Example 2: Stack data access

A project log for Simple Security Risk Examples on Arduino

Simple Arduino examples of common cyber-security risks, such as buffer overflows and stack smashing

Jake Wachlin (jake-wachlin), 09/19/2020 at 15:55, 0 comments

This next example shows a potential security risk in the form of leaking sensitive information: stale data left on the stack by one function is read back by another. Like all these examples, the full code is on Github but is also shown here.

#include <stdio.h>  // snprintf
#include <string.h>

#define BUFFER_LENGTH         64

void process_secret_data(void)
{
  char buffer[BUFFER_LENGTH];
  int ssn = 555555555; // Should NOT be leaked
  snprintf(buffer, BUFFER_LENGTH, "SSN: %i", ssn);

  // Do something with SSN...
  // The buffer is NOT wiped before returning, so the formatted
  // SSN stays behind in the released stack frame.
}

void do_something_else(void)
{
  // Deliberately uninitialized: starts out holding whatever the
  // previous call left at these stack addresses.
  char buffer[BUFFER_LENGTH];

  Serial.println("Enter your Name");

  unsigned long start = millis();
  int index = 0;
  while((millis() - start) < 5000)
  {
    if(Serial.available())
    {
      // Deliberately no bounds check and no terminating 0 is written.
      buffer[index++] = Serial.read();
    }
  }

  Serial.print("Your name: ");
  Serial.println(buffer); // Prints until the first 0 byte, wherever that is
}

void setup() {
  Serial.begin(115200);
  delay(1000);

  Serial.println("Booting...");
  delay(100);
}

void loop() {
  delay(5000);
  Serial.println("Loop still running");

  process_secret_data();
  do_something_else();
}

Here, we have a function "process_secret_data" that does something with sensitive information. It takes a social security number and formats it into a local buffer. Then we have another function, "do_something_else", that asks the user for their name. Perhaps this would be used for some sort of login.

The main issue here is that the buffer in "do_something_else" is never zeroed, and the buffer in "process_secret_data" is never cleared before that function returns. The hardware does not clear stack memory between calls either, so the old contents stay where they were. Because the two functions are called one after the other from loop(), their local buffers land at similar stack addresses, and the uninitialized buffer in "do_something_else" starts out holding the stale data from the other function. Since the read loop also never writes a terminating zero, Serial.println simply walks through whatever bytes are there.

Without inputting anything, we get the following (on an Adafruit Feather M0). It prints whatever is already in the buffer, finds a string-terminating 0, and stops.

If we provide a short "name", we can overwrite that string-terminating zero and cause it to print out more than expected. Here I provided the name "hello".

This program now leaks the sensitive information from a completely separate function. We really do not want this to happen. We want to compartmentalize the code so leaks like this do not occur: clear secrets before their frame is released, initialize buffers, bound every write, and always terminate strings before printing them.
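The fixes the example calls for, written out as an added example in plain C rather than taken from the project's sketch: the secret-handling function wipes its buffer before returning, and the name-reading loop is zero-initialized, bounded, and always NUL-terminated. Serial.read() is replaced by a constructed in-memory byte stream (fake_serial_t, an assumption made so the code runs off-board); secure_wipe, read_name_safe, process_secret_data_safe and the check_* helpers are names chosen here, not the project's.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_LENGTH 64

/* Zero a buffer through a volatile pointer so the compiler cannot drop
 * the wipe as a dead store (the buffer is about to go out of scope). */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Stand-in for Serial.read(): bytes served from a constructed string.
 * Returns -1 when nothing is left, mirroring the Arduino API. */
typedef struct {
    const char *data;
    size_t pos;
    size_t len;
} fake_serial_t;

static int fake_serial_read(fake_serial_t *s)
{
    if (s->pos >= s->len) return -1;
    return (unsigned char)s->data[s->pos++];
}

/* Hardened version of the do_something_else() read loop:
 * - the buffer is zeroed first, so it never starts with stale stack data;
 * - writes stop at out_len - 1, leaving room for the terminator;
 * - the string is always NUL-terminated before anyone prints it.
 * Returns the number of bytes stored. */
size_t read_name_safe(fake_serial_t *serial, char *out, size_t out_len)
{
    size_t index = 0;
    int c;
    if (out_len == 0) return 0;
    memset(out, 0, out_len);
    while ((c = fake_serial_read(serial)) >= 0) {
        if (c == '\n' || c == '\r') break;   /* end of line ends the name */
        if (index < out_len - 1) {
            out[index++] = (char)c;           /* bounded write */
        }                                     /* extra bytes are dropped */
    }
    out[index] = '\0';
    return index;
}

/* Hardened version of process_secret_data(): format the secret, use it,
 * then wipe the local buffer before the frame is released.
 * Returns the formatted length so a caller can confirm the work happened. */
int process_secret_data_safe(int ssn)
{
    char buffer[BUFFER_LENGTH];
    int n = snprintf(buffer, sizeof buffer, "SSN: %i", ssn);
    /* ... do something with the formatted SSN here ... */
    secure_wipe(buffer, sizeof buffer);
    return n;
}

/* Constructed input "hello\n" must yield exactly "hello". */
int check_short_name(void)
{
    char name[BUFFER_LENGTH];
    fake_serial_t s = { "hello\n", 0, 6 };
    size_t n = read_name_safe(&s, name, sizeof name);
    return n == 5 && strcmp(name, "hello") == 0;
}

/* 100 bytes of 'A' with no newline must be truncated to 63 + terminator. */
int check_long_name(void)
{
    char name[BUFFER_LENGTH];
    char big[100];
    memset(big, 'A', sizeof big);
    fake_serial_t s = { big, 0, sizeof big };
    size_t n = read_name_safe(&s, name, sizeof name);
    return n == BUFFER_LENGTH - 1 && strlen(name) == BUFFER_LENGTH - 1;
}

/* After secure_wipe, every byte of a previously filled buffer is zero. */
int check_wipe(void)
{
    unsigned char buf[BUFFER_LENGTH];
    memset(buf, 0x41, sizeof buf);
    secure_wipe(buf, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++) {
        if (buf[i] != 0) return 0;
    }
    return 1;
}

int main(void)
{
    char name[BUFFER_LENGTH];
    fake_serial_t input = { "hello\n", 0, 6 };   /* constructed input */
    process_secret_data_safe(555555555);
    read_name_safe(&input, name, sizeof name);
    printf("Your name: %s\n", name);
    return 0;
}
```

The wipe goes through a volatile pointer because a plain memset on a buffer that is about to go out of scope is exactly the kind of store an optimizing compiler is allowed to remove; on a toolchain that provides explicit_bzero or memset_s, use that instead. Bounding the loop at out_len - 1 and writing the terminator unconditionally is what stops Serial.println from walking off the end of the name and into neighbouring stack memory.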