breakpoint the stack buffer overflow from executing malicious code like SQL Slammer worm

From: Peter Huang (yinrong@rogers.com)
Date: 02/09/03

  • Next message: Paul Starzetz: "Eggdrop arbitrary connection vulnerability" 
    From: "Peter Huang" <yinrong@rogers.com>
To: "David Litchfield" <david@ngssoftware.com>
Date: Sun, 9 Feb 2003 00:39:05 -0500

    Hi, David and others:

    For the past few days, I have done a few experiments and some research on
    ways to prevent the buffer overflow exploitation. I believe the following
    compiler option (if implemented and used) should make the exploitation of
    stack buffer overflow by "jmp esp" method impossible (as far as I know) to
    execute a piece of malicious code on Intel-Inside PC. The buffer
    vulnerability, if exists, still overflows to be trapped by this mechanism if
    being pumped too much.

    For a function like:

    Void testVoid (void)
    {
            do something here and the stack overflows such as sprintf in ssnetlib.dll
    in SQL 2000 server (pre-SP3)
    }

    The compiler inserts the following opcodes before "ret".

    Mov ecx, [esp]
    Cmp word ptr [ecx], 0FFE4h ; check for "jmp esp"
    Jnz realRet
    Mov byte ptr [esp+4], 0cch ; stack has been overflowed and function
    ; will breakpoint (no need to go on anyway)
    RealRet:
            ret

    For a function like:

    Void testParametered(int I, int i2, int i3 ...)
    {
            do something here and the stack overflows such as sprintf in ssnetlib.dll
    in SQL 2000 server (pre-SP3)
    }

    The compiler inserts the following opcode before "ret"
            Mov byte ptr[esp+4], 0cch ; if return address is not overwritten,
                                        ; then this will be discarded by opcode such
    as
                                        ; "add esp, xx" down the execution path.
                                        ; Otherwise, the exploitation code injected
    onto the stack,
                                        ; which happens before this move, will
                                        ; cause a breakpoint trap to happen due to the
                                        ; "jmp esp" method exploited by the buffer
    overflow.
            Ret

    Normally, both above functions continue normally. However, if the stack is
    overflowed due to some software bugs under exploitation attack, then the
    mechanism listed above will generate breakpoint trap and the execution of
    malicious code is stopped.

    Unfortunately, it will definitely increase the executable image size and
    some runtime hit (should not be much because of the cache lines are still
    valid etc.). Some might think that this creates some false illusion of
    security. However, it does dam the overflow to what has been overflowed and
    prevent the overflow from spreading so that we do not have to hear others
    say:" dam it".

    Here is what I got:

    Best regards

    Peter Huang
    http://members.rogers.com/yinrong/articles/Prevent.htm

    Relevant Pages

    • Re: Adding Older Versions of GCC To The Tool Chain ... safely?!?!
      ... doing optimizing? ... The original "vulnerability" report, not just the Heise article, uses ... There is by definition no such thing as 'an unsigned overflow', ... and a C compiler is still free to do whatever it chooses. ...
      (comp.os.linux.development.apps)
    • Re: extended operators
      ... between the sequence point X and the last sequence point. ... Perhaps it should be a macro, defined in a new header, that expands to some implementation-defined expression (possibly involving compiler magic). ... So you'd mandate specific restrictions on generated code in the presence of calls to _carry, even if the compiler is able to prove that it can perform an optimization without changing the effect? ... The ``result'' member is set to the sum of x and y; unlike an ordinary "+" operator, the result is well defined even on overflow. ...
      (comp.std.c)
    • Re: operators similar to functions?
      ... undefined behaviour; however the compiler cannot know that. ... probably has a pretty good idea of the consequences of overflow ... The HAL StinkWad represents an opposite pole in system design. ...
      (comp.lang.c)
    • A bit of confusion with conversions
      ... why did compiler decide to sign-extend sb - ... overflow checking context (aka under the control of checked/unchecked ...
      (microsoft.public.dotnet.languages.csharp)
    • Re: where exactly c++,c fail and Ada gets thru
      ... The simplistic answer is for each ranged type R, ... basically done by partial specializing on whether overflow is possible. ... tried to shove it into a variable without enough digits, ... for speed if their compiler supported inline assembly). ...
      (comp.lang.ada)
    • Quantcast