Vulnerability Types | 117
the stack, but when the plates or trays are replenished, the new plates or trays are put
on the top of the stack. When the stack is replenished in this way, you can think about
pushing onto the stack. However, when the topmost item is removed, you can think
about popping off the top of the stack.
Programs work in the same way. Programs are generally structured through the use
of functions. A function is a segment of code that performs a particular action. It
allows for the same segment of code to be called multiple times in multiple places in
the program without having to duplicate that segment. It also allows for nonlinear
code execution. Rather than having one long program that is run serially, using
functions allows the program to alter its flow of execution by jumping around in memory.
When functions are called, they often need parameters. This is data the functions act
on. When a function is called, the parameters and the local variables to the function
are placed on the stack. This block of data is called a stack frame.
Inside the stack frame is not only the data associated with the function, but also the
address the program should return to after the function is completed. This is how
programs can run nonlinearly. The CPU doesn’t maintain the entire flow of the
program. Instead, before a function is called, the address within the code block where the
program was last executing is also pushed on the stack.
Buffer overflows happen when a variable is allocated space on the stack. Let’s say you
expect to take in data from the user that is 10 bytes long. If the user enters 15
characters, that’s 5 more bytes than the space that was allocated for the variable that is being
copied into it. Because of the way the stack is structured, all of the variables and data
come before the return instruction pointer. The data being placed into the buffer has
nowhere to go if the language doesn’t do any of the checking ahead of time to
truncate the data. Instead, it just writes over the next addresses in memory. This can result
in the return instruction pointer being overwritten.
Figure 4-1 shows a simplified example of a stack frame for an individual function.
Some elements that belong on the stack frame aren’t demonstrated here. Instead,
we’re focusing on just the parts that we care about. If the function is reading into
var2, what the attacker can do is input more than the 32 characters expected. Once
the 32 characters have been exceeded, any additional data will be written into the
address space where the return instruction address is stored. When the function
returns, that value will be read from the stack, and the program will try to jump to
that address. A buffer overflow tries to get the program to jump to a location known
by or under the control of the attacker to execute the attacker’s code.
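The overwrite described above, modelled in C as an added example that is not from the book: a struct stands in for the Figure 4-1 frame, an unchecked copy sits beside a bounds-checked one, and a helper reports whether the saved return address survived. The frame layout, the 32-byte buffer and the return address value are constructed for the example; real frames hold more than this.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the frame in Figure 4-1 (constructed for this example):
 * a 32-byte local buffer directly followed by the saved return address. */
#define VAR2_SIZE 32
#define CALLER_ADDR 0x4000123456789abcULL /* made-up return address */
struct frame {
    char var2[VAR2_SIZE];
    uint64_t saved_ret; /* where the function returns to when it finishes */
};

/* The bug the text describes: nothing checks the copy against VAR2_SIZE, so
 * longer input spills into saved_ret (byte pointer keeps the model defined). */
static int copy_unchecked(struct frame *f, const char *input, size_t len)
{
    if (len > sizeof *f) /* model boundary only; the real bug has none */
        len = sizeof *f;
    memcpy((unsigned char *)f, input, len);
    return 0;
}
/* Bounds-checked version: refuse input that does not fit var2 with its NUL. */
static int copy_checked(struct frame *f, const char *input, size_t len)
{
    if (len >= VAR2_SIZE)
        return -1; /* reject rather than truncate silently */
    memcpy(f->var2, input, len);
    f->var2[len] = '\0';
    return 0;
}
/* Returns 1 if the saved return address survived the copy, 0 if clobbered. */
int return_address_intact(int (*copy)(struct frame *, const char *, size_t),
                          const char *input, size_t len)
{
    struct frame f = { .saved_ret = CALLER_ADDR };
    copy(&f, input, len);
    return f.saved_ret == CALLER_ADDR;
}

int main(void)
{
    char input[40]; /* 8 bytes more than var2 holds, as in the text's example */
    memset(input, 'A', sizeof input);
    printf("unchecked copy: return address %s\n",
           return_address_intact(copy_unchecked, input, 40) ? "intact" : "overwritten");
    printf("checked copy:   return address %s\n",
           return_address_intact(copy_checked, input, 40) ? "intact" : "overwritten");
    return 0;
}
```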