Just because it’s made of awesome

One of my classes this semester is ECE 4112: Internetwork Security.

Really, that’s just a euphemism for “Hacking 101.”

This week’s lab is all about buffer overflow exploits. Without succumbing too wholly to nerdspeak, buffers are intermediary data receptacles for information that is being processed somehow. Say, information coming in over a network connection, or even a blog entry submitted on a website form. All this data is stored in a buffer to be processed.

Maliciously overflowing that buffer with more information than it has space to handle can incite some rather interesting and alarming consequences. Simple enough in concept, but in order to actually execute such an exploit, one must possess very specific knowledge of how a program implements its data buffer. Specifically, knowledge of memory organization is a must.

As a warm-up exercise, we created a simple program in C that executed a harmless buffer overflow (“harmless” in the sense that we didn’t try to escalate our privileges or corrupt data) that had the effect of skipping a line of code in the program entirely. Here’s the code:

#include <stdio.h>
#include <stdlib.h>

void function(int a, int b, int c) {
  char buffer1[5];
  char buffer2[10];
  int* ret;

  /* aim ret at the saved return address: buffer1 plus the offset
     measured for this compiler and platform (28 bytes here) */
  ret = (int*)(buffer1 + 28);
  /* bump the return address past the "x = 1;" instruction (10 bytes here) */
  (*ret) += 10;
}

void main() {  /* yes, yes, main() is void and it should be int... */
  int x;
  x = 0;
  function(1, 2, 3);
  x = 1;
  printf("%d\n", x); /* print the value of the variable x */
}

Essentially, when “main()” executes, it creates a variable called “x” and sticks the value of 0 in it. Then “function()” is called with parameters 1, 2, and 3, respectively. Utilizing knowledge of how the stack grows and where static variables are allocated, we do a bit of pointer arithmetic (oh so dangerous, but oh SO GLORIOUS…LY NERDTACULAR) and align the “ret” pointer to point to the actual executing program.

Except, it’s pointing at the line of code after “x = 1.”

So, in essence, “function()” is called, but when it comes back to that line, with the pointer arithmetic and subsequent program counter modifications, the next line that is executed is the “printf()” statement. So the value printed out is 0!

Pretty slick, huh?

Even more interesting…I’ve tested this code on both Linux and BSD machines, and it only works as I’ve specified here on the Linux machines. BSD must implement the stack differently, as the program executes as it is supposed to: the value of “x” that is printed is 1. Yet another example of how platform-dependent C really is.
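The program above simulates the overflow with pointer arithmetic; in a real program the same return address gets clobbered by an unchecked copy of external input into a fixed-size stack buffer. As an added example (not from the lab or the post), here is that unchecked pattern beside the bounds-checked form that makes it infeasible; the buffer size, function names and sample inputs are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* The pattern that makes the trick reachable from outside: the caller's
   data is copied into a fixed-size stack buffer with no length check, so
   anything past BUF_SIZE-1 bytes runs into whatever the compiler placed
   above the array (other locals, the saved frame pointer, the return
   address). Shown for contrast only; never reached with long input here.
   Returns the number of bytes copied (excluding the NUL). */
size_t unchecked_copy(char *dst, const char *src) {
    strcpy(dst, src);            /* no bound: writes strlen(src)+1 bytes */
    return strlen(src);
}

/* Hardened form: refuses input that would not fit and always leaves dst
   NUL-terminated. Returns 0 on success, -1 if src is too long. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) {
        if (dst_size > 0) dst[0] = '\0';   /* leave a valid empty string */
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Models a request handler that stores one line of untrusted input. */
int handle_line(const char *line) {
    char buffer[BUF_SIZE];
    if (bounded_copy(buffer, sizeof buffer, line) != 0) {
        fprintf(stderr, "rejected %zu-byte line (limit %d)\n",
                strlen(line), BUF_SIZE - 1);
        return -1;
    }
    printf("stored: %s\n", buffer);
    return 0;
}

int main(void) {
    /* constructed sample inputs: one that fits, one that would overflow */
    handle_line("hello");
    handle_line("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    return 0;
}
```

Compiling with warnings enabled is the cheap check here: a modern gcc or clang flags the bare strcpy, and stack protectors only abort after the overwrite has already happened.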

…and I think that’s enough nerdulance for one day. I have a…food…in the oven.


About Shannon Quinn

Oh hai!
This entry was posted in Academics, Programming.

5 Responses to Just because it’s made of awesome

  1. eksith says:

    Must… Resist… Urge… Aaaaaaarrrgh!

    Actually this will only work on systems with no buffer check or any system that runs apps in userland (where no one cares if you detonate a nuke or something).

    Win95 – XP systems might run it quite happily, but Vista has something called DEP (Data Execution Prevention) which is technically capable of overriding and shutting down any program that it thinks is “acting funny”. Memory juggling of this calibre would set off some alarms.

    Of course that depends on how the user has set up DEP.

    On OpenBSD this would be impossible as every app gets scrutinised during run-time for buffer overflows. Plus the system runs in protected memory.

  2. magsol says:

    Hey, this is how I learn! 🙂 I appreciate your feedback.

    I realize I forgot to mention that simple yet oh-so-important caveat: no bounds checking = feasible for buffer overflows. Any attempts in Java, for instance, would fail miserably (as far as I know, anyway).

    I did not know about DEP. Very interesting. Vista did a good job with security…but I hope I’m not stepping on any toes if I declare that I don’t think it did a very good job at much else.

    And I also was not aware that BSD/OS X (which is what I ran the snippet on) actually did bounds checking.

    For someone who claims not to like technology (hope you don’t mind if I scanned your WordPress :P), you certainly have scoped out the object of your dislike. I do enjoy learning these facts from someone more knowledgeable and experienced than myself, though, so I appreciate your input. 🙂

  3. eksith says:

    Glad you liked my ramblings 😉

    OS X is actually based on FreeBSD, which is a pretty secure system on its own, but not as secure as OpenBSD. Those guys are paranoid beyond all reason. I wouldn’t be surprised at all if the military uses OpenBSD for some of their most secure stuff.

    As for Vista… well… we shall see.
    I’m actually learning to run C# apps on Linux.

    I’m no tech guru, really. A lot of stuff, I taught myself.
    Which would explain why I call some things that “doohickey” or “thingamajig” or “doodad”. I’m sure I’ll learn the real terms for them if I took a class for it, but for now, I have to settle for people asking me “What the devil are you talking about?!” 😉

  4. magsol says:

    I knew OS X had a FreeBSD core (in tandem with the Mach kernel), but I wasn’t as educated in the differences between FreeBSD and OpenBSD. I’ll have to do some more tinkering around with the latter.

    Haha, I’m slated to receive my undergraduate degree in CS in August, and yet I still refer to things as “whatchamacallits” and “that thing at the place with the person and I’ll never forget it.” 😛

    Somewhat off-topic, but I’m insanely curious: how did you happen to stumble across this quiet corner of the intarwubs? It’s pretty cool that someone of your level of technical expertise has taken an interest in reading, but I was just wondering how you found me in the first place.

  5. eksith says:

    I’m very interested in new blogs. Particularly ones started by someone in the IT or CS fields.

    Whenever a new blog is created it’s a good opportunity to find something new that isn’t just focused on work, but fun! This area really needs some fresh perspectives.

    I’m pretty sick and tired of old timers sticking to the same way of doing things. New blogs are a good way to find something completely unorthodox or some completely new methods. Even if they seem risky or break a few protocols.

    I sure won’t find it in any IT meeting, but I might run across it by bumping into someone with fresh eyes.
