A New Class of Buffer Overflow Attacks

In this paper, we focus on a class of buffer overflow vulnerabilities that occur due to the "placement new'' expression in C++. "Placement new'' facilitates placement of an object/array at a specific memory location. When appropriate bounds checking is not in place, object overflows may occur. Such overflows can lead to stack as well as heap/data/bss overflows, which can be exploited by attackers in order to carry out the entire range of attacks associated with buffer overflow. Unfortunately, buffer overflows due to "placement new'' have neither been studied in the literature nor been incorporated in any tool designed to detect and/or address buffer overflows. In this paper, we show how the "placement new'' expression in C++ can be used to carry out buffer overflow attacks -- on the stack as well as heap/data/bss. We show that overflowing objects and arrays can also be used to carry out virtual table pointer subterfuge, as well as function and variable pointer subterfuge. Moreover, we show how "placement new" can be used to leak sensitive information, and how denial of service attacks can be carried out via memory leakage.

[1]  Vitaly Osipov,et al.  Format String Attacks , 2005 .

[2]  Tzi-cker Chiueh,et al.  A Binary Rewriting Defense Against Stack based Buffer Overflow Attacks , 2003, USENIX Annual Technical Conference, General Track.

[3]  H. Spiifford,et al.  Crisis and Aftermath , 1999 .

[4]  Calton Pu,et al.  Buffer overflows: attacks and defenses for the vulnerability of the decade , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[5]  Dennis Hollingworth,et al.  Protection Analysis: Final Report , 1978 .

[6]  Bjarne Stroustrup,et al.  C++ Programming Language , 1986, IEEE Softw..

[7]  Matt Bishop,et al.  Testing C Programs for Buffer Overflow Vulnerabilities , 2003, NDSS.

[8]  Carl E. Landwehr,et al.  A taxonomy of computer program security flaws , 1993, CSUR.

[9]  Gary McGraw,et al.  ITS4: a static vulnerability scanner for C and C++ code , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[10]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[11]  Jon A. Rochlis,et al.  With microscope and tweezers: the worm from MIT's perspective , 1989, Commun. ACM.

[12]  Bjarne Stroustrup,et al.  The Design and Evolution of C , 1994 .

[13]  Matt Bishop,et al.  A Taxonomy of Buffer Overflow Preconditions , 2010 .

[14]  David Evans,et al.  Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[15]  Robert C. Seacord,et al.  Secure coding in C and C , 2005 .

[16]  Wouter Joosen,et al.  Code injection in C and C++: a survey of vulnerabilities and countermeasures , 2004 .

[17]  John Wilander,et al.  A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention , 2003, NDSS.

[18]  R. P. Abbott,et al.  Security Analysis and Enhancements of Computer Operating Systems , 1976 .

[19]  David E. Evans,et al.  Static detection of dynamic memory errors , 1996, PLDI '96.

[20]  Kyung-Suk Lhee,et al.  Buffer overflow and format string overflow vulnerabilities , 2003, Softw. Pract. Exp..

[21]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.