Buffer over-run vulnerabilities

From: AndyJ (andy_at_wild-flower.co.uk)
Date: 02/25/04


Date: 25 Feb 2004 02:38:46 -0800

Just a thought (from a complete newbie)...

Firstly, if I understand correctly, a Buffer Over-run *Vulnerability*
occurs when data is inserted into a buffer (patch of memory) without
first checking whether or not the amount of data will fit into the
allocated space. Any data beyond the length of the buffer "spills
over" into the memory following the buffer, overwriting its contents.

Secondly, IIUC, a Buffer Over-run *Exploit* exists when there is a
section of program code stored in memory at some point after the
buffer, and the overflowing data contains executable program code that
will spill over into the area containing the program code.
Subsequently, the attacked program is then 'persuaded' to run the
injected code (by causing it to follow a given path of logic that
eventually leads to the processor executing the code). This code can,
of course, perform actions other than those which the program was
originally intended to perform.

Am I right on those two? Close enough, maybe? (I am not a C/C++
programmer, but I do program).

So, a question: Under Linux, is the arrangement of a program's data
segments in memory determined at *compile* time or *load* time?

Either way, is there a way to *randomise* (or otherwise perturb) the
locations at which the code is actually loaded into memory, so that
you could never be sure of the sequence? This would, of course, break
any programs which do pointer-arithmetic that rely on where things are
'supposed' to go, but would this be very often? Is this practice not,
in fact, 'bad style' anyway?

My point is, can Buffer Over-run Exploits be 'cut off at the pass', so
to speak, or is this just fantasy?

-andyj
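The first point in the post, the copy that never checks whether the data fits, next to a form that does check, as an added C example (not code from the original thread). The record layout, buffer size and inputs are constructed for illustration; the unchecked variant is shown for contrast only and is never called.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* the fixed "patch of memory" the post describes */

/* Constructed layout: whatever sits after the buffer is what an overrun
 * overwrites; here it is a field the program later trusts. */
struct record {
    char name[NAME_LEN];
    int  privilege_level;
};

/* The unchecked pattern: strcpy() stops only at the source's terminating
 * NUL, so a longer input keeps writing past `name` into `privilege_level`
 * and beyond (undefined behaviour). Shown for contrast, never called. */
void set_name_unchecked(struct record *r, const char *src)
{
    strcpy(r->name, src);   /* no length check at all */
}

/* Hardened form: measure the input first, never scanning further than the
 * buffer itself, and refuse anything that will not fit including the NUL.
 * Rejecting is preferable to silent truncation, which can corrupt meaning. */
bool set_name_checked(struct record *r, const char *src)
{
    const char *end = memchr(src, '\0', NAME_LEN);  /* NUL within NAME_LEN bytes? */
    if (end == NULL)
        return false;            /* NAME_LEN or more chars: no room for the NUL */
    size_t n = (size_t)(end - src);
    memcpy(r->name, src, n + 1); /* copy exactly what was measured, NUL included */
    return true;
}

/* Convenience wrapper: does this input fit the record's name buffer? */
bool fits_in_name_buffer(const char *src)
{
    struct record r = { .name = "", .privilege_level = 0 };
    return set_name_checked(&r, src) && r.privilege_level == 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would have spilled over. */
    printf("andyj -> %s\n", fits_in_name_buffer("andyj") ? "accepted" : "rejected");
    printf("24 x A -> %s\n", fits_in_name_buffer("AAAAAAAAAAAAAAAAAAAAAAAA") ? "accepted" : "rejected");
    return 0;
}
```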
