A Practical Dynamic Buffer Overflow Detector (CRED)
Olatunji Ruwase (Transmeta Corp.), Monica S. Lam (Stanford University)
Network and Distributed Security Symposium, Feb 2004.
Buffer Overruns
- 50% of the 60 most severe vulnerabilities (posted on CERT/CC)
- Over 60% of CERT/CC advisories in 2003
- Slammer, CodeRed and Blaster caused billions of dollars worth of damage; > $800K at Stanford for Blaster alone
Unsafe C Programs
- Legacy software cannot be rewritten
- Sound static analysis: finds all errors, plus many false positives
- Unsound static analysis: fewer false positives, but not all errors
- Must still insert dynamic tests, since bounds checking is undecidable at compile time
Dynamic Overrun Checkers
- Cannot catch all buffer overruns: StackGuard inserts a canary word, which can be bypassed by skipping the canary word
- Break existing code: change the pointer representation
- Inefficient
Dynamic Bounds-Checking
- Insert bounds checking automatically
- Use static analysis to reduce overhead:
  - Catching all errors: 100% coverage
  - Effective optimization: 10% coverage
State-of-the-art Checker
- Referent objects [Jones and Kelly]
- [Figure: pointer p derives pointer q]
- Objects and object table (splay tree)
- In-bounds address: start, end of object
- Given in-bounds pointer p to object o, derived pointer q must also point to o
Implementation
- GNU C compiler patch
- DLL of bounds checking functions for object table lookups and updates
- DLL also includes bounds checking versions of C standard library functions
- Instrumentation in the GCC front end of non-copy pointer operations, object allocations and de-allocations
- Splay tree improves object table lookups
Out-of-bounds Pointers
- ANSI C and C++
- Common idiom:

    int A[10], *p;
    for (p = A; p < A + 10; p++) { … }

- Can generate, test, but not dereference one byte past the buffer
- Cannot generate, test, or dereference any other out-of-bounds address
Jones and Kelly's Solution
- Pad all allocated objects by 1 byte
- Pointers past the one byte are replaced by "-2"
- Subsequent non-copy use of a "-2" pointer is flagged as an error
Experiment: 20 programs, 1.2 Mloc

Pass        Kloc    Fail        Kloc
ccrypt       4.4    apache       73.6
gzip         5.8    binutils    596.5
monkey       2.5    bison        25.1
polymorph    0.4    coreutils    69.5
tar         18.2    enscript     22.1
WsMp3        3.4    gawk         36.4
wu-ftpd     18.3    gnupg        71.2
zlib         8.3    grep         20.8
                    hypermail    27.6
                    openssh      43.4
                    openssl     162.7
                    pgp4pine      3.3
Total       61.3    Total      1152.2

Programs in the Fail column are not ANSI-C compliant.
Our solution to out-of-bounds (OOB) pointers
- [Figure: in-bounds pointer p, out-of-bounds pointer q, and the pointer p' that points to the OOB object]
- A unique OOB object is created for every OOB pointer
- The referent object and the OOB value of the pointer are stored in the OOB object
- The OOB pointer points to its own OOB object
- OOB object table (hashtable)
- OOB addresses can be used for computations and tests, but not dereferenced
- OOB objects are deleted as their referent objects are deleted (no leaks)
Out-of-bounds pointers: uninstrumented execution

    char *p, *q, *r, *s;

    p = malloc(4);
    q = p + 1;
    s = p + 5;
    r = s - 3;
    ………………

[Figure: pointers p, q, r, s on the stack and the addresses they hold in the referent object, labelled in-bounds, padding and out-of-bounds, after each of p = malloc(4); q = p + 1; s = p + 5; r = s - 3.]
Instrumentation with Jones and Kelly Checker

    char *p, *q, *r, *s;

    p = malloc(4);
    q = p + 1;
    s = p + 5;
    r = s - 3;
    ………………

[Figure: same stack and referent object (in-bounds, padding, out-of-bounds addresses); after s = p + 5 the checker has replaced s with (-2), so r = s - 3 is an error.]
Instrumentation with CRED

    char *p, *q, *r, *s;

    p = malloc(4);
    q = p + 1;
    s = p + 5;
    r = s - 3;
    ………………

[Figure: same stack and referent object; after s = p + 5, s points to an OOB object holding (obj, value), and r = s - 3 is computed from that value back into the in-bounds region.]
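The three slides above, as a constructed C simulation added here (example code, not the CRED GCC patch or its bounds-checking library): a small array stands in for the splay-tree object table, a second array for CRED's OOB hash table, and the arithmetic of `p = malloc(4); q = p + 1; s = p + 5; r = s - 3` is run through both the Jones and Kelly rule (pad by one byte, replace anything further out with -2) and the CRED rule (create an OOB object that records the referent and the out-of-bounds value, and let the pointer point at that object). The names `track_alloc`, `jk_add`, `cred_add`, `jk_can_deref`, `cred_can_deref`, `cred_free` and the `PTR_ERR` sentinel are assumptions of this example; the real checker instruments GCC's pointer operations rather than calling functions like these.

```c
/* Constructed simulation of referent-object bounds checking, Jones & Kelly (JK)
   style versus CRED style. Not the real checker: tables are flat arrays and
   every checked operation is an explicit function call. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX 16
#define JK_OOB  ((uintptr_t)-2)   /* JK's "-2" replacement for far out-of-bounds pointers */
#define PTR_ERR ((uintptr_t)0)    /* constructed sentinel: the checker rejects the operation */

typedef struct { uintptr_t start; size_t size; int live; } Obj;        /* referent object */
typedef struct { int referent; uintptr_t value; int live; } OobObj;     /* CRED OOB object */

static Obj objs[MAX];     /* object table (a splay tree in the real implementation) */
static OobObj oobs[MAX];  /* OOB object table (a hash table in CRED) */
static int nobjs, noobs;

/* Register an allocation; returns its index in the object table. */
int track_alloc(uintptr_t start, size_t size) {
    objs[nobjs] = (Obj){ start, size, 1 };
    return nobjs++;
}

/* Referent lookup. JK pads every object by one byte, so start+size counts as
   inside there; CRED needs no padding because it has OOB objects instead. */
static int find_referent(uintptr_t addr, int padded) {
    for (int i = 0; i < nobjs; i++)
        if (objs[i].live && addr >= objs[i].start &&
            addr < objs[i].start + objs[i].size + (padded ? 1 : 0))
            return i;
    return -1;
}

/* JK: a derived pointer must stay inside the (padded) referent of its source;
   any non-copy use of a -2 pointer is an error. */
uintptr_t jk_add(uintptr_t p, long off) {
    if (p == JK_OOB) return PTR_ERR;
    int ref = find_referent(p, 1);
    if (ref < 0) return PTR_ERR;
    uintptr_t q = p + off;
    return find_referent(q, 1) == ref ? q : JK_OOB;
}

/* CRED: an OOB pointer's value is the address of its own OOB object. */
static int find_oob(uintptr_t p) {
    for (int i = 0; i < noobs; i++)
        if (oobs[i].live && p == (uintptr_t)&oobs[i]) return i;
    return -1;
}

uintptr_t cred_add(uintptr_t p, long off) {
    int ref, oi = find_oob(p);
    uintptr_t real;
    if (oi >= 0) { ref = oobs[oi].referent; real = oobs[oi].value; } /* resolve OOB pointer */
    else         { ref = find_referent(p, 0); real = p; }
    if (ref < 0) return PTR_ERR;
    uintptr_t q = real + off;
    if (find_referent(q, 0) == ref) return q;   /* back in bounds: a plain address again */
    oobs[noobs] = (OobObj){ ref, q, 1 };        /* otherwise a fresh OOB object */
    return (uintptr_t)&oobs[noobs++];
}

/* Dereference checks: OOB pointers (and JK's -2, and JK's padding byte) may
   be computed with and compared, but never dereferenced. */
int cred_can_deref(uintptr_t p) { return find_oob(p) < 0 && find_referent(p, 0) >= 0; }
int jk_can_deref(uintptr_t p)   { return p != JK_OOB && find_referent(p, 0) >= 0; }

/* CRED deletes OOB objects together with their referent, so nothing leaks. */
void cred_free(int ref) {
    objs[ref].live = 0;
    for (int i = 0; i < noobs; i++)
        if (oobs[i].referent == ref) oobs[i].live = 0;
}

int main(void) {
    char *p = malloc(4);
    int ref = track_alloc((uintptr_t)p, 4);
    uintptr_t s_jk = jk_add((uintptr_t)p, 5), s_cred = cred_add((uintptr_t)p, 5);
    printf("JK:   s = %s, r = s - 3 -> %s\n", s_jk == JK_OOB ? "-2" : "addr",
           jk_add(s_jk, -3) == PTR_ERR ? "error" : "addr");
    printf("CRED: s = OOB object, r = s - 3 -> %s\n",
           cred_add(s_cred, -3) == (uintptr_t)p + 2 ? "p + 2 (in bounds)" : "?");
    cred_free(ref);
    free(p);
    return 0;
}
```

Running it shows the difference the slides draw: under the JK rule `s = p + 5` becomes -2 and `r = s - 3` is rejected, while under CRED `s` is a pointer to an OOB object and `r` resolves back to `p + 2`, a dereferenceable in-bounds address. The one-past-the-end pointer `p + 4` is in bounds for arithmetic in both schemes but fails both dereference checks, matching the ANSI C idiom slide.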
Optimization
- Buffer overflow attacks are caused by user-supplied string data
- Restrict bounds checking to strings only
- Objects of all types are still maintained in the object table to handle casts (common downcasts to char pointers when copying data)
- Experimental results indicate effective protection and improved performance
Results
- C Range Error Detector (CRED), built on Jones and Kelly's implementation
- Compatibility: evaluation of full checking instrumentation; rigorous evaluation using application test suites; passed all the 1.2 Mloc tests; overflow bugs found in the ssl, coreutils and bison test suites
- Protection: against attacks on gawk, gzip, hypermail, monkey, pgp4pine, polymorph, WsMp3; against Wilander & Kamkar's 20 tests (ProPolice passed 50%; StackGuard, StackShield, Libsafe and Libverify are worse)
Performance
[Figure: bar chart of normalized execution time (y axis 0 to 14) per benchmark, apache, binutils, bison, ccrypt, coreutils, enscript, gawk, gnupg, grep, gzip, hypermail, monkey, pgp4pine, polymorph, ssh (scp), rsa2048 sign, rsa2048 verify, tar, WsMp3, wu-ftpd, zlib; two series: Full checking and Strings only.]
Conclusions
- Focus of this work: compatibility, simplicity, correctness; thorough compatibility tests (1.2 Mloc)
- Buffer overruns in C programs can be detected dynamically
- Static analysis can be applied to reduce overhead
- CRED is open source: merged into the publicly available GNU C bounds checking patch maintained by Herman ten Brugge
  http://web.inter.nl.net/hcc/Haj.Ten.Brugge/
  http://sourceforge.net/projects/boundschecking/