RADARBOR: Automatic Detection and Repair of Buffer Overflow Attacks - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
RADARBOR: Automatic Detection and Repair of
Buffer Overflow Attacks
  • Alexey Smirnov
  • CSE684
  • 5/11/06

2
Introduction
  • Buffer overflows allow a remote attacker to
    hijack control of a computer.
  • Detection methods have been developed in the
    past.
  • Once compromised, the program is terminated.

3
Introduction
  • Repeating the same attack therefore causes a DoS.
  • Repair:
    • DIRA, Smirnov and Chiueh
    • Using Execution Transactions to Recover from
      Buffer Overflow Attacks, Keromytis et al.
  • Adapt:
    • Rx: Treating Bugs as Allergies, Zhou et al.
    • A Dynamic Technique for Eliminating Buffer
      Overflow Vulnerabilities, Rinard et al.

4
Related Work: DIRA
  • A modified GCC.
  • Instruments the source code so that the program logs
    memory updates while it runs normally.
  • The repair uses the log to roll back the effects of
    the attack packets and restarts execution as if they
    had never been received.
  • Overhead: 65%.

5
Associative Array Implementation
  • Brainstorm:
  • Instrument each array and pointer reference.
  • If two arrays are adjacent to each other, how do we
    tell an overflow from a normal access?
  • Need to add padding.
  • After detecting an out-of-bounds access, what do we do?
  • Reallocate, but the aliases need to be taken care of.

6
Detecting an Overflow
  • RAD instruments the function prologue/epilogue and
    keeps a return address repository.
  • The repository is mprotect()ed.
  • Apply the same technique to arrays.

7
Adapt
  • Use a signal handler to detect the page fault.
  • libsigsegv implements user-level page fault handlers.
  • realloc() the overflown array.
  • Fixing aliases???

8
Correlation
  • Seclabs' ARBOR/COVERS use memory correlation to
    build attack signatures.
  • Apply it to find the other memory locations that
    reference the overflown array!
  • The registers are saved when the exception is
    triggered. They are on the stack!

9
Continue Execution
  • Other projects used checkpointing functions
    (setjmp/longjmp).
  • After the user-level exception handler returns, the
    signal return restores the (patched) registers and
    re-executes the faulting instruction!

10
Architecture
  • RADARBOR architecture diagram (not reproduced in the transcript)

11
Implementation Details
  • GEM framework.
  • Local array declarations such as char buf[10] are
    replaced with a heap buffer: char *buf = radarbor_malloc().
  • Buffers are freed when the function returns:
    radarbor_free().
  • The page fault handler is installed when the program
    begins.
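The resumption mechanism of slides 8, 9 and 11, as an added worked example: this is not RADARBOR's code and nothing in it comes from the presentation. It is written for Linux on x86-64 or AArch64, where the registers saved at the fault are reachable through the ucontext_t that an SA_SIGINFO handler receives. A one-page buffer is backed by an mprotect()ed guard page (standing in for radarbor_malloc()); an unchecked byte copy runs off its end, the SIGSEGV handler maps a buffer twice the size, copies the contents across, rewrites every saved general-purpose register that pointed into the old buffer (the correlation step of slide 8), and returns, at which point the faulting store is re-executed against the new buffer (slide 9). All function and variable names, the doubling growth policy and the three-page input are assumptions of this example.

```c
#define _GNU_SOURCE 1
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

static size_t g_page;          /* page size */
static char *volatile g_base;  /* current buffer; volatile so the copy loop reloads it */
static size_t g_size;          /* usable bytes, a whole number of pages */
static int g_faults;           /* relocations performed so far */

/* Stand-in for radarbor_malloc(): usable pages followed by one PROT_NONE guard page. */
static char *guarded_alloc(size_t pages) {
    size_t len = (pages + 1) * g_page;
    char *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    if (mprotect(p + pages * g_page, g_page, PROT_NONE) != 0) { munmap(p, len); return NULL; }
    return p;
}

/* Correlation step: every saved general-purpose register whose value lies in
 * [lo, hi) is shifted by delta so it points at the same offset in the new buffer. */
static void relocate_registers(ucontext_t *uc, uintptr_t lo, uintptr_t hi, uintptr_t delta) {
#if defined(__x86_64__)
    for (int r = 0; r < 16; r++) {   /* gregs[0..15]: R8..R15, RDI, RSI, RBP, RBX, RDX, RAX, RCX, RSP */
        uintptr_t v = (uintptr_t)uc->uc_mcontext.gregs[r];
        if (v >= lo && v < hi) uc->uc_mcontext.gregs[r] = (long long)(v + delta);
    }
#elif defined(__aarch64__)
    for (int r = 0; r < 31; r++) {   /* x0..x30 */
        uintptr_t v = (uintptr_t)uc->uc_mcontext.regs[r];
        if (v >= lo && v < hi) uc->uc_mcontext.regs[r] = v + delta;
    }
#else
#error "register relocation is written for Linux x86-64 and AArch64 only"
#endif
}

/* SIGSEGV handler: grow the buffer, patch the saved registers, return to re-execute. */
static void on_segv(int sig, siginfo_t *si, void *ctx) {
    uintptr_t fault = (uintptr_t)si->si_addr;
    uintptr_t lo = (uintptr_t)g_base, guard = lo + g_size, hi = guard + g_page;
    (void)sig;
    if (fault >= guard && fault < hi) {          /* did we hit our own guard page? */
        size_t new_pages = 2 * (g_size / g_page);
        char *nb = guarded_alloc(new_pages);     /* mmap/mprotect are async-signal-safe */
        if (nb != NULL) {
            memcpy(nb, (char *)lo, g_size);      /* keep what was already written */
            relocate_registers(ctx, lo, hi, (uintptr_t)nb - lo);
            munmap((void *)lo, g_size + g_page); /* a stale alias now faults instead of diverging */
            g_base = nb;
            g_size = new_pages * g_page;
            g_faults++;
            return;                              /* sigreturn re-executes the faulting store */
        }
    }
    signal(SIGSEGV, SIG_DFL);                    /* anything else: die on re-execution */
}

/* The unchecked consumer: writes n bytes into g_base with no bounds check. */
static void unchecked_copy(const char *src, size_t n) {
    for (size_t i = 0; i < n; i++) g_base[i] = src[i];
}

/* Overflows a one-page buffer with a constructed three-page input.
 * Returns the number of relocations (expected: 2), or -1 on failure. */
int radarbor_demo(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    g_page = (size_t)sysconf(_SC_PAGESIZE);
    g_faults = 0;
    g_size = g_page;
    g_base = guarded_alloc(1);
    if (g_base == NULL) return -1;
    size_t n = 3 * g_page;
    char *src = malloc(n);
    if (src == NULL) return -1;
    for (size_t i = 0; i < n; i++) src[i] = (char)('A' + i % 26);
    unchecked_copy(src, n);                      /* two guard-page faults, two relocations */
    int ok = g_size == 4 * g_page && memcmp(g_base, src, n) == 0;
    free(src);
    return ok ? g_faults : -1;
}

int main(void) {
    int faults = radarbor_demo();
    printf("relocations: %d, final buffer: %zu bytes\n", faults, g_size);
    return faults == 2 ? 0 : 1;
}
```

Compiled with gcc and run, it reports two relocations and a final buffer of four pages. The register rewrite is what makes resumption possible: sigreturn restores exactly the registers left in the ucontext, so a register still holding an old address would fault again at once. The scan only finds addresses that are materialised in a register, which is why the glibc pattern on the Issues slide (the destination existing only as src + (dest - src)) and a stale pointer kept in memory, such as vsnprintf's end, escape it; unmapping the old buffer at least turns such an alias into a crash rather than a silent divergence.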

12
Issues
  • glibc pointer arithmetic (eax = src, esi = dest):
      mov    %esi, %ecx          # ecx = dest
      sub    %eax, %ecx          # ecx = dest - src
      mov    %eax, %edx          # edx = src
      movzbl (%edx), %eax        # load one byte of src
      mov    %al, (%edx,%ecx,1)  # store to src + (dest - src), i.e. dest
  • No register ever holds the destination address: the
    faulting address is edx + ecx, so patching only the
    registers that point into the overflown buffer cannot
    redirect the store.
  • Workaround: use proxy functions in place of these
    libc routines.

13
Issues
  • At the source-code level: the Linux kernel's vsnprintf().
  • sprintf() calls it with size = INT_MAX, i.e. "write as
    many bytes as you want".
  • end = dst + size - 1
  • The output pointer is compared with end, and the function
    returns once too many bytes have been written.
  • dst gets overflown and re-allocated, but end does not:
    it still points into the old buffer, so the comparison
    fails.

14
Experiments
  • drcatd, a remote cat daemon with an sprintf()
    vulnerability in its logit() function.
  • The attack results in four page faults.
  • Slowdown: 7x.

15
Conclusion and Future Work
  • Take care of the pointer-arithmetic issues using
    dataflow analysis.
  • A buddy allocator to reduce overhead.
  • Evaluation.
  • ELinux: a RADARBOR-ed Linux distribution.

16
  • Questions?
  • http://diratechnology.info