Lecture 3: Memory Safety Vulnerabilities

Buffer Overflow Analogy


What part of the airline ticketing system might be broken? How might you fix it?



Vulnerable Code


In the last example of vulnerable code (with a function pointer), what should the attacker input as their name to take over control of the program? Assume the code the attacker wants to run is more than 20 bytes long.



Memory-Unsafe Languages are Dangerous

What are the four parts of C memory? What part of memory would a variable be stored if I define it: 1) outside any function, 2) as a local variable in a function, and 3) by calling malloc?


Note: The 61C review lecture has a review of C memory layout if you want a refresher.



x86 Function Call


What two values are saved on the stack when x86 calls a function? Why do we need to save these values?


Note: For more details on x86 function calls, consult the 61C review lecture.



Intro to Buffer Overflows



Overwriting the Return Address


Suppose there is a vulnerable local variable that the attacker can overflow at address X on the stack, and the return address of this stack frame is at address Y. What could the attacker input into the buffer to take over control of the program? (You can use expressions like X+Y or Y-12 in your answer.)



Signed/Unsigned Vulnerability


Note: You don’t need to know the specifics of number representation for projects or exams. You should know that 0xffffffff (a binary string of all 1s) is a very large number when interpreted as an unsigned integer, and -1 when interpreted as a signed integer.



Integer Overflow Vulnerability



Format String Vulnerability


Q2 on Homework 2 has some practice on format string vulnerabilities.



Vulnerabilities Outside the Stack


Note: You should know conceptually that the heap can be overflowed in C++ to take control of the program, but since C++ is not a prerequisite for the course, we won’t test you on C++ heap overflows on exams or projects.



Making Exploits Robust


What are some defenses we might use to stop buffer overflow attacks?