1 / 22

A Practical Dynamic Buffer Overflow Detector (CRED)

A Practical Dynamic Buffer Overflow Detector (CRED). Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University. Network and Distributed Security Symposium. Feb 2004. Buffer Overruns. 50% of the 60 most severe vulnerabilities (posted on CERT/CC)

coy
Download Presentation

A Practical Dynamic Buffer Overflow Detector (CRED)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security Symposium. Feb 2004.

  2. Buffer Overruns • 50% of the 60 most severe vulnerabilities (posted on CERT/CC) • Over 60 % of CERT/CC advisories in 2003 • Slammer, CodeRed, Blastercaused billions of dollars worth of damages • > $800K at Stanford for Blaster alone

  3. Unsafe C Programs • Legacy software cannot be rewritten • Sound static analysis • Finds all errors + many false positives • Unsound static analysis • Finds less false positives, but not all errors • Must still insert dynamic tests, since bounds-checking is undecidable at compile time

  4. Dynamic Overrun Checkers • Cannot catch all buffer overruns • Stackguard • Insert canary word • Can bypass by skipping canary word • Break existing code • Change pointer representation • Inefficient

  5. Dynamic Bounds-Checking • Insert bounds checking automatically • Use static analysis to reduce overhead • Catching all errors  100% coverage • Effective optimization  10% coverage

  6. State-of-the-art Checker • Referent objects [Jones and Kelly] • Objects and object table (splay tree) • In-bounds address start, end of object • Given in-bounds pointer p to object o, derived pointer qmust also point to o derives p q

  7. Implementation • GNU C compiler patch • DLL of bounds checking functions for object table lookups and updates • DLL also includes bounds checking versions of C standard library functions • Instrumentation in GCC front end of non-copy pointer operations, object allocations and de-allocations • Splay tree improves object table lookups

  8. Out-of-bounds Pointers • Ansi C and C++ • Common idiom int A[10]; for (p = &A; p < &A + 10; p++) {…} • Can generate, test, but not deref one byte past buffer • Cannot generate, test, or deref any other out-of-bounds addresses

  9. Jones and Kelly’s Solution • Pad all allocated objects by 1 byte • Pointers past one byte are replaced by “-2” • Subsequent non-copy use of “-2” pointer flagged as error

  10. Experiment: 20 programs, 1.2 Mloc

  11. p’ Programs Not Ansi-C Compliant q p

  12. Our solution to out-of-bounds (OOB) pointers • Unique OOB object created for every OOB pointer • Referent object and OOB value of pointer stored in OOB object • OOB pointer points to its own OOB object • OOB object table (hashtable)

  13. p’ OOB object Our solution to out-of-bound (OOB) pointers • Use OOB addr for computations and tests, but not dereference • OOB objects deleted as referent objects are deleted (no leaks) q p

  14. Addresses in-bounds padding out-of-bounds Out-of-bounds pointers Uninstrumented execution • { 1: char *p, *q, *r, *s; 2: 3: p = malloc(4); 4: q = p + 1; 5: s = p + 5; 6: r = s – 3; ……………… } referent object p = malloc(4) ; q = p + 1 ; s = p + 5 ; r = s – 3 ; stack

  15. Addresses in-bounds padding out-of-bounds Instrumentation with Jones and Kelly Checker • { 1: char *p, *q, *r, *s; 2: 3: p = malloc(4); 4: q = p + 1; 5: s = p + 5; 6: r = s – 3; ……………… } referent object p = malloc(4) ; q = p + 1 ; s = p + 5 ; r = s – 3 ; s = (-2) stack

  16. Addresses in-bounds padding out-of-bounds Instrumentation with CRED • { 1: char *p, *q, *r, *s; 2: 3: p = malloc(4); 4: q = p + 1; 5: s = p + 5; 6: r = s – 3; ……………… } p = malloc(4) ; stack q = p + 1 ; s = p + 5 ; referent object r = s – 3 ; OOB object

  17. Optimization • Buffer overflow attacks caused by user supplied string data • Restrict bounds checking to only strings • Objects of all types maintained in object table to handle casts • Common downcasts to char pointers when copying data • Experimental results indicate effective protection and improved performance

  18. Results • C Range Error Detector (CRED), built on Jones and Kelly’s implementation • Compatibility • Evaluation of full checking instrumentation • Rigorous evaluation using app test suites • Passed all the 1.2 M loc tests • Overflow bugs found in ssl, coreutils and bison test suites

  19. Protection • Against attacks on • Gawk, gzip, hypermail, monkey, pgp4pine, polymorph, WsMp3 • Against Wilander & Kamkar’s 20 tests • ProPolice passed 50% • StackGuard, StackShield, Libsafe and Libverify are worse

  20. Performance

  21. Conclusions • Focus of this work: Compatibility • Simplicity  correctness  thorough compatibility tests (1.2 M loc) • Buffer overruns in C programs can be detected dynamically • Can apply static analysis to reduce overhead

  22. CRED is Open Source • Merged into publicly available GNU C bounds checking patch maintained by Herman ten Brugge • http://web.inter.nl.net/hcc/Haj.Ten.Brugge/ • http://sourceforge.net/projects/boundschecking/

More Related