Many application attacks take advantage of vulnerabilities in a system’s memory. Because of this, it’s important for developers to use secure memory management techniques within their code. If you’re planning to take the SY0-501 version of the Security+ exam, you should have a good understanding of application vulnerabilities, including some common memory issues related to applications.
For example, can you answer this practice test question?
Q. An attacker is attempting to write more data into a web application’s memory than it can handle. Which type of attack is this?
A. XSRF
B. DLL injection
C. Pass the hash
D. Buffer overflow
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Memory Leak
A memory leak is a bug in a computer application that causes the application to consume more and more memory the longer it runs. In extreme cases, the application can consume so much memory that the operating system crashes.
Memory leaks are typically caused by an application that reserves memory for short-term use, but never releases it. As an example, imagine a web application collects user profile data to personalize the browsing experience for users. However, it collects this data every time a user accesses a web page and it never releases the memory used to store the data. Over time, the web server will run slower and slower and eventually need to be rebooted.
Integer Overflow
An integer overflow attack attempts to use or create a numeric value that is too big for an application to handle. The result is that the application gives inaccurate results. As an example, if an application reserves 8 bits to store a number, it can store any value between 0 and 255. If the application attempts to multiply two values such as 95 × 59, the result is 5,605. This number cannot be stored in the 8 bits, so it causes an integer overflow error. It’s a good practice to double- check the size of buffers to ensure they can handle any data generated by the applications.
In some situations, an integer overflow error occurs if an application expects a positive number, but receives a negative number instead. If the application doesn’t have adequate error- and exception-handling routines, this might cause a buffer overflow error.
Buffer Overflows
A buffer overflow occurs when an application receives more input, or different input, than it expects. The result is an error that exposes system memory that would otherwise be protected and inaccessible. Normally, an application will have access only to a specific area of memory, called a buffer. The buffer overflow allows access to memory locations beyond the application’s buffer, enabling an attacker to write malicious code into this area of memory.
The buffer overflow exposes a vulnerability, but it doesn’t necessarily cause damage by itself. However, once attackers discover the vulnerability, they exploit it and overwrite memory locations with their own code. If the attacker uses the buffer overflow to crash the system or disrupt its services, it is a DoS attack.
More often, the attacker’s goal is to insert malicious code in a memory location that the system will execute. It’s not easy for an attacker to know the exact memory location where the malicious code is stored, making it difficult to get the computer to execute it. However, an attacker can make educated guesses to get close.
The malicious code varies. In some instances, the attackers write code to spread a worm through the web server’s network. In other cases, the code modifies the web application so that the web application tries to infect every user who visits the web site with other malware. The attack possibilities are almost endless.
Buffer Overflow Attacks
A buffer overflow attack includes several different elements, but they happen all at once. The attacker sends a single string of data to the application. The first part of the string causes the buffer overflow. The next part of the string is a long string of NOPs followed by the attacker’s malicious code, stored in the attacked system’s memory. Last, the malicious code goes to work.
In some cases, an attacker writes a malicious script to discover buffer overflow vulnerabilities. For example, the attacker could use JavaScript to send random data to another service on the same system.
Although error-handling routines and input validation go a long way to prevent buffer overflows, they don’t prevent them all. Attackers occasionally discover a bug allowing them to send a specific string of data to an application, causing a buffer overflow. When vendors discover buffer overflow vulnerabilities, they are usually quick to release a patch or hotfix. From an administrator’s perspective, the solution is easy: Keep the systems up to date with current patches.
DLL Injection
Applications commonly use a Dynamic Link Library (DLL) or multiple DLLs. A DLL is a compiled set of code that an application can use without re-creating the code. As an example, most programming languages include math-based DLLs. Instead of writing the code to discover the square root of a number, a developer can include the appropriate DLL and access the square root function within it.
DLL injection is an attack that injects a DLL into a system’s memory and causes it to run. For example, imagine an attacker creates a DLL named malware.dll that includes several malicious functions. In a successful DLL injection attack, the attacker attaches to a running process, allocates memory within the running process, connects the malicious DLL within the allocated memory, and then executes functions within the DLL.
Q. An attacker is attempting to write more data into a web application’s memory than it can handle. Which type of attack is this?
A. XSRF
B. DLL injection
C. Pass the hash
D. Buffer overflow
Answer is D. One type of buffer overflow attack attempts to write more data into an application’s memory than it can handle.
None of the other answers are directly related to overloading the application’s memory.
A cross-site request forgery (XSRF) attack attempts to launch attacks with HTML code.
A Dynamic Link Library (DLL) injection attack injects a DLL into memory and causes it to run.
A pass the hash attack attempts to discover a password.
See Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on advanced attacks.
1 thought on “Memory Management Techniques”