A Practical Dynamic Buffer Overflow Detector (CRED)
Olatunji Ruwase, Monica S. Lam
Transmeta Corp., Stanford University
Network and Distributed Security Symposium, Feb 2004
Buffer Overruns
• 50% of the 60 most severe vulnerabilities (posted on CERT/CC)
• Over 60% of CERT/CC advisories in 2003
• Slammer, CodeRed, Blaster caused billions of dollars worth of damages
  • > $800K at Stanford for Blaster alone
Unsafe C Programs
• Legacy software cannot be rewritten
• Sound static analysis
  • Finds all errors + many false positives
• Unsound static analysis
  • Finds fewer false positives, but not all errors
• Must still insert dynamic tests, since bounds-checking is undecidable at compile time
Dynamic Overrun Checkers
• Cannot catch all buffer overruns
  • StackGuard
    • Insert canary word
    • Can bypass by skipping canary word
• Break existing code
  • Change pointer representation
• Inefficient
Dynamic Bounds-Checking
• Insert bounds checking automatically
• Use static analysis to reduce overhead
  • Catching all errors: 100% coverage
  • Effective optimization: 10% coverage
State-of-the-art Checker
• Referent objects [Jones and Kelly]
  • Objects and object table (splay tree)
  • In-bounds address: start, end of object
• Given in-bounds pointer p to object o, derived pointer q must also point to o
(figure: p derives q)
Implementation
• GNU C compiler patch
• DLL of bounds checking functions for object table lookups and updates
• DLL also includes bounds checking versions of C standard library functions
• Instrumentation in GCC front end of non-copy pointer operations, object allocations and de-allocations
• Splay tree improves object table lookups
Out-of-bounds Pointers
• ANSI C and C++
  • Common idiom:
    int A[10], *p;
    for (p = A; p < A + 10; p++) {…}
  • Can generate, test, but not deref one byte past buffer
  • Cannot generate, test, or deref any other out-of-bounds addresses
Jones and Kelly’s Solution
• Pad all allocated objects by 1 byte
• Pointers past one byte are replaced by “-2”
• Subsequent non-copy use of “-2” pointer flagged as error
Programs Not ANSI-C Compliant
(figure: pointers p, p’, q)
Our Solution to Out-of-bounds (OOB) Pointers
• Unique OOB object created for every OOB pointer
• Referent object and OOB value of pointer stored in OOB object
• OOB pointer points to its own OOB object
• OOB object table (hashtable)
• Use OOB address for computations and tests, but not dereference
• OOB objects deleted as referent objects are deleted (no leaks)
(figure: pointers p, p’, q; OOB object)
Out-of-bounds Pointers: Example
(figure legend: addresses shown as in-bounds, padding, out-of-bounds)

{
    char *p, *q, *r, *s;

    p = malloc(4);
    q = p + 1;
    s = p + 5;
    r = s - 3;
    ………………
}

• Uninstrumented execution (figure: stack holding p, q, s, r; referent object)
• Instrumentation with Jones and Kelly checker (figure: as above, with s = (-2))
• Instrumentation with CRED (figure: as above, with an OOB object for s = p + 5 and r = s - 3 pointing back into the referent object)
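The following is an added example, not code from the slides or from the CRED patch itself. It models the two bookkeeping schemes the slides contrast on the trace above (p = malloc(4); q = p + 1; s = p + 5; r = s - 3): the referent-object rule (a derived pointer must keep its referent), Jones and Kelly's "-2" replacement for pointers that leave the padded object, and CRED's OOB objects that remember the referent and the out-of-bounds value so that later arithmetic can re-enter the object. The table names, fixed-size arrays, a linear scan in place of the splay tree, and treating the one-past-the-end pointer as an OOB pointer are all assumptions of this example; it also exercises the ANSI C loop idiom from the earlier slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model (assumption): fixed tables and a linear scan stand in for
 * CRED's splay tree and hashtable; only the checking rules are what matters. */
#define MAX_ENTRIES 16
#define JK_OOB ((char *)(intptr_t)-2)   /* Jones & Kelly's out-of-bounds marker */

typedef struct { char *start; size_t size; } Referent;       /* object table entry */
typedef struct { Referent *ref; uintptr_t addr; } OobObject; /* CRED OOB object */
/* Checked pointer: an in-bounds address, or (addr == NULL) a handle to an OOB object. */
typedef struct { char *addr; OobObject *oob; } CPtr;

static Referent objs[MAX_ENTRIES]; static int nobjs;
static OobObject oobs[MAX_ENTRIES]; static int noobs;

/* Allocate an object and register it in the object table. */
static CPtr cred_malloc(size_t n) {
    Referent *r = &objs[nobjs++];
    r->start = malloc(n); r->size = n;
    CPtr p = { r->start, NULL };
    return p;
}

/* Object-table lookup: which referent contains address a? */
static Referent *referent_of(uintptr_t a) {
    for (int i = 0; i < nobjs; i++) {
        uintptr_t s = (uintptr_t)objs[i].start;
        if (a >= s && a < s + objs[i].size) return &objs[i];
    }
    return NULL;
}

/* Jones & Kelly: q = p + k must stay inside p's referent (plus one byte of
 * padding); otherwise q becomes -2, and any later arithmetic on -2 is an error. */
static char *jk_add(char *p, ptrdiff_t k, int *error) {
    if (p == JK_OOB) { *error = 1; return JK_OOB; }
    Referent *ref = referent_of((uintptr_t)p);
    if (!ref) { *error = 1; return JK_OOB; }
    uintptr_t t = (uintptr_t)p + (uintptr_t)k, s = (uintptr_t)ref->start;
    return (t >= s && t <= s + ref->size) ? (char *)t : JK_OOB;
}

/* Raw address of a checked pointer, usable for comparisons even when OOB. */
static uintptr_t cred_address(CPtr p) { return p.oob ? p.oob->addr : (uintptr_t)p.addr; }

/* CRED: q = p + k keeps p's referent. In-bounds results are plain pointers; any
 * other result gets its own OOB object, so a later "+ k" that re-enters the object
 * is accepted instead of being flagged. */
static CPtr cred_add(CPtr p, ptrdiff_t k) {
    Referent *ref = p.oob ? p.oob->ref : referent_of((uintptr_t)p.addr);
    uintptr_t t = cred_address(p) + (uintptr_t)k, s = (uintptr_t)ref->start;
    CPtr q = { NULL, NULL };
    if (t >= s && t < s + ref->size) { q.addr = (char *)t; return q; }
    OobObject *o = &oobs[noobs++];
    o->ref = ref; o->addr = t;
    q.oob = o;
    return q;
}

/* Only in-bounds pointers may be dereferenced; the one-past-the-end pointer is
 * modelled as OOB here (usable in tests and arithmetic, never dereferenced). */
static int cred_deref_ok(CPtr p) { return p.oob == NULL; }

/* The slides' trace under Jones & Kelly. Returns 1 when r = s - 3 is flagged,
 * although r is back inside the object (a false alarm on ANSI-C-compliant code). */
int jk_trace_flags_r(void) {
    int err = 0;
    char *p = cred_malloc(4).addr;
    char *q = jk_add(p, 1, &err);   /* in bounds */
    char *s = jk_add(p, 5, &err);   /* past the padding byte: becomes -2 */
    char *r = jk_add(s, -3, &err);  /* arithmetic on -2: flagged */
    (void)q; (void)r;
    return err;
}

/* Same trace under CRED: q and r dereferenceable, s not, and r == p + 2. */
int cred_trace_r_ok(void) {
    CPtr p = cred_malloc(4);
    CPtr q = cred_add(p, 1);
    CPtr s = cred_add(p, 5);        /* OOB object records (referent, p + 5) */
    CPtr r = cred_add(s, -3);       /* re-enters the referent: plain pointer again */
    return cred_deref_ok(q) && !cred_deref_ok(s) && cred_deref_ok(r)
        && r.addr == p.addr + 2;
}

/* The common ANSI C idiom: the end pointer is one past the object and is only
 * compared, never dereferenced. Returns the number of bytes visited (10). */
int cred_loop_idiom_count(void) {
    CPtr a = cred_malloc(10), end = cred_add(a, 10), p;
    int n = 0;
    for (p = a; cred_address(p) < cred_address(end); p = cred_add(p, 1)) {
        if (!cred_deref_ok(p)) return -1;
        *p.addr = (char)n;
        n++;
    }
    return n;
}

int main(void) {
    printf("Jones&Kelly flags r: %d\nCRED r usable: %d\nloop visits: %d\n",
           jk_trace_flags_r(), cred_trace_r_ok(), cred_loop_idiom_count());
    return 0;
}
```

The point of the model is the bound on the false positives: under the "-2" scheme the information about where s came from is lost the moment s leaves the object, so r = s - 3 can only be reported as an error, whereas the OOB object keeps the referent and the value, letting r be recognised as in-bounds while s itself still cannot be dereferenced.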
Optimization
• Buffer overflow attacks caused by user-supplied string data
• Restrict bounds checking to only strings
  • Objects of all types maintained in object table to handle casts
  • Common downcasts to char pointers when copying data
• Experimental results indicate effective protection and improved performance
Results
• C Range Error Detector (CRED), built on Jones and Kelly’s implementation
• Compatibility
  • Evaluation of full checking instrumentation
  • Rigorous evaluation using application test suites
  • Passed all the 1.2 M LOC tests
  • Overflow bugs found in ssl, coreutils and bison test suites
Protection
• Against attacks on
  • Gawk, gzip, hypermail, monkey, pgp4pine, polymorph, WsMp3
• Against Wilander & Kamkar’s 20 tests
  • ProPolice passed 50%
  • StackGuard, StackShield, Libsafe and Libverify are worse
Conclusions
• Focus of this work: Compatibility
  • Simplicity, correctness, thorough compatibility tests (1.2 M LOC)
• Buffer overruns in C programs can be detected dynamically
• Can apply static analysis to reduce overhead
CRED is Open Source
• Merged into publicly available GNU C bounds checking patch maintained by Herman ten Brugge
  • http://web.inter.nl.net/hcc/Haj.Ten.Brugge/
  • http://sourceforge.net/projects/boundschecking/