
Your First Lab: Buffer Overflow

Let's explore the buffer overflow lab in detail to understand embedded security vulnerabilities.

Lab Overview

The buffer overflow lab (01-buffer-overflow) demonstrates a classic memory corruption vulnerability in embedded systems.

Learning Objectives

  • Understand stack-based buffer overflows
  • Learn about embedded memory layout
  • Practice exploitation techniques
  • Capture your first flag

Running the Lab

# Build and run
make qemu-01-buffer-overflow

Understanding the Vulnerability

The Vulnerable Code

The lab contains code similar to:

void vulnerable_function() {
    char buffer[32];
    uart_printf("Enter your name: ");
    uart_gets(buffer);  // No bounds checking!
    uart_printf("Hello %s!\n", buffer);
}

The Problem

  • buffer is only 32 bytes
  • uart_gets() has no length argument, so it never stops writing at the end of buffer
  • Excess input overwrites whatever sits above buffer on the stack (saved FP, return address)
  • Overwriting the saved return address redirects program execution

Exploitation Walkthrough

Step 1: Normal Behavior

# Run the lab
make qemu-01-buffer-overflow

# Enter normal input
Enter your name: Bob
Hello Bob!

Step 2: Identify the Overflow

Try increasingly longer inputs:

Enter your name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Look for crashes or unexpected behavior.

Step 3: Control Execution

  1. Find the exact overflow offset
  2. Identify where return address is stored
  3. Overwrite with target address
  4. Redirect to win function

Step 4: Capture the Flag

Successful exploitation prints:

Congratulations! Flag: {your_flag_here}

Debugging Techniques

Using GDB

# In one terminal: -gdb exposes the GDB stub on TCP port 1234 (the original
# used -serial for this port, which would hand GDB the UART instead of the stub);
# -S halts the CPU at reset until GDB issues continue
qemu-system-arm -M lm3s6965evb -kernel build-qemu/labs/01-buffer-overflow/01-buffer-overflow -nographic -gdb tcp::1234 -S

# In another terminal
arm-none-eabi-gdb build-qemu/labs/01-buffer-overflow/01-buffer-overflow
(gdb) target remote :1234
(gdb) break vulnerable_function
(gdb) continue

Memory Analysis

(gdb) info registers
(gdb) x/32x $sp
(gdb) disassemble

Key Concepts

Stack Layout

High Address
+----------------+
| Return Address |
+----------------+
| Saved FP       |
+----------------+
| Local Variables|
| (buffer[32])   |
+----------------+ <- Stack Pointer
Low Address

Protection Mechanisms

Embedded systems often lack:

  • Stack canaries
  • ASLR (Address Space Layout Randomization)
  • NX bit (No-Execute)

Their absence is what makes exploitation easier to learn here: nothing detects the overwrite before the function returns, addresses stay the same from run to run, and memory the input lands in is executable.

Testing Your Solution

# Run automated tests
make unittest-lab LAB=01-buffer-overflow

Prevention

// Safe version
void safe_function() {
    char buffer[32];
    uart_printf("Enter your name: ");
    // Length argument leaves room for the terminator
    uart_gets_n(buffer, sizeof(buffer)-1);
    // Terminate explicitly in case the driver does not
    buffer[sizeof(buffer)-1] = '\0';
    uart_printf("Hello %s!\n", buffer);
}
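
The following is an added example, not code from the lab, that makes the problem above and the safe version observable on a host machine. It models the frame from the Stack Layout diagram as a struct (buffer lowest, then a guard word standing in for a stack canary, then the saved return address), feeds input from a constructed in-memory UART instead of the real serial port, and runs the same line through an unbounded reader like uart_gets() and a bounded one like uart_gets_n(). The names uart_feed, uart_getc, sim_frame_t, CANARY, FAKE_RET and the run_* helpers are all constructed for this example, and the uart_gets_n() semantics used here (n is the full buffer size, terminator included) are an assumption about the lab's driver, which is why the safe version above passes sizeof(buffer)-1 and terminates explicitly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the lab's UART: bytes come from an in-memory string
 * instead of the serial port. uart_getc() returns -1 at end of input. */
static const char *g_uart_stream = "";
static size_t g_uart_pos = 0;

static void uart_feed(const char *s) { g_uart_stream = s; g_uart_pos = 0; }

static int uart_getc(void) {
    if (g_uart_stream[g_uart_pos] == '\0') return -1;
    return (unsigned char)g_uart_stream[g_uart_pos++];
}

/* Simulated frame laid out like the diagram: buffer lowest, then a guard word
 * standing in for a canary, then the saved return address. Real frames are not
 * structs; modelling one lets the overwrite be seen without touching the host's
 * own stack. Both constants are constructed placeholders. */
#define CANARY   0xDEADBEEFu
#define FAKE_RET 0x08000401u

typedef struct {
    char     buffer[32];
    uint32_t canary;
    uint32_t saved_ret;
} sim_frame_t;

static sim_frame_t g_frame;

static void frame_init(void) {
    memset(&g_frame, 0, sizeof g_frame);
    g_frame.canary = CANARY;
    g_frame.saved_ret = FAKE_RET;
}

/* Unbounded reader mirroring uart_gets(): copies until newline or end of input
 * and never asks how large the destination is. It writes through a byte pointer
 * to the whole frame so the overflow stays inside one object; the cap at
 * sizeof(g_frame) exists only to keep the demo well-defined on the host. */
static void uart_gets_unbounded(void) {
    unsigned char *dst = (unsigned char *)&g_frame;  /* buffer is at offset 0 */
    size_t i = 0;
    int c;
    while ((c = uart_getc()) != -1 && c != '\n' && i < sizeof g_frame)
        dst[i++] = (unsigned char)c;
    if (i < sizeof g_frame) dst[i] = '\0';  /* even the terminator can overflow */
}

/* Bounded reader with the semantics assumed here for uart_gets_n(): n is the
 * full size of buf including the terminator, so at most n-1 characters are
 * stored and the rest of the line is consumed and dropped. */
static void uart_gets_n(char *buf, size_t n) {
    size_t i = 0;
    int c;
    if (n == 0) return;
    while ((c = uart_getc()) != -1 && c != '\n') {
        if (i < n - 1) buf[i++] = (char)c;
    }
    buf[i] = '\0';
}

/* The check a canary-protected epilogue performs before returning. */
static int frame_intact(void) {
    return g_frame.canary == CANARY && g_frame.saved_ret == FAKE_RET;
}

/* Feed one line through the unbounded reader; returns 1 if the frame survived. */
int run_unbounded(const char *input) {
    frame_init();
    uart_feed(input);
    uart_gets_unbounded();
    return frame_intact();
}

/* Same line through the bounded reader. */
int run_bounded(const char *input) {
    frame_init();
    uart_feed(input);
    uart_gets_n(g_frame.buffer, sizeof g_frame.buffer);
    return frame_intact();
}

uint32_t last_saved_ret(void) { return g_frame.saved_ret; }

/* Only meaningful after a bounded read, which guarantees a terminator. */
size_t last_bounded_len(void) { return strlen(g_frame.buffer); }

int main(void) {
    const char *inputs[] = {
        "Bob",
        "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA",             /* 32: terminator hits canary */
        "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA",  /* 40: reaches saved return */
    };
    for (size_t k = 0; k < 3; k++) {
        int ok_unb = run_unbounded(inputs[k]);
        unsigned ret = (unsigned)last_saved_ret();
        int ok_bnd = run_bounded(inputs[k]);
        printf("len %2zu: uart_gets %s (saved ret 0x%08x), uart_gets_n %s\n",
               strlen(inputs[k]), ok_unb ? "intact" : "CORRUPTED", ret,
               ok_bnd ? "intact" : "CORRUPTED");
    }
    return 0;
}
```

The 32-byte case is worth noticing: the characters fit, but the terminator lands on the guard word, which is the off-by-one that `sizeof(buffer)-1` in the safe version is there to avoid. The 40-byte case fills the saved return address with 0x41414141, which is the crash signature to look for in Step 2 when the real lab is run under GDB.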

Next Steps