Buffer Overflow Attack
–Vulnerability in Heap
Dr.
Satyendra Kurariya1,
1Assistant Professor, Department of P.G Studies in
Computer Science and Application
Mata Gujri Mahila Maha Vidhalaya, Jabalpur Madhya Pradesh (India)
Email:
satyekurariya@gmail.com,
9131748476
ABSTRACT
We advise a paper
which indicates a heap attack due to buffer over .Buffer overflow attack is the
oldest and maximum pervasive attack technique. A buffer overflow takes place
while a method or program attempts to put in writing more statistics to a set
buffer, or duration block of reminiscence than the buffer is allotted to hold.
Since buffers are layout to incorporate a defined quantity of records, the
extra information can revoke statistics values in memory deal with which is
adjacent to the destination buffer till and unless this system include enough
bounds checking to flag or discard information while an excessive amount of is
despatched to a reminiscence buffer. Buffer overflow attacks are classify into
two categories: Heap and stack based attack .The time period heap outline pool
of memory utilized in dynamic allocation for run time environment and the heap
based totally attack define the flooded reminiscence space reserved for a
software, but the problem arrives when appearing such an assault it make the
situation critical.
Keywords: Buffer overflow, Doubly linked list, Heap allocation,
Heap function, Memory Allocation, Vulnerability, doubly linked
list .
INTRODUCTION
A
heap overflow or heap overrun is forms of buffer go with the flow attack that
occurs in heap organization. Heap overflow
attack is exploitable in a very completely different manner to it of
stack-based whole assault. Memory at the heap is dynamically allocated by the
software at run-time surroundings and normally incorporate program statistics.
Exploitation is accomplished in this corrupting statistics within the specific
manner to motive the application to overwrite inner systems which include
linked list pointers [1]. The canonical heap overflow approaches revoke dynamic
reminiscence allocation linkage (which includes malloc Meta records) and makes.
Use
of the following pointer alternate to head down a program operate pointer.
Example older versions of Linux have two buffers allocated next to each other or
on the far side the boundary of the primary buffer permits revoke Meta
information within the second buffer [2]. By assigning the value of the first buffer bit as an in-use bit to zero
of the second buffer and set the length of that bit too little negative worth
which permit null bytes to be derived, once the program calls free() the
primary buffer can arrange to merge these 2 buffers into one buffer[3]. Once
this happens, the buffer that's assumed to be freed is going to be expected to
carry 1st eight bytes of the once allotted buffer.
The final variety of buffer flow attack is to exploitation of buffer allotted
in heap .Heap collision is achieved by two pointer backward pointer and forward
pointer. Berkelium written into FD and might be accustomed revoke a pointer.
SOURCE
OF PROBLEM
A buffer may be a contiguous space of
memory inside a pc which will hold multiple instances of a similar knowledge
sort. The explanation for the buffer overflow is that the pc exceeds the
capability of the buffer itself once it fills the buffer with knowledge. The
overflow knowledge square measure overlaid on the legal knowledge (data,
pointer of succeeding instruction, destination of the perform, etc.). Buffer
overflows is divided into stack-based buffer overflows, heap-based buffer
overflows, and whole number overflow [4].
Heap-based
buffer overflows: The heap is memory that's dynamically allotted whereas the
program is running. The user typically requests memory through malloc, new,
etc. and operates the allotted memory through the came back beginning address
pointer. Once exploitation it, it ought to be discharged by free, delete, etc.
as a part of the memory otherwise it'll cause a memory leak. The heap blocks
within the same heap square measure sometimes contiguous in memory. If
information is written to AN allotted heap block, the information overflow
exceeds the dimensions of the heap block, inflicting the information overflow
to hide the neighbors behind the heap block [5].
The
heap implementation divides the heap into workable chunks and a music that
plenty is unfastened and in use. Each chunk consists of a header shape and
unfastened area (the buffer throughout which statistics is positioned).The
header shape includes statistics regarding chew length and preceding bite size.
The pointer got here back via the malloc ( ) choice to allot the primary chunk.
The scale and prev_size 4-byte worth are used for heap implementation to live
music of the heap style. Note that I even have drawn right here heap diagrams
the wrong way up (when in comparison with the previous stack diagrams),
therefore 0xffffffff is downward during this Fig .2. The size of the thing is
no quite without a doubt keep the scale of this chew and it additionally check
and specify whether or not or not the previous bite is loose or not [5]. If a
bit is allotted, then the scale of thing in the next chunk has its least
crucial bit set, otherwise bit is cleared. This bit is assumed because of the
PREV_INUSE flag; it specifies whether or not or no longer or not the preceding
chew is in use. As soon as a program no longer desires a buffer assigned
through malloc ( ), it passes the cope with of the buffer to the loose ( )
operate. The chunk is de-allocated, developing it available on the market for
resultant calls to malloc ( ). Once a chunk is freed, the subsequent
circumstance takes place [6].The PREV_INUSE bit is cleared from the size factor
of the following chew, indicating that this bite is unfastened for allocation.
The addresses of the preceding and next loose chunks are positioned in the
bite's facts section, mistreatment bkp (backward) and fdp (forward) pointers.
DETECTING HEAP
OVERFLOW
• Adding
the sizes
•
Removing the second chunk from the doubly-linked list
Defragmentation operation of two chunks :
·
first
adding the sizes
·
victimization
the subsequent unlink () below.
#define ulink(Pt,
BackK, ForP) \ outline doubly link list
{
ForP = Pt->fdp; \ forward pointer
BackK = Pt->bkp; \ backward pointer
ForP->bkp = BackK; \ removing backward chunk
BacK->fdp = ForP; \
removing forward chunk
}
This means that in certain circumstances, the memory pointed
to by fdp+16 is
overwritten with bkp,
and the memory pointed to by bkp+12 is
overwritten with the value of fdp (where fdp and bkp are pointers in the
chunk)[8]. These circumstances include:
·
A chunk is freed
·
The next chunk seemed to be free (the PREV_INUSE flag is
unset on succeeding chunk after).
If there's an opening that heap buffer will be overflow,
you'll be able to write the chunk header of consequent chunk on the heap, that
permits you to force these conditions to be true that successively permits you
to jot down four discretional bytes anyplace in memory (because you management
the fdp and bkp pointer)[9].
PROPOSED SOLUTION
FOR HEAP OVERFLOW
Here, we used two 40-byte buffers (buffer1 and buffer2) are assigned on the
heap. Buffer1 is
used to store user-supplied input from gets
() and buffer1 is
deallocated with free ( ) before
the program exits. There is no checking imposed on the data fed into buffer1 by gets ( ), so a heap overflow
can occur. Fig. 3. shows the heap when buffer1 and buffer2 are allocated.
int main(void)
{
char *buffer1,
*buffer2;
buffer1 = malloc(40);
buffer2 = malloc(40);
gets(buffer1);
free(buffer1);
exit(0);
}
To pass the buffer2 chunk
to unlink ( ) with
fake fdp and bkp values, you need to
overwrite the size element in the buffer2 chunk header so the
least significant bit (PREV_INUSE)
is unset. In all of this, you have a few constraints to adhere to [11]:
·
prev_size and size are added to
pointers inside free( ),
so they must have small absolute values (i.e., be small positive or small
negative values)
·
fd (next free chunk value)
+ size + 4
they must point to a value that has cleared
least significant bit .
·
There must be a no
NULL (\0) bytes in
the overflow string, or gets
( ) will stop copying data in the buffer [12].
Because free(
) de-allocates buffer1, it seems to check and
verify that whether the next forward
chunk is free or not if it detect free then by checking the PREV_INUSE flag found in the third chunk (not displayed in these
diagrams)[13]. Because the scale component of the second chunk (buffer2) is -4,
the heap implementation reads the PREV_INUSE flag from the second chunk, basic
mental process it is the third Next, the unlink ( ) macro tries to consolidate
the chunks into a brand new larger chunk, process the pretend fdp and bkp pointers
[14]. As free ( ) invokes the unlink ( ) macro to switch the doubly coupled
list of free chunks, the subsequent occurs:
• Fdp+12 is overwritten with
bkp.
• Bkp+8 is overwritten with
fdp.
This means that you simply
will revoke a 4-byte word of your selection, anyplace in memory. You recognize
from smashing the stack that revoke a saved instruction pointer on the stack
will cause whimsical code execution, however the stack moves around heaps, and
this can be tough to try and do from the heap. Ideally, you would like to
revoke an address that is at a continuing location in memory. Prudently, the
UNIX viable File Format (ELF) provides many such phases of memory, two of that
are:
• The international Offset
Table (GOT); contains the assorted address of functions [15].
•.dtor the destructor i.e. contains address of functions that
provide free memory space after successful execution of a program.
For the needs of this
instance, i am going to write the address of the exit ( ) operate within the
GOT. When the program calls exit
( ) at the end of main
( ), execution jump to whatever address it revoke to exit () the
address. If you overwrite they GOT entry for exit
( ) with the address of shell code you supply, you must
remember that the address of exit
( )'s GOT entry is written in the form of 8 bytes into your shell
code, meaning that you need to jump over this word with a jump. +10 processor
instruction [16].
They needed to set the next chunk variables and pointers to
the following:
·
fdp = GOT address of exit( ) - 12
·
bkp = the shellcode address
(buff1 in
this case)
Fig.5 shows the desired layout of the heap after the program
has called gets ( ) with
the crafted 0xfffffffc values
for prev_size, size, fdp, and bkp placed into
the buffer2 chunk
[17].
Although these ways have
effectively detected buffer overflow vulnerabilities to a definite extent, the
standard analysis ways of code buffer overflow vulnerabilities have the issues
of huge time overhead, path explosion and lack of dynamic code analysis.
Effectively
we are able to write the GOT entry for exit ( ) (located at 0x8044578) which
contain the address of buff1 (0x80495f8), and the next address i.e. shell code
is dead once exit ( ) is termed by the program
CONCLUSION
The buffer overflow attack invented
for used in hacking circles. It uses input to a poorly enforced, however (in
intention) fully harmless application, usually with administrator privileges.
The buffer overflow attack results from the given input that is no longer than
the implementer supposed. It causes some of the data to leak out the buffers,
which can cause some data to corrupt or overwrite the holding data.
FUTURE SCOPE
Buffer overflow
vulnerabilities are caused when a program puts data into a buffer but forgets
to check the buffer boundary. It does not seem that such a mistake can cause a
big problem, other than crashing the program. As we can see from this chapter,
when a buffer is located on the stack, a buffer overflow problem can cause the
return address on the stack to be overwritten, resulting in the program to jump
to the location specified by the new return address. But, once we area unit
exploitation this idea to beat vulnerability to makes humanoid system too weak
to defense attacks and defend privacy. It’s a necessity to gauge the protection
risk dropped at the system.
ACKNOWLEDGEMENT
We would wish to convey the anonymous reviewers for his or
her perceptive comments.
REFERENCES
1.
IOSR Journal of
Computer Engineering (IOSRJCE) ISSN : 2278-0661 Volume 1, Issue 1 (May-June
2012), PP 10-23 www.iosrjournals.org
2.
Buffer Overflow
Attacks on Linux Principles Analyzing and Protection ZhiminGuJiandong Yao Jun
Qin Department of Computer Science, Beijing Institute of Technology (Beijing
100081).
3.
Manish Prasad and Tzi-cker Chiueh. A Binary Rewriting Defense
Against Stack Based Buffer Overflow Attacks. In Proceedings of the 2003 USENIX
Annual Technical Conference, San Antonio, TX, June 2003.
4.
Jun Xu, Zbigniew Kalbarczyk, Sanjay Patel,
and Ravishankar K. Iyer. Architecture Support for Defending Against Buffer
Overflow Attacks. In 2002 Workshop on Evaluating and Architecting System
dependabilitY (EASY-2002). University of Illinois at Urbana-Champaign, October
2002.
5.
Tzi-cker Chiueh and Fu-Hau Hsu. RAD: A
Compile-Time Solution to Buffer Overflow Attacks. In Proceedings of the 21st
International Conference on Distributed Computing Systems (ICDCS ’01), Mesa,
AZ, April 2001.
6. David Larochelle and David
Evans. Statically Detecting Likely Buffer Overflow Vulnerabilities. In
Proceedings of the 2001 USENIX Security Symposium, August 2001.
7.
B.A. Kuperman, C.E. Brodley, H. Ozdoganoglu,
T.N. Vijaykumar, and A. Jalote, “Detecting and Prevention of Stack Buffer
Overflow Attacks,” Comm. ACM, vol. 48, no. 11, 2005.
8.
“X. Xu, R. Zhao,
and L. Yan, “Research and progress in software metrics,” Journal of Information
Engineering University, vol. 15, no. 5, pp. 622–627, 2014..
9. S. Rahimi and M. Zargham, “Vulnerability scrying method for software
vulnerability discovery prediction without a vulnerability database,” IEEE
Transactions on Reliability, vol. 62, no. 2, pp. 395–407, 2013.
10. Butler M., Postel J.B., Chase D., Goldberger J. and
Reynolds J.K, 1985, Post Office
Protocol - Version 2.RFC 937.
11. Case J., Fedor M., Schoffstall J. and Davin J., 1988, A Simple Network Management Protocol,
RFC 1067.
12. Caraher K. and Repsher G., 2009, Dancer on the
Frontline, Empty CDW-G Federal
Cybersecurity Report.
13. Cashell B., Jackson W.D., Jickling M. and Webel B.,
2004, The Economic Impact of Cyber-Attacks, CRS Report for Congress.
14. Debar M. D. and Andreas W., 1999, towards taxonomy of
intrusion-detection systems. Computer Networks, 31(9):805–822.
15. P. K. Shamal, K. Rahamathulla, and A. Akbar, “A study
on software vulnerability prediction model,” in Proceedings of the 2nd IEEE
International Conference on Wireless Communications, Signal Processing and
Networking, WiSPNET '17, pp. 703–706, 2017.
16. Security and Communication Networks Volume 2019,
Article ID 8391425, 13 pages https://doi.org/10.1155/2019/8391425.
17. M. Frieb, A. Stegmeier, J. Mische et al., “Lightweight
hardware synchronization for avoiding buffer overflows in network-on-chips,” in
Proceedings of the International Conference on Architecture of Computing
Systems, pp. 112–126, Springer, Cham, Switzerland, 2018.