BYU Computer Science
CS 465 Introduction to Security and Privacy

Stack and Heap Overflows

Ungraded Quiz

  • Explain how a stack-based buffer overflow attack works
  • Explain how a heap-based buffer overflow attack works
  • Why would an attacker use a heap spray attack?

Relevance

  • Both stack and heap overflow attacks are REALLY common — see CVE list

Stack-Based Buffer Overflow Attacks

  • Understand the memory layout of a process (text, data, BSS, heap, stack) — see Figure 6.3, page 166
    • A buffer with static storage and no initializer, declared with a C statement such as: static int bufferX[4]; is placed in BSS (zero-filled at load time), whereas a local array such as char buf[16]; declared inside a function lives in that function's stack frame
  • Understand how a process uses the stack (one frame per active call, holding locals, the saved frame pointer and the saved return address) — see Figure 6.4, page 167
  • In a stack overflow, the attacker supplies more input than a local buffer can hold; the extra bytes overwrite the saved frame pointer and the saved return address above the buffer, so when the function returns the CPU jumps to an address the attacker chose, typically into attacker-supplied code (shellcode) written onto the stack as part of the same input. It is the CPU, not the OS, that executes it, which is why the attack depends on the stack being executable.
  • see Example, Buffer Overflow, page 167, Figure 6.5, page 168
  • Understand what a no-op sled is and why an attacker would use it: a run of one-byte no-op instructions placed in front of the shellcode, so the overwritten return address only has to land somewhere in the sled (execution slides forward into the shellcode) instead of hitting the first byte of the shellcode exactly, which the attacker usually cannot predict
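The return-address overwrite and the no-op sled described above, worked through in C as an added example written for these notes; it is not code from the course or the textbook. It models one stack frame as a struct in the classic x86-32 layout (buffer lowest, saved frame pointer and return address above it) and reads the overwritten return address back instead of jumping to it, so it runs safely on any machine. The buffer addresses and the three-byte stand-in shellcode are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one x86-32 stack frame in the classic layout: the local buffer
   sits at the lowest address, with the saved frame pointer and the saved
   return address above it. Writing past the end of buf runs upward into
   those two slots. All addresses used below are constructed stand-ins. */
#define BUF_SIZE 32
#define NOP      0x90                 /* x86 one-byte no-op */

struct frame {
    char     buf[BUF_SIZE];
    uint32_t saved_ebp;
    uint32_t ret_addr;                /* popped by RET when the function returns */
};
_Static_assert(sizeof(struct frame) == BUF_SIZE + 8, "no padding expected");

/* Stand-in shellcode: xor eax,eax ; int3. A real payload would go here. */
static const unsigned char shellcode[] = { 0x31, 0xc0, 0xcc };

/* The vulnerable copy: like strcpy()/gets(), it writes len bytes into a
   BUF_SIZE buffer with no check. Returns the return address the CPU would
   pop afterwards, so the effect of the overflow can be observed safely. */
static uint32_t vulnerable(const unsigned char *input, size_t len)
{
    struct frame f;
    f.saved_ebp = 0xbffff7f8u;        /* constructed value for the demo */
    f.ret_addr  = 0x080484c2u;        /* the caller's legitimate address */
    if (len > sizeof f) len = sizeof f;   /* keep the model in bounds */
    memcpy(&f, input, len);           /* the overflow: spills past buf */
    return f.ret_addr;
}

/* Attack string: [NOP sled][shellcode][filler][junk ebp][guessed buf address].
   Returns the payload length, or 0 if sled plus shellcode do not fit in buf. */
static size_t build_payload(unsigned char *out, size_t sled_len,
                            uint32_t guessed_buf_addr)
{
    size_t i = 0;
    if (sled_len + sizeof shellcode > BUF_SIZE) return 0;
    memset(out, NOP, sled_len);                     i += sled_len;
    memcpy(out + i, shellcode, sizeof shellcode);   i += sizeof shellcode;
    memset(out + i, 'A', BUF_SIZE - i);             i  = BUF_SIZE;
    memset(out + i, 'B', 4);                        i += 4;   /* saved_ebp */
    for (int b = 0; b < 4; b++)                     /* ret, little-endian */
        out[i++] = (unsigned char)(guessed_buf_addr >> (8 * b));
    return i;
}

/* Does the hijacked return address land on the sled or exactly on the
   shellcode? If so the CPU slides through the no-ops into the payload. */
static int exploit_succeeds(uint32_t actual_buf_addr, size_t sled_len,
                            uint32_t guessed_buf_addr)
{
    unsigned char payload[sizeof(struct frame)];
    size_t n = build_payload(payload, sled_len, guessed_buf_addr);
    if (n == 0) return 0;
    uint32_t hijacked = vulnerable(payload, n);
    return hijacked >= actual_buf_addr && hijacked <= actual_buf_addr + sled_len;
}

/* How many guesses in [actual-64, actual+64] succeed for a given sled length?
   Without a sled exactly one guess works; with a sled, sled_len + 1 do. */
static int guesses_that_work(uint32_t actual_buf_addr, size_t sled_len)
{
    int ok = 0;
    for (int d = -64; d <= 64; d++)
        ok += exploit_succeeds(actual_buf_addr, sled_len,
                               actual_buf_addr + (uint32_t)d);
    return ok;
}

int main(void)
{
    uint32_t actual = 0xbffff720u;    /* where buf really is (constructed) */
    printf("no sled:      %d working guess(es)\n", guesses_that_work(actual, 0));
    printf("20-byte sled: %d working guess(es)\n", guesses_that_work(actual, 20));
    return 0;
}
```

The two counts printed by main are the whole point of the sled: the attacker's guess of where the buffer lives may be off by a few bytes on a different machine, and every byte of sled turns one more near-miss into a hit. Stack canaries, non-executable stacks and address randomization each break a different step of this chain, which is why real exploits must get past all three.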

Heap-based Buffer Overflow Attacks

  • The heap is most dangerous when it is both writable and executable, because the attacker can then place code there and redirect execution into it; but even a non-executable heap lets an overflow corrupt data that steers control flow
  • see Figure 6.6, page 169 to understand why an attacker writing to the heap is dangerous
  • see Figure 6.7, page 169 for an example of overwriting a function pointer
  • Understand the types of state that can be corrupted: function pointers and jump-table indices, pointers and length fields in neighbouring objects, and the allocator's own chunk metadata
  • Understand the exploit steps: find a heap buffer that is written without a bounds check, arrange for an object holding a code pointer to sit after it in memory, overflow so that the pointer now holds the attacker's chosen address, then trigger the program's normal call through that pointer
  • Understand the elements of a heap spraying attack — see Figure 6.8, page 170: the attacker cannot predict where a payload will land, so they allocate many copies of a no-op sled followed by shellcode, making it likely that a corrupted pointer with only an approximate value lands in some sled

Jump table:

    /* A switch on a corruptible value compiles to a jump table (an array of code
       addresses indexed by the value); corrupt the index or the table and control
       transfers to an address of the attacker's choosing. */
    static int state;          /* in BSS; corruptible by an adjacent overflow */
    int MyJump(int c)
    {
        switch (state)
        {
        case 0:
            goto func0label;
        case 1:
            goto func1label;
        case 2:
            goto func2label;
        }
        return -1;             /* no handler for this state */
    func0label:
        return c;              /* handler for state 0 */
    func1label:
        return c + 1;          /* handler for state 1 */
    func2label:
        return c + 2;          /* handler for state 2 */
    }
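The function-pointer overwrite (Figure 6.7) and the heap spray (Figure 6.8) from the list above, worked through in C as one added example written for these notes; it is not code from the course or the textbook. The heap is a constructed model: a byte array served by a trivial bump allocator, so the buffer and the record holding the function pointer are guaranteed to be adjacent and the run is deterministic. A real allocator puts chunk headers between blocks and may place them anywhere, but the corruption works the same way. The attacker's target is a local function standing in for injected code, and the three-byte shellcode used by the spray is a stand-in.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled heap: a byte array handed out by a bump allocator, so the two
   allocations in process() are adjacent and the demo is deterministic.
   Real allocators keep chunk headers between blocks; the idea is the same. */
#define HEAP_SIZE 4096
#define NOP       0x90                            /* x86 one-byte no-op */
static _Alignas(16) unsigned char heap[HEAP_SIZE];
static size_t heap_top;

static void heap_reset(void) { heap_top = 0; memset(heap, 0, HEAP_SIZE); }

static void *heap_alloc(size_t n)
{
    n = (n + 15) & ~(size_t)15;                   /* 16-byte granularity */
    if (n == 0 || heap_top + n > HEAP_SIZE) return NULL;
    void *p = heap + heap_top;
    heap_top += n;
    return p;
}

/* Victim object: a record holding a function pointer that the program calls
   later. It is allocated right after a 16-byte user-controlled buffer. */
typedef int (*handler_fn)(void);
struct record { handler_fn handler; };

static int legit_handler(void)    { return 1; }   /* what the program intends */
static int attacker_handler(void) { return 42; }  /* stands in for attacker code */

/* Vulnerable: copies len bytes into the 16-byte buffer with no bounds check,
   then calls through the record's pointer. Returns what the handler returns. */
static int process(const unsigned char *input, size_t len)
{
    heap_reset();
    unsigned char *buf = heap_alloc(16);
    struct record *rec = heap_alloc(sizeof *rec);
    rec->handler = legit_handler;
    if (len > HEAP_SIZE) len = HEAP_SIZE;         /* keep the model in bounds */
    memcpy(buf, input, len);                      /* heap overflow when len > 16 */
    return rec->handler();
}

/* Attack string: 16 bytes of filler to reach the record, then the pointer
   value the attacker wants called instead of legit_handler. */
static size_t build_payload(unsigned char *out, handler_fn target)
{
    memset(out, 'A', 16);
    memcpy(out + 16, &target, sizeof target);
    return 16 + sizeof target;
}

static int run_benign(void)
{
    unsigned char in[16];
    memset(in, 'x', sizeof in);
    return process(in, sizeof in);                /* 1: legit_handler ran */
}

static int run_overflow(void)
{
    unsigned char in[64];
    return process(in, build_payload(in, attacker_handler)); /* 42: hijacked */
}

/* Heap spray: fill the heap with copies of [NOP sled][shellcode] so that a
   corrupted pointer with only an approximate value is likely to land on a
   sled and slide into the payload. Returns the number of copies planted. */
static const unsigned char shellcode[] = { 0x31, 0xc0, 0xcc }; /* xor eax,eax; int3 */

static size_t spray(size_t block_size)
{
    size_t copies = 0;
    unsigned char *blk;
    block_size = (block_size + 15) & ~(size_t)15;
    if (block_size <= sizeof shellcode) return 0;
    heap_reset();
    while ((blk = heap_alloc(block_size)) != NULL) {
        memset(blk, NOP, block_size - sizeof shellcode);
        memcpy(blk + block_size - sizeof shellcode, shellcode, sizeof shellcode);
        copies++;
    }
    return copies;
}

/* Would a jump to heap offset off reach the shellcode? Yes if the byte there
   is a no-op (execution slides forward) or the shellcode's first byte; landing
   inside the shellcode body or outside the sprayed region fails. */
static int spray_hits(size_t off)
{
    if (off >= heap_top) return 0;
    return heap[off] == NOP || heap[off] == shellcode[0];
}

/* Fraction of all sprayed offsets that lead into the shellcode. */
static double spray_coverage(void)
{
    size_t hits = 0;
    for (size_t off = 0; off < heap_top; off++) hits += (size_t)spray_hits(off);
    return heap_top ? (double)hits / (double)heap_top : 0.0;
}

int main(void)
{
    printf("benign input   -> handler returned %d\n", run_benign());
    printf("overflow input -> handler returned %d\n", run_overflow());
    size_t copies = spray(256);
    printf("spray: %zu copies, %.1f%% of heap addresses reach the shellcode\n",
           copies, spray_coverage() * 100.0);
    return 0;
}
```

Note what the overflow does not need: no executable heap and no shellcode, since attacker_handler is existing code. That is the point of the caveat in the list above, and also why the spray is a separate step: it only matters when the attacker has a code pointer under partial control but no reliable address to point it at.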