Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.

Published byArnold Fox Modified over 9 years ago

Similar presentations

Presentation on theme: "A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security."— Presentation transcript:

1 A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security Symposium. Feb 2004.

2 Buffer Overruns  50% of the 60 most severe vulnerabilities (posted on CERT/CC)  Over 60 % of CERT/CC advisories in 2003  Slammer, CodeRed, Blaster caused billions of dollars worth of damages  > $800K at Stanford for Blaster alone

3 Unsafe C Programs  Legacy software cannot be rewritten  Sound static analysis  Finds all errors + many false positives  Unsound static analysis  Finds less false positives, but not all errors  Must still insert dynamic tests, since bounds-checking is undecidable at compile time

4 Dynamic Overrun Checkers  Cannot catch all buffer overruns  Stackguard  Insert canary word  Can bypass by skipping canary word  Break existing code  Change pointer representation  Inefficient

5 Dynamic Bounds-Checking  Insert bounds checking automatically  Use static analysis to reduce overhead  Catching all errors  100% coverage  Effective optimization  10% coverage

6 State-of-the-art Checker  Referent objects [Jones and Kelly] p q derives  Objects and object table (splay tree)  In-bounds address  start, end of object  Given in-bounds pointer p to object o, derived pointer q must also point to o

7 Implementation  GNU C compiler patch  DLL of bounds checking functions for object table lookups and updates  DLL also includes bounds checking versions of C standard library functions  Instrumentation in GCC front end of non- copy pointer operations, object allocations and de-allocations  Splay tree improves object table lookups

8 Out-of-bounds Pointers  Ansi C and C++  Common idiom int A[10]; for (p = &A; p < &A + 10; p++) {…}  Can generate, test, but not deref one byte past buffer  Cannot generate, test, or deref any other out-of-bounds addresses

9 Jones and Kelly’s Solution  Pad all allocated objects by 1 byte  Pointers past one byte are replaced by “-2”  Subsequent non-copy use of “-2” pointer flagged as error

10 Experiment: 20 programs, 1.2 Mloc Pass KlocFail Kloc ccrypt4.4apache73.6 gzip5.8binutils596.5 monkey2.5bison25.1 polymorph0.4coreutils69.5 tar18.2enscript22.1 WsMp33.4gawk36.4 wu-ftpd18.3gnupg71.2 zlib8.3grep20.8 hypermail27.6 openssh43.4 openssl162.7 pgp4pine3.3 Total61.31152.2

11 Programs Not Ansi-C Compliant p q p’

12 Our solution to out-of-bounds (OOB) pointers  Unique OOB object created for every OOB pointer  Referent object and OOB value of pointer stored in OOB object  OOB pointer points to its own OOB object  OOB object table (hashtable)

13 Our solution to out-of-bound (OOB) pointers p q p’  Use OOB addr for computations and tests, but not dereference  OOB objects deleted as referent objects are deleted (no leaks) OOB object

14 Out-of-bounds pointers Uninstrumented execution {{ 1: char *p, *q, *r, *s; 2: 3: p = malloc(4); 4:q = p + 1; 5: s = p + 5; 6: r = s – 3; ……………… } p q r s referent object in-bounds padding out-of-bounds Addresses stack p = malloc(4) ; q = p + 1 ; s = p + 5 ; r = s – 3 ;

15 Instrumentation with Jones and Kelly Checker {{ 1: char *p, *q, *r, *s; 2: 3: p = malloc(4); 4:q = p + 1; 5: s = p + 5; 6: r = s – 3; ……………… } p q r s referent object in-bounds padding out-of-bounds Addresses s = (-2) p = malloc(4) ; q = p + 1 ; s = p + 5 ; r = s – 3 ; stack

16 Instrumentation with CRED {{ 1: char *p, *q, *r, *s; 2: 3: p = malloc(4); 4:q = p + 1; 5: s = p + 5; 6: r = s – 3; ……………… } p q r s referent object in-bounds padding out-of-bounds Addresses stack p = malloc(4) ; q = p + 1 ; s = p + 5 ; r = s – 3 ; objvalue OOB object

17 Optimization  Buffer overflow attacks caused by user supplied string data  Restrict bounds checking to only strings  Objects of all types maintained in object table to handle casts  Common downcasts to char pointers when copying data  Experimental results indicate effective protection and improved performance

18 Results  C Range Error Detector (CRED), built on Jones and Kelly’s implementation  Compatibility  Evaluation of full checking instrumentation  Rigorous evaluation using app test suites  Passed all the 1.2 M loc tests  Overflow bugs found in ssl, coreutils and bison test suites

19 Protection  Against attacks on  Gawk, gzip, hypermail, monkey, pgp4pine, polymorph, WsMp3  Against Wilander & Kamkar’s 20 tests  ProPolice passed 50%  StackGuard, StackShield, Libsafe and Libverify are worse

20 Performance

21 Conclusions  Focus of this work: Compatibility  Simplicity  correctness  thorough compatibility tests (1.2 M loc)  Buffer overruns in C programs can be detected dynamically  Can apply static analysis to reduce overhead

22 CRED is Open Source  Merged into publicly available GNU C bounds checking patch maintained by Herman ten Brugge  http://web.inter.nl.net/hcc/Haj.Ten.Brugge/  http://sourceforge.net/projects/boundschecking/

Download ppt "A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security."

Similar presentations

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.

The Interface Definition Language for Fail-Safe C Kohei Suenaga, Yutaka Oiwa, Eijiro Sumii, Akinori Yonezawa University of Tokyko.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April.

Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April.
K. Salah1 Buffer Overflow The crown jewel of attacks.

K. Salah1 Buffer Overflow The crown jewel of attacks.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks - F. Qin, C. Wang, Z. Li, H. Kim, Y. Zhou, Y. Wu (UIUC,

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks - F. Qin, C. Wang, Z. Li, H. Kim, Y. Zhou, Y. Wu (UIUC,
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
Using DISE to Protect Return Addresses from Attack Marc L. Corliss, E Christopher Lewis, Amir Roth University of Pennsylvania.

Using DISE to Protect Return Addresses from Attack Marc L. Corliss, E Christopher Lewis, Amir Roth University of Pennsylvania.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science PLDI 2006 DieHard: Probabilistic Memory Safety for Unsafe Programming Languages Emery.
Quarantine: A Framework to Mitigate Memory Errors in JNI Applications Du Li , Witawas Srisa-an University of Nebraska-Lincoln.

Quarantine: A Framework to Mitigate Memory Errors in JNI Applications Du Li , Witawas Srisa-an University of Nebraska-Lincoln.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2012.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2012.
U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator: Automatically Correcting Memory Errors Gene Novark, Emery Berger.

U NIVERSITY OF M ASSACHUSETTS A MHERST Department of Computer Science 2006 Exterminator: Automatically Correcting Memory Errors Gene Novark, Emery Berger.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2013.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2013.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Similar presentations

Ads by Google