Buffer overflows have been a serious security problem for software developers for several decades now, but the history of exploitation research on this class of flaws is relatively short.
Attackers and researchers originally focused on finding, fixing or exploiting buffer overflows on non-x86 systems, as those were the machines operating the networks that mattered in the 1980s and early 1990s. And, as researcher Nate Lawson explains, that soon changed.
In August [1995], 8lgm published an advisory for syslog() on SunOS SPARC, but no public exploit. In December, the splitvt exploit for Linux x86 was published. However, a month later, some people were still wondering how it worked.

In November 1996, Aleph1 published "Smashing the Stack for Fun and Profit". This important article described in detail the evolution of a stack overflow exploit. Though I don't know the exact history, Aleph1's x86 shellcode is nearly identical to the splitvt exploit, so perhaps his method was derived from it. The article also provided shellcode for SunOS and Solaris on SPARC, which was an important advance since such machines were still more "interesting" than x86 systems.

After this paper, numerous stack overflows were published. Research on both sides advanced rapidly, with new techniques such as heap overflow exploitation and stack integrity protection. So why had research in this area taken so long to reach this inflection point of rapid growth?
Once Aleph1’s paper was published, it focused a lot of attention and energy on buffer overflow exploitation and defense. It’s been nearly 15 years since that paper’s publication, and in that time software vendors such as Microsoft, Sun, Mozilla and dozens of others have addressed buffer overflows, and memory exploits in general, by adding a number of protection mechanisms.
But technologies like ASLR and DEP, while effective in many scenarios, can't stop everything, as creative exploitation techniques have shown in the last couple of years. As Lawson points out, the arms race over buffer overflow defense and exploitation that began in 1996, or earlier, is still running.
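The "stack integrity protection" Lawson mentions is, in its simplest form, a canary word placed after a fixed-size buffer and checked after the buffer is written. The following is an added example, not code from this page or from Lawson's post. It models one stack frame as a single byte array (buffer followed by a canary) so that the unchecked copy stays within a defined object, and contrasts the classic length-from-input bug with a copy bounded by the destination. The CANARY constant and the 16-byte frame layout are constructed assumptions; a real compiler-inserted canary is a random per-process value and lives in the actual frame, not in a struct.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16
#define FRAME_LEN (BUF_LEN + sizeof(uint32_t))
/* Constructed canary value for the model; real canaries are randomized at process start. */
#define CANARY    0xDEADBEEFu

/* Model of a stack frame: a fixed-size buffer immediately followed by a canary word. */
typedef struct {
    uint8_t bytes[FRAME_LEN];
} frame_t;

/* Zero the buffer and plant the canary after it. */
void frame_init(frame_t *f) {
    uint32_t c = CANARY;
    memset(f->bytes, 0, BUF_LEN);
    memcpy(f->bytes + BUF_LEN, &c, sizeof c);
}

/* Integrity check run before "returning": 1 if the canary is intact, 0 if it was overwritten. */
int frame_canary_ok(const frame_t *f) {
    uint32_t c;
    memcpy(&c, f->bytes + BUF_LEN, sizeof c);
    return c == CANARY;
}

/* The classic defect: the copy length comes from the input, not from the buffer size.
   Writes past BUF_LEN land on the canary. Returns the canary check result. */
int copy_unchecked(frame_t *f, const uint8_t *in, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;   /* clamp only to keep the model well-defined C */
    memcpy(f->bytes, in, n);
    return frame_canary_ok(f);
}

/* The fix: bound the copy by the destination and refuse oversized input outright.
   Returns -1 when the input is rejected, otherwise the canary check result (1). */
int copy_bounded(frame_t *f, const uint8_t *in, size_t n) {
    if (n > BUF_LEN) return -1;
    memcpy(f->bytes, in, n);
    return frame_canary_ok(f);
}

/* Runs both copies on a constructed 20-byte input (4 bytes longer than the buffer).
   Returns 1 when the unchecked copy corrupts the canary and the check catches it,
   while the bounded copy rejects the input and leaves the canary intact. */
int demo(void) {
    uint8_t input[20];
    frame_t f;
    memset(input, 'A', sizeof input);          /* constructed oversized input */

    frame_init(&f);
    int unchecked_ok = copy_unchecked(&f, input, sizeof input);   /* 0: canary clobbered */

    frame_init(&f);
    int bounded_rc = copy_bounded(&f, input, sizeof input);       /* -1: rejected */

    return unchecked_ok == 0 && bounded_rc == -1 && frame_canary_ok(&f);
}

int main(void) {
    printf("canary check catches unchecked copy, bounded copy refuses input: %s\n",
           demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

The canary only detects the overwrite after it has happened, which is why it is a second line of defense: the bounded copy is the actual fix, and the check exists for the cases the code review missed.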