Buffer Overflow –”Data Gone Wild” – CS1


Background

Summary:

Buffer overflow occurs when data is input or written beyond the allocated bounds of a buffer, array, or other object causing a program crash or a vulnerability that hackers might exploit.

Description:

A buffer overflow occurs when data is written beyond the boundaries of a fixed length buffer overwriting adjacent memory locations which may include other buffers, variables and program flow data. Considered the “nuclear bomb” of the software industry, the buffer overflow is one of the most persistent security vulnerabilities and frequently used attacks.

Risk – How Can It Happen?

Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or allow the execution of malicious code. However, Java is designed to avoid buffer overflow by checking the bounds of a buffer (like an array) and preventing any access beyond those bounds. Even though Java may prevent a buffer overflow from becoming a security issue, it is essential for all programmers to understand the concepts described below.

Example of Occurrence:

Buffer Overflow

A buffer overflow in a 2004 version of AOL’s AIM instant-messaging software exposed users to buffer overflow vulnerabilities. If a user posted a URL in their “I’m away” message, any of his or her friends who clicked on that link might be vulnerable to attack. AOL’s response was to suggest that users update to a new version that would fix the bug.

Paul Roberts “AOL IM ‘Away’ message flaw deemed critical”, Infoworld, August 9, 2004 http://www.infoworld.com/article/04/08/09/HNaolimflaw_1.html

Example in Code:

public class Overflow {
  public static void main(String[] args) {
    int[] vals = new int[10];

    for (int i =0; i < 20; i++) {
      vals[i] = i;
    }
  }
}

When this program is run, the loop counter will exceed the value of a suitable index for the array. When the assignment statement tries to store a value in vals[10], buffer overflow occurs. The result is unpredictable. Depending on the operating system and the specific nature of the overflow, it may not cause any apparent problems, or it will cause the program to crash. Buffer Overflow can occur in many languages. In Java, the code results in an ArrayIndexOutOfBoundsException.

Code Responsibly – How Can I Avoid Buffer Overflow And Out of Bounds Problems?

  1. Mind your Indices!
    1. Validate your input. Always check values that are input as an array index.
    2. Check your loops! Especially watch the limit, beware of off-by-one errors.
    3. Check any methods that may modify an array index.
  2. Make sure you have enough space: Before copying data to a fixed size block, make sure it is large enough to hold the data that you are going to copy. If it is not large enough, do not copy more data than your available space can hold. If your program is not able to continue properly after filling the available space, you may have to find some way to recover from the error.
  3. Validate indices: If you have an integer variable, verify that it is within the proper bounds before you use it as an index to an array. This validation is particularly important for any values that might have been provided as user input or other untrusted input, such as information that might be read from a file or from a network connection.
  4. When possible, use buffer-size accessors: Loops that iterate over arrays need to know the size of the array. Using a variable with the wrong value – or the incorrect constant value – can lead to buffer overflows. Some languages -such as Java – provide operators that can be used to retrieve the size of an array. Using these operators can help you avoid some of these problems.
  5. Use alternative data structures that reduce the risk of overflows: Many buffer overflow vulnerabilities can be avoided by using vectors or other structures instead of traditional arrays. When possible, use vectors and iterators instead of arrays and integer-indexed loops. Note that these tools will not prevent you from running into trouble: you will still have to write your code carefully and correctly. However, they can reduce your risk of buffer overflow vulnerabilities.

Lab Assignment

Program 1

import java.util.Scanner;

public class Overflow2 {
  public static void main(String[] args) {

    Scanner scan = new Scanner(System.in);
    int[] vals = new int[10];

    System.out.println("How many values should be stored in the array? ");
    int count = scan.nextInt();

    for (int i = 0; i < count; i++ ) {
      vals[i] = count-i;
    }

    System.out.println("Which value do you wish to retrieve? ");
    int which = scan.nextInt();

    System.out.println("Your value is " +vals[which]);
  }
}

Lab Questions:

  1. Type*, compile, and run the above program. Describe the results. What happens if you type “3” for the first prompt? 7? 12? 20? What happens if you type 10 for the first prompt and then 3, 7, 12, and 20 for the second prompt?
  2. Complete the security checklist for this program (print the checklist).
  3. List places where the bounds checking should occur.
  4. Provide example inputs that might cause array index out of bounds exception.
  5. Rewrite the above program to include the appropriate bounds checking.

Program 2

  1. Create the following java file:
    import java.io.*;  // for File
    import java.util.*;  // for Scanner
    public class ReadTemps
    {
        public static void main (String[] args) throws FileNotFoundException
        {
          Scanner inFile = new Scanner(new File("temps.txt"));  //open
          double[] temps = new double[10];
          int numTemps = 0;
    
          while (inFile.hasNextDouble())
          {
            temps[numTemps] = inFile.nextDouble();
            numTemps++;
          }
          System.out.println(numTemps + " temperatures were read.");
    
        }
    }
    
  2. Create the following temps. txt file:
    30.0 30.1 30.2 30.3 30.4 30.5 30.6 20.7 30.8 30.9
  3. Run the program. It should list 10 temperatures as being read.
  4. Change temps .txt to the following:
    30.0 30.1 30.2 30.3 30.4 30.5 30.6 20.7 30.8 30.9 31.0 31.2
  5. What happened and why?
  6. Modify the program to fix the problem. DO NOT change the size of the array! Hint: Add a check to the loop.

*Copying and pasting programs may result in syntax errors and other inconsistencies. It is recommended you type each program.

Security Checklist

Security Checklist

Vulnerability:Buffer Overflow Course: CS1
Task – Check each line of code Completed
1. Finding Arrays:
1.1 Underline each array declaration
1.2 For each array, underline all subsequent references
2. Index Variables – legal range for an array of size n is 0 <= i < n
2.1 For each underlined access that uses a variable as an index, write the legal range next to it.
2.2 For each index marked in 2.1, underline all occurrences of that variable.
2.3. Circle any assignments, inputs or operations that may modify these index variables.
2.4. Mark with a V any array that is indexed by a circled index variable.
3. Loops that modify index variables
3.1 Find loops that modify variables used to index arrays. For any index that occurs as part of a loop conditional, underline the loop limit. For example, if i < max is the conditional in a for loop, underline max
3.2. Write the legal range of the array index next to the loop limit as you did in step 2.1. Mark with a V if the loop limit could exceed the legal range of the array index. Watch out for loop that go until i <=max , as the largest valid index is max-1
3.3 If the upper or lower loop limit is a variable, it must be checked just as indices are checked in Step 2
Highlighted areas indicate vulnerabilities!
 

Discussion Questions

  1. Describe the buffer overflow problem.
  2. What happens if you exceed the size of an array in Java? Do you consider this robust behavior?
  3. List three ways you could potentially overflow a buffer or exceed the size of an array in your program.
  4. How could you prevent a buffer overflow or out of bounds error from occurring in your program?
Further Work (optional – check with your instructor if you need to answer the following questions)
  1. Give three real life examples of buffer overflow attacks (research on the web).
  2. What can result from a buffer overflow?
  3. Buffer overflows can be troublesome if they are used by attackers to run their own code. What sort of things might an attacker try to do if he or she were able to run any code they wanted on a computer?


 
Copyright © Towson University