In this lesson, I'll discuss Buffer Overflows. So by the end of the lesson, you'll be able to tell me what defines a buffer overflow and describe how shellcode is used in buffer overflow attacks. What are buffer overflows? Well, buffer overflows or buffer under runs, is really in rewriting over data. So, applications run in memory. Okay. Any application that you're running; operating system, Microsoft Word, for example, any operating system we allocate memory to run applications. Memory locations can contain information or variables and program data. So if the data is overwritten, because of poor programming, other code can be injected causing the program or the operating system to actually access a certain area of memory that it shouldn't. NIST, in their glossary of key information security terms defines a buffer overflow as a condition at an interface under which more input can be placed into the buffer or data holding area than the capacity allocated, overwriting the other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system. So, think about how much memory that you actually have for, let's say, a byte, for example, okay? We have a byte worth of data. Well, let's say that through poor programming practices, I, instead of allocating a byte, don't actually tell what that's actually for, even though I'm expecting that it's going to be byte's worth the data. Let's say, I try to insert a bunch more information. So now, I'm trying to load in twice the amount of data into this little tiny space, a byte of a memory. What this does then, is let's say, there are operating system code is running over here. So now, the data that I'm pushing into this little tiny byte variable, now gets pushed over into my operating system and I gain control of what is actually executing inside the operating system through special code called shellcode. Let's talk about the basics of buffer overflow real quick. Basically, buffer overflows are worst, most prevalent type of attack in any software and have been for years and years and years. It's a programming error due to poor programming. Certain software is more vulnerable to it, programming languages, for example. But it's a programming error that allows data to be overwritten beyond the intended length of the buffer. This can overwrite memory locations, it can lead to corruption of data and then it also can lead to privilege escalation. So if we're in that, from that byte, if we're going into the operating system, we can escalate our privileges even though our program that may be allocated for that certain memory location doesn't have the privileges to execute something. Buffer overflows are found in a variety of different ways, but the overall way they're found is by either testing or what's called fuzzing. Fuzzing is where we just throw a bunch of variables at software and see what happens to the code. If it creates an error, if it creates corruption of data, then we know that we have some kind of buffer overflow happening. Attackers use this also by reverse engineering, the code itself, or perhaps looking at the program execution. Once a vulnerability is found, the attacker then can put their own data in, which is called shellcode. That shellcode can then be used to escalate the privileges in certain other parts of the operating system. So shellcode is defined as code that is used by an attacker to gain access to certain parts of the operating system. It is used in the buffer that is overwritten. So here, we have our buffer space or one byte. It's going to be executed in this memory location, the one right next to it, that is executing something else, that is not part of our program. The attacker must understand, however, in order to use the shell code, what the underlying architecture is, in order to execute that exploit and to run the shellcode effectively. Not all shellcode is going to be the same. What can attackers do with shellcode and where do they actually attack? Well, they attack systems services, network services, and also common libraries. So think about systems services running, like the overall operating system or the authentication process. What about network services like a TCP connection. So we can gather information that's flowing in and out of that system or even common libraries that the entire system uses in our application. We can then use that shellcode to do almost anything with it that we want, since we have full control over the operating system in most cases, such as launching remote sessions or launching reverse remote sessions. This is more common if we don't have access to the system. Let's say that we get into a system one way and can't get back in again because somebody shut the whole down. Well a reverse remote session, would actually initiate at the system itself and go out to another specific IP address, in order to attack that system. We can also use or attackers can also use this to tear down other defenses such as anti-virus and firewalls. Buffer overflows are prevalent because coders can be lazy. We don't have a lot of coders that do very well at looking over their own code or having other people look over their own code or looking at security audits. Coders may use lower level languages such as C, for example, instead of a higher level language like C#, which has built in controls to stop buffer overflows from happening. Programmers may also not audit their own code, test their own code, and really sacrifice security performance. There are a number of different defenses that we can use for buffer overflows. They're split into really two different ways. One is at they compile time, the other one is at runtime. So at compile time, we can use what's called Stack Protection and use a program specifically in Linux called Stackguard. And then, we can also use Safe Library use as well. So those libraries that are built into the programming language that are safe to use to minimize buffer overflows. Now, in fact, we actually updated all the Linux systems on our campus the other day because of a vulnerability in Stackguard. So, Stackguard is pretty important in protecting the overall system from buffer overflows. The other area that we can use protection is at runtime. This is memory randomization. Operating systems specifically, Microsoft have utilized other technologies, such as EMET, for example, that allows buffer overflows to be prevented by randomizing where the program data is executed. So remember, if we understand the underlying architecture, the attacker understands the underlying architecture, then they can execute shellcode. Well, if we randomize where the program is executing and where those memory locations are, attackers really can't execute it that well. So how do we protect our organization? Well, don't run all the software that you can, make sure that the software is being used appropriately, and you need to update your software. We can also use protection mechanisms, especially on the servers, like Stackguard or like EMET.
