Finding Buffer Overflows

These are examples of C library calls that are commonly involved in buffer overflows:

  • strcpy / strcat (copy until the NUL terminator and never consult the size of the destination)

  • gets (reads a line with no bound at all; removed from the C11 standard), and fgets when the size argument passed does not match the real buffer size

  • scanf / fscanf / sscanf with an unbounded %s conversion

  • sprintf / vsprintf (no destination size), and the printf family with an attacker-controlled format string (a format-string bug rather than a classic overflow, but the same class of memory corruption)

  • memcpy / memmove when the length argument comes from the input

More generally, any function that does either of the following may be vulnerable to buffer overflows:

  • Does not validate its inputs before operating on them

  • Does not check that the data fits the destination buffer (input boundaries)
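The following is an added example (not code from the original page) showing three of the calls listed above as they are typically misused, each beside a bounded version that checks the boundaries the text refers to. The buffer sizes NAME_LEN and PAYLOAD_MAX and the length-prefixed record layout are assumptions made for the demonstration; the vulnerable variants are only ever fed input that fits.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example, not code from the original page. Each pair shows one call from the
 * list above as it is typically misused, followed by a bounded version. NAME_LEN,
 * PAYLOAD_MAX and the length-prefixed record layout are assumptions for the demo. */

#define NAME_LEN 16
#define PAYLOAD_MAX 32

/* VULNERABLE: strcpy copies until the NUL terminator and never looks at sizeof name,
 * so any src of NAME_LEN or more characters smashes the stack. Never call this with
 * untrusted input; main() below only feeds it a short string. */
void greet_unsafe(const char *src) {
    char name[NAME_LEN];
    strcpy(name, src);
    printf("hello %s\n", name);
}

/* HARDENED: check the length against the destination first and reject oversized input
 * instead of truncating silently. Returns 0 on success, -1 if src does not fit. */
int greet_safe(const char *src) {
    char name[NAME_LEN];
    size_t n = strlen(src);
    if (n >= sizeof name)           /* need n + 1 bytes including the NUL */
        return -1;
    memcpy(name, src, n + 1);
    printf("hello %s\n", name);
    return 0;
}

/* VULNERABLE: "%s" has no field width, so a token longer than NAME_LEN - 1 overflows word. */
int read_word_unsafe(const char *input, char word[NAME_LEN]) {
    return sscanf(input, "%s", word);
}

/* HARDENED: the field width caps the copy at NAME_LEN - 1 characters plus the NUL.
 * sscanf on a constructed string stands in for scanf/fscanf on stdin or a file. */
int read_word_safe(const char *input, char word[NAME_LEN]) {
    return sscanf(input, "%15s", word);   /* 15 == NAME_LEN - 1 */
}

/* Length-prefixed record as it might arrive from a file or the network (constructed
 * layout): [1 byte len][len bytes payload]. */

/* VULNERABLE: memcpy trusts the attacker-supplied length byte; len > PAYLOAD_MAX writes
 * past payload, and len greater than the bytes actually received reads past rec. */
void parse_record_unsafe(const uint8_t *rec, uint8_t payload[PAYLOAD_MAX]) {
    uint8_t len = rec[0];
    memcpy(payload, rec + 1, len);
}

/* HARDENED: bound the copy by both the destination size and the bytes received.
 * Returns the payload length, or -1 if the record is malformed. */
int parse_record_safe(const uint8_t *rec, size_t rec_len,
                      uint8_t *payload, size_t payload_max) {
    if (rec_len < 1)
        return -1;
    size_t len = rec[0];
    if (len > payload_max || len > rec_len - 1)
        return -1;
    memcpy(payload, rec + 1, len);
    return (int)len;
}

int main(void) {
    uint8_t payload[PAYLOAD_MAX];
    char word[NAME_LEN];
    const uint8_t good[] = {4, 'a', 'b', 'c', 'd'};      /* constructed, well-formed */
    const uint8_t bad[]  = {200, 'x'};                    /* constructed, claims 200 bytes */

    greet_unsafe("alice");                               /* fits, so no overflow here */
    printf("greet_safe(long): %d\n", greet_safe("this name is far too long for the buffer"));
    read_word_safe("supercalifragilisticexpialidocious rest", word);
    printf("read_word_safe -> \"%s\" (%zu chars)\n", word, strlen(word));
    printf("parse good: %d\n", parse_record_safe(good, sizeof good, payload, sizeof payload));
    printf("parse bad:  %d\n", parse_record_safe(bad, sizeof bad, payload, sizeof payload));
    return 0;
}
```

The hardened variants reject input rather than silently truncating it: truncation keeps the program alive but can itself become a logic bug (a truncated path or username is still "valid" to the rest of the code), so an explicit error return is usually the better contract.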

Buffer overflows are primarily a problem of memory-unsafe languages such as C and C++. Managed languages such as C#, Visual Basic .NET and Java bounds-check array and string accesses, so ordinary code written in them does not overflow buffers. They are not immune, however: their runtimes, native libraries reached through JNI or P/Invoke, and explicitly unsafe code blocks are still written in C/C++ and can still be vulnerable.

Moreover, the data that triggers a buffer overflow can come from any of the following sources:

  • User input

  • Data loaded from a disk

  • Data from network

Finding buffer overflows manually can be very time-consuming. The following techniques make the process easier:

  • If you are a developer and have access to the source code, static analysis tools (splint, Cppcheck, etc.) can be run over it. Such tools try to detect not only buffer overflows but also other classes of errors.

Other techniques are the following:

  • When a crash occurs, be prepared to hunt for the vulnerability with a debugger. Some companies use cloud fuzzing to brute-force crashes (using file-based inputs); whenever a crash is found, it is recorded for further analysis.

  • A dynamic analysis tool such as a fuzzer or a tracer, which tracks all executions and the data flow, helps find problems.

Fuzzing is a software testing technique that feeds invalid, unexpected or random data to a program as input. The input can take any form, such as:

  • Command line

  • Network data

  • Databases

  • Keyboard/mouse input

  • Parameters

  • File input

  • Shared memory regions

  • Environment variables

The technique works by supplying random data to the program and then checking the program for incorrect behaviour such as:

  • Memory hogging (excessive use of memory)

  • CPU hogging

  • Crashing

Whenever inconsistent behaviour is found, all related information (at minimum the input that triggered it) is collected so that the operator can later recreate the case and hunt down and fix the problem.

However, the space of possible inputs grows exponentially and fuzzing is resource-intensive, so in practice it cannot cover every case.
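To make the loop described above concrete, here is an added example (not code from the original page or from any fuzzing framework) of a minimal mutation fuzzer: a valid seed input is randomly mutated, fed to a parser, and an oracle checks whether the parser accepted an out-of-bounds slice. When it does, the input is saved so the operator can replay it under a debugger. The header layout, the bug in the parser (a boundary check whose addition wraps), the mutation strategy and the PRNG are all assumptions made for the demonstration; real fuzzers add coverage feedback and a corpus on top of the same basic loop.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original page: a minimal mutation fuzzer for a
 * small header parser. The header layout, the bug in it, the mutation strategy and
 * the PRNG are all assumptions made for this demonstration. */

#define BUF_SIZE 64

/* Target input (constructed layout): 4-byte little-endian offset, 4-byte little-endian
 * length, then BUF_SIZE - 8 bytes of body. The pair selects a slice of the body. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

typedef int (*target_fn)(const uint8_t *, size_t, uint32_t *, uint32_t *);

/* TARGET, VULNERABLE: a boundary check exists but off + len wraps in 32 bits, so a
 * huge value can pass and a caller copying the slice would run off the end of buf.
 * The function only reports the slice it accepted; the oracle below judges it. */
int slice_unsafe(const uint8_t *buf, size_t n, uint32_t *off_out, uint32_t *len_out) {
    if (n < 8) return -1;
    uint32_t off = rd32(buf), len = rd32(buf + 4), body = (uint32_t)(n - 8);
    if (off + len > body) return -1;        /* BUG: wraps when off + len >= 2^32 */
    *off_out = off; *len_out = len;
    return 0;
}

/* TARGET, HARDENED: compare without forming a sum that can wrap. */
int slice_safe(const uint8_t *buf, size_t n, uint32_t *off_out, uint32_t *len_out) {
    if (n < 8) return -1;
    uint32_t off = rd32(buf), len = rd32(buf + 4), body = (uint32_t)(n - 8);
    if (off > body || len > body - off) return -1;
    *off_out = off; *len_out = len;
    return 0;
}

/* ORACLE: the condition AddressSanitizer or a stack canary would flag if the slice
 * were actually copied. Returns 1 if the accepted slice lies outside the body. */
int slice_out_of_bounds(size_t n, uint32_t off, uint32_t len) {
    size_t body = n - 8;
    return off > body || len > body - off;
}

/* Deterministic xorshift32 PRNG so every run can be reproduced from its seed. */
static uint32_t rng_state = 1;
static uint32_t rng(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* MUTATOR: flip a bit, replace a byte, or drop an "interesting" value such as
 * 0xffffffff into one of the two header fields. */
static void mutate(uint8_t *buf, size_t n) {
    static const uint32_t interesting[] = {0, 0xffffffffu, 0x7fffffffu, 0x80000000u, 0xfffffff0u};
    switch (rng() % 3) {
    case 0: buf[rng() % n] ^= (uint8_t)(1u << (rng() % 8)); break;
    case 1: buf[rng() % n] = (uint8_t)rng(); break;
    default: {
        uint32_t v = interesting[rng() % 5];
        size_t pos = (rng() % 2) * 4;
        for (int i = 0; i < 4; i++) buf[pos + i] = (uint8_t)(v >> (8 * i));
    }
    }
}

/* FUZZ LOOP: start from a valid seed input, apply 1-4 mutations, run the target and
 * consult the oracle. On a finding the input is copied to crash_out so the operator
 * can replay it under a debugger. Returns the iteration of the first finding, or -1. */
long fuzz(target_fn target, uint32_t seed, long iters, uint8_t crash_out[BUF_SIZE]) {
    uint8_t seed_input[BUF_SIZE] = {4, 0, 0, 0, 8, 0, 0, 0};   /* off = 4, len = 8: valid */
    uint8_t cur[BUF_SIZE];
    for (size_t i = 8; i < BUF_SIZE; i++) seed_input[i] = (uint8_t)i;
    rng_state = seed ? seed : 1;                                  /* xorshift state must not be 0 */
    for (long it = 0; it < iters; it++) {
        uint32_t off, len;
        memcpy(cur, seed_input, BUF_SIZE);
        int nmut = 1 + (int)(rng() % 4);
        for (int k = 0; k < nmut; k++) mutate(cur, BUF_SIZE);
        if (target(cur, BUF_SIZE, &off, &len) == 0 && slice_out_of_bounds(BUF_SIZE, off, len)) {
            memcpy(crash_out, cur, BUF_SIZE);
            return it;
        }
    }
    return -1;
}

int main(void) {
    uint8_t crash[BUF_SIZE];
    long it = fuzz(slice_unsafe, 1, 100000, crash);
    if (it >= 0)
        printf("slice_unsafe: finding at iteration %ld, off=0x%08x len=0x%08x\n",
               it, rd32(crash), rd32(crash + 4));
    printf("slice_safe: %s\n", fuzz(slice_safe, 1, 100000, crash) < 0 ? "no finding" : "finding");
    return 0;
}
```

Two details matter in practice. The oracle is what turns "random input" into "a finding": without sanitizer instrumentation or an explicit check like slice_out_of_bounds, an overflow that does not happen to crash goes unnoticed. And the saved input plus the fixed PRNG seed are what make the case reproducible, which is the "related information" the operator needs before hunting the bug with a debugger.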

Some fuzzing frameworks:

2.1 Finding Buffer Overflows in Binary Programs

Let's see how to identify a buffer overflow after the application crashes.

2.2 Code Observation

2.3 Overflow the Buffer

Another tool that helps identify buffer overflows is IDA Pro; a free edition for non-commercial use is available for download.
