveformatex */
p_wf_ext = malloc( EVEN( i_size ) + 2 );
……

a sensitive
operation
Background Buffer Overflow Integer and Heap Overflow Summary

What’s the essential feature of integer overflow


vulnerabilities?

an untrusted source

an incomplete
unsigned int x = read_int();
if ( x > 0x7fffffff )
check
abort();
unsigned int s = x*sizeof(int); an integer overflow
char* p=malloc(s);
read_int_into_buf(p, x);

a sensitive
operation
Outline

1 Background

2 Buffer Overflow

3 Integer and Heap Overflow

4 Summary
Background Buffer Overflow Integer and Heap Overflow Summary

Summary

Software vulnerabilities
1 Cannot be avoided (software complexity)
2 Memory bugs (buffer overflow, integer overflow) are
dangerous
3 Tons of research has been carried out to stop memory
bugs
4 Stack, and integer and heap overflow can be stopped.
Background Buffer Overflow Integer and Heap Overflow Summary

References

http://en.wikipedia.org/wiki/Buffer_overflow Smashing
the Stack for Fun and Profit by Aleph One
A Comparison of Buffer Overflow Prevention
Implementations and Weaknesses (Blackhat 2004)
http://www.cs.cmu.edu/afs/cs/academic/class/15213-
f10/www/lectures/08-machine-advanced.pdf
...

You might also like