[[Kategorie:Themenabend]]
{{Themenabend
| TITEL= Buffer Overflows
| UNTERTITEL=
| TERMIN=
| ORT=
| THEMA=
| REFERENTEN= [[Benutzer: Sven | Sven]], [[Carsten Grohmann]] and [[Benutzer:Caldrin | Caldrin ]]
| C3D2WEB=
| TOPIC= see below
| SLIDES=
}}

== Outline ==
* Memory layout
* Classic stack-based attacks
* Frame pointer overwrite
* BSS overflow
* Heap overflow

== Link Collection (General) ==
* [http://www.heise.de/security/artikel/37958/0 Buffer-Overflows und andere Sollbruchstellen]
* [http://krecher.p15153225.pureserver.info/bufferoverflows.pdf Talk on buffer overflows by Stefan Krecher]

== Audit Tools ==
* [http://lclint.cs.virginia.edu/ Splint (C)]
* [http://www.securesoftware.com/download_rats.htm RATS Rough Auditing Tool for Security (C, C++, PHP, Perl & Python)]
* [http://www.dwheeler.com/flawfinder/ Flawfinder (C/C++)]
* [http://www.cigital.com/its4/ ITS4 (C/C++)]
* [http://www.striker.ottawa.on.ca/~aland/pscan/ PScan (C)]
* [http://perens.com/FreeSoftware/ ElectricFence - malloc() debugger]
* [http://www.parasoft.com/products/wizard/ CodeWizard (commercial)]

== Exploit Programming ==
* [http://phrack.org/show.php?p=49&a=14 Smashing the Stack for Fun and Profit]
* [http://www.w00w00.org/files/articles/heaptut.txt w00w00 on Heap Overflows]
* [http://www.jikos.cz/jikos/remotesploits.html How to write remote exploits]
* [http://www.nextgenss.com/papers/non-stack-bo-windows.pdf Non-Stack Overflows on Windows]
* [http://www.nextgenss.com/papers/defeating-w2k3-stack-protection.pdf Defeating Microsoft Windows 2003 Stack Protection]
* [http://www.nextgenss.com/papers/exploitvariation.pdf Variations in Exploit Methods between Linux and Windows]
* [http://www.nextgenss.com/papers/unicodebo.pdf Exploitation of UNICODE Buffer Overflows]
* [http://www.nextgenss.com/papers/win32format.doc Windows 2000 Format String Vulnerabilities]
* [http://www.nextgenss.com/papers/sparc.zip Buffer Overflows on SPARC Architecture]
* [http://www.nextgenss.com/papers/bufferoverflowpaper.rtf Buffer Overflows for Beginners]
* [http://www.phrack.org/show.php?p=55&a=8 Frame Pointer Overwrite]
* [http://www.phrack.org/show.php?p=56&a=14 Exploiting Non-adjacent Memory Spaces]
* [http://www.mindsec.com/files/remotefmt-howto.txt How to remotely and automatically exploit a format bug]
* [http://www.phrack.org/show.php?p=61&a=6 Advanced Doug Lea's malloc exploits]
* [http://www.phrack.org/phrack/56/p56-0x05 Bypassing StackGuard and StackShield]
* [http://www.cs.ucsb.edu/~jzhou/security/formats-teso.html Exploiting Format String Vulnerabilities]
* [http://www.phrack.org/phrack/57/p57-0x09 Once upon a free()...]
* [http://www.phrack.org/phrack/58/p58-0x04 The advanced return-into-lib(c) exploits]
* [http://www.securiteam.com/exploits/alpha-bof.txt Buffer overflow exploit on Alpha Linux]
* [http://www.insecure.org/stf/mudge_buffer_overflow_tutorial.html How to write Buffer Overflows]

== Protection ==
* Static Analysis
** [http://citeseer.nj.nec.com/wagner00first.html A first step towards automated detection of buffer overrun vulnerabilities]
** [http://citeseer.nj.nec.com/dor01cleanness.html Cleanness Checking of String Manipulations in C Programs via Integer Analysis]
** [http://lclint.cs.virginia.edu/usenix01.pdf Statically detecting likely buffer overflow vulnerabilities]
** [http://www.research.att.com/~christof/papers/preprint-SRDS2001.pdf Detecting heap smashing attacks through fault containment wrappers]
** [http://www.infosys.tuwien.ac.at/Staff/chris/doc/2002_08.ps Accurate Buffer Overflow Detection via Abstract Payload Execution]
** [http://www.ida.liu.se/~johwi/research_publications/paper_nordsec2002_john_wilander.pdf A Comparison of Publicly Available Tools for Static Intrusion Prevention]
** [http://www.cs.tau.ac.il/~msagiv/cssv.pdf CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C]
** [http://www.cs.wisc.edu/wpis/papers/fse03.ps Protecting C Programs from Attacks via Invalid Pointer Dereferences]
** [http://www.ecsl.cs.sunysb.edu/brew.htm A Binary Rewriting Defense Against Stack-based Buffer Overflow Attacks]
** [http://www.cs.wisc.edu/wisa/papers/safeTR1467/cj03.pdf Static Analysis of Executables to Detect Malicious Patterns]
** [http://seclab.cs.sunysb.edu/addr_obfs/docs/ao.pdf Address Obfuscation: An Approach to Combat Buffer Overflows, Format-String Attacks, and More]
* Compiler Patches
** [http://www.cs.ubc.ca/local/reading/proceedings/spe91-95/spe/vol22/issue4/spe757js.pdf Adding run-time checking to the portable C compiler]
** [http://www.trl.ibm.com/projects/security/ssp/main.html Protecting from stack smashing attacks]
** [http://www.doc.ic.ac.uk/~phjk/BoundsChecking.html Bounds Checking for C]
** [http://www.immunix.org/stackguard.html StackGuard: Automatic adaptive detection and prevention of buffer overflow attacks]
** [http://www.angelfire.com/sk/stackshield/ Stack Shield: A "stack smashing" technique protection tool for Linux]
** [http://www.cc.gatech.edu/classes/AY2002/cs8803d_spring/papers/RAD.pdf RAD: A compile-time solution to buffer overflow attacks]
** [http://www.trl.ibm.com/projects/security/ssp/ GCC extension for protecting applications from stack-smashing attacks]
** [http://www.cse.ogi.edu/~crispin/pointguard_usenix_security2003.pdf Protecting pointers from buffer overflow vulnerabilities]
* C Library Patches
** [ftp://ftp.lucky.net/pub/unix/local/libc-letter FreeBSD Stack Integrity Patch]
** [http://www.usenix.org/publications/library/proceedings/usenix2000/general/full_papers/baratloo/baratloo.pdf Transparent run-time defense against stack smashing attacks (Libsafe - Libverify)]
** [http://www.immunix.org/formatguard.pdf FormatGuard: Automatic Protection From printf Format String Vulnerabilities]
** [http://www.zork.org/safestr/ Safe C String Library]
** [http://www.lexa.ru/snar/libparanoia/ Libparanoia]
* Kernel / OS Patches
** [http://www.openwall.com/linux Non-executable user stack]
** [http://stackghost.cerias.purdue.edu/ StackGhost: Hardware Facilitated Stack Protection]
** [http://pax.grsecurity.net/ PaX]
** [http://www.cs.berkeley.edu/~mmc/papers/tr.pdf Mitigating Buffer Overflows by Operating System Randomization]
** [http://www.crhc.uiuc.edu/~junxu/Papers/TechReport_TRR_UILU-ENG-03-2207.pdf Transparent runtime randomization for security]

== Shellcode ==
* [http://www.phrack.org/show.php?p=61&a=9 Polymorphic Shellcode Engine]
* [http://www.mindsec.com/files/art-shellcode.txt The Art of Writing Shellcode]
* [http://www.enderunix.org/documents/en/sc-en.txt Designing Shellcode Demystified]
* [http://www.phrack.org/show.php?p=61&a=11 Building IA32 'Unicode-Proof' Shellcodes]

== Vulnerabilities ==
* [http://online.securityfocus.com/archive/1/71598 JPEG COM Marker Processing Vulnerability in Netscape Browsers]