Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade* Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole Department of Computer Science and Engineering Oregon Graduate Institute of Science & Technology** ([email protected]) http://www.cse.ogi.edu/DISC/projects/immunix Abstract the ability to inject and execute attack code. The Buffer overflows have been the most common injected attack code runs with the privileges of the vul- form of security vulnerability for the last ten nerable program, and allows the attacker to bootstrap years. More over, buffer overflow vulnerabilities whatever other functionality is needed to control dominate the area of remote network penetra- (“own” in the underground vernacular) the host com- tion vulnerabilities, where an anonymous Inter- puter. net user seeks to gain partial or total control of For instance, among the five “new” “remote to a host. If buffer overflow vulnerabilities could be effectively eliminated, a very large portion of local” attacks used in the 1998 Lincoln Labs intrusion the most serious security threats would also be detection evaluation, three were essentially social engi- eliminated. In this paper, we survey the various neering attacks that snooped user credentials, and two types of buffer overflow vulnerabilities and were buffer overflows. 9 of 13 CERT advisories from attacks, and survey the various defensive mea- 1998 involved buffer overflows [34] and at least half of sures that mitigate buffer overflow vulnerabili- 1999 CERT advisories involve buffer overflows [5]. An ties, including our own StackGuard method. We informal survey on the Bugtraq security vulnerability then consider which combinations of techniques mailing list [29] showed that approximately 2/3 of can eliminate the problem of buffer overflow respondents felt that buffer overflows are the leading vulnerabilities, while preserving the functional- cause of security vulnerability.1 ity and performance of existing systems. Buffer overflow vulnerabilities and attacks come in 1 Introduction a variety of forms, which we describe and classify in Buffer overflows have been the most common form Section 2. Defenses against buffer overflow attacks similarly come in a variety of forms, which we describe of security vulnerability in the last ten years. More over, in Section 3, including which kinds of attacks and vul- buffer overflow vulnerabilities dominate intheareaof nerabilities these defenses are effective against. The remote network penetration vulnerabilities, where an Immunix project has developed the StackGuard defen- anonymous Internet user seeks to gain partial or total sive mechanism [14, 11], which has been shown to be control of a host. Because these kinds of attacks enable anyone to take total control of a host, they represent one highly effective at resisting attacks without compromis- ing system compatibility or performance [9]. Section 4 of the most serious classes security threats. discusses which combinations of defenses complement Buffer overflow attacks form a substantial portion each other. Section 5 presents our conclusions. of all security attacks simply because buffer overflow vulnerabilitiesaresocommon[15]andsoeasyto 2 Buffer Overflow Vulnerabilities and exploit [30, 28, 35, 20]. However, buffer overflow vul- nerabilities particularly dominate in the class of remote Attacks penetration attacks because a buffer overflow vulnera- The overall goal of a buffer overflow attack is to bility presents the attacker with exactly what they need: subvert the function of a privileged program so that the attacker can take control of that program, and if the pro- *. This work supported in part by DARPA grant F30602-96-1- gram is sufficiently privileged, thence control the host. 0331, and DARPA contract DAAH01-99-C-R206. Typically the attacker is attacking a root program, and immediately executes code similar to “exec(sh)” to get **Of these authors, Crispin Cowan, Steve Beattie, and Perry a root shell, but not always. To achieve this goal, the Wagle are now with Immunix, Inc., and Calton Pu is at attacker must achieve two sub-goals: Georgia Tech. AlsopresentedasaninvitedtalkatSANS2000(System 1.The remaining 1/3 of respondants identified Administration and Network Security), http:// “misconfiguration” as the leading cause of security www.sans.org/newlook/events/sans2000.htm vulnerability. Proceedings of the Foundations of Intrusion Tolerant Systems (OASIS’03) 0-7695-0490-6/99 $17.00 1999 IEEE Previously published in the DARPA Information Survivability Conference and Exposition 2000 Proceedings 1. Arrange for suitable code to be available in the pro- weak or non-existent bounds checking on its input with gram's address space. a goal of corrupting the state of an adjacent part of the 2. Get the program to jump to that code, with suitable program’s state, e.g. adjacent pointers, etc. By over- parameters loaded into registers & memory. flowing the buffer, the attacker can overwrite the adja- cent program state with a near-arbitrary2 sequence of We categorize buffer overflow attacks is in terms of bytes, resulting in an arbitrary bypass of C’s type sys- achieving these two sub-goals. Section 2.1 describes tem3 and the victim program’s logic. how the attack code is placed in the victim program’s address space (which is where the “buffer” part comes The classification here is the kind of program state that the attacker’s buffer overflow seeks to corrupt. In from). Section 2.2 describes how the attacker overflows principle, the corrupted state can be any kind of state. a program buffer to alter adjacent program state (which For instance, the original Morris Worm [37] used a is where the “overflow” part comes from) to induce the buffer overflow against the fingerd program to cor- victim program to jump to the attack code. Section 2.3 ruptthenameofafilethatfingerd would execute. In discusses some issues in combining the code injection techniques from Section 2.1 with the control flow cor- practice, most buffer overflows found in “the wild” seek to corrupt code pointers: program state that points ruption techniques from Section 2.2. at code. The distinguishing factors among buffer over- flow attacks is the kind of state corrupted, and where in 2.1 WaystoArrangeforSuitableCodetoBein the memory layout the state is located. the Program's Address Space Activation Records: Each time a function is called, it There are two ways to arrange for the attack code to lays down an activation record on the stack [1] that be in the victim program’s address space: either inject includes, among other things, the return address that it, or use what is already there. the program should jump to when the function exits, Inject it: The attacker provides a string as input to the i.e. point at the code injected in Section 2.1. Attacks program, which the program stores in a buffer. The that corrupt activation record return addresses over- string contains bytes that are actually native CPU flow automatic variables, i.e. buffers local to the instructions for the platform being attacked. Here function, as shown in Figure 1. By corrupting the the attacker is (ab)using the victim program’s buff- return address in the activation record, the attacker ers to store the attack code. Some nuances on this causes the program to jump to attack code when the method: victim function returns and dereferences the return address. This form of buffer overflow is called a • The attacker does not have to overflow any buff- “stack smashing attack” [14, 30, 28, 35] and consti- ers to do this; sufficient payload can be injected tute a majority of current buffer overflow attacks into perfectly reasonable buffers. Function Pointers: “void (* foo)()”declares • The buffer can be located anywhere: the variable foo which is of type “pointer to func- tion returning void.” Function pointers can be allo- • onthestack(automaticvariables) cated anywhere (stack, heap, static data area) and so • on the heap (malloc’d variables) the attacker need only find an overflowable buffer • in the static data area (initialized or uninitial- adjacent to a function pointer in any of these areas ized) and overflow it to change the function pointer. Some time later, when the program makes a call It is already there: Often,thecodetodowhatthe through this function pointer, it will instead jump to attacker wants is already present in the program’s the attacker's desired location. An example of this address space. The attacker need only parameterize kind of attack appeared in an attack against the the code, and then cause the program to jump to it. superprobe program for Linux. For instance, if the attack code needs to execute “exec(“/bin/sh”)”, and there exists code in Longjmp buffers: C includes a simple checkpoint/roll- libc that executes “exec(arg)” where “arg” is a back system called setjmp/longjmp. The idiom is to string pointer argument, then the attacker need only say “setjmp(buffer)” to checkpoint, and say change a pointer to point to “/bin/sh”andjump “longjmp(buffer)”togobacktothecheck- to the appropriate instructions in the libc library point. However, if the attacker can corrupt the state [41]. of the buffer, then “longjmp(buffer)”will 2.2 Ways to Cause the Program to Jump to the 2.There are some bytes that are hard to inject, such as control Attacker's Code characters and null bytes that have special meaning to I/O All of these methods seek to alter the program’s libraries, and thus may be filtered before they reach the control flow so that the program will jump to the attack program’s memory. code. The basic method is to overflow a buffer that has 3.That this is possible is an indication of the weakness of C’s type system. Proceedings of the Foundations of Intrusion Tolerant Systems (OASIS’03) 0-7695-0490-6/99 $17.00 1999 IEEE Previously published in the DARPA Information Survivability Conference and Exposition 2000 Proceedings ize the code.