A Practical Dynamic Buffer Overflow Detector CRED - PowerPoint PPT Presentation

1 / 22
About This Presentation
Title:

A Practical Dynamic Buffer Overflow Detector CRED

Description:

Cannot generate, test, or deref any other out-of ... Focus of this work: Compatibility. Simplicity. correctness. thorough compatibility tests (1.2 M loc) ... – PowerPoint PPT presentation

Number of Views:132
Avg rating:3.0/5.0
Slides: 23
Provided by: Monic
Category:

less

Transcript and Presenter's Notes

Title: A Practical Dynamic Buffer Overflow Detector CRED


1
A Practical Dynamic Buffer Overflow Detector
(CRED)
  • Olatunji Ruwase Monica S. Lam
  • Transmeta Corp. Stanford University

Network and Distributed Security Symposium. Feb
2004.
2
Buffer Overruns
  • 50 of the 60 most severe vulnerabilities (posted
    on CERT/CC)
  • Over 60 of CERT/CC advisories in 2003
  • Slammer, CodeRed, Blastercaused billions of
    dollars worth of damages
  • 800K at Stanford for Blaster alone

3
Unsafe C Programs
  • Legacy software cannot be rewritten
  • Sound static analysis
  • Finds all errors many false positives
  • Unsound static analysis
  • Finds less false positives, but not all errors
  • Must still insert dynamic tests, since
    bounds-checking is undecidable at compile time

4
Dynamic Overrun Checkers
  • Cannot catch all buffer overruns
  • Stackguard
  • Insert canary word
  • Can bypass by skipping canary word
  • Break existing code
  • Change pointer representation
  • Inefficient

5
Dynamic Bounds-Checking
  • Insert bounds checking automatically
  • Use static analysis to reduce overhead
  • Catching all errors ? 100 coverage
  • Effective optimization ? 10 coverage

6
State-of-the-art Checker
  • Referent objects Jones and Kelly
  • Objects and object table (splay tree)
  • In-bounds address? start, end of object
  • Given in-bounds pointer p to object o, derived
    pointer q must also point to o

derives
p
q
7
Implementation
  • GNU C compiler patch
  • DLL of bounds checking functions for object table
    lookups and updates
  • DLL also includes bounds checking versions of C
    standard library functions
  • Instrumentation in GCC front end of non-copy
    pointer operations, object allocations and
    de-allocations
  • Splay tree improves object table lookups

8
Out-of-bounds Pointers
  • Ansi C and C
  • Common idiom
  • int A10
  • for (p A p
  • Can generate, test, but not deref one byte past
    buffer
  • Cannot generate, test, or deref any other
    out-of-bounds addresses

9
Jones and Kellys Solution
  • Pad all allocated objects by 1 byte
  • Pointers past one byte are replaced by -2
  • Subsequent non-copy use of -2 pointer flagged
    as error

10
Experiment 20 programs, 1.2 Mloc
11
Programs Not Ansi-C Compliant
q
p
12
Our solution to out-of-bounds (OOB) pointers
  • Unique OOB object created for every OOB pointer
  • Referent object and OOB value of pointer stored
    in OOB object
  • OOB pointer points to its own OOB object
  • OOB object table (hashtable)

13
Our solution to out-of-bound (OOB) pointers
q
p
  • Use OOB addr for computations and tests, but not
    dereference
  • OOB objects deleted as referent objects are
    deleted (no leaks)

14
Out-of-bounds pointers Uninstrumented
execution
  • 1 char p, q, r, s
  • 2
  • 3 p malloc(4)
  • 4 q p 1
  • 5 s p 5
  • 6 r s 3

referent object
p malloc(4)
q p 1
s p 5
r s 3
stack
15
Instrumentation with Jones and Kelly Checker
  • 1 char p, q, r, s
  • 2
  • 3 p malloc(4)
  • 4 q p 1
  • 5 s p 5
  • 6 r s 3

referent object
p malloc(4)
q p 1
s p 5
r s 3
s (-2)
stack
16
Instrumentation with CRED
  • 1 char p, q, r, s
  • 2
  • 3 p malloc(4)
  • 4 q p 1
  • 5 s p 5
  • 6 r s 3

p malloc(4)
stack
q p 1
s p 5
referent object
r s 3
OOB object
17
Optimization
  • Buffer overflow attacks caused by user supplied
    string data
  • Restrict bounds checking to only strings
  • Objects of all types maintained in object table
    to handle casts
  • Common downcasts to char pointers when copying
    data
  • Experimental results indicate effective
    protection and improved performance

18
Results
  • C Range Error Detector (CRED), built on Jones and
    Kellys implementation
  • Compatibility
  • Evaluation of full checking instrumentation
  • Rigorous evaluation using app test suites
  • Passed all the 1.2 M loc tests
  • Overflow bugs found in ssl, coreutils and bison
    test suites

19
Protection
  • Against attacks on
  • Gawk, gzip, hypermail, monkey, pgp4pine,
    polymorph, WsMp3
  • Against Wilander Kamkars 20 tests
  • ProPolice passed 50
  • StackGuard, StackShield, Libsafe and Libverify
    are worse

20
Performance
21
Conclusions
  • Focus of this work Compatibility
  • Simplicity ? correctness ? thorough
    compatibility tests (1.2 M loc)
  • Buffer overruns in C programs can be detected
    dynamically
  • Can apply static analysis to reduce overhead

22
CRED is Open Source
  • Merged into publicly available GNU C bounds
    checking patch maintained by Herman ten Brugge
  • http//web.inter.nl.net/hcc/Haj.Ten.Brugge/
  • http//sourceforge.net/projects/boundschecking/
Write a Comment
User Comments (0)
About PowerShow.com