A Practical Dynamic Buffer Overflow Detector (CRED)
Olatunji Ruwase (Transmeta Corp.) and Monica S. Lam (Stanford University)
Network and Distributed System Security Symposium (NDSS), February 2004
Buffer Overruns
- 50% of the 60 most severe vulnerabilities posted on CERT/CC
- Over 60% of CERT/CC advisories in 2003
- Slammer, CodeRed and Blaster caused billions of dollars worth of damage; Blaster alone cost more than $800K at Stanford
Unsafe C Programs
- Legacy software cannot be rewritten
- Sound static analysis finds all errors, but reports many false positives
- Unsound static analysis reports fewer false positives, but does not find all errors
- Dynamic tests must still be inserted, since bounds checking is undecidable at compile time
Dynamic Overrun Checkers
- Some cannot catch all buffer overruns: StackGuard inserts a canary word, which an attack can bypass by skipping over the canary
- Some break existing code by changing the pointer representation
- Some are inefficient
Dynamic Bounds Checking
- Insert bounds checks automatically
- Use static analysis to reduce the overhead
- Catching all errors: 100% coverage
- Effective optimization: 10% coverage
State-of-the-art Checker: Referent Objects [Jones and Kelly]
- Objects are recorded in an object table (a splay tree)
- An in-bounds address maps to the start and end of its object
- Given an in-bounds pointer p to object o, a pointer q derived from p must also point to o (figure: q derived from p)
Implementation
- GNU C compiler patch
- DLL of bounds-checking functions for object table lookups and updates
- The DLL also includes bounds-checking versions of the C standard library functions
- The GCC front end instruments non-copy pointer operations, object allocations and deallocations
- A splay tree speeds up object table lookups
Out-of-bounds Pointers
ANSI C and C++ permit the common idiom

    int A[10], *p;
    for (p = A; p < A + 10; p++) { ... }

- A pointer one past the end of the buffer may be generated and tested, but not dereferenced
- Any other out-of-bounds address may not be generated, tested or dereferenced
Jones and Kelly's Solution
- Pad every allocated object by 1 byte, so that the one-past-the-end pointer still lies inside the padded object
- Pointers that go beyond that byte are replaced by the value -2
- Any subsequent non-copy use of a -2 pointer is flagged as an error
Experiment: 20 programs, 1.2 Mloc

    Pass         Kloc    Fail         Kloc
    ccrypt        4.4    apache       73.6
    gzip          5.8    binutils    596.5
    monkey        2.5    bison        25.1
    polymorph     0.4    coreutils    69.5
    tar          18.2    enscript     22.1
    WsMp3         3.4    gawk         36.4
    wu-ftpd      18.3    gnupg        71.2
    zlib          8.3    grep         20.8
                         hypermail    27.6
                         openssh      43.4
                         openssl     162.7
                         pgp4pine      3.3
    Total        61.3    Total      1152.2

(Totals computed from the rows above: 1213.5 Kloc in all.)
Programs Not ANSI-C Compliant
(Figure: an in-bounds pointer p, an out-of-bounds pointer q derived from it, and a pointer p' derived from q that is back in bounds.) The failing programs compute and test out-of-bounds pointers such as q, and derive in-bounds pointers from them, even though they never dereference q.
Our Solution to Out-of-bounds (OOB) Pointers
- A unique OOB object is created for every OOB pointer
- The OOB object stores the pointer's referent object and its OOB value
- The OOB pointer itself points to its own OOB object
- OOB objects are kept in a separate OOB object table (a hashtable)
- An OOB address can be used for computations and tests, but not dereferenced
- OOB objects are deleted when their referent objects are deleted, so they do not leak
(Figure: p in bounds, q out of bounds and pointing to its OOB object, p' derived from q and back in bounds.)
Out-of-bounds Pointers: Worked Example
The same fragment is run three ways: uninstrumented, under the Jones and Kelly checker, and under CRED.

    char *p, *q, *r, *s;

    p = malloc(4);
    q = p + 1;
    s = p + 5;
    r = s - 3;
    ...

Uninstrumented execution: p's allocation is the referent object; q = p + 1 is in bounds; s = p + 5 is out of bounds (beyond the one byte of padding); r = s - 3 is back in bounds. The pointers are plain addresses on the stack, so nothing is detected.

Instrumentation with the Jones and Kelly checker: s = p + 5 is out of bounds, so s is replaced by the value -2; r = s - 3 is then flagged as an error, even though the address it would compute is in bounds.

Instrumentation with CRED: s = p + 5 creates an OOB object that records the referent object (p's allocation) and the value p + 5, and s points to that OOB object; r = s - 3 is computed from the stored value, lands in bounds, and is usable.
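The following is an added model of the two schemes above (Jones and Kelly's -2 sentinel versus CRED's OOB objects), written for this page and not taken from the CRED or GCC patch sources. It simplifies on purpose: the object table is a linear array rather than a splay tree, the OOB object table is a fixed array rather than a hashtable, only char pointers are modelled, and the names cred_malloc, cred_add, cred_value, cred_deref_ok and jk_add are this example's own. It runs the p/q/r/s fragment and also the one-past-the-end case from the loop idiom slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration of referent-object bounds checking; not the GCC patch's
 * code. Object table = linear array (the real checker uses a splay tree),
 * OOB table = fixed array (the real checker uses a hashtable). */

#define MAX_OBJS 32
#define JK_ILLEGAL ((char *)(intptr_t)-2)   /* Jones and Kelly's "-2" value */

typedef struct { char *base; size_t size; } Obj;        /* referent object */
typedef struct { Obj *referent; char *value; } OobObj;  /* CRED OOB object */

static Obj objs[MAX_OBJS];
static int nobjs;
static OobObj oobs[MAX_OBJS];
static int noobs;

/* In bounds for arithmetic and comparison: [base, base + size]. The byte at
 * base + size is the padding byte: it may be addressed but not read. */
static int in_range(const Obj *o, uintptr_t a) {
    return a >= (uintptr_t)o->base && a <= (uintptr_t)o->base + o->size;
}

/* Object table lookup by address. */
static Obj *find_referent(const char *addr) {
    for (int i = 0; i < nobjs; i++)
        if (in_range(&objs[i], (uintptr_t)addr)) return &objs[i];
    return NULL;
}

/* OOB table lookup: an OOB pointer's bit pattern is its OOB object's address. */
static OobObj *find_oob(const char *p) {
    for (int i = 0; i < noobs; i++)
        if ((const char *)&oobs[i] == p) return &oobs[i];
    return NULL;
}

/* Allocation with one byte of padding, so that p + size is a valid address. */
char *cred_malloc(size_t n) {
    char *p = malloc(n + 1);
    if (!p || nobjs == MAX_OBJS) abort();
    objs[nobjs].base = p;
    objs[nobjs].size = n;
    return objs[nobjs++].base;
}

/* Address a (possibly OOB) pointer stands for; this is what comparisons use. */
char *cred_value(char *p) {
    OobObj *ob = find_oob(p);
    return ob ? ob->value : p;
}

/* CRED pointer arithmetic: the result keeps its referent even when it leaves
 * the object, so a later subtraction can bring it back in bounds. */
char *cred_add(char *p, ptrdiff_t delta) {
    Obj *o = find_referent(p);
    OobObj *ob = o ? NULL : find_oob(p);
    if (!o && !ob) return JK_ILLEGAL;            /* untracked source pointer */
    if (ob) o = ob->referent;
    char *v = (char *)((uintptr_t)cred_value(p) + (uintptr_t)delta);
    if (in_range(o, (uintptr_t)v)) return v;     /* in bounds, or back in */
    if (noobs == MAX_OBJS) abort();
    oobs[noobs].referent = o;
    oobs[noobs].value = v;
    return (char *)&oobs[noobs++];               /* OOB pointer -> its OOB object */
}

/* Dereference check: width bytes at p must lie inside the referent, padding
 * byte excluded. An OOB pointer has no referent in the object table and fails. */
int cred_deref_ok(char *p, size_t width) {
    Obj *o = find_referent(p);
    return o != NULL && (uintptr_t)p + width <= (uintptr_t)o->base + o->size;
}

/* Jones and Kelly arithmetic: an OOB result collapses to JK_ILLEGAL, and any
 * further arithmetic on JK_ILLEGAL is an error (modelled as staying illegal). */
char *jk_add(char *p, ptrdiff_t delta) {
    Obj *o = (p == JK_ILLEGAL) ? NULL : find_referent(p);
    if (!o) return JK_ILLEGAL;
    char *v = (char *)((uintptr_t)p + (uintptr_t)delta);
    return in_range(o, (uintptr_t)v) ? v : JK_ILLEGAL;
}

/* The slide's fragment: p = malloc(4); q = p + 1; s = p + 5; r = s - 3.
 * Returns how many of the six expected outcomes were observed. */
int cred_demo(void) {
    char *p = cred_malloc(4);
    char *q = cred_add(p, 1);
    char *s = cred_add(p, 5);
    char *r = cred_add(s, -3);
    int ok = 0;
    ok += (q == p + 1);                               /* ordinary in-bounds pointer */
    ok += (s != p + 5 && cred_value(s) == p + 5);     /* OOB pointer, comparable as p + 5 */
    ok += (r == p + 2 && cred_deref_ok(r, 1));        /* CRED: r is usable again */
    ok += !cred_deref_ok(s, 1);                       /* CRED: dereferencing s is an error */
    ok += !cred_deref_ok(cred_add(p, 4), 1);          /* one past the end: addressable, not readable */
    ok += (jk_add(jk_add(p, 5), -3) == JK_ILLEGAL);   /* J&K: r is flagged, a false positive */
    return ok;
}

int main(void) {
    printf("checks passed: %d of 6\n", cred_demo());
    return 0;
}
```

The split between cred_add (which accepts base + size) and cred_deref_ok (which rejects it) is what lets the for-loop idiom compile and run while a read through the one-past pointer is still reported; the real checker additionally has to intercept copies and casts, which this model leaves out.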
Optimization
- Buffer overflow attacks are caused by user-supplied string data
- Restrict bounds checking to strings only
- Objects of all types are still maintained in the object table, to handle casts: data is commonly copied through downcasts to char pointers
- Experimental results indicate effective protection and improved performance
Results
- C Range Error Detector (CRED), built on Jones and Kelly's implementation
- Compatibility: the full checking instrumentation was evaluated rigorously with the applications' own test suites, and all 1.2 Mloc of programs passed their tests
- Overflow bugs found in the openssl, coreutils and bison test suites
Protection
- CRED stops attacks on gawk, gzip, hypermail, monkey, pgp4pine, polymorph and WsMp3
- CRED stops Wilander and Kamkar's 20 attack tests; ProPolice passed 50% of them, and StackGuard, StackShield, Libsafe and Libverify did worse
Performance
Conclusions
- Focus of this work: compatibility and simplicity, with correctness demonstrated by thorough compatibility tests (1.2 Mloc)
- Buffer overruns in C programs can be detected dynamically
- Static analysis can be applied to reduce the overhead
CRED is Open Source
- Merged into the publicly available GNU C bounds-checking patch maintained by Herman ten Brugge