From Buffer Overflows to Control Flow Attacks

In my previous article, I demonstrated how a simple buffer overflow attack could be used to bypass a password check. The attack in my Circuit Cellar #426 article worked because you were able to overwrite a “secret” password, meaning you had control over what the password comparison checked against.

But when discussing buffer overflows, the more common attack would just be to overwrite the stack itself. In fact, most compilers even have an option to enable a “stack protector” specifically to prevent this type of attack.

The previous article introduced the setup for a buffer overflow, and in this article I’m going to extend the previous work to show you how that stack protector works. This is a feature you can turn on for your own systems, but I wanted to specifically show you why they aren’t a perfect shield that will detect all buffer overflows. In fact it won’t even detect the buffer overflow from my previous article!

I specifically wanted to introduce this attack to demonstrate that embedded systems often have more attack vectors to consider than “normal” software. Compiling code for a Linux or Windows host can be fairly consistent, but embedded systems have more variability.

In this article I’ll also show you how a buffer overflow can overwrite the stack, and how you can test this yourself using low-cost hardware. This specific example is something I challenged my graduate student Brian Peters to experiment with—in fact he made an even more complex attack, which I’ll discuss at the end of this article, but it will show you what is possible beyond what you might think of as a normal buffer overflow attack.

HARDWARE SETUP