CS1
Buffer Overflow – "Data gone wild"
Background
Summary:Buffer overflow occurs when data is input or written beyond the allocated
bounds of an buffer, array, or other object causing a program crash or a vulnerability
that hackers might exploit.
Description: A buffer overflow occurs when data is written beyond the boundaries of a
fixed length buffer overwriting adjacent memory locations which may include other
buffers, variables and program flow data. Considered the “nuclear bomb” of the
software industry, the buffer overflow is one of the most persistent security
vulnerabilities and frequently used attacks.
Risk – How can it happen?: Writing outside the bounds of a block of allocated memory
can corrupt data, crash the program, or allow the execution of malicious code.
Example of Occurrence: A buffer overflow in a 2004 version of AOL's AIM instantmessaging software exposed users to buffer overflow vulnerabilities. If a user posted a
URL in their “I'm away” message, any of his or her friends who clicked on that link might
be vulnerable to attack. AOL's response was to suggest that users update to a new
version that would fix the bug.
Paul Roberts “AOL IM 'Away' message flaw deemed critical”, Inforworld, August 9, 2004
http://www.infoworld.com/article/04/08/09/HNaolimflaw_1.html
Example in Code:
public class Overflow {
public static void main(String[] args) {
int[] vals = new int[10];
for (int i =0; i < 20; i++) {
vals[i] = i;
}
}
}
When this program is run, the loop counter will exceed the value of a suitable index for
the array. When the assignment statement tries to store a value in vals[10], buffer
overflow occurs. The result is unpredictable. Depending on the operating system and
the specific nature of the overflow, it may not cause any apparent problems, or it will
cause the program to crash.
How can I avoid buffer overflow problems?
Make sure you have enough space: Before copying data to a fixed size block, make
© 2009 Towson University
1
CS1
sure it is large enough to hold the data that you are going to copy. If it is not large
enough, do not copy more data than your available space can hold. If your program is
not able to continue properly after filling the available space, you may have to find some
way to recover from the error.
Validate indices: If you have an integer variable, verify that it is within the proper
bounds before you use it as an index to an array. This validation is particularly
important for any values that might have been provided as user input or other untrusted
input, such as information that might be read from a file or from a network connection.
When possible, use buffer-size accessors: Loops that iterate over arrays need to know
the size of the array. Using a variable with the wrong value or the incorrect constant
value can lead to buffer overflows. Some languages - including Java – provide
operators that can be used to retrieve the size of an array. Using these operators can
help you avoid some of these problems
Use alternative data structures that reduce the risk of overflows: Many buffer overflow
vulnerabilities can be avoided by using vectors or other structures instead of traditional
arrays. When possible, use ArrayLists and iterators instead of arrays and integerindexed loop. Note that these tools will not prevent you from running into trouble: you
will still have to write your code carefully and correctly. However, they can reduce your
risk of buffer overflow vulnerabilities.
© 2009 Towson University
2
CS1
Laboratory/Homework Assignment:
import java.util.Scanner;
public class Overflow2 {
public static void main(String[] args) {
Scanner scan = new Scanner(System.in);
int[] vals = new int[10];
System.out.println("How many values should be stored in the array? ");
int count = scan.nextInt();
for (int i = 0; i < count; i++ ) {
vals[i] = count-i;
}
System.out.println("Which value do you wish to retrieve? ");
int which = scan.nextInt();
System.out.println("Your value is " +vals[which]);
}
}
1. Run and compile the above program. Describe the results. What happens if you
type “3” for the first prompt? 7? 12? 20? What happens if you type 10 for the
first prompt and then 3, 7, 12, and 20 for the second prompt?
2. Complete the checklist below for this program.
3. List the potential buffer overflow errors.
4. Provide example inputs that might cause buffer overflow problems
5. What strategies might you use to remove potential buffer overflow vulnerabilities
from this program?
6. Write a program that reads at most 10 temperatures (stored as floating point
values) from a file. Your program should include the following elements:

A prompt asking the user for the name of the file containing the temperatures

A method to read the temperatures into an array.

A method that prints the temperatures

A method that computes the average temperature

A main that uses each of these methods.
If there are more than 10 values, your program should ignore any values after the
first 10. If there are no values in the file, an appropriate error message should be
© 2009 Towson University
3
CS1
printed.
Test this program with files containing the following sets of values. Indicate the
average that you get in each case. Your program should handle each of these
cases appropriately.
a.
b.
c.
d.
Empty file
40.3 35.8 29.6 45 17.8 19.2 38.6 31.5 27.8 39.9
19.2 38.6 31.5 27.8 39.9
40.3 35.8 29.6 45 17.8 19.2 38.6 31.5 27.8 39.9 19.7 22.6 18.8
7. Complete the checklist below for your program. Did you find any vulnerabilities? If
so, list them and revise the program to eliminate them.
Security Checklist:
Security Checklist
Vulnerability
Buffer Overflow
Course
CS1
Task – Check each line of code
Completed
1. Finding Arrays:
1.1 Underline each array declaration
1.2. For each array, underline all subsequent references
2. Index Variables – legal range for an array of size n is 0 <= i < n
2.1 For each underlined access that uses a variable as an index, write the legal range
next to it.
2.2 For each index marked in 2.1, underline all occurrences of that variable.
2.3. Mark with a V any assignments, inputs or operations that may modify these index
variables. Does your code verify that these operations will result in an index value that
is within the appropriate bounds? If not, you may have a vulnerability.
3. Loops that modify index variables
3.1 Find loops that modify variables used to index arrays. For any index that occurs as
part of a loop conditional, underline the loop limit. For example, if i < max is the
conditional in a for loop, underline max
3.2. Write the legal range of the array index next to the loop limit as you did in step 2.1.
Mark with a V if the loop limit could exceed the legal range of the array index. Watch
out for loop that go until i <=max , as the largest valid index is max-1
3.3 If either the upper or lower loop limit is a variable, it must be checked just as
indices are checked in Step 2
Shaded areas indicate vulnerabilities!
© 2009 Towson University
4
CS1
Discussion
1.
2.
3.
4.
5.
6.
Describe the buffer overflow problem.
Give three real life examples of buffer overflow attacks (research on the web).
What can result from a buffer overflow?
List three ways you could potentially overflow a buffer in your program.
How could you prevent a buffer overflow from occurring in your program?
Buffer overflows can be troublesome if they are used by attackers to run their
own code. What sort of things might an atacker try to do if he or she were able to
run any code they wanted on a computer?
© 2009 Towson University
5