Protecting c programs from attacks via invalid pointer dereferences
This presentation is the property of its rightful owner.
Sponsored Links
1 / 36

Protecting C Programs from Attacks via Invalid Pointer Dereferences PowerPoint PPT Presentation


  • 83 Views
  • Uploaded on
  • Presentation posted in: General

Protecting C Programs from Attacks via Invalid Pointer Dereferences. Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison. Invalid Pointer Dereferences. Buffer overruns via pointers or arrays Stale pointers (pointers to freed memory) Undesirable because incorrect results

Download Presentation

Protecting C Programs from Attacks via Invalid Pointer Dereferences

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Protecting c programs from attacks via invalid pointer dereferences

Protecting C Programsfrom Attacks viaInvalid Pointer Dereferences

Suan Hsi Yong, Susan Horwitz

University of Wisconsin – Madison


Invalid pointer dereferences

Invalid Pointer Dereferences

  • Buffer overruns

    • via pointers or arrays

  • Stale pointers (pointers to freed memory)

  • Undesirable because

    • incorrect results

    • crash / corrupt data

    • security risk

a[i] *(a+i)


Security risk

Security Risk

  • Gain control

    • stack smashing (return address on stack)

    • function pointers, setjmp buffers, GOT

  • Gain unauthorized access

    • e.g. changing argument to fopen

  • Corrupt data / Disrupt service


Stack smashing

Stack Smashing

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

p

buf

return address


Our approach for c

Our Approach, for C

  • Dynamically detect invalid writes via pointers

    • halt execution when detected

  • Efficient (low overhead)

  • No false positives

  • No source code modification needed


Outline

Outline

  • Introduction

  • Previous Approaches

  • Description of Approach

  • Experiments

  • Conclusion


Previous approaches

Previous Approaches

  • StackGuard: protects return addresses only

    • efficient

    • automatic

    • does not protect other memory locations

    • platform dependent

  • StackShield: similar, but also protects function pointers


Fat pointers

Fat Pointers

  • Record information about what a pointer should point to

  • CCured, Cyclone

    • detects all invalid accesses

    • less flexibility in memory management:requires garbage collection(or region-based model, for Cyclone)

    • doesn’t handle all of C(rejects some legal C programs)

    • requires programmer changes to source


Fat pointers1

Fat Pointers

  • associate information with pointer:

    address and size of referent

p

buf

12

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

buf

return address


Our approach

Our Approach

  • associates information with target rather than pointer

p

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

buf

return address


Which locations to mark

Which Locations to Mark?

  • naively: Mark All User-defined Locations

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

p

buf

return address


Which locations to mark1

Which Locations to Mark?

FN_PTRfp= &foo;

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

(*fp)();

p

buf

fp

  • Static Analysis, to permit marking fewer locations


Unsafe pointers

Unsafe Pointers

  • a pointer p that may point to invalid memory:

    • p is assigned a non-pointer value, or

    • p is the result of pointer arithmetic, or

    • p may become stale

  • only writes via unsafe pointers are checked at runtime

    • safe pointer dereferences are not checked

    • for efficiency, we don’t check reads

a[i]

*(a+i)


Example unsafe pointers

pointers:

unsafe

p

safe

fp

Example: Unsafe Pointers

FN_PTR fp = &foo;

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

(*fp)();


Tracked locations

Tracked Locations

  • a location that an unsafe pointer may point to

    • mirror is marked ok () when allocated, and forbidden () when freed.

  • untracked locations always forbidden ()

    • never pointed-to by unsafe pointer

  • points-to analysis needed


Example tracked locations

locations:

pointers:

points-to

graph:

untracked

unsafe

p

p

p

fp

untracked

safe

fp

fp

tracked

buf

foo

buf

Example: Tracked Locations

FN_PTR fp = &foo;

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

(*fp)();


Example allocation

locations:

pointers:

untracked

unsafe

p

p

untracked

safe

fp

fp

tracked

buf

Example: Allocation

FN_PTR fp = &foo;

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

(*fp)();


Example allocation1

locations:

pointers:

untracked

unsafe

p

p

untracked

safe

fp

fp

tracked

buf

Example: Allocation

FN_PTRfp = &foo;

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

(*fp)();

fp


Example allocation2

locations:

pointers:

untracked

unsafe

p

p

untracked

safe

fp

fp

tracked

buf

Example: Allocation

FN_PTR fp = &foo;

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

(*fp)();

buf

fp


Example allocation3

locations:

pointers:

untracked

unsafe

p

p

untracked

safe

fp

fp

tracked

buf

Example: Allocation

FN_PTR fp = &foo;

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

(*fp)();

p

buf

fp


Example checking writes

locations:

pointers:

untracked

unsafe

p

p

untracked

safe

fp

fp

tracked

buf

Example: Checking Writes

FN_PTR fp = &foo;

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

(*fp)();

p

buf

fp


Example checking writes1

locations:

pointers:

untracked

unsafe

p

p

untracked

safe

fp

fp

tracked

buf

Example: Checking Writes

FN_PTR fp = &foo;

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

(*fp)();

p

buf

fp


Example checking writes2

locations:

pointers:

untracked

unsafe

p

p

untracked

safe

fp

fp

tracked

buf

Example: Checking Writes

FN_PTR fp = &foo;

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

(*fp)();

p

buf

fp


Example checking writes3

locations:

pointers:

untracked

unsafe

p

p

untracked

safe

fp

fp

tracked

buf

Example: Checking Writes

FN_PTR fp = &foo;

char buf[12];

char *p = &buf[0];

do {

*p = getchar();

} while(*p++ != ‘\0’);

(*fp)();

p

buf

fp


Tool overview

Tool Overview

Csourcefile

instru-mentedClibrary

Static

Analysis

Instrumenter

CCompiler

unsafe pointers

tracked variables

instru-mentedC sourcefile

instru-mentedexec-utable


Implementation details

Implementation Details

  • Flow-insensitive Points-to Analysis [Das00]

    • near-linear time, good precision

  • C source-to-source instrumenter [Ckit]

    • ANSI C compliant, portable

  • Uninstrumented library functions may cause false positives or false negatives

    • write wrappers to be more precise


Outline1

Outline

  • Introduction

  • Previous Approaches

  • Description of Approach

  • Experiments

  • Conclusion


Experiments

Experiments

  • Tool successfully detected two simulated attacks via known vulnerabilities

    • cfingerd: buffer overrun attack

    • traceroute: modifying Global Offset Table entry via multiple-free bug


Performance

Performance

  • Runtime Overhead (average 1.97×)

Cyclone

Olden

Spec 95

Spec 2000


Performance1

increasing size (LOC)

Performance

  • Runtime Overhead (average 1.97×)


Comparing with ccured cyclone

Comparing with CCured/Cyclone


Analysis instrument compile time

Analysis/Instrument/Compile Time

  • Slowdown vs. Compile Time (average 5×)

increasing size (LOC)


Future work

Future Work

Goal: Less unsafe pointers and tracked locations

(for better performance and coverage)

  • Array-bounds Check Elimination

    • 98% of dereferences are array accesses

  • Escape Analysis

    • currently all pointers to stack objects are unsafe

  • Flow-Sensitive Analyses

    • better points-to analysis

    • dereferencing uninitialized pointer


Conclusion

Conclusion

  • We present a tool for detecting invalid pointer dereferences that

    • has low runtime overhead

    • does not report false positives

    • is portable, and does not require programmer changes to source code

    • protects against a wide range of vulnerabilities, including stack smashing and using freed memory


Protecting c programs from attacks via invalid pointer dereferences1

Protecting C Programsfrom Attacks viaInvalid Pointer Dereferences

– The End –

Suan Hsi Yong, Susan Horwitz

University of Wisconsin – Madison


Related work

Related Work

  • Dynamic Debugging Tools

    • Purify

    • Valgrind

    • Safe-C

  • Static techniques

    • LCLint

    • ESC

    • PREfix


  • Login