A Binary Rewriting Defense Against Buffer Overflow Attacks

From USENIX 2003

Paper by Prasad & Chiueh

Presentation by Bryan Pass

Outline
  • Outline
  • Background
    • Buffer Overflow methods
  • Open Research Problems
  • Previous/Related Work
  • Binary Rewriting
    • Newness
    • Significance
    • Technique
  • Limitations
  • Results
    • Disassembly Accuracy
    • Performance Overhead
    • Executable Size Overhead
Two Methods of Overflow
  • Classic return address attacks
    • Overflow a buffer and overwrite the saved return address
    • Causes execution to jump to code inside the buffer when the function returns
  • Overwriting other pointers
    • Overflow a pointer that is then used in another (otherwise safe) copy operation
    • Lets code be inserted at any location in the executable
    • Usually used to overwrite the Windows Global Offset Table
Open Research Problems
  • Overflow-safe compiler extensions
    • Why aren't these more widely used?
  • Education
    • How many of you were taught how to avoid buffer overflows?
  • Overflow protection in hardware
    • Separate stack for return addresses
    • Interference with benign code?
  • Fixing legacy code
    • Binary Rewriting
Previous/Related Work
  • “Canary” words
  • Annotation languages and tools that let compilers and checkers identify potential overflows, e.g. the annotated strcpy declaration from LCLint:

    char *strcpy (char *s1, const char *s2)
      /*@requires maxSet(s1) >= maxRead(s2)@*/
      /*@ensures maxRead(s1) == maxRead(s2)
                 /\ result == s1@*/;

A New Approach: Binary Rewriting
  • Alters the assembly code of compiled programs to prevent return address vulnerabilities
  • Works on compiled programs rather than their source code
  • Since source code is not required, it can help secure legacy applications/utilities and binaries supplied by outside programmers
Basic Method
  • Search a program's assembly code for functions
  • Modify function prologues to store a copy of the return address in a separate area of memory (created by the binary rewriter) called the "return address stack"
  • Modify epilogues to use this "return address stack" to ensure the function returns to the proper address
Issues with Disassembly
  • As it turns out, finding functions in disassembly is no simple task
  • Data in code regions
    • Variable instruction size on x86
  • Position-independent code
  • Indirect branches
  • Functions without explicit CALLs
  • Hand-written assembly
    • Cross-function jumps
Disassembly Methods
  • Recursive Traversal
    • Does not do well with complex code, especially GUIs
  • Linear Sweep
    • Hard to identify code segments
    • Misidentified segments can cause a “chain reaction” breaking most of the disassembly results
  • Combined approach with “Compiler independent heuristics”
System Limitations
  • Intel only
  • PE/Windows only
  • Only protects return addresses
  • False negatives in function detection
  • False positives, e.g. when a function the rewriter did not recognise jumps into the body of one it did:

    Fn1:            // no 'interesting' prologue
        :
        jne label
        :
        ret         // no 'interesting' epilogue

    Fn2:            // 'interesting' prologue
        :
    label:
        :
        ret         // 'interesting' epilogue

  • Hand-written assembly
  • Self-modifying code
  • Small epilogues (handled with int 3)
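To make the prologue/epilogue scheme from "Basic Method" and the Fn1/Fn2 false-positive case above concrete, here is an added simulation; it is not code from the paper or from this talk. It models the rewritten epilogue as a comparison of the return address on the stack with the copy saved on the return address stack (an assumption about the exact check), uses constructed integer addresses, and executes nothing real.

```c
#include <stdio.h>
#define DEPTH 16
/* Simulated machine: the real stack of return addresses plus the separate
 * "return address stack" (RAS) that the binary rewriter allocates. */
typedef struct {
    unsigned long stack[DEPTH];   /* return addresses on the real stack */
    unsigned long ras[DEPTH];     /* copies saved by rewritten prologues */
    int sp, rp;
} machine_t;

/* CALL: push the return address onto the real stack. */
static void do_call(machine_t *m, unsigned long ret) { m->stack[m->sp++] = ret; }
/* Rewritten prologue: copy the return address into the RAS. */
static void rewritten_prologue(machine_t *m) { m->ras[m->rp++] = m->stack[m->sp - 1]; }
/* Rewritten epilogue (modelled as a compare): 1 if the stack copy matches the RAS copy, else 0. */
static int rewritten_epilogue(machine_t *m) {
    if (m->rp == 0 || m->sp == 0) return 0;   /* no prologue ever saved a copy */
    return m->ras[--m->rp] == m->stack[--m->sp];
}

/* Benign nested calls: each rewritten epilogue finds its own saved copy. */
int nested_calls_pass(void) {
    machine_t m = {0};
    do_call(&m, 0x401000); rewritten_prologue(&m);   /* constructed addresses */
    do_call(&m, 0x401080); rewritten_prologue(&m);
    return rewritten_epilogue(&m) && rewritten_epilogue(&m);
}

/* A stack buffer overflow has overwritten the saved return address. */
int overflow_detected(void) {
    machine_t m = {0};
    do_call(&m, 0x401000); rewritten_prologue(&m);
    m.stack[m.sp - 1] = 0x7fffdead;      /* the clobbered slot (constructed value) */
    return !rewritten_epilogue(&m);      /* 1: the mismatch is caught */
}

/* The slide's Fn1/Fn2 case: Fn1 has no rewritten prologue, "jne label" lands
 * inside Fn2, and Fn2's rewritten epilogue has no saved copy to match. */
int cross_jump_false_positive(void) {
    machine_t m = {0};
    do_call(&m, 0x401000);               /* caller -> Fn1, nothing saved to the RAS */
    /* jne label: execution is now in Fn2; its prologue never ran */
    return !rewritten_epilogue(&m);      /* 1: benign code is rejected */
}

int main(void) {
    printf("nested=%d overflow=%d cross_jump=%d\n", nested_calls_pass(), overflow_detected(), cross_jump_false_positive());
    return 0;
}
```

The third scenario is why the paper's disassembly accuracy matters: a missed prologue turns into a spurious alarm at an otherwise correct epilogue.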
References
  • A Binary Rewriting Defense against Stack-based Buffer Overflow Attacks. Manish Prasad and Tzi-cker Chiueh. Proceedings of the General Track: 2003 USENIX Annual Technical Conference, June 9-14, 2003. http://www.usenix.org/publications/library/proceedings/usenix03/tech/prasad.html
  • Statically Detecting Buffer Overflow Vulnerabilities. Larochelle and Evans. http://lclint.cs.virginia.edu/usenix01.pdf
  • A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities. Wagner, Foster, Brewer, Aiken. http://www.cs.berkeley.edu/~daw/papers/overruns-ndss00.pdf