A binary rewriting defense against buffer overflow attacks

A Binary Rewriting Defense Against Buffer Overflow Attacks. From USENIX 2003. Paper by Prasad & Chiueh. Presentation by Bryan Pass. Outline: Background (Buffer Overflow methods), Open Research Problems, Previous/Related Work, Binary Rewriting (Newness, Significance, Technique)


Presentation Transcript


A Binary Rewriting Defense Against Buffer Overflow Attacks

From USENIX 2003

Paper by Prasad & Chiueh

Presentation by Bryan Pass


Outline

  • Outline

  • Background

    • Buffer Overflow methods

  • Open Research Problems

  • Previous/Related Work

  • Binary Rewriting

    • Newness

    • Significance

    • Technique

  • Limitations

  • Results

    • Disassembly Accuracy

    • Performance Overhead

    • Executable Size Overhead


Two Methods of Overflow

  • Classic Return Address hacks

    • Overflow a buffer and change the return address

    • Causes execution to jump to code inside the buffer when the function returns

  • Overwriting other pointers

    • Overflow a pointer used in another (potentially safe) copy operation

    • Insert code at any location in the executable

    • Usually used to overwrite the Windows Global Offset Table


Yes, it is a problem.


Open Research Problems

  • Overflow safe compiler extensions

    • Why aren’t these more widespread and widely used?

  • Education

    • How many of you were taught how to avoid buffer overflows?

  • Overflow protection in hardware

    • Separate stack for return addresses

    • Interference with benign code?

  • Fixing legacy code

    • Binary Rewriting


Previous/Related Work

  • “Canary” words

  • Languages & tools for compilers to use to identify potential overflows

    char *strcpy (char *s1, const char *s2)
    /*@requires maxSet(s1) >= maxRead(s2)@*/
    /*@ensures maxRead(s1) == maxRead(s2)
               /\ result == s1@*/;


A New Approach: Binary Rewriting

  • Alter assembly code of programs to prevent Return Address vulnerabilities

  • Uses compiled programs rather than their source code

  • Since source code is not required, this can help ensure the security of legacy applications/utilities and binaries provided by outside programmers


Basic Method

  • Search a program’s assembly code for functions

  • Modify function prologs to store the proper return address in another area of memory (created by the binary rewriter) called the “return address stack”

  • Modify epilogs to use this “return address stack” to ensure they return to the proper address
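The prolog/epilog scheme above can be modelled in a few lines of C. This is an added example, not code from the paper or the presentation: the frame layout, the names `prolog`, `epilog`, `unchecked_copy` and `call_protected`, and the return address value are all assumptions, and the stack frame is simulated in a struct so the overflow stays within defined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAS_DEPTH 64
static uint32_t ras[RAS_DEPTH];  /* "return address stack", held apart from the frames */
static size_t ras_top;

struct frame {                   /* simulated frame: buffer sits below the return address */
    unsigned char buf[8];
    uint32_t ret_addr;
};

/* What the rewritten prolog does: save a copy of the return address. */
static void prolog(const struct frame *f) {
    if (ras_top < RAS_DEPTH) ras[ras_top++] = f->ret_addr;
}

/* What the rewritten epilog does: 1 = return address intact, 0 = mismatch
   (or nothing was saved, i.e. the epilog ran without a matching prolog). */
static int epilog(const struct frame *f) {
    if (ras_top == 0) return 0;
    return ras[--ras_top] == f->ret_addr;
}

/* Models an unchecked copy into buf. The write is capped at the end of the
   simulated frame so the demonstration itself has defined behaviour. */
static void unchecked_copy(struct frame *f, const unsigned char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy(f, src, len);
}

/* One instrumented call that copies len constructed input bytes into buf
   and returns the epilog's verdict. */
int call_protected(size_t len) {
    unsigned char in[sizeof(struct frame)];
    struct frame f = { {0}, 0x00401234u };  /* constructed return address */
    memset(in, 'A', sizeof in);
    prolog(&f);
    unchecked_copy(&f, in, len);
    return epilog(&f);
}

int main(void) {
    printf("8-byte input:  %s\n", call_protected(8) ? "ok" : "mismatch");
    printf("12-byte input: %s\n", call_protected(12) ? "ok" : "mismatch");
    return 0;
}
```

The check only covers the saved return address: an input that fits in `buf`, or one that corrupts some other pointer, passes the epilog unchanged.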


Architecture


Issues with Disassembly

  • As it turns out, finding functions in disassembly is no simple task

  • Data in code regions

    • Variable Instruction size on x86

  • Position independent code

  • Indirect branches

  • Functions without explicit CALLs

  • Hand written assembly

    • Cross function jumps


Disassembly Methods

  • Recursive Traversal

    • Does not do well with complex code, especially GUIs

  • Linear Sweep

    • Hard to identify code segments

    • Misidentified segments can cause a “chain reaction” breaking most of the disassembly results

  • Combined approach with “Compiler independent heuristics”
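The two disassembly methods above, and the "data in code regions" issue from the previous slide, can be compared on a small byte sequence. This is an added example, not the paper's disassembler: the byte sequence is constructed, the decoder handles only four x86 opcodes, and `linear_sweep` and `recursive_traversal` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed code region using four real x86 encodings:
   EB rel8 = jmp, 68 imm32 = push, 90 = nop, C3 = ret. */
static const uint8_t code[] = {
    0xEB, 0x03,        /* 0: jmp +3 (to offset 5), skipping the data   */
    0x68, 0x00, 0x00,  /* 2: data bytes that happen to start with 0x68 */
    0x90, 0xC3,        /* 5: nop; 6: ret                               */
    0x90, 0xC3         /* 7: second function, no direct call: nop; ret */
};
#define N (sizeof code)

static size_t insn_len(uint8_t op) {
    return op == 0xEB ? 2 : op == 0x68 ? 5 : 1;  /* everything else: 1 byte */
}

/* Linear sweep: decode back to back from offset 0. Bit i set = start at i. */
uint32_t linear_sweep(void) {
    uint32_t starts = 0;
    for (size_t pc = 0; pc < N; pc += insn_len(code[pc]))
        starts |= 1u << pc;
    return starts;
}

/* Recursive traversal: follow control flow from a known entry point. This
   subset has only unconditional jumps, so one path per entry suffices. */
uint32_t recursive_traversal(size_t entry) {
    uint32_t starts = 0;
    size_t pc = entry;
    while (pc < N && !(starts & (1u << pc))) {
        starts |= 1u << pc;
        if (code[pc] == 0xC3) break;                   /* ret ends the path */
        if (code[pc] == 0xEB && pc + 1 < N)
            pc += 2 + (size_t)(int8_t)code[pc + 1];    /* follow the jump */
        else
            pc += insn_len(code[pc]);
    }
    return starts;
}

int main(void) {
    printf("truth     0x1e1\nlinear    0x%x\nrecursive 0x%x\n",
           (unsigned)linear_sweep(), (unsigned)recursive_traversal(0));
    return 0;
}
```

The sweep decodes the data at offset 2 as a 5-byte `push` and swallows the real instructions at 5 and 6; the traversal gets those right but never reaches the function at 7 until it is handed that entry point.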


System Limitations

  • Intel Only

  • PE/Windows Only

  • Only protects return addresses

  • False negatives in function detection

  • False positives

    Fn1:            // no 'interesting' prologue
      :
      jne label
      :
      ret           // no 'interesting' epilogue
    Fn2:            // 'interesting' prologue
      :
    label:
      :
      ret           // 'interesting' epilogue

  • Hand-written assembly

  • Self modifying code

  • Small epilogs (int 3)


Disassembly Accuracy


Disassembly Accuracy


Run-Time Overhead


Executable Size Overhead


References

  • A Binary Rewriting Defense against Stack based Buffer Overflow Attacks. Manish Prasad and Tzi-cker Chiueh. Proceedings of the General Track: 2003 USENIX Annual Technical Conference. June 9-14, 2003. http://www.usenix.org/publications/library/proceedings/usenix03/tech/prasad.html

  • Statically Detecting Buffer Overflow Vulnerabilities. Larochelle and Evans. http://lclint.cs.virginia.edu/usenix01.pdf

  • A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities. Wagner, Foster, Brewer, Aiken. http://www.cs.berkeley.edu/~daw/papers/overruns-ndss00.pdf

