Buffer Overflow Tutorial: A Brief Overview of an All-Too-Common Vulnerability

IStock_000015265862_Large

As far back as 2003, buffer overflow attacks constituted a full 23% of all identifiable digital vulnerabilities. Today, buffer overflow attacks still pose a substantial threat with last year’s vulnerability – known as “Ghost” – allowing attackers to essentially take control of business’ online systems. Other common Internet worms such as Slapper, Code Red, or Slammer also involve buffer overflow as part of their attack method.

Given the risks that buffer overflow attacks pose, understanding exactly what buffer overflow attacks are as well as how to address them is crucial to online security.

What is a buffer overflow attack?

A buffer overflow attack involves exploiting the “input streams memory allocation” function (i.e., the buffer) of an online function form with an abnormally long stream of characters. This type of attack normally takes advantage of improper input checking or poor coding.

As a simple illustration, imagine that a programmer creates a name form field with a pre-defined memory limit of 25 characters (that is, 25 bytes of information). Attackers can easily take advantage of this 25 character limit by entering additional characters into the input stream (the function field). When this happens, those additional characters allow the attacker to “step” into memory that was outside of the original allocated region. Often this “step” is unintentional and involves no malicious intent by the user. However, when the user is malicious, overflowing the input field can result in a program malfunction or even crash the system itself.

Even more detrimental, however, overflown inputs can also be used to send unauthorized commands and program executions to an unguarded system. This is precisely where serious security risks from buffer overflow attacks arise.

How do buffer overflows effect security and performance?

A recent example of just such a buffer overflow attack is Ghost.

Ghost utilizes the input function “gethostbyname,” which translates domain names into their numerical IP addresses. This function is included in all GNU C libraries, which in turn is included in every Linux Operating System.

Ghost exploits the small amount of memory input the “gethostbyname” function normally contains. When the “gethostbyname” function experiences an overflow, additional memory not associated with the original function is overwritten thus allowing the attacker to either crash the OS itself or to execute code remotely that they otherwise would not have access to.

Simply put, Ghost gives an attacker code-level control of your system or its dependent server.

What’s more, the “gethostbyname” function occurs whenever a system performs a name-to-number lookup. This can include everyday activities like using email services or even posting to a site.

Fortunately, there are ways to mitigate Ghost. Mitigation techniques include identifying vulnerable systems, deploying reactionary process, and prioritizing remediation on asset-critical systems. Most notably, Unified Security Management (USM) works by scanning your inputs for vulnerabilities that require patching. In addition to the detection of vulnerabilities, USMs can also monitor attacker attempts.

Aside from Ghost, an attacker has other ways of compromising or infecting systems or servers through a stack.

System processes typically involve memory blocks that contains three segments: the code, the data, and the stack. The stack holds the information for each function’s call and includes a return address that tell the system where to return to in the code once a function is complete. An attacker can cause an overflow using a specific input or command buffer to overwrite the return address toward their own malicious code instead of the originally called function. In this way, once again, attackers can manipulate entire systems at the code level.

Why isn’t a firewall enough?

A buffer overflow attack can be prevented or mitigated with proper coding practices or boundary checking on input received from users.

If an input exceeds the allocated number of characters then the buffer size should be truncated or blocked. Unfortunately, dynamically increasing the size of the number of allocated bytes is not an option as a user can force the program to allocate an abnormally large amount of memory, which may lead to other vulnerabilities such as program crashes.

Firewalls themselves, while essential security measures, cannot detect the length of these buffers and therefore cannot determine whether or not the user entered a valid size. Most intrusion detection and prevention systems likewise cannot enforce mitigation tactics against buffer overflow attacks.

bufferoverflow
So, how do you protect yourself against buffer overflow attacks?

Unfortunately, as John Clark, Deputy Head of Department (Research), for University of York explains: “To make buffer overflows a thing of the past will require an enormous amount of due diligence – systematic, thorough code review and testing – as new code is written. But the sheer volume of code that exists, such as the potentially 15-year-old lines that include this flaw, never mind that being written anew, should give some indication of the scale of the task.”

Thankfully, Imperva SecureSphere is specially designed to protect against buffer overflow attacks by learning the exact size constraint of each parameter that is sent to a function. SecureSphere also monitors attempts to send abnormally long streams of characters that would be used for malicious purposes and enforces correlations rules that allow for easier detection of an overflow attack.

In place of such an “enormous amount of due diligence,” you can learn more about how Imperva secures your systems against buffer overflow attacks here.