Hubbry Logo
Stack buffer overflowStack buffer overflowMain
Open search
Stack buffer overflow
Community hub
Stack buffer overflow
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Stack buffer overflow
Stack buffer overflow
Stack buffer overflow
View on Wikipedia
from Wikipedia

In software, a stack buffer overflow or stack buffer overrun occurs when a program writes to a memory address on the program's call stack outside of the intended data structure, which is usually a fixed-length buffer.[1][2] Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer. This almost always results in corruption of adjacent data on the stack, and in cases where the overflow was triggered by mistake, will often cause the program to crash or operate incorrectly. Stack buffer overflow is a type of the more general programming malfunction known as buffer overflow (or buffer overrun).[1] Overfilling a buffer on the stack is more likely to derail program execution than overfilling a buffer on the heap because the stack contains the return addresses for all active function calls.

A stack buffer overflow can be caused deliberately as part of an attack known as stack smashing. If the affected program is running with special privileges, or accepts data from untrusted network hosts (e.g. a webserver) then the bug is a potential security vulnerability. If the stack buffer is filled with data supplied from an untrusted user then that user can corrupt the stack in such a way as to inject executable code into the running program and take control of the process. This is one of the oldest and more reliable methods for attackers to gain unauthorized access to a computer.[3][4][5]

Exploiting stack buffer overflows

[edit]

The canonical method for exploiting a stack-based buffer overflow is to overwrite the function return address with a pointer to attacker-controlled data (usually on the stack itself).[3][6] This is illustrated with strcpy() in the following example: 

#include <string.h>

void foo(char* bar) {
    char c[12];

    strcpy(c, bar); // no bounds checking
}

int main(int argc, char* argv[]) {
    foo(argv[1]);
    return 0;
}

This code takes an argument from the command line and copies it to a local stack variable c. This works fine for command-line arguments smaller than 12 characters (as can be seen in figure B below). Any arguments larger than 11 characters long will result in corruption of the stack. (The maximum number of characters that is safe is one less than the size of the buffer here because in the C programming language, strings are terminated by a null byte character. A twelve-character input thus requires thirteen bytes to store, the input followed by the sentinel zero byte. The zero byte then ends up overwriting a memory location that's one byte beyond the end of the buffer.)

The program stack in foo() with various inputs:

A. - Before data is copied.
B. - "hello" is the first command line argument.
C. - "AAAAAAAAAAAAAAAAAAAA\x08\x35\xC0\x80" is the first command line argument.

In figure C above, when an argument larger than 11 bytes is supplied on the command line foo() overwrites local stack data, the saved frame pointer, and most importantly, the return address. When foo() returns, it pops the return address off the stack and jumps to that address (i.e. starts executing instructions from that address). Thus, the attacker has overwritten the return address with a pointer to the stack buffer char c[12], which now contains attacker-supplied data. In an actual stack buffer overflow exploit the string of "A"'s would instead be shellcode suitable to the platform and desired function. If this program had special privileges (e.g. the SUID bit set to run as the superuser), then the attacker could use this vulnerability to gain superuser privileges on the affected machine.[3]

The attacker can also modify internal variable values to exploit some bugs. With this example: 

#include <stdio.h>
#include <string.h>

void foo(char* bar) {
    float myFloat = 10.5; // Addr = 0x0023FF4C
    char c[28]; // Addr = 0x0023FF30

    // Will print 10.500000
    printf("myFloat value = %f\n", myFloat);

    /* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       Memory map:
       @ : c allocated memory
       # : myFloat allocated memory

           *c                      *myFloat
       0x0023FF30                  0x0023FF4C
           |                           |
           @@@@@@@@@@@@@@@@@@@@@@@@@@@@#####
      foo("my string is too long !!!!! XXXXX");

    memcpy will put 0x1010C042 (little endian) in myFloat value.
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/

    memcpy(c, bar, strlen(bar));  // no bounds checking...

    // Will print 96.031372
    printf("myFloat value = %f\n", myFloat);
}

int main(int argc, char* argv[]) {
    foo("my string is too long !!!!! \x10\x10\xc0\x42");
    return 0;
}

There are typically two methods that are used to alter the stored address in the stack - direct and indirect. Attackers started developing indirect attacks, which have fewer dependencies, in order to bypass protection measures that were made to reduce direct attacks.[7]

[edit]

A number of platforms have subtle differences in their implementation of the call stack that can affect the way a stack buffer overflow exploit will work. Some machine architectures store the top-level return address of the call stack in a register. This means that any overwritten return address will not be used until a later unwinding of the call stack. Another example of a machine-specific detail that can affect the choice of exploitation techniques is the fact that most RISC-style machine architectures will not allow unaligned access to memory.[8] Combined with a fixed length for machine opcodes, this machine limitation can make the technique of jumping to the stack almost impossible to implement (with the one exception being when the program actually contains the unlikely code to explicitly jump to the stack register).[9][10]

Stacks that grow up

[edit]

Within the topic of stack buffer overflows, an often-discussed-but-rarely-seen architecture is one in which the stack grows in the opposite direction. This change in architecture is frequently suggested as a solution to the stack buffer overflow problem because any overflow of a stack buffer that occurs within the same stack frame cannot overwrite the return pointer. However, any overflow that occurs in a buffer from a previous stack frame will still overwrite a return pointer and allow for malicious exploitation of the bug.[11] For instance, in the example above, the return pointer for foo will not be overwritten because the overflow actually occurs within the stack frame for memcpy. However, because the buffer that overflows during the call to memcpy resides in a previous stack frame, the return pointer for memcpy will have a numerically higher memory address than the buffer. This means that instead of the return pointer for foo being overwritten, the return pointer for memcpy will be overwritten. At most, this means that growing the stack in the opposite direction will change some details of how stack buffer overflows are exploitable, but it will not reduce significantly the number of exploitable bugs.[citation needed]

Protection schemes

[edit]
Main article: Buffer overflow protection

Over the years, a number of control-flow integrity schemes have been developed to inhibit malicious stack buffer overflow exploitation. These may usually be classified into three categories:

  • Detect that a stack buffer overflow has occurred and thus prevent redirection of the instruction pointer to malicious code.
  • Prevent the execution of malicious code from the stack without directly detecting the stack buffer overflow.
  • Randomize the memory space such that finding executable code becomes unreliable.

Stack canaries

[edit]
Further information: Canary value

Stack canaries, named for their analogy to a canary in a coal mine, are used to detect a stack buffer overflow before execution of malicious code can occur. This method works by placing a small integer, the value of which is randomly chosen at program start, in memory just before the stack return pointer. Most buffer overflows overwrite memory from lower to higher memory addresses, so in order to overwrite the return pointer (and thus take control of the process) the canary value must also be overwritten. This value is checked to make sure it has not changed before a routine uses the return pointer on the stack.[2] This technique can greatly increase the difficulty of exploiting a stack buffer overflow because it forces the attacker to gain control of the instruction pointer by some non-traditional means such as corrupting other important variables on the stack.[2]

Nonexecutable stack

[edit]
Main article: Executable space protection

Another approach to preventing stack buffer overflow exploitation is to enforce a memory policy on the stack memory region that disallows execution from the stack (W^X, "Write XOR Execute"). This means that in order to execute shellcode from the stack an attacker must either find a way to disable the execution protection from memory, or find a way to put their shellcode payload in a non-protected region of memory. This method is becoming more popular now that hardware support for the no-execute flag is available in most desktop processors.

While this method prevents the canonical stack smashing exploit, stack overflows can be exploited in other ways. First, it is common to find ways to store shellcode in unprotected memory regions like the heap, and so very little need change in the way of exploitation.[12]

Another attack is the so-called return to libc method for shellcode creation. In this attack the malicious payload will load the stack not with shellcode, but with a proper call stack so that execution is vectored to a chain of standard library calls, usually with the effect of disabling memory execute protections and allowing shellcode to run as normal.[13] This works because the execution never actually vectors to the stack itself.

A variant of return-to-libc is return-oriented programming (ROP), which sets up a series of return addresses, each of which executes a small sequence of cherry-picked machine instructions within the existing program code or system libraries, sequence which ends with a return. These so-called gadgets each accomplish some simple register manipulation or similar execution before returning, and stringing them together achieves the attacker's ends. It is even possible to use "returnless" return-oriented programming by exploiting instructions or groups of instructions that behave much like a return instruction.[14]

Randomization

[edit]

Instead of separating the code from the data, another mitigation technique is to introduce randomization to the memory space of the executing program. Since the attacker needs to determine where executable code that can be used resides, either an executable payload is provided (with an executable stack) or one is constructed using code reuse such as in ret2libc or return-oriented programming (ROP). Randomizing the memory layout will, as a concept, prevent the attacker from knowing where any code is. However, implementations typically will not randomize everything; usually the executable itself is loaded at a fixed address and hence even when ASLR (address space layout randomization) is combined with a non-executable stack the attacker can use this fixed region of memory. Therefore, all programs should be compiled with PIE (position-independent executables) such that even this region of memory is randomized. The entropy of the randomization is different from implementation to implementation and a low enough entropy can in itself be a problem in terms of brute forcing the memory space that is randomized.

Bypass countermeasures

[edit]

The previous mitigations make the steps of the exploitation harder. But it is still possible to exploit a stack buffer overflow if some vulnerabilities are presents or if some conditions are met.[15]

Stack canary bypass

[edit]
Information leak with format string vulnerability exploitation
[edit]

An attacker is able to exploit the format string vulnerability for revealing the memory locations in the vulnerable program.[16]

Non executable stack bypass

[edit]

When Data Execution Prevention is enabled to forbid any execute access to the stack, the attacker can still use the overwritten return address (the instruction pointer) to point to data in a code segment (.text on Linux) or every other executable section of the program. The goal is to reuse existing code.[17]

Rop chain
[edit]

Consists to overwrite the return pointer a bit before a return instruction (ret in x86) of the program. The instructions between the new return pointer and the return instruction will be executed and the return instruction will return to the payload controlled by the exploiter.[17][clarification needed]

Jop chain
[edit]

Jump Oriented Programming is a technique that uses jump instructions to reuse code instead of the ret instruction.[18]

Randomization bypass

[edit]

A limitation of ASLR realization on 64-bit systems is that it is vulnerable to memory disclosure and information leakage attacks. The attacker can launch the ROP by revealing a single function address using information leakage attack. The following section describes the similar existing strategy for breaking down the ASLR protection.[19]

Notable examples

[edit]
  • The Morris worm in 1988 spread in part by exploiting a stack buffer overflow in the Unix finger server.[20]
  • The Slammer worm in 2003 spread by exploiting a stack buffer overflow in Microsoft's SQL server.[21]
  • The Blaster worm in 2003 spread by exploiting a stack buffer overflow in Microsoft DCOM service.
  • The Witty worm in 2004 spread by exploiting a stack buffer overflow in the Internet Security Systems BlackICE Desktop Agent.[22]
  • There are a couple of examples of the Wii allowing arbitrary code to be run on an unmodified system. The "Twilight hack" which involves giving a lengthy name to the main character's horse in The Legend of Zelda: Twilight Princess,[23] and "Smash Stack" for Super Smash Bros. Brawl which involves using an SD card to load a specially prepared file into the in-game level editor. Though both can be used to execute any arbitrary code, the latter is often used to simply reload Brawl itself with modifications applied.[24]

See also

[edit]

References

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Stack buffer overflow

View on Grokipedia
from Grokipedia
A stack-based buffer overflow, also known as a stack buffer overflow, is a software vulnerability that arises when a program attempts to write more data to a fixed-size buffer allocated on the call stack—typically for local variables—than the buffer can accommodate, resulting in the overwriting of adjacent memory locations on the stack. This overflow often stems from the use of unsafe functions like strcpy in languages such as C or C++, which lack built-in bounds checking, allowing input data to exceed the buffer's capacity and corrupt nearby stack data structures. Such vulnerabilities pose severe security risks, as the overwritten memory may include critical elements like function return addresses, enabling attackers to hijack program control flow and execute arbitrary code, a technique historically exploited in attacks like the Morris worm or modern return-oriented programming (ROP) chains. The consequences can range from denial-of-service crashes due to resource exhaustion to integrity violations, confidentiality breaches, and unauthorized access control bypasses, with a high likelihood of successful exploitation in unmitigated systems. Stack-based overflows differ from other buffer overflow types, such as heap-based ones, primarily in their memory location— the stack's LIFO structure makes them particularly amenable to control-flow manipulation compared to the heap's dynamic allocation. To detect stack-based buffer overflows, developers can employ automated static analysis tools that identify vulnerable patterns in source code or fuzzing techniques that generate diverse inputs to trigger crashes, both of which demonstrate high effectiveness. Prevention strategies emphasize secure coding practices, including the use of bounds-checked functions (e.g., strncpy), compiler-enabled protections like stack canaries to detect overwrites at runtime, and address space layout randomization (ASLR) to complicate exploitation by randomizing memory addresses. Broader mitigations involve transitioning to memory-safe programming languages like Rust or Java, which inherently prevent such overflows through automatic memory management, alongside rigorous testing with tools such as AddressSanitizer and root cause analysis of historical vulnerabilities to eliminate entire classes of defects.

Fundamentals

Definition and Causes

A stack buffer overflow occurs when a program writes more data to a fixed-size buffer allocated on the call stack than the buffer can hold, resulting in the overwriting of adjacent memory locations. This vulnerability typically arises in local variables or function parameters stored on the stack, where insufficient bounds checking allows excess data to spill over into neighboring stack regions. Unlike heap-based overflows, which target dynamically allocated memory managed by the heap, stack buffer overflows specifically affect the contiguous, fixed-layout memory of the call stack, making them particularly dangerous due to the proximity of critical control data. The primary causes of stack buffer overflows stem from programming errors that fail to validate input sizes against buffer capacities. Common culprits include the use of unsafe C library functions such as strcpy(), gets(), and sprintf(), which perform no bounds checking and blindly copy or read input until a null terminator or end-of-file is encountered. Additional causes involve off-by-one errors in array indexing, improper loop controls that exceed buffer limits, or assumptions about input data lengths without verification, often in memory-unsafe languages like C or C++. Such overflows can lead to severe consequences, including data corruption in adjacent stack areas, program crashes via segmentation faults or denial-of-service conditions, and security breaches through the hijacking of control flow, such as overwriting return addresses to execute arbitrary code. In exploitable cases, attackers may leverage these vulnerabilities for unauthorized code execution, potentially compromising system integrity, confidentiality, or availability. The concept of stack buffer overflows gained widespread attention in computer security following the 1996 Phrack magazine article "Smashing the Stack for Fun and Profit" by Aleph One, which detailed their mechanics and exploitation potential.

Stack Frame Structure

The call stack operates as a last-in, first-out (LIFO) data structure in computer architectures, primarily used to manage function invocations by storing local variables, function parameters, and essential control data such as return addresses and saved registers. In most systems, including the x86 architecture, the stack grows downward from higher memory addresses to lower ones, with the stack pointer (e.g., ESP in x86) tracking the current top of the stack. This organization allows efficient allocation and deallocation of stack frames during function calls and returns, where each frame represents the state of an active function. A typical stack frame in x86 begins with the function prologue, where the caller's base pointer (EBP) is saved and the current stack pointer (ESP) is copied to EBP to establish the frame's base; space for local variables is then allocated by subtracting from ESP. Key components include local variables and buffers positioned at the lower (base) end of the frame, followed by the saved EBP at an offset like EBP - 0 (or aligned), the return address immediately above it (e.g., at EBP + 4), and function parameters pushed in reverse order (right-to-left for CDECL convention) above the return address in the caller's frame. The frame size varies depending on the function's local variable requirements and compiler optimizations, often ranging from tens to hundreds of bytes. The layout can be visualized as follows, with higher addresses at the top (older stack data) and lower addresses at the bottom (newer allocations), assuming a 32-bit x86 system:

Higher Addresses (Stack Top/Grows Downward) +-------------------+ | Function Parameters | | (pushed before call)| +-------------------+ | Return Address | ← Overwritten in overflow | (pushed by CALL) | +-------------------+ | Saved EBP | ← Frame pointer to caller +-------------------+ | Local Variables | | (e.g., int x) | +-------------------+ | Buffer | ← Vulnerable array, e.g., char buf[64] | (at EBP - offset) | +-------------------+ Lower Addresses (Current ESP)

Higher Addresses (Stack Top/Grows Downward) +-------------------+ | Function Parameters | | (pushed before call)| +-------------------+ | Return Address | ← Overwritten in overflow | (pushed by CALL) | +-------------------+ | Saved EBP | ← Frame pointer to caller +-------------------+ | Local Variables | | (e.g., int x) | +-------------------+ | Buffer | ← Vulnerable array, e.g., char buf[64] | (at EBP - offset) | +-------------------+ Lower Addresses (Current ESP)

This structure places buffers among local variables near the frame's base, making the saved EBP and return address susceptible to sequential overwrites if a buffer overflow occurs, as excess data propagates upward toward higher addresses. Some modern compilers insert a canary value (a placeholder for stack protection) between locals and the saved EBP to detect such corruption, though this is not part of the base frame layout. Without bounds checking, overflows can extend beyond the current frame, corrupting adjacent frames and potentially destabilizing the program's control flow.

Exploitation Techniques

Basic Overflow Exploitation

In a basic stack buffer overflow exploitation, an attacker provides input that exceeds the allocated size of a stack-based buffer, causing the excess data to overwrite adjacent memory regions on the stack, including the return address of the function. This return address, which is stored as part of the stack frame to indicate where execution should resume after the function completes, can be replaced with an attacker-controlled value, such as the address of malicious code known as shellcode. By redirecting the program's control flow to this shellcode, the attacker can execute arbitrary instructions, potentially gaining unauthorized access or escalating privileges. The exploitation process typically involves several steps. First, the attacker crafts a payload consisting of padding to fill the buffer and reach the return address, followed by the desired return address pointing to the shellcode's location, a NOP (no-operation) sled—a sequence of harmless instructions that provides a buffer for slight address misalignments—and the shellcode itself, often placed earlier in the payload to increase the chances of successful redirection. Second, this payload is supplied as input to trigger the vulnerable function, such as through a network packet or user input. Third, upon function return, the CPU jumps to the overwritten address, sliding through the NOP sled if necessary before executing the shellcode. A representative example involves a vulnerable C program with a small stack buffer and an unsafe string copy function like strcpy(). Consider the following code snippet:

c

#include <stdio.h> #include <string.h> void vulnerable_function(char *input) { char buffer[12]; // 12-byte stack buffer strcpy(buffer, input); // No bounds checking printf("Buffer content: %s\n", buffer); } int main(int argc, char **argv) { if (argc > 1) { vulnerable_function(argv[1]); } return 0; }

#include <stdio.h> #include <string.h> void vulnerable_function(char *input) { char buffer[12]; // 12-byte stack buffer strcpy(buffer, input); // No bounds checking printf("Buffer content: %s\n", buffer); } int main(int argc, char **argv) { if (argc > 1) { vulnerable_function(argv[1]); } return 0; }

If an input longer than 12 bytes is provided—such as 20 bytes of padding followed by a return address and shellcode—the strcpy() call overflows the buffer, overwriting the return address. For instance, an input designed to spawn a shell on Unix-like systems might redirect execution to shellcode that executes /bin/sh, granting the attacker an interactive shell. Successful exploitation requires the attacker to know or guess the memory address where the shellcode will reside, which was feasible in older systems with fixed stack addresses but became more challenging with later protections. A historical instance of this technique occurred in the Morris worm of 1988, which exploited a stack buffer overflow in the Unix fingerd daemon by sending 537 bytes to overflow its 512-byte buffer, allowing remote code execution on VAX systems running 4.3 BSD.

Code Injection Methods

In stack buffer overflow exploits, code injection involves embedding attacker-controlled machine code, known as shellcode, directly into the overflowing buffer to achieve arbitrary code execution upon control flow hijacking. This technique relies on overwriting the buffer beyond its allocated size to place the shellcode in memory, followed by altering the return address to redirect execution to it. Shellcode typically consists of compact assembly instructions tailored to the target architecture and operating system, such as spawning a command shell or escalating privileges. Shellcode placement commonly follows a NOP sled—a sequence of no-operation (NOP) instructions (e.g., 0x90 on x86)—to accommodate small inaccuracies in the overwritten return address. The NOP sled is positioned at the beginning of the overflow payload, with the shellcode appended immediately after, ensuring that execution "slides" through the harmless NOPs to reach the functional code even if the jump lands slightly off-target. For instance, in a 612-byte buffer, approximately half may be filled with NOPs to maximize the landing zone, while the shellcode (e.g., 46 bytes for spawning /bin/sh on i386/Linux) occupies the remainder. This setup handles address offset variations without requiring precise memory layout knowledge. To avoid termination by string-handling functions, shellcode is crafted without null bytes (\x00), using alternative instructions like XOR operations for zeroing registers. Injection occurs through vulnerable input mechanisms, such as unsafe C library functions like gets() or strcpy(), which copy user-supplied data from standard input or arguments without bounds checking. An attacker provides an oversized payload via stdin or environment variables, overflowing the local buffer and embedding the NOP sled and shellcode in the process's stack space. For example, a 517-byte input to a 12-byte buffer can inject a full payload, including the sled and shellcode, directly into the vulnerable function's frame. Upon function return, the corrupted stack frame causes the instruction pointer to jump to the NOP sled's address, sliding execution to the shellcode, which then runs with the vulnerable process's privileges—often leading to a shell prompt or privilege escalation. Common payloads invoke system calls like execve("/bin/sh") to launch an interactive shell, using techniques such as pushing strings onto the stack and invoking interrupts (e.g., int &#36;0x80 on Linux x86). This flow assumes the basic overwrite of the return address to initiate the redirect. These methods have significant limitations, as they require the stack to be both writable (for injection) and executable (for running the code), a default in early systems but prohibited by modern protections like non-executable stacks (e.g., W^X policies). Small buffer sizes may not accommodate full shellcode, and address guessing remains probabilistic without debugging access. To address constrained space, egg-hunter shellcode—a compact scanner (e.g., 32-64 bytes)—can be injected instead, searching memory for a tagged "egg" pattern marking the larger payload's location elsewhere, such as in environment variables. This multistage approach, which safely traverses virtual address space to avoid invalid pages, enables execution in limited-buffer scenarios.

Platform Variations

Stack Growth Directions

In most computer architectures, the call stack grows downward, meaning the stack pointer decreases in memory address as new frames are pushed onto the stack. This is the case for widely used architectures such as x86 and ARM, where the stack typically starts at a high memory address and expands toward lower addresses. In such systems, local buffers within a stack frame are allocated below the return address in memory. When a buffer overflow occurs, excess data writes upward toward higher memory addresses, sequentially corrupting the saved return address and potentially higher stack frames (those of calling functions at lower addresses). This predictable propagation facilitates reliable exploitation, as attackers can craft payloads to overwrite control data in a linear fashion relative to the buffer's position. Upward stack growth, where the stack pointer increases in address as frames are added, is far less common and appears primarily in certain historical or specialized systems, such as the HP-PA (PA-RISC) architecture under HP-UX and some embedded processors. In these configurations, the stack expands from lower to higher addresses, reversing the typical layout of stack frames. Local buffers are positioned such that overflows write toward lower memory addresses, potentially corrupting lower frames (caller frames at higher addresses) before reaching the return address. However, the return address remains vulnerable, requiring attackers to craft reverse-directed payloads—starting from the end of the exploit string and placing the target address first—to achieve control flow hijacking. This adaptation does not provide inherent security benefits, as the relative positioning of buffers and control data can still be exploited with adjusted techniques, and empirical analyses indicate no measurable reduction in buffer overflow vulnerabilities across architectures with differing growth directions. The direction of stack growth can be determined by examining assembly code, particularly the function prologue and epilogue instructions. Tools like objdump allow disassembly of binaries to inspect stack pointer adjustments: downward growth typically involves subtracting from the stack pointer (e.g., sub &#36;0x20, %esp on x86), while upward growth adds to it. This inspection reveals the architecture's convention without runtime execution.

Architecture and OS Differences

Stack buffer overflows exhibit significant variations across architectures and operating systems due to differences in calling conventions, which dictate how parameters and return addresses are managed on the stack. In the traditional x86 (32-bit) architecture, common calling conventions such as cdecl and stdcall pass all function parameters on the stack, positioning them immediately above local variables in the stack frame; this layout facilitates overwriting parameters during a buffer overflow targeting local buffers, potentially altering function behavior without directly hijacking control flow. In contrast, the x86-64 architecture under the System V ABI (used by Linux and Unix-like systems) passes the first six integer or pointer parameters in registers (RDI, RSI, RDX, RCX, R8, R9), with additional parameters pushed onto the stack; this reduces stack-based parameter storage, making direct overwriting of arguments less straightforward, though overflows can still corrupt saved registers or the return address. Similarly, the Microsoft x64 calling convention (Windows) uses registers RCX, RDX, R8, and R9 for the first four parameters, shifting more reliance to registers and complicating parameter-targeted exploits compared to 32-bit x86. Reduced Instruction Set Computing (RISC) architectures, such as MIPS, emphasize register usage to minimize memory accesses, with calling conventions passing the first several arguments in registers (e.g., A0-A3 in MIPS o32 ABI) rather than on the stack; this decreases overall stack frame size and reliance on stack storage for temporaries, but vulnerabilities persist when compiler optimizations spill excess variables or registers to the stack during overflows. For instance, in MIPS, local buffers are allocated on the stack via stack pointer adjustments in the function prologue, allowing overflows to overwrite the return address (stored in $ra) despite the register-heavy design. Operating system behaviors further influence stack overflow dynamics, particularly in alignment and thread management. Both Windows and Linux on x86-64 enforce 16-byte stack alignment at function entry to optimize SIMD operations (e.g., SSE/AVX instructions), but subtle differences arise in alignment maintenance during calls—Linux's System V ABI requires 16-byte alignment immediately before the call instruction, while Windows allows temporary 8-byte misalignment after pushing the return address, necessitating exploit payloads to account for these offsets in return-oriented techniques. Thread-local storage (TLS), implemented per-thread in modern OSes, adds complications as it resides in a dedicated segment (accessed via FS/GS registers on x86), separate from the stack; a stack overflow corrupts only the current thread's frame, but multi-threaded exploits must navigate TLS for thread-specific data without cross-thread interference, potentially disrupting segment selector assumptions in payload construction. On the PowerPC architecture, the calling convention classifies general-purpose registers into volatile (caller-saved, e.g., R3-R12) and non-volatile (callee-saved, e.g., R13-R31) sets, requiring functions to spill non-volatile registers to the stack if used, which introduces variability in frame layout and reduces predictability for attackers aiming to locate control data amid saved register values. Exploits must adapt payloads to architecture-specific traits, such as endianness—little-endian systems like x86 store multi-byte values (e.g., return addresses) with the least significant byte at the lowest memory address, requiring reversed byte order in overflow payloads compared to big-endian architectures like PowerPC or MIPS, where the most significant byte precedes. Additionally, function prologues vary: x86 typically pushes the base pointer and adjusts the stack pointer, while MIPS uses immediate offsets (e.g., ADDIU sp,sp, sp, -N) without a dedicated frame pointer, forcing attackers to calibrate padding based on these sequences for precise control hijacking.

Protection Mechanisms

Stack Canaries

Stack canaries, also known as stack guards, serve as a runtime detection mechanism for stack buffer overflows by inserting a secret value between local buffers and critical control data, such as the return address, within a function's stack frame. This placement ensures that any overflow attempting to corrupt the return address must first overwrite the canary, which is otherwise left untouched during normal execution. In operation, the compiler generates code to place the canary on the stack during the function prologue, immediately following the local variables. Upon function exit in the epilogue, the code verifies the canary's integrity by comparing it against its original value; a mismatch signals a potential overflow, prompting the program to abort and terminate the process. This check occurs just before the return address is used, protecting the control flow from unauthorized modification. Implementation of stack canaries is primarily compiler-driven, with GCC providing options like -fstack-protector to enable protection for functions containing large local arrays or dynamic allocations via alloca, -fstack-protector-strong for functions with any local arrays or frame address references, -fstack-protector-all to instrument every function, and -fstack-protector-explicit for selective use via attributes. These options add minimal code—typically a few instructions per function—while maintaining compatibility with existing binaries. Canaries come in several types to balance security and performance: terminator canaries incorporate sentinel values like null (0x00), carriage return (0x0d), line feed (0x0a), or end-of-file (0xff) to detect common string-handling overflows; random canaries are generated at program startup using a high-entropy source such as /dev/urandom or a time-based hash; and random XOR canaries further obscure the value by XORing it with elements like the frame pointer. The value is stored in a global variable (e.g., __stack_chk_guard) or thread-local storage, rotating once per process or thread to prevent reuse across invocations. Introduced by Cowan et al. in 1998 through the StackGuard extension to GCC for Linux systems, stack canaries effectively thwart blind overflow attacks by requiring attackers to predict an unpredictable value, achieving near-complete prevention of stack-smashing exploits in protected code with only modest runtime overhead, such as 1-15% for typical workloads. Despite their strengths, stack canaries do not mitigate information disclosure vulnerabilities that could leak the canary value, nor do they address non-stack overflows like those in the heap. Their security relies on the canary's entropy; on 32-bit systems, the typical 32-bit canary yields a brute-force collision probability of about 1 in 2^{32} in retryable scenarios like forking network servers, while 64-bit systems on modern architectures reduce this risk to 1 in 2^{64}.

Non-Executable Stack

The non-executable stack is a memory protection mechanism that designates the stack memory region as non-executable, thereby preventing the execution of malicious code injected through buffer overflows. This relies on hardware support in processors equipped with a no-execute (NX) bit within the memory management unit (MMU), which allows operating systems to set page-level permissions that distinguish between code and data segments. The approach enforces a W^X (write XOR execute) policy, ensuring that memory pages are either writable (for data storage, such as on the stack) or executable (for code), but never both, to block the simultaneous writing and execution of unauthorized instructions. Operating systems implemented this protection in the late 1990s and early 2000s to counter stack-based exploits. Solaris 2.6 introduced non-executable stack support in 1997, configuring stack pages as read/write only through kernel patches that leverage MMU features. The PaX security patch for Linux followed in July 2001, providing NX enforcement via hardware-assisted page protections where available, marking stack memory to trigger faults on execution attempts. Microsoft integrated this capability into Windows as Data Execution Prevention (DEP) with Windows XP Service Pack 2 in 2004, applying it to default heap, stack, and memory pool pages to halt code execution from data areas. Compiler and linker tools, such as those in the GNU toolchain, enable this by default; for example, the linker flag -z noexecstack ensures non-executable stacks, while -z execstack can disable it for compatibility with certain applications requiring dynamic code generation. In practice, stack pages are mapped with read/write permissions but without the execute bit, so any attempt to fetch and execute instructions from them results in a processor fault or access violation, often leading to process termination. This directly thwarts code injection techniques by rendering injected payloads, such as shellcode in overflowed buffers, inoperable. The non-executable stack significantly reduces the success rate of traditional buffer overflow exploits reliant on executing attacker-supplied code, with early adoptions like Solaris demonstrating its role in elevating attacker complexity. Nonetheless, limitations persist: it does not prevent data-only attacks that corrupt control data (e.g., return addresses or function pointers) to redirect execution to existing legitimate code, nor does it block overflows exploiting already-executable regions outside the stack.

Address Space Layout Randomization

Address Space Layout Randomization (ASLR) is a memory protection technique designed to hinder stack buffer overflow exploits by randomizing the base addresses of key memory regions, thereby making it difficult for attackers to predict return addresses or gadget locations needed for control-flow hijacking. In traditional stack overflows, attackers overwrite return addresses with fixed values pointing to executable code, such as in libraries; ASLR disrupts this by introducing variability at process creation or load time, forcing exploits to rely on probabilistic guessing rather than deterministic targeting. ASLR typically randomizes several components of the process address space, including the stack base (to obscure local variables and return pointers), the heap base (affecting dynamic allocations that might be overflowed), shared libraries (like libc, which often serve as targets for return-to-libc attacks), and memory mappings via mmap (for loaded modules). For the main executable, randomization requires position-independent executables (PIE), which compile the binary to allow relocation; without PIE, the code segment remains at a fixed address, limiting protection to data regions. Entropy for these randomizations is generated kernel-side, often using boot-time seeds combined with per-process variations from sources like hardware random number generators, ensuring independence across processes. Implementations vary by operating system but share kernel-level enforcement. The PaX project introduced ASLR in 2001 as a Linux patch, randomizing stack (up to 24 bits on i386), heap (16 bits), libraries (16 bits), and executable segments during ELF loading. Mainline Linux integrated ASLR in kernel version 2.6.12 (released June 2005), applying it to stack, heap, mmap regions (including libraries), and VDSO, with configurable levels via /proc/sys/kernel/randomize_va_space (0=disabled, 1=partial conservative, 2=full including stack). Microsoft introduced ASLR in Windows Vista (2007) for compatible binaries, randomizing the main executable, DLLs, stack, heap, and mapped files, with opt-in via the DYNAMICBASE linker flag. ASLR operates at partial or full levels: partial randomizes only data regions like stack and heap, while full extends to code via PIE, providing broader protection against code-reuse attacks. On 32-bit systems, entropy is constrained—e.g., Linux offers ~8-13 bits for libraries and heap, and PaX up to 16 bits for executables—resulting in limited variability (e.g., 256-65,536 possible layouts), which attackers can brute-force in some scenarios. In contrast, 64-bit systems provide high entropy, such as 28 bits for executables and mmaps in Linux (yielding ~268 million possibilities) and 17-19 bits in Windows, drastically increasing the search space and reducing blind exploit success to near zero without additional information. This probabilistic barrier complements deterministic defenses like canaries, though ASLR's effectiveness diminishes if memory addresses are leaked through vulnerabilities such as format string errors.

Bypassing Protections

Canary Bypass Techniques

Stack canary protections detect buffer overflows by verifying a secret value placed between local variables and control data on the stack, but attackers have developed techniques to leak or predict this value to avoid detection. These bypass methods exploit implementation details or auxiliary vulnerabilities, allowing controlled corruption of return addresses or other sensitive data. Leakage attacks represent a primary bypass vector, where the canary value is read from memory using separate vulnerabilities without immediately triggering the check. Format string vulnerabilities enable this by treating user input as a format specifier in functions like printf, allowing arbitrary stack reads that expose the canary for reuse in a subsequent overflow. Similarly, partial buffer overwrites or overreads can disclose the canary if an attacker controls the read operation precisely. Such leaks are feasible when overread and overflow vulnerabilities coexist in the same function, emphasizing the need for comprehensive input validation. Prediction techniques rely on guessing the canary through systematic trials or side information. Early StackGuard implementations used 32-bit canaries with the least significant byte fixed at zero for null-terminated string detection, enabling brute-force guessing of that byte in just 256 attempts before attempting full control. In networked servers using forking models, attackers can perform byte-by-byte brute force on the full canary; since the process only crashes upon mismatched verification, each failed guess reveals one correct byte, requiring approximately 256 trials per byte (e.g., 768 for a 24-bit effective canary). Additional predictability arises from information in prior stack frames or shared thread contexts, where a leak in one frame exposes values usable across the execution. Advanced bypasses exploit historical design flaws, such as canary reuse across processes before 2005. In initial deployments like StackGuard, canaries were generated randomly once per process at startup and inherited by forked children, allowing attackers to leak or guess the value offline and apply it uniformly. Blind overwrites in C++ environments can also circumvent detection by leveraging exception handling (try-catch blocks) to intercept and recover from the abort signal triggered by a mismatched canary, permitting iterative refinement. Modern systems mitigate these issues with full 64-bit canaries randomized per-thread upon creation, rendering brute-force attacks computationally infeasible even in forking scenarios. Compilers further enhance protection through pointer encoding, such as XORing the canary with a random key derived from adjacent control data like the frame pointer and return address, complicating leakage without altering verification logic.

Return-Oriented Programming

Return-oriented programming (ROP) is an advanced code-reuse attack technique that enables attackers to execute arbitrary computations by chaining short sequences of existing instructions, called gadgets, from a program's address space. Introduced by Hovav Shacham in 2007, ROP exploits stack buffer overflows by overwriting the return address to redirect control flow to a gadget ending in a return instruction (RET), which then pops the next address from the stack to continue the chain. This approach allows the construction of complex behaviors without injecting new code, effectively bypassing non-executable memory protections that prevent direct shellcode execution. Gadgets are identified by scanning the executable binary and linked libraries, such as libc, for useful instruction sequences that conclude with RET; common examples include "POP reg; RET" for loading values into registers or arithmetic operations like "ADDL %reg1, %reg2; RET" for data manipulation. Attackers chain these gadgets via stack pivoting—manipulating the stack pointer to align with the desired sequence—enabling Turing-complete functionality, including memory reads/writes, conditional branches, and system calls, all derived from legitimate code fragments. The density of such gadgets in large codebases like libc ensures their abundance, making ROP feasible on architectures with variable-length instructions, such as x86. A representative example of an ROP exploit involves spawning a shell by calling the system() function with the argument "/bin/sh". The chain populates the stack with the string address, sets registers via POP gadgets, and redirects to system()'s entry point, often requiring prior leakage or defeat of address space layout randomization to obtain gadget and function addresses. This demonstrates ROP's power in achieving shellcode-like outcomes on protected systems. ROP has evolved into variants like jump-oriented programming (JOP), introduced by Stephen Checkoway et al. in 2010, which replaces RET instructions with indirect jumps (JMP reg) to chain gadgets, evading defenses targeting return-based flows. Despite its effectiveness against non-executable stack mechanisms, ROP's reliance on predictable control transfers makes it vulnerable to countermeasures such as fine-grained control-flow integrity (CFI), which enforces precise indirect branch targets and reduces usable gadget density.

Randomization Evasion Methods

Attackers seeking to evade Address Space Layout Randomization (ASLR) often rely on information leaks to reveal randomized memory addresses, enabling precise control over execution flow in stack buffer overflow exploits. Explicit leaks can occur through vulnerabilities like format string bugs, where functions such as printf inadvertently disclose stack pointers or library base addresses when supplied with attacker-controlled input. For instance, a format string vulnerability allows reading arbitrary memory locations, bypassing ASLR by leaking the offset between the stack and code segments, as demonstrated in early exploitation techniques integrated with return-oriented programming (ROP). Side-channel attacks provide another avenue for leaks without direct memory access; timing-based side channels exploit variations in memory access latency to infer address bits, while cache side channels, such as the AnC (Attack on Cache) method, use eviction and timing probes on page table entries to recover full kernel or user-space addresses randomized by ASLR. More advanced microarchitectural attacks, like those leveraging speculative execution in Spectre variants, can transiently access and leak privileged addresses, further undermining ASLR protections. Partial defeats of ASLR exploit systems with low entropy randomization, particularly on 32-bit architectures where only 8 to 16 bits of entropy are typically available for stack or library placements, making brute-force guessing feasible within reasonable timeframes. Attackers can iteratively attempt overflows with guessed addresses until a valid one succeeds, as the limited search space (e.g., 2^16 possibilities) allows success rates approaching certainty before detection. Heap spraying complements this by allocating large numbers of objects filled with NOP sleds and shellcode in predictable heap regions, increasing the likelihood of landing on attacker-controlled code even under partial ASLR; this technique exploits allocation granularity to cluster payloads at known offsets, evading full randomization. In browser environments, Just-In-Time (JIT) spraying generates executable code at partially predictable addresses by repeatedly compiling attacker-supplied JavaScript, filling JIT-compiled regions that often escape full ASLR due to their dynamic nature or alignment constraints. This method reliably places gadgets or payloads in unrandomized or low-entropy segments, such as those below the 1 GB mark in 32-bit processes. Format string leaks are a common precursor to defeating ASLR, allowing chaining of gadgets once addresses are known; however, modern 64-bit ASLR implementations provide at least 48 bits of entropy for key regions, rendering brute-force impractical due to the vast 2^48+ search space. Countermeasures have evolved to address these evasions; for example, Linux kernel 3.0 (released in 2011) introduced full randomization of the Virtual Dynamic Shared Object (VDSO) page and per-thread stack placements, increasing entropy and eliminating predictable offsets that prior leaks exploited. These enhancements ensure that even with partial leaks, reconstructing the full address space remains computationally infeasible on high-entropy systems.

Modern Mitigations

Control-Flow Integrity

Control-Flow Integrity (CFI) is a software-based security mechanism designed to mitigate control-flow hijacking attacks, such as those exploiting stack buffer overflows, by enforcing a program's intended control flow at runtime. It achieves this by constructing a control-flow graph (CFG) during compilation that represents all legitimate execution paths, then inserting checks to ensure that indirect branches, jumps, and calls only target valid destinations within this graph. These validations prevent attackers from redirecting execution to unauthorized code, including return-oriented programming (ROP) chains that chain together existing code snippets (gadgets) to bypass other defenses. CFI implementations vary in granularity to balance security and performance. Coarse-grained CFI applies broad restrictions, such as limiting indirect calls to a small set of global function entry points, which reduces precision but minimizes overhead. In contrast, fine-grained CFI enforces more precise policies, such as per-function or context-sensitive target sets derived from the CFG, offering stronger protection against sophisticated attacks. Additionally, shadow stacks complement CFI by maintaining a separate, protected copy of return addresses to validate function returns independently of the main stack, thwarting manipulations that alter return pointers. Modern CFI is supported through compiler frameworks like LLVM/Clang, where the -fsanitize=cfi flag enables instrumentation for forward-edge (calls and jumps) and backward-edge (returns) protections during compilation. This generates runtime checks, often using indirect call promotion or vtable verification, that can be software-enforced or assisted by hardware features for efficiency. Google has integrated CFI into Chrome, with protections for virtual calls enabled since version 54 in 2016, applying it to C++ code to safeguard against memory corruption exploits. Empirical evaluations demonstrate CFI's effectiveness in blocking a wide range of control hijacks by confining execution to the legitimate CFG, with implementations eliminating 93% of ROP gadgets in benchmarks. However, CFI incurs performance overheads typically ranging from 1% to 9%, depending on the scheme and optimization, due to the added checks and metadata. It also faces limitations in legacy codebases, as full enforcement requires recompilation with CFI-aware tools, leaving unmodified binaries vulnerable. As of 2025, evaluations show that CFI adoption remains limited in many software ecosystems, contributing to ongoing memory corruption issues despite its proven benefits.

Hardware-Based Protections

Hardware-based protections against stack buffer overflows leverage specialized CPU instructions and mechanisms to enforce control-flow integrity at the processor level, making it significantly harder for attackers to hijack return addresses or indirect branches even if a buffer overflow occurs. These features, introduced in modern processor architectures, provide low-overhead defenses that complement software mitigations by operating transparently during execution. Intel's Control-flow Enforcement Technology (CET), first available in hardware in 2020 with 11th-generation Core processors, includes shadow stacks and indirect branch tracking (IBT) to safeguard against stack-based attacks. Shadow stacks maintain a separate, protected copy of return addresses that cannot be directly modified by software instructions, ensuring that function returns match the expected values pushed during calls. IBT enforces that indirect jumps and calls target only valid entry points marked by special instructions, preventing unauthorized control transfers often exploited in return-oriented programming (ROP). ARM's Pointer Authentication (PAC), introduced in the Armv8.3-A architecture in 2016, uses cryptographic signing to protect pointers, including those on the stack. PAC generates a Pointer Authentication Code (PAC) by hashing the pointer value with a context-specific modifier and a secret key, embedding the code within unused bits of the pointer; this code is verified automatically before the pointer is dereferenced or used for returns. For stack returns, PAC specifically signs return addresses to resist overwrites, with hardware instructions like PACIA (authenticate increment address) ensuring integrity during function calls and returns. Other architectures offer similar hardened pointer mechanisms; for instance, IBM's POWER10 processor, released in 2021, employs cryptographic hashing to protect return addresses against ROP attacks. Upon function entry, the return address is hashed using dedicated instructions and stored alongside the original; on return, the hash is recomputed and compared, triggering an exception on mismatch to detect tampering. These hardware protections demonstrate high effectiveness with near-zero runtime overhead, as operations are accelerated by dedicated CPU units—e.g., CET incurs less than 1% slowdown in typical workloads, while PAC adds under 0.5% on average for return address protection. CET's IBT has been integrated into the Linux kernel since version 5.18 in 2022, and shadow stacks since 6.4, while full CET support is enabled by default in Windows 11 on compatible hardware, blocking ROP chains without requiring code modifications. Despite their strengths, hardware-based protections require processors and operating systems that support the features, limiting deployment to newer systems like 11th-generation Core or later, ARMv8.3-A, and IBM POWER10. Backward compatibility modes, such as emulating shadow stacks in software on older hardware, can introduce vulnerabilities and higher overhead, reducing overall .

Historical Examples

Early Network Exploits

One of the earliest and most significant network exploits involving a stack buffer overflow was the Morris Worm, released on November 2, 1988, by Robert Tappan Morris, a Cornell University graduate student intending to gauge the internet's size but inadvertently causing widespread disruption. The worm targeted a vulnerability in the fingerd (finger daemon) service on Unix systems, exploiting the unsafe gets() function, which lacked bounds checking and allowed an oversized input to overflow a 512-byte buffer on the stack, enabling arbitrary code execution to propagate the worm. This stack overflow was one of multiple propagation methods, including weak password guessing and exploitation of the DEBUG sendmail command, but the fingerd vulnerability proved particularly effective against VAX systems running 4.3 BSD Unix. The Morris Worm rapidly self-replicated, infecting approximately 6,000 machines—about 10% of the internet's estimated 60,000 connected hosts at the time—primarily academic and research institutions, leading to severe performance degradation as infected systems became overloaded with replication attempts. The U.S. Government Accountability Office estimated the cleanup costs at between $100,000 and $10 million, reflecting the era's limited but critical internet infrastructure. In response, the incident directly prompted the U.S. Department of Defense's Defense Advanced Research Projects Agency (DARPA) to fund the establishment of the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University in December 1988, marking the birth of organized computer security incident response. This exploit highlighted the severe risks of unchecked user inputs in network daemons, where remote attackers could leverage stack overflows to gain unauthorized control and propagate malware across interconnected systems without authentication. It spurred early advancements in intrusion detection systems (IDS), as researchers began developing tools to monitor anomalous network traffic and system behaviors to prevent similar unchecked replications. The Morris Worm remains a seminal case in demonstrating how stack buffer overflows in network services could threaten the nascent internet's stability, influencing foundational security practices.

Software and Embedded Incidents

In 2003, the Slammer worm (also known as Sapphire) demonstrated the devastating potential of stack buffer overflows in database software, targeting a vulnerability in the Microsoft SQL Server 2000 resolution service on UDP port 1434. The worm exploited an unchecked buffer in the routine processing UDP packets for server discovery, allowing it to overwrite the stack and execute its propagation code. Within 10 minutes of its release on January 25, 2003, Slammer infected approximately 75,000 vulnerable servers worldwide, saturating networks and causing widespread denial-of-service disruptions, including canceled airline flights and ATM outages, though it carried no additional malicious payload beyond propagation. The incident resulted in estimated global economic losses of $950 million to $1.2 billion in lost productivity and recovery costs during its first five days. A prominent example in consumer software came in 2008 with the Twilight Hack on the Nintendo Wii console. This exploit targeted a stack buffer overflow in the save file parser for The Legend of Zelda: Twilight Princess, specifically in the field storing the player's horse name (Epona), where insufficient bounds checking on input length allowed overflow during save loading. By crafting a malicious save file with an excessively long name, attackers could execute arbitrary code, enabling the installation of homebrew applications from SD card payloads and bypassing the console's security restrictions. Developed by Team Twiizers, the hack marked a significant early breach in embedded gaming firmware, facilitating widespread unauthorized software execution on millions of Wii units. Stack buffer overflows have also plagued embedded systems, particularly router firmware in the Internet of Things (IoT) during the 2010s. For instance, in 2019, vulnerabilities such as CVE-2019-6989 were identified in TP-Link TL-WR940N and TL-WR941ND routers, enabling remote code execution via stack buffer overflows in the web interface, exploitable by authenticated users to gain full administrative access. Similarly, in 2023, a stack-based buffer overflow (CVE-2023-48725) was identified in Netgear RAX30 routers (firmware versions 1.0.11.96 and earlier), triggered by crafted HTTP requests to the JSON parsing function getblockschedule(), allowing authenticated local network attackers to execute arbitrary code and potentially hijack device control. These flaws highlighted the risks in resource-constrained IoT environments, where overflows could lead to remote code injection, network pivoting, and disruptions in essential services like home automation or industrial control systems. More recently, in 2024, a stack-based buffer overflow vulnerability (CVE-2024-21762) in Fortinet FortiOS versions 7.0.0 through 7.2.4 and 7.4.0 through 7.4.2 was exploited in the wild. This out-of-bounds write in the SSL VPN component allowed unauthenticated remote code execution, targeted by advanced persistent threat actors, underscoring persistent risks in enterprise networking equipment as of 2024.

References

  1. https://cwe.mitre.org/data/definitions/121.html
  2. https://samate.nist.gov/SSATTM_Content/papers/Taxonomy%20of%20Buffer%20Overflows%20-%20Kratkiewicz%20-%20Lippmann%20.pdf
  3. https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-buffer-overflow-vulnerabilities
  4. https://owasp.org/www-community/vulnerabilities/Buffer_Overflow
  5. https://cwe.mitre.org/data/definitions/122.html
  6. https://crypto.stanford.edu/cs155old/cs155-spring03/lecture3.pdf
  7. https://www.jsums.edu/nmeghanathan/files/2015/05/CSC437-Fall2013-Module-5-Buffer-Overflow-Attacks.pdf
  8. https://phrack.org/issues/49/14.html
  9. https://cs.brown.edu/courses/csci0300/2022/notes/l10.html
  10. https://cseweb.ucsd.edu/classes/fa17/cse127-b/lec4.pdf
  11. https://cs.gmu.edu/~zeng/cs468-s25/slides/buffer_overflow.pdf
  12. https://inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf
  13. https://www.rapid7.com/blog/post/2019/02/19/stack-based-buffer-overflow-attacks-what-you-need-to-know/
  14. https://www.utc.edu/sites/default/files/2021-04/buffer-overflow.pdf
  15. https://arstechnica.com/information-technology/2015/08/how-security-flaws-work-the-buffer-overflow/
  16. https://www.rapid7.com/blog/post/2019/01/02/the-ghost-of-exploits-past-a-deep-dive-into-the-morris-worm/
  17. https://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
  18. https://eli.thegreenplace.net/2011/02/04/where-the-top-of-the-stack-is-on-x86/
  19. https://developer.arm.com/documentation/dui0056/latest/using-the-procedure-call-standard/the-stack/stack-terminology
  20. https://www.quora.com/How-can-I-determine-the-direction-of-stack-growth-in-Linux
  21. https://stackoverflow.com/questions/2744502/why-dont-stacks-grow-upwards-for-security
  22. https://stackoverflow.com/questions/664744/what-is-the-direction-of-stack-growth-in-most-modern-systems
  23. https://wiki.osdev.org/System_V_ABI
  24. https://learn.microsoft.com/en-us/cpp/build/x64-software-conventions?view=msvc-170
  25. http://cseweb.ucsd.edu/~bsy/cse190/memory.html
  26. https://www.bordergate.co.uk/mips32-buffer-overflows/
  27. https://stackoverflow.com/questions/49391001/why-does-the-x86-64-amd64-system-v-abi-mandate-a-16-byte-stack-alignment
  28. https://maskray.me/blog/2021-02-14-all-about-thread-local-storage
  29. https://www.ibm.com/docs/en/aix/7.1.0?topic=overview-register-usage-conventions
  30. https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit/
  31. https://www.ret2libc.com/posts/Learning-about-buffer-overflows-using-MIPS/
  32. https://www.usenix.org/legacy/publications/library/proceedings/sec98/full_papers/cowan/cowan.pdf
  33. https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html
  34. https://www.redhat.com/en/blog/security-technologies-stack-smashing-protection-stackguard
  35. https://security.stackexchange.com/questions/149133/how-big-is-a-canary-word-on-linux-typically
  36. https://learn.microsoft.com/en-us/windows/win32/memory/data-execution-prevention
  37. https://www.usenix.org/system/files/login/articles/login_summer17_14_wetzels.pdf
  38. https://repository.gatech.edu/bitstreams/12f79bdf-bb3a-420e-946f-b8c69e1d8a26/download
  39. https://www.openbsd.org/papers/csw2023.pdf
  40. https://csrc.nist.gov/files/pubs/conference/2000/10/19/proceedings-of-the-23rd-nissc-2000/final/docs/papers/024.pdf
  41. https://pax.grsecurity.net/docs/PaXTeam-LATINOWARE12-PaX-linux-security.pdf
  42. https://hmarco.org/renewssp/data/OnTheEffectivness-NX-SSP-RenewSSP-and-ASLR-Paper.pdf
  43. https://www.isg.rhul.ac.uk/sullivan/pubs/tr/technicalreport-ir-cs-73.pdf
  44. https://pax.grsecurity.net/docs/aslr.txt
  45. https://dl.acm.org/doi/10.1145/1030083.1030124
  46. https://lettieri.iet.unipi.it/hacking/old/aslr-pie.pdf
  47. https://www.blackhat.com/docs/asia-16/materials/asia-16-Marco-Gisbert-Exploiting-Linux-And-PaX-ASLRS-Weaknesses-On-32-And-64-Bit-Systems-wp.pdf
  48. https://xorl.wordpress.com/2011/01/16/linux-kernel-aslr-implementation/
  49. https://learn.microsoft.com/en-us/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=msvc-170
  50. https://cloud.google.com/blog/topics/threat-intelligence/six-facts-about-address-space-layout-randomization-on-windows
  51. https://dl.acm.org/doi/10.1145/1315245.1315313
  52. https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf
  53. https://hovav.net/ucsd/dist/geometry.pdf
  54. https://dl.acm.org/doi/10.1145/1966913.1966919
  55. https://users.soe.ucsc.edu/~abadi/Papers/cfi-tissec-revised.pdf
  56. https://nebelwelt.net/files/11CCC.pdf
  57. https://www.ndss-symposium.org/wp-content/uploads/2017/09/Practical-Timing-Side-Channel-Attacks-Against-Kernel-Space-ASLR.pdf
  58. https://spectreattack.com/spectre.pdf
  59. https://www.scs.stanford.edu/nyu/05sp/sched/readings/asrandom.pdf
  60. https://www.comp.nus.edu.sg/~liangzk/papers/acsac10.pdf
  61. https://www.usenix.org/system/files/conference/usenixsecurity13/sec13-paper_zhang.pdf
  62. https://nebelwelt.net/files/15DIMVA.pdf
  63. https://research.google.com/pubs/archive/42808.pdf
  64. https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-carlini.pdf
  65. https://umu.diva-portal.org/smash/get/diva2:1970009/FULLTEXT01.pdf
  66. https://www.intel.com/content/www/us/en/developer/articles/technical/technical-look-control-flow-enforcement-technology.html
  67. https://www.usenix.org/system/files/sec19fall_liljestrand_prepub.pdf
  68. https://kib.kiev.ua/x86docs/Intel/CET/334525-003.pdf
  69. https://docs.kernel.org/next/x86/shstk.html
  70. https://developer.arm.com/documentation/109576/latest/Pointer-Authentication-Code
  71. https://dl.acm.org/doi/10.1145/3528416.3530245
  72. https://softsec.kaist.ac.kr/~sangkilc/papers/kim-dsn2022.pdf
  73. https://www.phoronix.com/news/Intel-CET-IBT-For-Linux-5.18
  74. https://cdrdv2-public.intel.com/848494/windows-11-security-ebook.pdf
  75. https://linuxsecurity.com/news/security-projects/intel-cet-shadow-stack-support-set-to-be-introduced-with-linux-6-4
  76. https://grsecurity.net/effectiveness_of_intel_cet_against_code_reuse_attacks
  77. https://www.synacktiv.com/sites/default/files/2025-06/sstic_windows_kernel_shadow_stack_mitigation.pdf
  78. https://www.fbi.gov/news/stories/morris-worm-30-years-since-first-major-attack-on-internet-110218
  79. https://www.sei.cmu.edu/history-of-innovation/fostering-growth-in-professional-cyber-incident-management/
  80. https://www.rapid7.com/db/modules/exploit/bsd/finger/morris_fingerd_bof/
  81. https://www.cs.cmu.edu/afs/cs/academic/class/15213-s02/www/applications/recitation/recitation4/A/r04-A-4up.pdf
  82. https://alumni.cornell.edu/cornellians/morris-worm/
  83. https://www.hypr.com/security-encyclopedia/morris-worm
  84. https://www.cs.umd.edu/class/fall2023/cmsc614/papers/morris-worm.pdf
  85. https://www.washingtonpost.com/news/the-switch/wp/2013/11/01/how-a-grad-student-trying-to-build-the-first-botnet-brought-the-internet-to-its-knees/
  86. https://cseweb.ucsd.edu/~savage/papers/IEEESP03.pdf
  87. https://www.cnet.com/tech/tech-industry/counting-the-cost-of-slammer/
  88. https://wiibrew.org/wiki/Twilight_Hack
  89. https://nvd.nist.gov/vuln/detail/CVE-2019-6989
  90. https://www.exploit-db.com/exploits/46678
  91. https://talosintelligence.com/vulnerability_reports/TALOS-2023-1887
  92. https://routersecurity.org/bugs.php
  93. https://www.fortiguard.com/psirt/FG-IR-24-013
Add your contribution
Related Hubs
User Avatar
No comments yet.