This video is about Buffer Overflow. After starting the introduction about, what is the buffer overflow. We'll talk about, buffer overflow and the local variables, and the global variables and that dynamic memory. And we'll complete with a short conclusion and a summary about, what we see in this video. Introduction. In C and C ++, arrays are implemented in a very effective way. So the generated code, used the base address of the area, had enough set that is compute from the index and directly access the data. So to avoid any performance lost, because it does not validate the index value. So it's easy for C and C++ program to access outside of the boundary of an array. Some compilers, when the size of the array is known, will do some static analysis and code, and try to catch some possible overflow. But, it's really first not out compiler and it's not always easy to catch some such risk with the static code analysis. Because, the indexes must probably not a constant, can be a variable knowing what this variable campaign is not easy from static analysis. Buffer overflow and local variables. Once again, the best way to see what happened when we coz a buffer overflow over a local variable, is to look to a simple. The bill, local example is about buffer overflow when working with local variables. The code of the sample is very, very simple, the code create three, local variable. All three are charged from some sites. After that, the code will initialize this three variable using a letter. So, I feel diary with the same letter for each local variable. Next step, if an argument has passed to the executable, it will be taken as an offset, in order to write someplace or in the local variable B. Or outside it, if the index cause a buffer overflow or buffer on the floor. After that, I will write the code display, the contents of the variable, but also a large place before the local variable B. And also, a large place after the local variable B. So it will help us to know with the local variable A or local variable C, is near the local variable B, in the memory of the computers. We used the dump function from the basement to do the desk dump. And definitely, the code verify, if variable A B or C have been changed from the initiate, NCL is a value. We'll now, run the program in the divide configuration and just started a program. The result is there, so we saw that, yes we have the variable B that contains 10 letter. And just next to it, we have also the variable A and C under the the same spot in the memory, so under stack the exemption stack. If we want it in the release. We also saw that, the variable are near one of the each other on the memory stack. They are even nearest, just because they don't have the guard that, the code add when we are in debug version. Just to see how the guard is working, will just get back in the debug. And in fact, well, start the program for the common line, so we will be able to pass very quickly index and codes, buffer overflow will flow easily. So I am going to the debug folder will now be able to tell the executable and passed and index to indicate where in the variable B, I want to include the letter D. So here we saw that, I changed the data at offset zero in the local variable. If I increase the index, I can code a buffer overflow, so what we'll do. [SOUND] And yes, the code detect the error, because they get the guard that was put just after the look at the variable B, have been modified by the buffer overflow. This guard will not work, if the modification that corruption caused by the buffer overflow, foul completely inside another variable. So if we. Let's say, like that. [SOUND] Oops, my index was not large enough to fall in the local variable. Okay, so we'll try again. And now we see that yes, we corrupt the value of the variable eight. But the guard has not been changed, so the corruption error has not been detected By the code. The verified function high culled from the code that certainly from the example, code air just detect the change. I can also provide a menace in the X, so I can go this way. So why the buffer underflow corrupt the memory, just before the like how variable B in the memory of the computers. Again, if the corruption, occur completely inside another variable, the guard is not able to do the job, and the error was not detected. So the guard is good thing, but I will not catch all their possible buffer overflow. The other thing is that if we run in release, so I changed the directory to go when they are released directory, I will just make sure that I compiled the project and release. Yes, it was my bike, okay, so I can run it. The variable are nearest because they don't have the guard, they have some space but it's just because of the memory alignment. All variable put on the stack must be aligned, and on the eight byte boundary. So, we have to keep some extra byte when we was a variable, that is 10 bytes in size. And then if I do a corruption like the first time, We start the corruption in the variable B. And I think you are right down there with the monetary, but there are not detected by the code, because the code do not have guard and displace. Just another note about the code of this variable. When I given index the value that the code, right, in the B variables, is that wrestle function? Another function that is a static function that defined just at the hand of this source file. This function do only two things display a message, that escaped its function has been executed and exit the program. What we need to understand when we talk about buffer overflow and local variable, is that when we do a the buffer overflow on a local variable, it's possible for the code to overwrite the return address of the function. So, this will cause a change in the exemption path when the function will return, so at the return of the function rather to return to the calling function, we will go execute at some address that have been written in the return address, and that we can experience that, we will just increase the index by four until we reach the time where we override the return address. Four, no problem, eight no problem again it's no more, because we are still inside the b valuable 12, so we get out of the b valuable. We get the problem there. The buffer also, it has been detected in the bargain, the compiler had code to put guard before and after each area. Very local variable but in release they don't do that, in order to reduce the amount of memory needed to run the program, but they still included guard just between all the local variable and the return address, because we want to protect the return address. And here you can know you saw that when I use the index 2020, the buffer overflow a cure and replace the return address by the address of the function, and you can see air that other function have been cow. So the skull is clearly coz by the buffer overflow we just goes, just a quick summary about what we saw and example, when we have a local variable, the size of the various constant. The index is below zero or above the maximum, they called the access order that up, so the doubt that have not been intended to be access. You can access other local variable in the same function, like how valuable of calling function, space used for variable of previously called function can also be accessed this way, and it can even change the return address of the current function. So with the hacker find a way to cauz, this buffer overflow they will be most probably able to or retrieve information. You should not, or change data, it shall not change your return address and change Asian path, so may be must probably execute code that it should not be able to execute. When running in debug contribution, the compiler will add guard. I run like all variables not how local variable but local variable that are [INAUDIBLE] and the code will check at the end of the function just before the function returns. If the guard value have been changed, if yes, the program will be stopped and a rare message will then shown the buffer overflow. Even there hacker can get something done before the function returns. Even in release configuration, the corporate area I had passed. It will have some verification. The verification are less, Cut intensive than the one we use in debugging, but are still very efficient. So on Windows, if we go in the project property page in the C/C++ section. You can find both two properties that control how the code decided to protect the stack against buffer overflow. They have one in the general section. The property is named SDL check. If we implement it, if we set it to yes and by default, it's enabled. It will include the more testing, And also we have in the code generation, that's security check property, that in produce security code for the local variable. If you use gcc, they also have the same concept. But you have to enable it or disable it using not configuration file but option. And they have both option, an option to disable or enable. By default the stack protector is on. So again, don't disable it. They do the same kind of protection. The next slide will explain the kind of protection that are headed when enabling this option for the both type of compiler. How do the complier protect their stack? The first thing they do and we talked about that when we look through that example, is that they had guard just between the local variable area on that stack and the return address. This way if a buffer overflow a code, it will most probably corrupt the guard at the same time it corrupt the return address. And before returning, the function code will verify the value of the guard. And if the guard has been modified, it will not let the function return to a bad return address. The compiler will still change the order of the local variable. So they will put, first, the single variable. When I talk about single variables, it's simply variable that are not array. So we'll flag the integer value with pointer or something like that, and after we'll just put all the array together. Array that is higher than the address of the single variable. The compiler do that because usually the buffer overflow occur with index that is, Above the maximum and not below the minimum. Principally, it's meaning that's the case when index are unsigned variable. And even when index is not unsigned variable, it's mainly to occur with a value that is above the maximum. So this way the single variable will not be in the risk by the overflow. Even more, they will change the order between the array just to make sure that the array that are modified first are address lower than other array. This with the modification of the first array cause overflow and overwrite the value in the second area. This array will be changed by the legit code, so the overflow would not have any consequence. Buffer overflow and global variable. Once again, we'll go to look at one example named BO_Global. The BO Global example is very similar to the BO Local. So they're called create three valuable. Instead to be a local variable, it's a global variable. Initially, it's the variable, also lead to a change to a code of buffer overflow by taking an offset from the command line. If we don't overwrite the data with the address of the connection because we are not on the exemptions stack. So we have no chance to be able to overwrite the return address. So we just want to close the buffer overflow with other letter that is simpler to see in the example later on. And after that, we dumped that up and we verify if some variable have been corrupted. First, okay, let me set it as a StartUp Project. Yes, and I will compile it in Debug. Going back to the Debug folder, I will execute it, just change at index 0. It's not a buffer overflow which is a change of the variable, SB. So yes, we saw the D that's indicated yes, we changed the variable. We saw that in the bargain, we don't have the guard between the valuable. The guards are not hit added by the code when we deal with global variable, or in release, or in the byte. It's all variable output next one to each other in the memory. So again, it cause a buffer overflow and just go at the hand of the B variable. And yes, I haven't been right. And then just after the end of the B variable, I did not corrupt the C variable because I'm just handed two byte, added by the computer just to to respect the data requirement. I had two more byte as index and yes, I've been able to write into the other global variable. I can do an underflow. So going with a menace index and yes, we saw that we Code the correction here. We saw that buffer overflow can occur when working with global variable as as they can occur when we work with local variable. We also saw that the compiler does not help us at all. And we saw that if a buffer overflow occur when we work with global variable, other global variable will be corrected or access. Buffer overflow and dynamic memory. The example for that is BO_dynamic. The example is very similar to the two previous. First we the code allocate tree space, treat memory space that we keep the address and the variables help pointers. We insist each one using one letter. Again, if the the user give an f. Set we just you just have set to access the variable B. So not cool B in this case, but the index one. And after that we dumped the memory around the variable B, and finally you will release the memory. So in the book to start, we'll just make sure we compel the yeah. We are in the Dubai folder, so I can start the executable first time without modifying anything. So we saw that the variable B that have been allocated that's something someplace in their memory. And we also saw that worry about eight that had been also allocated in the somewhere. We don't see the variable C. Just because they have been allocated outside the diarrhea of memory that the code displays. If I start the same exemption again, I said that we get the same thing. So yes, I can cause a buffer overflow. So if I meant I did, I called the executable with a mini subs upset maybe 56. So yeah writing data year. So yes, buffer overflow can occur when we deal with. It's not like memory you went before or procure other memory on the ape can be corrupted, but how so all the memory between the block that the library used to manage? The block of allocated or free memory can be corrupt and if this happens it will be no more possible for the program to allocate or release memory. So the program would be clearly unstable. We just try now buffer overflow back just at the hand of of the variable. So I have said 10, and we saw that the cut the detect the problem. So yes, in the bag, the library that managed the dynamic memory. The function Maddock and the function of three will add memory guard at the beginning of the block of memory allocated memory and at the end of the block. So if we have a buffer overflow this will be catch by the memory guard but this memory guard will just be checked by the code when we freak Damien Marie so it can be too late. So the problem can already have been exploited by make use of software worker. I now want to know if the code also had the memory guard when I'm running and release so I changed for the release version and I will execute the same comments. Giving the index 10 this way with do a buffer overflow just at the end of the fireboat and we see that the card is not detecting the buffer overflow. So we can now know that the memory guard are not present when we are running in that and already smoked. When working with dynamic memory. Overflow is also possible if they occur they will corrupt data. Another block of allocated memory, corrupt or access data in memory previously elected. But now release if we correct this memory, it's not really a problem. But if we access them, they must probably contain valid data because the part of the program that used it did not clear it. So yes, it's still a problem for the security because it could create a death alec. We can help, so when it's mainly what happened when we do, cover flow on the dynamic memory. Corrupt the chain that the library used to maintain the list of allocated and free block of memories. So this will clearly make the program unstable because they will not know more longer be able to allocate our free memory because of this data corruption when running and debugging mode. The library that managed a member of the dynamic memory L pass. They will be they will initialize the memory with the value city as we saw in the previous video so itself and mainly it adds guard to know if we have a buffer overflow. The guard is just checked when the memory is released. So again, Medicis software or occur may already have time to retrieve some data change from that or at least call the program to crash before we detect the genetic memory buffer of our friends. We have already talked about the apron and a musician and it's it's time to talk about it again. Apron organization is very important in order to protect not against buffer overflow because apron organization will never protect us against buffer overflow. But they will make it very difficult for some malicious people to take advantage of buffer overflow occurring at the genetic memory level. This way, if we change that or it will not be the same data that will be changed every ejection of the program. So it will be not easy to predict what we can change in the program are wish data we can retrieve using buffer overflow up this way on windows and on Linux. The synchronization is enabled by default. So just don't forget to enable it if you disable it when you divide conclusion. How to avoid buffer flow. First control the index. So if the index come from that are received from the user received from another system or receiver over the network. Always verified about european decks before next Singapore, buffer. It's not just valued for indexes. Also valued for size. So if you copy the content of a buffer to another buffer, make sure you don't copy too much data for the receiving buffer or so. Index in the large week. Also using unsigned variable for Index. Make one, do the validation easier but also unit completely their risk for a buffer underflow with a negative index. In this video we discussed about buffer overflow with an area but buffer overflow are also common when working with restoring strings are just chart area. So it's exactly the same concept that occurs,but the next video will be about C string. So yes, it would also talk about buffer overflow, but in the special case of the system.
