A Practical Dynamic Buffer Overflow Detector (CRED). Olatunji Ruwase (Transmeta Corp.), Monica S. Lam (Stanford University). Network and Distributed Security Symposium, Feb 2004.




Page 1:

A Practical Dynamic Buffer Overflow Detector (CRED)

Olatunji Ruwase (Transmeta Corp.), Monica S. Lam (Stanford University)

Network and Distributed Security Symposium, Feb 2004.

Page 2:

Buffer Overruns

50% of the 60 most severe vulnerabilities (posted on CERT/CC)

Over 60% of CERT/CC advisories in 2003

Slammer, CodeRed and Blaster caused billions of dollars worth of damages; over $800K at Stanford for Blaster alone

Page 3:

Unsafe C Programs

Legacy software cannot be rewritten

Sound static analysis: finds all errors, but with many false positives

Unsound static analysis: fewer false positives, but does not find all errors

Must still insert dynamic tests, since bounds-checking is undecidable at compile time

Page 4:

Dynamic Overrun Checkers

Cannot catch all buffer overruns: StackGuard inserts a canary word, which can be bypassed by skipping the canary word

Break existing code: change the pointer representation

Inefficient

Page 5:

Dynamic Bounds-Checking

Insert bounds checking automatically

Use static analysis to reduce overhead: catching all errors requires 100% coverage; effective optimization, 10% coverage

Page 6:

State-of-the-art Checker

Referent objects [Jones and Kelly]

[Figure: pointer p derives pointer q]

Objects and object table (splay tree)

Lookup: in-bounds address maps to the start and end of its object

Given an in-bounds pointer p to object o, a derived pointer q must also point to o

Page 7:

Implementation

GNU C compiler patch

DLL of bounds checking functions for object table lookups and updates

DLL also includes bounds checking versions of C standard library functions

Instrumentation in GCC front end of non-copy pointer operations, object allocations and de-allocations

Splay tree improves object table lookups

Page 8:

Out-of-bounds Pointers

ANSI C and C++

Common idiom:

    int A[10];
    for (p = A; p < A + 10; p++) { ... }

Can generate and test, but not dereference, a pointer one byte past the buffer

Cannot generate, test, or dereference any other out-of-bounds address

Page 9:

Jones and Kelly’s Solution

Pad all allocated objects by 1 byte

Pointers past one byte are replaced by “-2”

Subsequent non-copy use of “-2” pointer flagged as error

Page 10:

Experiment: 20 programs, 1.2 Mloc

Pass         Kloc    Fail         Kloc
ccrypt        4.4    apache       73.6
gzip          5.8    binutils    596.5
monkey        2.5    bison        25.1
polymorph     0.4    coreutils    69.5
tar          18.2    enscript     22.1
WsMp3         3.4    gawk         36.4
wu-ftpd      18.3    gnupg        71.2
zlib          8.3    grep         20.8
                     hypermail    27.6
                     openssh      43.4
                     openssl     162.7
                     pgp4pine      3.3
Total        61.3                1152.2

Page 11:

Programs Not ANSI-C Compliant

[Figure: pointers p, q and p']

Page 12:

Our solution to out-of-bounds (OOB) pointers

Unique OOB object created for every OOB pointer

Referent object and OOB value of pointer stored in OOB object

OOB pointer points to its own OOB object

OOB object table (hashtable)

Page 13:

Our solution to out-of-bounds (OOB) pointers

[Figure: pointers p, q and p'; q points to its OOB object]

Use the OOB address for computations and tests, but not for dereferences

OOB objects are deleted as their referent objects are deleted (no leaks)

Page 14:

Out-of-bounds pointers: uninstrumented execution

{
    char *p, *q, *r, *s;

    p = malloc(4);
    q = p + 1;
    s = p + 5;
    r = s - 3;
    ...
}

[Figure: addresses of p, q, r, s on the stack relative to the referent object: in-bounds bytes, padding, out-of-bounds region]

Page 15:

Instrumentation with Jones and Kelly Checker

{
    char *p, *q, *r, *s;

    p = malloc(4);
    q = p + 1;
    s = p + 5;
    r = s - 3;
    ...
}

[Figure: same layout as the previous slide, but s = (-2)]

Page 16:

Instrumentation with CRED

{
    char *p, *q, *r, *s;

    p = malloc(4);
    q = p + 1;
    s = p + 5;
    r = s - 3;
    ...
}

[Figure: same layout as the previous slide; s points to an OOB object that stores its referent object and its OOB value]
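The difference between the two checkers on slides 14 to 16 (and the referent-object rule of slide 6), as an added example that is not the authors' or the patch's code: a miniature model in which the instrumented pointer operations are explicit calls. All names (Referent, TPtr, tp_add, jk_add, slide14_program) are the example's own; addresses are modelled as integers and no splay tree or OOB hashtable is built.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
/* Object-table entry: [base, base+size) is in bounds; the byte at base+size
 * is the 1-byte padding both checkers allow for the &A[N] idiom. */
typedef struct { uintptr_t base; size_t size; } Referent;

/* CRED-style tracked pointer: referent plus the (possibly OOB) address. CRED
 * keeps the OOB value in a separate OOB object the pointer points to; carrying
 * it beside the referent models the same information without the lookup. */
typedef struct { const Referent *ref; uintptr_t addr; } TPtr;

static int tp_in_bounds(TPtr t) {
    return t.addr >= t.ref->base && t.addr < t.ref->base + t.ref->size;
}
/* Arithmetic keeps the referent: an OOB result may exist and be compared,
 * it just cannot be dereferenced. */
static TPtr tp_add(TPtr t, ptrdiff_t n) {
    TPtr out = { t.ref, t.addr + (uintptr_t)n };
    return out;
}
static int tp_deref_ok(TPtr t) { return tp_in_bounds(t); }

/* Jones & Kelly: a result beyond the padding byte becomes the sentinel -2 and
 * the referent is lost, so later arithmetic cannot bring it back in bounds. */
#define JK_OOB ((uintptr_t)-2)
static uintptr_t jk_add(const Referent *r, uintptr_t addr, ptrdiff_t n) {
    if (addr == JK_OOB) return JK_OOB;
    uintptr_t res = addr + (uintptr_t)n;
    return (res >= r->base && res <= r->base + r->size) ? res : JK_OOB;
}
static int jk_deref_ok(const Referent *r, uintptr_t addr) {
    return addr != JK_OOB && addr >= r->base && addr < r->base + r->size;
}

/* The slide-14 program: p = malloc(4); s = p + 5; r = s - 3 (q = p + 1 is
 * trivially in bounds and omitted). Bitmask: bit 0 = CRED allows *r, bit 1 =
 * J&K allows *r, bit 2 = CRED allows *s. Expected 1: only CRED recovers r. */
int slide14_program(void) {
    char *buf = malloc(4);
    Referent o = { (uintptr_t)buf, 4 };
    TPtr p = { &o, o.base }, s = tp_add(p, 5), r = tp_add(s, -3);
    uintptr_t js = jk_add(&o, o.base, 5), jr = jk_add(&o, js, -3);
    int mask = 0;
    if (tp_deref_ok(r)) mask |= 1;
    if (jk_deref_ok(&o, jr)) mask |= 2;
    if (tp_deref_ok(s)) mask |= 4;
    free(buf);
    return mask;
}
```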

Page 17:

Optimization

Buffer overflow attacks are caused by user-supplied string data

Restrict bounds checking to strings only

Objects of all types are still maintained in the object table to handle casts

Downcasts to char pointers are common when copying data

Experimental results indicate effective protection and improved performance

Page 18:

Results

C Range Error Detector (CRED), built on Jones and Kelly's implementation

Compatibility: evaluation of full checking instrumentation; rigorous evaluation using application test suites; passed all the 1.2 Mloc tests

Overflow bugs found in the ssl, coreutils and bison test suites

Page 19:

Protection

Against attacks on gawk, gzip, hypermail, monkey, pgp4pine, polymorph, WsMp3

Against Wilander & Kamkar's 20 tests: ProPolice passed 50%; StackGuard, StackShield, Libsafe and Libverify are worse

Page 20:

Performance

[Figure: bar chart of normalized execution time (y-axis 0 to 14) per benchmark, two series: Full checking and Strings only. Benchmarks: apache, binutils, bison, ccrypt, coreutils, enscript, gawk, gnupg, grep, gzip, hypermail, monkey, pgp4pine, polymorph, ssh (scp), rsa2048 sign, rsa2048 verify, tar, WsMp3, wu-ftpd, zlib.]

Page 21:

Conclusions

Focus of this work: compatibility, simplicity, correctness (thorough compatibility tests, 1.2 Mloc)

Buffer overruns in C programs can be detected dynamically

Can apply static analysis to reduce overhead

Page 22:

CRED is Open Source

Merged into publicly available GNU C bounds checking patch maintained by Herman ten Brugge

http://web.inter.nl.net/hcc/Haj.Ten.Brugge/

http://sourceforge.net/projects/boundschecking/