Buffer Overflow

"A buffer overflow is the computing equivalent of trying to pour two liters of water into a one-liter pitcher: some water is going to spill out and make a mess."(1) A buffer overflow, sometimes called a buffer overrun, occurs when a program writing data to a buffer (a contiguous section of memory) writes past the buffer's boundary and into adjacent memory. The Multics operating system created in the 1960s was particularly secure against buffer overflows due to a variety of checks built into the system's software (written in PL/I) and hardware. By contrast, some programming languages such as Pascal, C, and C++ do not require programmers to pre-define buffer sizes, which means that the compiler has no way to know the proper boundaries of the memory addresses involved. Even in programming languages that do define buffer sizes, such as C#, Java, and Visual Basic, there is no way to check every single circumstance, owing to the heavy use of "pointers" in modern programming.(2)

Example of a buffer overflow attack

The images below are representations of a computer's memory while it is running a program. The squares labelled "buffer" represent the region where a user-supplied string of characters is stored.

Figure 1: Intended buffer behavior
Figure 2: Buffer overflow attack

Figure 1 shows how a buffer is supposed to work: the user places the expected number of characters into the buffer, and the program continues to operate as expected. Figure 2 shows a buffer overflow attack, in which the characters spill past the buffer and allow an attacker to redirect the program into behavior it was not designed to perform, such as granting full administrator access to the system.

Consequences of buffer overflows

Overflows may cause serious problems. When an overflow occurs, the damage it causes depends on what exactly is in the memory that gets overwritten. If the program overflows into either the user's data space or the user's program area, the consequences are limited to the user and to the program in question. If the overwritten space contained already-used data or an already-executed program instruction, there might be no detectable effect at all; otherwise, errors or inaccuracies in the program may result, depending on the nature of the data overwritten.

A more troubling case is when a buffer overflow overwrites a return address, which tells the computer where to find its next set of instructions. An attacker can exploit this to seize control of a program by redirecting the computer to malicious instructions, possibly gaining full control over the system. Other suitable targets for overflow attacks are "pointers" to functions or variables, which allow an attacker to swap one function for another without the computer noticing the difference. Because they are difficult to identify, buffer overflows are the target of many forms of malicious code, including the SQL Slammer worm (sometimes called the Sapphire worm).(3) Defences against buffer overflow attacks include stack canaries and ASLR (address space layout randomization).
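The following C program is an added example, not part of the original page, that makes the two points above concrete: the "one-liter pitcher" spill described in the opening section, and the overwritten return address and canary defence described here. It models a stack frame as a struct (a buffer, then a guard value, then a stand-in for the saved return address) so that an unchecked copy visibly spills into the fields after the buffer, a length check prevents the spill, and a canary comparison detects a spill that did happen. All names (frame_t, CANARY_VALUE, copy_unchecked, copy_checked, canary_intact) and the sample inputs are invented for this illustration; the unchecked copy is clamped to the struct's own size so the demo stays well-defined C, whereas a real strcpy() would keep writing into whatever lies beyond.

```c
/* Added example: byte-level model of a stack frame to show a buffer
 * overflow spilling into the canary and return address, and the two
 * defences (bounds check, canary check). Names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE     8
#define CANARY_VALUE 0x5A5AC0DEu      /* constructed guard value */
#define FAKE_RETADDR 0x08048000u      /* constructed placeholder address */

typedef struct {
    char     buf[BUF_SIZE];   /* the "one-liter pitcher" */
    uint32_t canary;          /* guard placed right after the buffer */
    uint32_t ret_addr;        /* stand-in for the saved return address */
} frame_t;

/* Set up a clean frame: empty buffer, known canary, known return address. */
static void frame_init(frame_t *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary   = CANARY_VALUE;
    f->ret_addr = FAKE_RETADDR;
}

/* Vulnerable pattern: copies every input byte starting at buf with no
 * regard to BUF_SIZE, like strcpy()/gets() into a fixed buffer. The copy
 * is clamped to the whole frame only so this demo stays well-defined. */
static void copy_unchecked(frame_t *f, const char *input, size_t len) {
    size_t n = len < sizeof *f ? len : sizeof *f;
    memcpy((unsigned char *)f, input, n);     /* spills past buf */
}

/* Hardened pattern: refuse input that does not fit (leaving room for the
 * terminating NUL) and report the error to the caller. Returns 0 on
 * success, -1 if the input was rejected. */
static int copy_checked(frame_t *f, const char *input, size_t len) {
    if (len >= sizeof f->buf)
        return -1;
    memcpy(f->buf, input, len);
    f->buf[len] = '\0';
    return 0;
}

/* Canary check, the comparison a compiler's stack protector performs
 * before a function returns. Returns 1 if the guard is untouched. */
static int canary_intact(const frame_t *f) {
    return f->canary == CANARY_VALUE;
}

int main(void) {
    /* Constructed inputs: one that fits, one that is far too long. */
    const char *short_in = "hello";                 /* 5 bytes  */
    const char *long_in  = "AAAAAAAABBBBCCCCDDDD";  /* 20 bytes */
    frame_t f;

    frame_init(&f);
    copy_unchecked(&f, short_in, strlen(short_in));
    printf("unchecked/short : canary %s, ret_addr 0x%08x\n",
           canary_intact(&f) ? "intact" : "SMASHED", f.ret_addr);

    frame_init(&f);
    copy_unchecked(&f, long_in, strlen(long_in));
    printf("unchecked/long  : canary %s, ret_addr 0x%08x\n",
           canary_intact(&f) ? "intact" : "SMASHED", f.ret_addr);

    frame_init(&f);
    int rc = copy_checked(&f, long_in, strlen(long_in));
    printf("checked/long    : rc=%d, canary %s, ret_addr 0x%08x\n",
           rc, canary_intact(&f) ? "intact" : "SMASHED", f.ret_addr);
    return 0;
}
```

With the long input, the unchecked copy leaves the canary reading 0x42424242 ("BBBB") and the return-address field reading 0x43434343 ("CCCC"): exactly the spill Figure 2 depicts, and exactly what a canary check catches before the corrupted return address is ever used. The checked copy rejects the same input and leaves both fields untouched, which is the behaviour a bounds-checked language or a careful C programmer provides up front.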

Buffer overflows and the Morris worm

The Morris worm used buffer overflows as one of its three lines of attack. The worm sent a "specially constructed string of 536 bytes" to fingerd, a daemon running in the background on UNIX machines that normally provides network users with information about other users. The buffer overflow altered the return address of the main routine, pointing it to an alternate location in the buffer where malicious code had been placed. When the main routine returned, the code that was actually executed -- execve ("/bin/sh", 0, 0) -- connected the worm to a remote shell via a TCP connection, thus starting a new round of possible infections.(4)

More information

Smashing the Stack For Fun And Profit, a thorough technical examination of buffer overflow attacks. (http://www.phrack.org/issues/49/14.html#article)


1, 2, 3: Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing, 3rd Edition. New Jersey: Prentice Hall, 2003.

4: E. H. Spafford, "The Internet Worm: Crisis and Aftermath." Communications of the ACM 32, no. 6 (June 1989): 678-687.

Topic revision: r12 - 07 Apr 2015 - 15:32:20 - ThomasMisa