Giving Students a View of Buffer Overflow

Author: Cheryl Resch, University of Florida

The assignment given in Fall 2023 is available in PDF and Docx format.

This program requires students to download and install a QEMU emulator running the ARMv8 architecture. Instructions can be found here.

Buffer overflow is one of the most common vulnerabilities reported by the Common Vulnerabilities and Exposures (CVE) program. Giving students a mental model of how buffer overflow works and how dangerous these vulnerabilities are may instill in them a commitment to avoiding these vulnerabilities in the future. Buffer overflow and stack frames are known to be difficult concepts for students to understand. In this nifty buffer overflow assignment, students use a free and open-source emulator and debugger to exploit a buffer overflow and view the effect on stack memory. The assignment steps students through assembling a C program vulnerable to buffer overflow in the emulator, running the program in the debugger, exploiting the vulnerable function and causing a buffer overflow, then examining the registers and the stack memory to see the effect of the buffer overflow. Students are able to see their input data in stack memory, and observe how variables are overwritten when more input is provided than has been allocated for that input. Next, students run the program from the command line, and are guided in providing an address in instruction memory as input, so the program runs a function that was not called. This provides a hands-on look at running arbitrary code, and the potentially malicious effects of a buffer overflow vulnerability. Students are also introduced to measures that can be used to mitigate buffer overflow vulnerabilities.
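The overwrite of neighbouring variables described above can be modelled in plain C, as an added example that is not part of the original assignment. The frame layout, guard value and function names are hypothetical, the struct only simulates a stack frame so every write stays inside one object, and the bounded copy and canary-style guard word are two common mitigations chosen here as an assumption, since the page does not name the ones it covers.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8
#define GUARD 0x5AFEC0DEu   /* constructed value standing in for a stack canary */

/* Simulated frame (hypothetical layout, assumes 4-byte unsigned int). */
struct frame {
    char buf[BUF_SIZE];     /* space allocated for the input */
    unsigned int guard;     /* canary-style word placed right after the buffer */
    unsigned int is_admin;  /* adjacent variable the program relies on */
};

static void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->guard = GUARD;
}

/* Unchecked copy: trusts the caller's length the way gets() or strcpy() would.
   Writes are clamped to the simulated frame so the demo stays well-defined. */
static void copy_unchecked(struct frame *f, const char *in, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, in, len);
}

/* Bounded copy: truncates to the buffer and terminates. Returns 1 if truncated. */
static int copy_bounded(struct frame *f, const char *in, size_t len) {
    size_t n = len < BUF_SIZE - 1 ? len : BUF_SIZE - 1;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
    return n < len;
}

/* Runs one copy on a fresh frame. Bit 0: guard clobbered. Bit 1: is_admin changed. */
static int run_case(int bounded, const char *in, size_t len) {
    struct frame f;
    frame_init(&f);
    if (bounded) copy_bounded(&f, in, len);
    else copy_unchecked(&f, in, len);
    return (f.guard != GUARD) | ((f.is_admin != 0) << 1);
}

int main(void) {
    const char sample[] = "AAAAAAAAAAAAAAAA";  /* constructed: 16 bytes for an 8-byte buffer */
    printf("unchecked, 16 bytes: %d\n", run_case(0, sample, 16));
    printf("bounded,   16 bytes: %d\n", run_case(1, sample, 16));
    printf("unchecked,  4 bytes: %d\n", run_case(0, "abc", 4));
    return 0;
}
```

A result with bit 0 set means the guard word changed, which is the condition a canary check tests before a function returns.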

This assignment has been used with 500-700 students per semester in a Computer Organization course in Fall 2022, Spring 2023, and Fall 2023.

  • Summary: In this buffer overflow assignment, students use a free and open-source emulator and debugger to exploit a buffer overflow and view the effect on stack memory. The assignment steps students through assembling a C program vulnerable to buffer overflow in the emulator, running the program in the debugger, exploiting the vulnerable function and causing a buffer overflow, then examining the registers and the stack memory to see the effect of the buffer overflow.
  • Topics: This assignment teaches students about stack frames, stack memory, and the consequences of buffer overflow.
  • Audience: This is appropriate for 2nd, 3rd or 4th year students in Computer Organization, Computer Architecture, Operating Systems, or Computer Security courses.
  • Difficulty: The assignment has step-by-step instructions. Any student familiar with compiling and running a program from the command line will be able to follow these instructions.
  • Length: This assignment should take about 1 hour once a student has installed and set up the emulator.
  • Strengths: This hands-on assignment shows students what happens to stack memory when there is a buffer overflow. Students get a direct look at the effect of buffer overflow. It isn’t an animation; students look at the actual memory and see what happens.
  • Weaknesses: This assignment depends on students having some understanding of the ARM instruction set architecture. It would have to be rewritten to use another architecture, such as x86 or RISC-V.
  • Dependencies: This assignment assumes students have learned about stack frames. It depends on students having the ability to install and run a QEMU emulator, and on students being familiar with the ARM instruction set architecture and registers.
  • Variants: The step-by-step guidance in this assignment could be rewritten for another architecture, such as x86 or RISC-V.