RADARBOR: Automatic Detection and Repair of Buffer Overflow Attacks

1
RADARBOR Automatic Detection and Repair of
Buffer Overflow Attacks

• Alexey Smirnov
• CSE684
• 5/11/06

2
Introduction

• Buffer overflows allow a remote attacker to
  hijack control of a computer.
• Detection methods have been developed in the
  past.
• Once compromised, the program is terminated.

3
Introduction

• Using the same attack causes a DoS.
• Repair
• DIRA, Smirnov and Chiueh
• Using Execution Transactions to Recover from
  Buffer Overflow Attacks, Keromytis et. al.
• Adapt
• Rx Treating Bugs as Allergies, Zhou et. al.
• A Dynamic Technique for Eliminating Buffer
  Overflow Vulnerabilities, Rinard et al.

4
Related Work DIRA

• A modified GCC.
• Instruments source code so that the program logs
  memory updates when it runs normally.
• The repair uses log to roll back the effects of
  attack packets and restart execution as if they
  were never received.
• Overhead 65.

5
Associative Array Implementation

• Brainstorm
• Instrument each array and pointer reference
• If two arrays are adjacent to each other, how to
  tell overflow from normal access?
• Need to add padding
• After detecting out-of-boundary, what to do?
• Reallocate, need to take care of aliases.

6
Detecting an Overflow

• RAD instrument function prolog/epilog. Uses
  return address repository.
• The repository is mprotected.
• Apply this technique to arrays.

7
Adapt

• Use signal handler to detect a page fault.
• Libsigsegv implements user-level signal handlers
• realloc() overflown array
• Fixing aliases???

8
Correlation

• Seclabs ARBOR/COVERS use memory correlation to
  build attack signature.
• Apply it to find other memory locations that
  reference the overflown array!
• Registers are saved when exception is triggered.
  They are on the stack!

9
Continue Execution

• Other projects used checkpointing functions
  setjmp/longjmp.
• After the user-level exception handler returns,
  it restores the registers and re-executes the
  faulting instruction!

10
Architecture

• RADARBORRADARBOR

11
Implementation Details

• GEM framework
• Local array declarations char buf10 replaced
  with char bufradarbor_malloc().
• Free buffers when function returns.
  radarbor_free().
• Install page fault handler when program begins.

12
Issues

• glibc pointer arithmetic
• eax src, esi - dest
• mov esi, ecx
• sub eax, ecx
• mov eax, edx
• movzbl (edx), eax
• mov al, (edx, ecx, 1)
• Use proxy functions

13
Issues

• At the source-code level linux kernel vsnprintf
• sprintf uses sizeINT_MAX parameter, that is
  write as many as you want.
• enddstsize-1
• Compare with end and return if too many bytes
  written.
• dst gets overflown and re-allocated, but end does
  not. Comparison fails.

14
Experiments

• drcatd remote cat daemon with sprintf()
  vulnerability in logit() function.
• Attack results in four page faults
• Slowdown 7x.

15
Conclusion and Future Work

• Take care of pointer arithmetic issues. Use
  dataflow analysis.
• Buddy allocator to reduce overhead.
• Evaluation
• ELinux RADARBOR-ed Linux distribution

16

• Questions?
• http//diratechnology.info