How do buffer overflow attacks work?

A buffer overflow results from programming errors and testing failures and is common to all operating systems. These flaws permit attacking programs to gain control over other computers by sending long strings with certain patterns of data. Over half of the security advisories from CERT, e.g. the August 2001 "Code Red", trace to this widespread weakness of the software industry. This module of Java applets is developed to educate student and industrial programmers to avoid the practices that cause buffer overflows, as one step toward controlling the continuing effects of this avoidable problem.

Funding Source: NSF Award No. 0113627, "Increasing Security Expertise in Aviation-oriented Computing Education: A Modular Approach", at Embry-Riddle Aeronautical University in Prescott, Arizona.

This module is still in progress, with additional educational evaluation and technical content to be added. As is, the module may be used by an instructor knowledgeable about runtime environments and C programming in classes such as: operating systems, C/C++ and assembly programming, compiler and software tools, surveys of programming languages, and computer security.

Contacts: For questions, comments, or source code for the buffer overflow module, Jed Crandall. General comments and feedback to Dr. Susan Gerhart.

Background reading: For basic prerequisite knowledge of buffer overflows, a good reading is http://www.rsasecurity.com/rsalabs/technotes/buffer/buffer_overflow.html

Module Structure: Each module uses an abstract machine with a small memory (on the right) showing the run-time stack.

The abstract machine rests on some assumptions the user should be made aware of: (1) all library functions, such as gets() and puts(), are compiled inline and therefore don't require a function call; (2) allocation for a function's parameters and for its local variables takes place at the same time, and the return address is put on the stack last; (3) the stack grows "up" in memory; (4) the machine does not necessarily reflect the workings of any particular architecture or C compiler.

Module Applets: Each applet requires Java 1.3 plug-in. Click the animation buttons at the top.

  • Jumps: An introduction to the way languages like C use stack frames to store local variables, pass variables from function to function by value and by reference, and also return control to the calling subroutine when the called subroutine exits. This uses pseudocode in the place of C. 
  • Stacks: The same as above but using C instead of pseudocode. 
  • Spock: Demonstrates what is commonly called a "variable attack" buffer overflow, where the target is data. 
  • Smasher: Demonstrates a "stack attack," more commonly referred to as "stack smashing." 
  • StackGuard: This demo shows how the StackGuard compiler can help prevent "stack attacks." 
  • bodemo: This is a mock attack on a Linux system demonstrating how an attacker can get a root shell. 
  • its4demo: Shows the output of ITS4, a static analyzer, on two different C programs. 
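The following C program is an added example, not code from the module or its applets. It models the abstract machine described above as a small byte array laid out under the page's assumptions (stack grows "up"; a local buffer, then another local, then a StackGuard-style canary, then the return address last) and replays the three situations the Spock, Smasher and StackGuard applets animate: an unbounded gets()-style copy that first overwrites the neighbouring variable (the "variable attack"), a longer copy that reaches the canary and return address (stack smashing, which the canary check catches), and a bounded fgets()-style copy that touches nothing past the buffer. The frame layout, canary value, caller return address and input strings are all constructed for the example; every write stays inside the simulated frame, so the program itself never corrupts real memory.

```c
/* Model of the module's abstract-machine stack frame (constructed for this
 * example). Layout follows the page's assumptions: the stack grows "up",
 * locals are placed buffer first, then the int `authenticated`, then a
 * StackGuard-style canary, and the return address is put on the stack last. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN    8                   /* char buf[8] in the modelled function */
#define OFF_BUF    0
#define OFF_AUTH   (OFF_BUF + BUF_LEN) /* int authenticated, right after buf */
#define OFF_CANARY (OFF_AUTH + 4)      /* StackGuard canary guarding the return */
#define OFF_RET    (OFF_CANARY + 4)    /* return address, pushed last */
#define FRAME_LEN  (OFF_RET + 4)

#define CANARY_VALUE 0xDEADBEEFu /* constructed; real StackGuard uses a random or terminator canary */
#define CALLER_RET   0x00001000u /* constructed "return address" of the caller */

/* Constructed inputs: 11 'A's only reach the neighbouring variable,
 * 24 'A's run through the canary and the return address. */
static const char VARIABLE_INPUT[] = "AAAAAAAAAAA";
static const char SMASH_INPUT[]    = "AAAAAAAAAAAAAAAAAAAAAAAA";

typedef struct { unsigned char mem[FRAME_LEN]; } frame_t;

static void put32(frame_t *f, size_t off, uint32_t v) {
    for (int i = 0; i < 4; i++) f->mem[off + i] = (unsigned char)(v >> (8 * i));
}
static uint32_t get32(const frame_t *f, size_t off) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)f->mem[off + i] << (8 * i);
    return v;
}

/* Fresh frame as the callee sets it up: buffer zeroed, not authenticated,
 * canary placed, caller's return address stored last. */
static void frame_enter(frame_t *f) {
    memset(f->mem, 0, FRAME_LEN);
    put32(f, OFF_AUTH, 0);
    put32(f, OFF_CANARY, CANARY_VALUE);
    put32(f, OFF_RET, CALLER_RET);
}

/* gets()-style copy: writes until the input's NUL, never consulting BUF_LEN.
 * Returns how many bytes spilled past the buffer. It stops at the end of the
 * simulated frame only so the model stays inside its own array. */
static size_t copy_unbounded(frame_t *f, const char *input) {
    size_t n = strlen(input) + 1;               /* gets() also stores the NUL */
    if (n > FRAME_LEN - OFF_BUF) n = FRAME_LEN - OFF_BUF;
    memcpy(f->mem + OFF_BUF, input, n);
    return n > BUF_LEN ? n - BUF_LEN : 0;
}

/* fgets()-style copy: at most BUF_LEN-1 characters plus the terminating NUL,
 * so nothing beyond buf is ever written; the rest of the input is dropped. */
static size_t copy_bounded(frame_t *f, const char *input) {
    size_t n = strlen(input);
    if (n > BUF_LEN - 1) n = BUF_LEN - 1;
    memcpy(f->mem + OFF_BUF, input, n);
    f->mem[OFF_BUF + n] = '\0';
    return 0;
}

/* What the caller sees after the copy. canary_ok is StackGuard's exit check:
 * a changed canary means the return address cannot be trusted and the
 * program should abort instead of returning through it. */
typedef struct { uint32_t authenticated; int canary_ok; uint32_t ret; size_t spilled; } outcome_t;

static outcome_t run_scenario(int bounded, const char *input) {
    frame_t f;
    outcome_t o;
    frame_enter(&f);
    o.spilled = bounded ? copy_bounded(&f, input) : copy_unbounded(&f, input);
    o.authenticated = get32(&f, OFF_AUTH);
    o.canary_ok = get32(&f, OFF_CANARY) == CANARY_VALUE;
    o.ret = get32(&f, OFF_RET);
    return o;
}

static void report(const char *label, outcome_t o) {
    printf("%-18s spilled=%2zu authenticated=0x%08" PRIx32 " canary_ok=%d ret=0x%08" PRIx32 "\n",
           label, o.spilled, o.authenticated, o.canary_ok, o.ret);
}

int main(void) {
    report("variable attack:", run_scenario(0, VARIABLE_INPUT)); /* only `authenticated` changes */
    report("stack smash:",     run_scenario(0, SMASH_INPUT));    /* canary and return address overwritten */
    report("bounded copy:",    run_scenario(1, SMASH_INPUT));    /* frame untouched beyond buf */
    return 0;
}
```

The point of the model is the ordering: with the buffer lowest in the frame and the stack growing up, the first bytes past the end land in the adjacent variable, so a program can be subverted without any control-flow change; only longer input reaches the return address, and that is exactly the region the canary stands in front of. The bounded copy is the fix the module argues for in code: the length passed to the read is the length of the buffer, so the neighbours are never reachable.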



© Embry-Riddle Aeronautical University, 20 June 2002