Buffer Overflows

The goal when testing for buffer and integer overflows is to cause the computer to write outside allocated memory, often by using values that are longer than the application might expect. In the sample test cases, <BO> is used to indicate places where a buffer overflow is attempted by supplying long input as part of the data. Refer to Chapter 8.

Sample Test Cases

Test Case                                          Description
-------------------------------------------------  ------------------------------------------------------------------
<BO>:\folder\file.txt                              Attempt to overflow the drive letter of a file path.
C:\<BO>\file.txt                                   Attempt to overflow the name of a folder.
C:\folder\<BO>.txt                                 Attempt to overflow the filename.
C:\folder\file.<BO>                                Attempt to overflow the extension.
<BO>://www.server.com/file.txt                     Attempt to overflow the protocol portion of a URL.
http://<BO>/file.txt                               Attempt to overflow the server name.
http://www.<BO>.com/file.txt                       Attempt to overflow portions of the server name.
http://server/<BO>.txt                             Attempt to overflow the filename.
http://server/file.<BO>                            Attempt to overflow the extension.
http://server/file.asp?<BO>                        Attempt to overflow the query string.
http://server/file.asp?<BO>=value                  Attempt to overflow part of the query string parameter names.
http://server/file.asp?name=<BO>                   Attempt to overflow the query string parameter values.
0x00 0x00 0x00 0x00String                          Alter the length preceding the string by making it small.
0x7f 0xff 0xff 0xffString                          Alter the length preceding the string by making it large.
Remove the null terminator                         Hope the copy routine will keep copying.
Run code analysis tools like lint                  Many code-based and runtime tools can help catch buffer overflow errors in code.
Fuzz                                               Fuzzing the input data can help identify issues.
MAX input length                                   Identify the expected max length of a value.
(MAX - 1) input length                             Try one less than the expected max length of a value.
(MAX + 1) input length                             Try one more than the expected max length of a value.
(MAX + n) input length                             Keep adding one byte past the expected max length at a time until the application errors.
Try string input 2^n long                          Sometimes allocations are 2^n.
Try numeric input 2^15, 2^16, 2^31, 2^32 in value  Doing so can help spot integer overflows.
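As an added example (not from the book), a hardened C reader for a 4-byte length-prefixed string, exercised with the two length-prefix test cases from the table: it treats the prefix as untrusted, bounds the copy by the bytes actually present and by the destination size, and compares lengths without computing len + 1, so the 2^31 style value cannot wrap the check. The function name and the sample byte strings are constructed for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hardened reader for a 4-byte big-endian length prefix followed by string
 * bytes. Copies the string into out, NUL-terminated, and returns its length,
 * or -1 when the prefix disagrees with the bytes actually present or with the
 * destination capacity. */
static int parse_lp_string(const uint8_t *buf, size_t buflen,
                           char *out, size_t outcap)
{
    if (buf == NULL || out == NULL || buflen < 4 || outcap == 0)
        return -1;
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    /* The prefix is attacker-controlled; the real bound is what follows it.
     * A 0x7fffffff prefix claims far more data than the 6 bytes present. */
    if (len > buflen - 4)
        return -1;
    /* Bound against the destination without computing len + 1, which could
     * wrap; this also rejects the (MAX + 1) case from the table. */
    if (len >= outcap || len > (uint32_t)INT_MAX)
        return -1;
    memcpy(out, buf + 4, len);
    out[len] = '\0';   /* always terminate, so callers cannot read past the copy */
    return (int)len;
}

/* Constructed test vectors modelled on the two length-prefix rows above
 * (made up for this example, not taken from the book). */
static const uint8_t kSmallPrefix[] = { 0x00, 0x00, 0x00, 0x00, 'S','t','r','i','n','g' };
static const uint8_t kLargePrefix[] = { 0x7f, 0xff, 0xff, 0xff, 'S','t','r','i','n','g' };
static const uint8_t kHonest[]      = { 0x00, 0x00, 0x00, 0x06, 'S','t','r','i','n','g' };

int main(void)
{
    char out[16];
    int n;
    n = parse_lp_string(kSmallPrefix, sizeof kSmallPrefix, out, sizeof out);
    printf("small prefix : %d bytes copied -> \"%s\"\n", n, out);  /* 0, "" */
    n = parse_lp_string(kLargePrefix, sizeof kLargePrefix, out, sizeof out);
    printf("large prefix : %d (rejected)\n", n);                    /* -1 */
    n = parse_lp_string(kHonest, sizeof kHonest, out, sizeof out);
    printf("honest prefix: %d bytes copied -> \"%s\"\n", n, out);  /* 6, "String" */
    return 0;
}
```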


Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156