Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison.

Published byJared Harmon Modified over 9 years ago

Similar presentations

Presentation on theme: "Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison."— Presentation transcript:

1 Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison

2 Invalid Pointer Dereferences Buffer overruns –via pointers or arrays Stale pointers (pointers to freed memory)  Undesirable because –incorrect results –crash / corrupt data –security risk a[i]  *(a+i)

3 Security Risk Gain control –stack smashing (return address on stack) –function pointers, setjmp buffers, GOT Gain unauthorized access –e.g. changing argument to fopen Corrupt data / Disrupt service

4 Stack Smashing char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); buf p return address

5 Our Approach, for C Dynamically detect invalid writes via pointers –halt execution when detected Efficient (low overhead) No false positives No source code modification needed

6 Outline Introduction Previous Approaches Description of Approach Experiments Conclusion

7 Previous Approaches StackGuard: protects return addresses only +efficient +automatic –does not protect other memory locations –platform dependent StackShield: similar, but also protects function pointers

8 Fat Pointers  Record information about what a pointer should point to CCured, Cyclone +detects all invalid accesses –less flexibility in memory management: requires garbage collection (or region-based model, for Cyclone) –doesn’t handle all of C (rejects some legal C programs) –requires programmer changes to source

9 associate information with pointer: address and size of referent buf p Fat Pointers buf 12  char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); return address

10 associates information with target rather than pointer buf p Our Approach char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’);                                   return address

11 char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); buf p                              Which Locations to Mark?   return address  naively: Mark All User-defined Locations

12 FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); buf p fp                              Which Locations to Mark?   Static Analysis, to permit marking fewer locations

13 Unsafe Pointers  a pointer p that may point to invalid memory: –p is assigned a non-pointer value, or –p is the result of pointer arithmetic, or –p may become stale only writes via unsafe pointers are checked at runtime –safe pointer dereferences are not checked –for efficiency, we don’t check reads a[i]  *(a+i)

14 FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Unsafe Pointers pointers: unsafe safe p fp

15 Tracked Locations  a location that an unsafe pointer may point to –mirror is marked ok ( ) when allocated, and forbidden (  ) when freed. untracked locations always forbidden (  ) –never pointed-to by unsafe pointer points-to analysis needed

16 FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Tracked Locations pointers: unsafe safe p fp p buf fp locations: untracked tracked p buf points-to graph: foo fp

17 FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Allocation pointers: unsafe safe p fp p buf fp locations: untracked tracked                                             

18 FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Allocation pointers: unsafe safe p fp p buf fp locations: untracked tracked                                              fp

19 FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Allocation pointers: unsafe safe p fp p buf fp locations: untracked tracked buf fp                                 

20 FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Allocation pointers: unsafe safe p fp p buf fp locations: untracked tracked buf p fp                                 

21 FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Checking Writes pointers: unsafe safe p fp p buf fp locations: untracked tracked buf p fp                                 

22 FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Checking Writes pointers: unsafe safe p fp p buf fp locations: untracked tracked buf p fp                                 

23 FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Checking Writes pointers: unsafe safe p fp p buf fp locations: untracked tracked buf p fp                                 

24 FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Checking Writes buf p fp                                   pointers: unsafe safe p fp p buf fp locations: untracked tracked

25 Tool Overview C source file instru- mented C source file instru- mented exec- utable instru- mented C library unsafe pointers tracked variables Static Analysis Instrumenter C Compiler

26 Implementation Details Flow-insensitive Points-to Analysis [Das00] –near-linear time, good precision C source-to-source instrumenter [Ckit] –ANSI C compliant, portable Uninstrumented library functions may cause false positives or false negatives –write wrappers to be more precise

27 Outline Introduction Previous Approaches Description of Approach Experiments Conclusion

28 Experiments Tool successfully detected two simulated attacks via known vulnerabilities –cfingerd: buffer overrun attack –traceroute: modifying Global Offset Table entry via multiple-free bug

29 Performance Runtime Overhead (average 1.97×) Cyclone OldenSpec 95Spec 2000

30 Performance Runtime Overhead (average 1.97×) increasing size (LOC)

31 Comparing with CCured/Cyclone

32 Analysis/Instrument/Compile Time Slowdown vs. Compile Time (average 5×) increasing size (LOC)

33 Future Work Goal: Less unsafe pointers and tracked locations (for better performance and coverage) Array-bounds Check Elimination –98% of dereferences are array accesses Escape Analysis –currently all pointers to stack objects are unsafe Flow-Sensitive Analyses –better points-to analysis –dereferencing uninitialized pointer

34 Future Work Goal: Less unsafe pointers and tracked locations (for better performance and coverage) Array-bounds Check Elimination –98% of dereferences are array accesses Escape Analysis –currently all pointers to stack objects are unsafe Flow-Sensitive Analyses –better points-to analysis –dereferencing uninitialized pointer

35 Conclusion We present a tool for detecting invalid pointer dereferences that +has low runtime overhead +does not report false positives +is portable, and does not require programmer changes to source code +protects against a wide range of vulnerabilities, including stack smashing and using freed memory

36 Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison – The End –

37 Related Work Dynamic Debugging Tools –Purify –Valgrind –Safe-C Static techniques –LCLint –ESC –PREfix

Download ppt "Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison."

Similar presentations

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Various languages….  Could affect performance  Could affect reliability  Could affect language choice.

Various languages….  Could affect performance  Could affect reliability  Could affect language choice.
Hastings Purify: Fast Detection of Memory Leaks and Access Errors.

Hastings Purify: Fast Detection of Memory Leaks and Access Errors.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.

A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security.
SAFECode SAFECode: Enforcing Alias Analysis for Weakly Typed Languages Dinakar Dhurjati University of Illinois at Urbana-Champaign Joint work with Sumant.

SAFECode SAFECode: Enforcing Alias Analysis for Weakly Typed Languages Dinakar Dhurjati University of Illinois at Urbana-Champaign Joint work with Sumant.
CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.

CSE 451: Operating Systems Section 1. Why are you here? 9/30/102.
Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.

Introduction The Approach ’ s Overview A Language of Pointers The Type System Operational Semantics Type Safety Type Inference The Rest of C Experiments.
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.

Securing software by enforcing data-flow integrity Manuel Costa Joint work with: Miguel Castro, Tim Harris Microsoft Research Cambridge University of Cambridge.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.

Type-Safe Programming in C George Necula EECS Department University of California, Berkeley.
Pointers and Memory Allocation – part 2 -L. Grewe.

Pointers and Memory Allocation – part 2 -L. Grewe.
Run-Time Storage Organization

Run-Time Storage Organization
May 9, 2001OSQ Retreat 1 Run-Time Type Checking for Pointers and Arrays in C Wes Weimer, George Necula Scott McPeak, S.P. Rahul, Raymond To.

May 9, 2001OSQ Retreat 1 Run-Time Type Checking for Pointers and Arrays in C Wes Weimer, George Necula Scott McPeak, S.P. Rahul, Raymond To.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
May 22, 2002OSQ Retreat 1 CCured: Taming C Pointers George Necula Scott McPeak Wes Weimer

May 22, 2002OSQ Retreat 1 CCured: Taming C Pointers George Necula Scott McPeak Wes Weimer
Checking Memory Safety with BLAST Dirk Beyer, et al. FASE 2005 KAIST CS750b 2006 Fall Seonggun Kim.

Checking Memory Safety with BLAST Dirk Beyer, et al. FASE 2005 KAIST CS750b 2006 Fall Seonggun Kim.

Similar presentations

Ads by Google