A buffer overflow
results from programming errors and testing failures and is common to
all operating systems. These flaws let an attacking program take
control of another computer by sending it long strings carrying carefully
chosen patterns of data. Over half of the security advisories from CERT, e.g. the August 2001 "Code Red", trace to
this widespread weakness of the software industry. This module of Java
applets was developed to teach student and industrial programmers to
avoid the practices that cause buffer overflows, as one step toward controlling
the continuing effects of this avoidable problem.
The module may
be used by an instructor knowledgeable about runtime environments and
C programming in classes such as: operating systems, C/C++ and assembly
programming, compilers and software tools, surveys of programming languages,
and computer security.
Instructor's
guide to the module: View the Instructors'
Guide for Demonstrating Buffer Overflows, with tips and information on
presenting the module.
Download
specific presentations, quizzes, and defense tools at Buffer
Overflow Resources.
Download
the Complete Module:
The complete download (~20 MB) consists of:
- An Interactive
Authorware piece (executable program for Windows)
- Buffer overflow
demos (requires Java)
- Presentation-Ready
Powerpoints (requires Powerpoint)
- Defense tools
- Exercises
- Online Demos
- Quizzes
Buffer
Overflow Demos: Each applet requires the Java 1.3 plug-in. Click on
the link to open the demo, then click the animation buttons at the top
of the screen. You may need to wait a moment for the applet to load.
For more detailed help, download the PowerPoint presentation How
to use the Demo applets.
You can download
all of the demos in one archived file to run locally on your computer:
BOallDemos.tar (660 KB) or BOallDemos.zip
(120 KB)
Or view each
demo online:
- Stacks:
An introduction to the way languages like C use stack frames to store
local variables, pass arguments from function to function by value and
by reference, and return control to the calling subroutine when the
called subroutine exits.
- Spock:
Demonstrates what is commonly called a "variable attack" buffer overflow,
where the target is data rather than control information: the overflowing
write changes a neighbouring variable instead of the return address.
- Smasher:
Demonstrates a "stack attack," more commonly referred to as "stack
smashing," where the overflow overwrites the saved return address.
- StackGuard:
This demo shows how the StackGuard compiler extension can help prevent "stack
attacks" by placing a canary value next to the return address and checking
it before the function returns.
- bodemo:
This is a mock attack on a Linux system demonstrating how an attacker
can get a root shell.
- its4demo:
Shows the output of ITS4, a static analyzer for C/C++ source, on two
different C programs.
- Jumps:
Shows how stacks are used to keep track of subroutine calls.
Demo Structure:
Each buffer overflow demo uses an abstract machine with a small
memory (displayed on the right side of the screen) showing the run-time
stack.
For the abstract
machine, there are some assumptions the user should be made aware
of:
- (1) All library functions, such as gets() and puts(), are compiled
inline and therefore need no function call (and no stack frame of
their own).
- (2) Allocation for a function's parameters and for its local variables
takes place at the same time, and the return address is put on the
stack last, i.e. above the locals.
- (3) The stack grows "up" in memory, toward higher addresses, so a
copy that runs past the end of a buffer moves toward the return
address. Most real architectures, including x86, grow the stack
downward, but a string copy still writes toward higher addresses
within the frame, so an overflow reaches the saved return address in
the same way.
- (4) The machine does not necessarily reflect the workings of any
particular architecture or C compiler.
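To make the abstract machine concrete, here is an added C model of it. It is not part of the original module or its applets; the frame layout, the constants RET_MAIN and CANARY, and the input strings are all assumptions of the model. It follows the assumptions above (locals first, return address stored last, copies moving toward higher addresses, an inline gets() with no bounds check) and walks through what the Spock, Smasher and StackGuard demos show: a variable attack that flips an is_admin flag, a stack-smashing input that replaces the return address, a StackGuard-style canary check, and the bounded copy that fixes the bug. It goes one step beyond the demos by also feeding the frame through an unchecked fixed-length read, which shows that the canary catches the return-address overwrite but not a variable attack that stops short of the canary.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the abstract machine's memory and of the vulnerable buffer. */
#define MEM_SIZE 32
#define BUF_LEN   8

/* Hypothetical constants for the model, not values from any real system. */
#define RET_MAIN 0x10   /* where the callee should legitimately return */
#define CANARY   0xAA   /* StackGuard-style canary (one byte here) */

/* One frame, lowest address first, in the order the demos draw it:
 * buffer, another local (an "is_admin" flag), the canary a StackGuard
 * build would insert, then the return address (stored last). */
enum {
    OFF_BUF    = 0,
    OFF_FLAG   = BUF_LEN,
    OFF_CANARY = BUF_LEN + 1,
    OFF_RET    = BUF_LEN + 2,
    FRAME_SIZE = BUF_LEN + 3
};

/* What the frame looks like after the copy has run. */
typedef struct {
    uint8_t flag;      /* value of the is_admin local */
    uint8_t ret;       /* value in the return-address slot */
    bool    canary_ok; /* what a StackGuard epilogue check would report */
} outcome;

static void push_frame(uint8_t *mem, unsigned fp)
{
    memset(mem + fp + OFF_BUF, 0, BUF_LEN);
    mem[fp + OFF_FLAG]   = 0;          /* not admin */
    mem[fp + OFF_CANARY] = CANARY;
    mem[fp + OFF_RET]    = RET_MAIN;
}

/* The demos' inline gets(): copy bytes upward until and including the
 * terminator, knowing nothing about the destination buffer's size.
 * The only stop is the end of the machine's memory. */
static void inline_gets(uint8_t *mem, unsigned dst, const char *line)
{
    size_t n = strlen(line);
    for (size_t i = 0; i <= n && dst + i < MEM_SIZE; i++)
        mem[dst + i] = (uint8_t)line[i];   /* line[n] is the '\0' */
}

/* An unchecked fixed-length read, like read(fd, buf, n): exactly n bytes,
 * no terminator written. */
static void inline_read(uint8_t *mem, unsigned dst, const uint8_t *data, size_t n)
{
    for (size_t i = 0; i < n && dst + i < MEM_SIZE; i++)
        mem[dst + i] = data[i];
}

static outcome inspect(const uint8_t *mem, unsigned fp)
{
    outcome o;
    o.flag      = mem[fp + OFF_FLAG];
    o.ret       = mem[fp + OFF_RET];
    o.canary_ok = (mem[fp + OFF_CANARY] == CANARY);
    return o;
}

/* Vulnerable callee fed one line through gets(). */
outcome run_gets(const char *line)
{
    uint8_t mem[MEM_SIZE] = {0};
    unsigned fp = 4;                 /* frame base; the caller's frame sits below */
    push_frame(mem, fp);
    inline_gets(mem, fp + OFF_BUF, line);
    return inspect(mem, fp);
}

/* Same callee fed n raw bytes through an unchecked read(). */
outcome run_read(const uint8_t *data, size_t n)
{
    uint8_t mem[MEM_SIZE] = {0};
    unsigned fp = 4;
    push_frame(mem, fp);
    inline_read(mem, fp + OFF_BUF, data, n);
    return inspect(mem, fp);
}

/* The fix: a bounded copy (fgets-style) that can never leave the buffer. */
outcome run_fgets(const char *line)
{
    uint8_t mem[MEM_SIZE] = {0};
    unsigned fp = 4;
    push_frame(mem, fp);
    size_t n = strlen(line);
    if (n > BUF_LEN - 1) n = BUF_LEN - 1;      /* leave room for the terminator */
    memcpy(mem + fp + OFF_BUF, line, n);
    mem[fp + OFF_BUF + n] = 0;
    return inspect(mem, fp);
}

static void report(const char *label, outcome o)
{
    printf("%-28s flag=%u ret=0x%02x canary=%s\n", label, (unsigned)o.flag,
           (unsigned)o.ret, o.canary_ok ? "intact" : "TRIPPED");
}

int main(void)
{
    /* Constructed inputs: 8 bytes fill the buffer; byte 9 lands on the flag,
     * byte 10 on the canary, byte 11 on the return address. */
    static const uint8_t flag_only[] = {'A','A','A','A','A','A','A','A', 0x01};
    report("normal input",            run_gets("hi"));
    report("Spock: variable attack",  run_read(flag_only, sizeof flag_only));
    report("same attack via gets()",  run_gets("AAAAAAAA\x01"));
    report("Smasher: stack smashing", run_gets("AAAAAAAA\x01\xbb\x20"));
    report("fixed: bounded copy",     run_fgets("AAAAAAAA\x01\xbb\x20"));
    return 0;
}
```

The difference between the two variable attacks is the point to dwell on: through gets() the terminating byte lands on the canary and the StackGuard check trips, but through a raw read() of exactly nine bytes the flag flips while the canary and return address stay intact, so a canary-based defence reports nothing. The bounded copy stops both, which is why the module teaches avoiding the unsafe practice rather than relying on run-time guards alone.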
Background reading:
For basic prerequisite knowledge of buffer overflows, a good reading
is http://www.rsasecurity.com/rsalabs/technotes/buffer/buffer_overflow.html.
Contacts:
For questions, comments, or general feedback, contact Dr.
Susan Gerhart (gerharts@erau.edu).
Feedback:
We would like to hear from you about how you used the buffer overflow
materials. Please use our Buffer
Overflow feedback form to submit feedback online, or go to the Feedback
index to report on your use of other modules in this series.