Stack Buffer Overflow
How it works ?
A buffer overflow occurs when a program tries to store more data in a buffer (a temporary storage area in memory) than it is designed to hold. This can cause the data to overwrite other parts of memory, potentially allowing an attacker to execute arbitrary code or crash the program.
Here is an example of a buffer overflow vulnerability in C:
char buffer[16];
printf("Enter a string: ");
scanf("%s", buffer);Here is a diagram showing the buffer in memory:
address | values
------------+-------------------------------------------------------------------
| +------------------------- buffer ---------------------------+
0xffffd280: | | 0x01 0x00 0x00 0x00 0x54 0xd3 0xff 0xff |
0xffffd288: | | 0x5c 0xd3 0xff 0xff 0xad 0x62 0x55 0x56 |
| +------------------------------------------------------------+
0xffffd290: | 0xb0 0xd2 0xff 0xff 0x00 0x00 0x00 0x00
0xffffd298: | 0x00 0x00 0x00 0x00 0x46 0xce 0xdd 0xf7
... | ...Initially, the buffer occupies a 16-byte area in memory and is empty. When the user enters the string "ABCDEFGHIJKLMNOPQRSTUVWCYZ", it is stored in the buffer, causing a buffer overflow because the string is 26 bytes long, which is more than the size of the buffer which is 16 bytes:
address | values
------------+-------------------------------------------------------------------
| +------------------------- buffer ---------------------------+
0xffffd280: | | 0x41 0x42 0x43 0x44 0x45 0x46 0x47 0x48 |
0xffffd288: | | 0x49 0x50 0x51 0x52 0x53 0x54 0x55 0x56 |
| +------------------------------------------------------------+
| +------------------------ OVERFLOW --------------------------+
0xffffd290: | | 0x57 0x58 0x59 0x60 0x61 0x62 0x63 0x64 |
| | +----------------------------------------------+
0xffffd298: | | 0x65 0x66 | 0x00 0x00 0x46 0xce 0xdd 0xf7
| +-------------+
... | ...How to prevent ?
There are several ways to prevent buffer overflow vulnerabilities in your programs. Some of the most common methods include the following:
Use safe string functions: Instead of using the standard C string functions, which do not perform bounds checking, you can use safe string functions such as strncpy(), strncat(), and snprintf() that allow you to specify the maximum number of characters to copy or concatenate. This ensures that the destination buffer will not be overflowed.
char buffer[16];
// Use strncpy() to copy at most 15 characters from src to buffer
strncpy(buffer, src, 15);
// Use strncat() to concatenate at most 15 characters from src to buffer
strncat(buffer, src, 15);
// Use snprintf() to write at most 15 characters from src to buffer
snprintf(buffer, 15, "%s", src);Check the length of input strings: Before copying input strings into a buffer, you should check their length to ensure that they do not exceed the size of the buffer. If the input string is too long, you can either truncate it or allocate a larger buffer to hold it.
char buffer[16];
// Use scanf() to read at most 50 characters into buffer
scanf("%15s", buffer);Use a modern compiler: Modern compilers, such as GCC and Clang, have features that can help prevent buffer overflows. For example, they can automatically insert runtime checks to ensure that buffer accesses do not exceed the bounds of the allocated memory.
// Use the -fstack-protector flag when compiling with GCC or Clang
gcc -fstack-protector myprogram.c
clang -fstack-protector myprogram.cLast updated