Let's understand buffer overflows and how they are used to gain backdoor access to your system.
Why Talk About Buffer Overflows?
Because so-called buffer overflows are the most common vector of attack in all sorts of cyber crimes, and account for 80% of all attacks. This includes the May 2017 global ransomware attack called WannaCry, the 2014 Heartbleed bug that impacted two-thirds of all servers on the Internet, and even the "worst of the worst" attacks with funny names like Stuxnet, Duqu, Flame, Red October, and Shamoon.
But Why Do I Need to Know About This?
You don’t need to know how the engine in your car works to drive, but if you do it makes you a better driver and car owner. You will know your car's limitations and what it should and shouldn't do. You will also be able to better maintain your car.
If you understand buffer overflow, you understand the threat. You understand it starts in software, and you can evaluate proposed solutions to defend against it.
So What Is a Buffer?
Here is some memory in a computer:
There’s lots of it, but our little diagram is showing only 48 bytes. Each byte can hold a character or 8 bits of zero or one. These days, we measure memory in gigabytes. A gigabyte is 1000 million bytes. Memory is used to store applications and all the data those applications need to operate.
The operating system owns memory—it’s a resource like hard drives, access to the network, the keyboard, the mouse, and the screen. When the programmer wants to use some memory, he asks the operating system to give him a chunk using a run-time routine called malloc (memory allocator). Such a ‘chunk’ of memory is called a buffer. Buffers are needed all the time in applications.
For example, if the programmer is asking the user for a social security number, he will call the malloc routine to create a buffer that holds 9 digits. As long as there is free memory, the operating system will give it to him. The programmer will give this buffer a name that is easy to remember, like ssn.
Let’s say the programmer next needs a place to store the user’s password to access the program’s services. He asks for another buffer of 16 bytes (characters) to hold a typical-size password. This buffer he calls pwd, and it is placed right next to the ssn buffer he just created. Let’s show that next.
Because buffers for subsequent data storage are frequently placed adjacent to each other, it is very important that each obeys its size limits and does not ‘leak’ or overflow data. This buffer overflow can happen if the programmer stores something that is longer than the amount of space allocated, or if he asks for user input but neglects to carefully check that the input data fits in the allocated buffer.
The Point of Attack
The last paragraph points to exactly what the problem is and where the buffer overflow attack can occur. While vigilant programmers know to check that all inputs fit in their prescribed buffers, it’s incredibly easy to forget this step.
As in, “I’m just adding this quick feature and once I get it working, I will go back and make sure all those extra things like checking size of inputs are done.”
That quick feature that works becomes part of the released product when the programmer is pressured to move on to other things before he has a chance to incorporate that vital check.
Meanwhile there are legions of attackers that probe for these unprotected buffers, and many of them use their own armies of automated mini-programs called 'bots.'Bots are software applications that run automated tasks (scripts) over the Internet, and they are usually used for good purposes. Bots that do the bidding of cyber attackers, however, are increasingly common.
In our example, a bad bot will test if the program checks that only 9 characters are input for the social security number. When it sees that there is no check, it reports back to the attacker who then knows he has found an opening for his attack.
After getting the bot’s report, the attacker sets up his attack. Since he has done enough analysis to understand that the password buffer sits right after the social security buffer, his plan is to write nine random characters into the ssn input and then keep going to write ‘password123’ into the pwd password buffer.
At this point, he can access the application as a user and enter ‘password123’ to gain full access to everything the application can do. He's in, and all bets are off.
That Seemed Easy. How Can It Be Stopped?
Yes, it is easy. That’s why 80% of all attacks coming in over the network start with a buffer overflow. A solution is not nearly as easy. We cannot assume programs will ever be free of bugs like the one described here.
Fortunately, Dover Microsystems has built a solution that we describe here. Dover's CoreGuard hardwires cybersecurity directly into the silicon of the host processor and protects against all classes of network-based attacks. With the growing IoT market, the security of all connected devices has become a top priority. Dover hopes to make buffer overflows a thing of the past, bringing security and safety to all embedded systems.
Want more of CEO Jothy Rosenberg's technical explanations? Follow Dover's blog for frequent updates.