What Is Buffer Overflow?

Types of Buffer Overflow Attacks

A buffer overflow attack exploits buffer overflow vulnerabilities. A buffer overflow occurs when the volume of data exceeds the storage capacity of the system buffer, thereby damaging the program stack, compromising the program, shutting down the system, or enabling the program to execute other instructions. Buffer overflow attacks fall into the following types:

• Stack overflow: It occurs if the memory allocated on the stack exceeds the stack capacity during program execution. A stack is a last in first out (LIFO) data structure used to store temporary variables during program execution. When the stack overflows, the program stops execution immediately and displays a corresponding error message. Stack overflow attacks are the most common type of buffer overflow attacks. For a stack overflow attack to be carried out, programs must write data to the stack and the size of the written data must not be controlled.
• Heap overflow: It occurs when the memory allocated dynamically by the program exceeds the heap size. A heap is a first in first out (FIFO) data structure used to store data that is required for a long time during program running. When the heap overflows, even if the program does not stop execution immediately, the program may be unstable or even crash. In malicious attacks, attackers may use heap buffer overflow to execute arbitrary code or obtain sensitive information.
• Format string overflow: In programming languages, when the format string function is used to generate character strings and the format string is customized by users, attackers can forge the format string and use the features of the *printf() series functions to snoop on the content in the stack space. Ultra-long input can cause conventional buffer overflow, or it can use %n to overwrite the pointer or return address.
• Integer overflow: Each integer type in a computer language has a value range. An integer overflow occurs when an arithmetic operation attempts to create a numeric value outside of the range that can be represented with a given number of digits — either higher than the maximum (overflow) or lower than the minimum representable value (underflow). For example, a 16-bit integer ranges from –32768 (–2¹⁵) to +32767 (2¹⁵ – 1). In this case, an overflow occurs when 32767 is incremented by 1 and an underflow occurs when –32768 is decremented by 1. Most integer overflows cannot directly exploit vulnerabilities triggered by items, such as integer ranges and symbols. However, if the integer variable determines operations such as memory allocation, it can be indirectly exploited as a vulnerability.
• Unicode overflow: It creates a buffer overflow by inserting unicode characters into an input that expects ASCII characters. ASCII and unicode are encoding standards that let computers represent text. Because there are so many more characters available in unicode, many unicode characters are larger than the largest ASCII character. The unicode overflow can change the way the program works, resulting in further security problems.

How Do Attackers Exploit Buffer Overflows?

An attacker can feed a carefully crafted input into a program to cause the program to try and store the input in a buffer. The input can then overwrite portions of memory connected to the buffer space. If the memory layout of the program is well-defined, the attacker can intentionally overwrite areas known to contain executable code, and replace the code with their own executable code, which can make the program work in a way that it was not intended to. Buffer overflow attacks are typically launched as follows:

1. Inject attack code.
2. Jump to the attack code.
3. Execute the attack code.

The attacker can exploit many methods. The following describes two commonly used methods for launching buffer overflow attacks:

• Stack overflow attacks are used to damage stack data.

  The attacker can exploit buffer overflow vulnerabilities to damage objects, including ARG (actual parameter when the function is called), RETADDR (address of the next operation instruction in the memory), EBP (stack frame status value before the function is called), and LOCVAR (local variable in this function).

  A common stack overflow exploit is to change the value of RETADDR and store the address of the attack code injected into the stack or the addresses of some privileged system functions in the code area to RETADDR. If the value of RETADDR is changed, after the function is called, the program jumps to the address designed by the attacker to execute the instructions that the attacker wants to execute. In this way, the attacker obtains the system control permission, which can have serious consequences. EBP is also often targeted. The attacker constructs a virtual stack frame whose RETADDR points to the attack code, and then overflows with the EBP value of the current stack frame. The overflowed EBP value becomes the address of the constructed virtual stack frame. Finally, the constructed virtual stack is used. After the current stack frame is executed, so too is the virtual stack frame. Then, the program jumps to the location to which the RETADDR value of the virtual stack frame points. By doing so, the program finally jumps to the address designed by the attacker to execute attack instructions.

• Heap overflow attacks are used to damage heap data.

  Memory allocation in the heap is dynamic and discontinuous, making it difficult for attackers to predict addresses. Although launching heap overflow attacks is more difficult than launching stack overflow attacks, they can still be launched by attackers using certain techniques.

  Dword Shoot attack: Dword Shoot can write any data to any position in the memory. One word is equal to four bytes. That is, a program is executed to write four bytes of data to a 4-byte address to implement malicious operations. Dword Shoot attacks use Dword Shoot to perform malicious operations. Both Linux and Windows manage heaps with doubly linked lists. Each allocated memory block consists of three parts: head pointer, tail pointer, and memory data. Heap memory management includes allocation and release. When the heap memory M is released, M is removed from the linked list and the M→head→tail=M→tail operation is performed. If an attacker overflows into memory space adjacent to M, modifies the head pointer of M to point to a specifically designed virtual node, and alters the tail pointer of M to point to a designated location (for example, shellcode), the tail pointer of the virtual node will then point to the shellcode after the M→head→tail=M→tail operation is performed. As a result, the tail pointer that calls the virtual node turns to shellcode. Another operation M→tail→head=M→head during the removal from the linked list can also be used to implement attacks.

  Heap spraying attack: Heap spraying is a technique used by the attacker in exploits to enable the execution of arbitrary code. It works by adding a large amount of slide code (meaningless instructions that do not affect program execution but occupy memory space so that attack instructions can be executed) in front of the shellcode to form an injection code segment. Then, the attacker applies for a large amount of memory from the system, repeatedly injects code segments to fill up the memory, and uses other vulnerability attack techniques to control the program flow. In this way, the program jumps to the heap and executes the shellcode, after which the core attack instructions in the shellcode are executed to obtain the system control permission.

How Can Buffer Overflow Attacks Be Prevented?

Buffer overflow attacks are the most common type of remote network attacks. Such attacks can enable an anonymous Internet user to gain partial or total control over a host. If buffer overflow vulnerabilities could be effectively eliminated, a very huge portion of security threats would also be addressed. There are several basic methods to protect the buffer from buffer overflow attacks and impacts. The specific methods are as follows:

• Checking the integrity: Perform the checking before the program pointer becomes invalid.
• Randomizing the address space: Arrange the address space positions in the key data area randomly. Typically, buffer overflow attacks require the locations of executable code, which is almost impossible after the address space is randomized.
• Preventing data execution: Mark some areas of memory as executable or non-executable to prevent attacks that run code in non-executable areas.
• Writing secure code: Use a compiler that can help identify unsafe functions or errors, and use the compiler's bounds functionality checking to protect the buffer. Avoid using functions that do not check the buffer (for example, in the C language, replace gets() with fgets()). Use built-in protected languages or use special security programs in the language code to prevent buffer overflow vulnerabilities.

Despite the preceding preventive measures, new buffer overflow vulnerabilities can still be detected. When a new vulnerability is detected, engineers need to fix the affected software and ensure that users of the software can obtain patches in time.

How Does Huawei Help Defend Against Buffer Overflow Attacks?

Huawei offers a rich portfolio of security solutions and products to address the increasing complexity of network environments. These solutions enable quick detection of security risks and reduce the impact of buffer overflows.

• HiSec Insight Security Situation Awareness System

  HiSec Insight enables the capability of disabling code execution on memory pages to prevent buffer overflow vulnerabilities and enhance system security. The memory address randomization mechanism is enabled to randomize the layout of linear areas such as heaps, stacks, and shared library mappings. This makes it more difficult for attackers to predict destination addresses and prevents attackers from directly locating attack code, thereby preventing overflow attacks.

• HiSecEngine USG6000E and 6000F Series AI Firewalls

  HiSecEngine USG6000E and 6000F series AI firewalls help implement strict control on inbound and outbound traffic to defend against intranet and Internet threats. With content security functions such as application identification, IPS, antivirus, URL filtering, and mail filtering, the USG series AI firewalls can effectively block buffer overflow attacks, thus protecting servers and users on the intranet from threats. In addition, through signature database update, the HiSecEngine USG6000E and 6000F series AI firewalls can obtain the latest threat intelligence in time to accurately detect and defend against vulnerability exploits.