
A Binary Rewriting Defense Against Buffer Overflow Attacks

From USENIX 2003

Paper by Prasad & Chiueh

Presentation by Bryan Pass

Outline
  • Outline
  • Background
    • Buffer Overflow methods
  • Open Research Problems
  • Previous/Related Work
  • Binary Rewriting
    • Newness
    • Significance
    • Technique
  • Limitations
  • Results
    • Disassembly Accuracy
    • Performance Overhead
    • Executable Size Overhead
Two Methods of Overflow
  • Classic Return Address hacks
    • Overflow a buffer and change the return address
    • Causes execution to jump to code inside the buffer when the function returns
  • Overwriting other pointers
    • Overflow a pointer used in another (potentially safe) copy operation
    • Insert code at any location in the executable
    • Usually used to overwrite the Windows Global Offset Table
Open Research Problems
  • Overflow safe compiler extensions
    • Why aren’t these more widespread and widely used?
  • Education
    • How many of you were taught how to avoid buffer overflows?
  • Overflow protection in hardware
    • Separate stack for return addresses
    • Interference with benign code?
  • Fixing legacy code
    • Binary Rewriting
Previous/Related Work
  • “Canary” words
  • Languages & tools for compilers to use to identify potential overflows

Example: LCLint annotation of strcpy (Larochelle & Evans), stating that the destination must have room for everything read from the source:

    char *strcpy (char *s1, const char *s2)
        /*@requires maxSet(s1) >= maxRead(s2)@*/
        /*@ensures maxRead(s1) == maxRead(s2)
                   /\ result == s1@*/;

A New Approach: Binary Rewriting
  • Alter assembly code of programs to prevent Return Address vulnerabilities
  • Uses compiled programs rather than their source code
  • Since source code is not required, this can help ensure the security of legacy applications/utilities and binaries provided by outside programmers
Basic Method
  • Search a program’s assembly code for functions
  • Modify function prologs to store the proper return address in another area of memory (created by the binary rewriter) called the “return address stack”
  • Modify epilogs to use this “return address stack” to ensure they return to the proper address
Issues with Disassembly
  • As it turns out, finding functions in disassembly is no simple task
  • Data in code regions
    • Variable Instruction size on x86
  • Position independent code
  • Indirect branches
  • Functions without explicit CALLs
  • Hand written assembly
    • Cross function jumps
Disassembly Methods
  • Recursive Traversal
    • Does not do well with complex code, especially GUIs
  • Linear Sweep
    • Hard to identify code segments
    • Misidentified segments can cause a “chain reaction” breaking most of the disassembly results
  • Combined approach with “Compiler independent heuristics”
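The two slides above (Issues with Disassembly, Disassembly Methods) are easiest to see on a toy instruction set. The example below is added here and is not code from the paper or the presentation: the ISA, its encodings, and the program are constructed for this illustration. A few data bytes sit in the code region right after an unconditional jump; a linear sweep decodes them as an instruction, its variable length pulls the next decode off alignment, and the real ADD at offset 06 is never seen. Recursive traversal only decodes what it can reach from the entry point and so skips the data, but it can only do that because every branch target here is a direct, constant operand.

```python
"""Toy disassembler contrasting linear sweep with recursive traversal.

The instruction set, encoding and program below are constructed for this
example; they are not the x86 encoding or the paper's disassembler.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed toy ISA: opcode -> (mnemonic, total instruction length in bytes).
# Variable length is the point: a wrong start offset changes every later decode.
ISA = {
    0x01: ("MOV A,", 2),  # 8-bit immediate
    0x02: ("JMP", 2),     # 8-bit absolute target, unconditional
    0x03: ("JNZ", 2),     # 8-bit absolute target, also falls through
    0x04: ("RET", 1),
    0x05: ("ADD A,", 3),  # 16-bit little-endian immediate
    0x06: ("NOP", 1),
}


@dataclass(frozen=True)
class Insn:
    addr: int
    mnemonic: str
    operand: Optional[int]
    length: int


def decode(code: bytes, addr: int) -> Insn:
    """Decode one instruction at addr; unknown or truncated bytes become 'DB'."""
    op = code[addr]
    if op not in ISA or addr + ISA[op][1] > len(code):
        return Insn(addr, "DB", op, 1)
    mnem, length = ISA[op]
    operand = None
    if length == 2:
        operand = code[addr + 1]
    elif length == 3:
        operand = int.from_bytes(code[addr + 1:addr + 3], "little")
    return Insn(addr, mnem, operand, length)


def linear_sweep(code: bytes) -> List[Insn]:
    """Decode every byte in order, trusting that the region is all code."""
    out, pc = [], 0
    while pc < len(code):
        insn = decode(code, pc)
        out.append(insn)
        pc += insn.length
    return out


def recursive_traversal(code: bytes, entry: int = 0) -> List[Insn]:
    """Decode only what control flow starting at entry can reach."""
    seen: Dict[int, Insn] = {}
    work = [entry]
    while work:
        pc = work.pop()
        while 0 <= pc < len(code) and pc not in seen:
            insn = decode(code, pc)
            seen[pc] = insn
            if insn.mnemonic == "RET":
                break
            if insn.mnemonic == "JMP":
                pc = insn.operand          # the only successor; follow it
                continue
            if insn.mnemonic == "JNZ":
                work.append(insn.operand)  # branch target; also fall through
            pc += insn.length
    return [seen[a] for a in sorted(seen)]


# Constructed program: two data bytes sit in the code region right after an
# unconditional jump, the "data in code regions" case from the slide.
PROGRAM = bytes([
    0x01, 0x05,        # 00: MOV A, 5
    0x02, 0x06,        # 02: JMP 06
    0x05, 0x01,        # 04: data (a constant), never executed
    0x05, 0x01, 0x06,  # 06: ADD A, 0x0601
    0x03, 0x00,        # 09: JNZ 00
    0x04,              # 0B: RET
])


def listing(insns: List[Insn]) -> List[str]:
    """Render decoded instructions one per line."""
    return [f"{i.addr:02X}: {i.mnemonic} {i.operand:#x}" if i.operand is not None
            else f"{i.addr:02X}: {i.mnemonic}" for i in insns]


if __name__ == "__main__":
    print("linear sweep:")
    print("\n".join(listing(linear_sweep(PROGRAM))))
    print("recursive traversal:")
    print("\n".join(listing(recursive_traversal(PROGRAM))))
```

Running it shows the "chain reaction" in miniature: the sweep reports an ADD at 04 and a MOV at 07, neither of which exists, and only resynchronises at 09. The traversal is correct here but would stall on an indirect branch or on a function that is only ever reached without an explicit CALL, which is why the paper combines both with heuristics rather than relying on either alone.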
System Limitations
  • Intel Only
  • PE/Windows Only
  • Only protects return addresses
  • False negatives in function detection
  • False positives

    Fn1:            // no 'interesting' prologue
        :
        jne label
        :
        ret         // no 'interesting' epilogue

    Fn2:            // 'interesting' prologue
        :
    label:
        :
        ret         // 'interesting' epilogue

  • Hand-written assembly
  • Self modifying code
  • Small epilogs (int 3)
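The Basic Method slide and the false-positive case above can be modelled together. The example below is added here and is not the paper's or the presenter's code: the word-addressed machine, the frame layout and the return address 0x401000 are constructed, and the prologue() and epilogue() functions stand in for the instructions the rewriter inserts. A benign call returns normally; a copy one word too long overwrites the saved return address and the epilogue check catches the mismatch; and the Fn1/Fn2 cross-function jump runs an instrumented epilogue with no matching prologue, which is exactly how the false positive arises.

```python
"""Return-address-stack check on a toy word-addressed machine.

Everything here is constructed for the example: the machine, the frame
layout and the addresses are made up, and prologue()/epilogue() stand in
for the instructions a binary rewriter would insert.
"""
from typing import Dict, List


class ReturnAddressTampered(Exception):
    """Epilogue found a return address that differs from the saved copy."""


class RasUnderflow(Exception):
    """Epilogue ran with no matching prologue (the cross-function jump case)."""


class Machine:
    def __init__(self, words: int = 32):
        self.mem: List[int] = [0] * words  # program stack; grows toward lower indexes
        self.sp = words
        self.ras: List[int] = []           # return address stack kept by the rewriter

    def push(self, value: int) -> None:
        self.sp -= 1
        self.mem[self.sp] = value

    def pop(self) -> int:
        value = self.mem[self.sp]
        self.sp += 1
        return value


def call(m: Machine, return_addr: int) -> None:
    """What CALL does: push the return address on the program stack."""
    m.push(return_addr)


def prologue(m: Machine) -> None:
    """Rewriter-inserted prologue: copy the just-pushed return address to the RAS."""
    m.ras.append(m.mem[m.sp])


def epilogue(m: Machine) -> int:
    """Rewriter-inserted epilogue: the address RET will use must match the RAS copy."""
    if not m.ras:
        raise RasUnderflow("epilogue without a matching prologue")
    saved = m.ras.pop()
    actual = m.pop()
    if saved != actual:
        raise ReturnAddressTampered(f"stack has {actual:#x}, RAS has {saved:#x}")
    return actual


def run_vulnerable(m: Machine, return_addr: int, payload: List[int],
                   buf_words: int = 4) -> int:
    """A function with a fixed-size local buffer and an unchecked copy into it."""
    call(m, return_addr)
    prologue(m)
    m.sp -= buf_words                   # local buffer sits just below the return address
    for i, word in enumerate(payload):  # unchecked copy (strcpy-like); may overrun
        m.mem[m.sp + i] = word
    m.sp += buf_words                   # release locals
    return epilogue(m)                  # checked RET


def run_cross_jump(m: Machine, return_addr: int) -> int:
    """Fn1 has no recognised prologue and jumps into Fn2, whose epilogue is instrumented."""
    call(m, return_addr)   # Fn1 entered; the rewriter saw no 'interesting' prologue here
    return epilogue(m)     # Fn2's instrumented epilogue runs for Fn1's frame


def demo() -> Dict[str, object]:
    """Run the three scenarios and report what the epilogue check decided."""
    results: Dict[str, object] = {}
    results["benign"] = run_vulnerable(Machine(), 0x401000, [0x41] * 4)
    try:
        run_vulnerable(Machine(), 0x401000, [0x41] * 5)   # one word too many
        results["overflow"] = "missed"
    except ReturnAddressTampered:
        results["overflow"] = "detected"
    try:
        run_cross_jump(Machine(), 0x401000)
        results["cross_jump"] = "ok"
    except RasUnderflow:
        results["cross_jump"] = "false_positive"
    return results


if __name__ == "__main__":
    print(demo())
```

The check only ever compares the word RET is about to consume against the copy taken at entry, so it says nothing about other overwritten pointers (the slide's second overflow method) and it fires on any epilogue that was not preceded by its own prologue, whether because of a cross-function jump, hand-written assembly, or a prologue the disassembler failed to recognise.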
References
  • A Binary Rewriting Defense against Stack-based Buffer Overflow Attacks. Manish Prasad and Tzi-cker Chiueh. Proceedings of the General Track: 2003 USENIX Annual Technical Conference. June 9-14, 2003. http://www.usenix.org/publications/library/proceedings/usenix03/tech/prasad.html
  • Statically Detecting Buffer Overflow Vulnerabilities. Larochelle and Evans. http://lclint.cs.virginia.edu/usenix01.pdf
  • A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities. Wagner, Foster, Brewer, Aiken. http://www.cs.berkeley.edu/~daw/papers/overruns-ndss00.pdf