A Practical Dynamic Buffer Overflow Detector (CRED)
DESCRIPTION
A Practical Dynamic Buffer Overflow Detector (CRED). Olatunji Ruwase (Transmeta Corp.) and Monica S. Lam (Stanford University). Network and Distributed System Security Symposium, Feb 2004. Buffer overruns: 50% of the 60 most severe vulnerabilities (posted on CERT/CC).
TRANSCRIPT
A Practical Dynamic Buffer Overflow Detector (CRED)
Olatunji Ruwase (Transmeta Corp.), Monica S. Lam (Stanford University)
Network and Distributed System Security Symposium, Feb 2004
Buffer Overruns
- 50% of the 60 most severe vulnerabilities (posted on CERT/CC)
- Over 60% of CERT/CC advisories in 2003
- Slammer, CodeRed, Blaster caused billions of dollars worth of damages; > $800K at Stanford for Blaster alone
Unsafe C Programs
- Legacy software cannot be rewritten
- Sound static analysis: finds all errors, plus many false positives
- Unsound static analysis: fewer false positives, but does not find all errors
- Must still insert dynamic tests, since bounds checking is undecidable at compile time
Dynamic Overrun Checkers
- Cannot catch all buffer overruns
  - StackGuard: inserts a canary word; can be bypassed by an overwrite that skips the canary word
- Break existing code
  - Change the pointer representation
- Inefficient
Dynamic Bounds-Checking
- Insert bounds checking automatically
- Use static analysis to reduce overhead
- Catching all errors: 100% coverage
- Effective optimization: 10% coverage
State-of-the-art Checker
- Referent objects [Jones and Kelly]
- Objects and object table (splay tree)
- In-bounds address: between the start and end of the object
- Given an in-bounds pointer p to object o, a derived pointer q must also point to o
[Figure: pointer q derived from pointer p within the same referent object]
Implementation
- GNU C compiler patch
- DLL of bounds checking functions for object table lookups and updates
- DLL also includes bounds checking versions of C standard library functions
- Instrumentation in the GCC front end of non-copy pointer operations, object allocations and de-allocations
- Splay tree improves object table lookups
Out-of-bounds Pointers
- ANSI C and C++ common idiom:
    int A[10], *p;
    for (p = A; p < A + 10; p++) { ... }
- Can generate, test, but not dereference the address one byte past the buffer
- Cannot generate, test, or dereference any other out-of-bounds addresses
Jones and Kelly's Solution
- Pad all allocated objects by 1 byte
- Pointers past that one byte are replaced by "-2"
- Any subsequent non-copy use of a "-2" pointer is flagged as an error
Experiment: 20 programs, 1.2 Mloc (Jones and Kelly checker)

Pass          Kloc   | Fail          Kloc
ccrypt         4.4   | apache        73.6
gzip           5.8   | binutils     596.5
monkey         2.5   | bison         25.1
polymorph      0.4   | coreutils     69.5
tar           18.2   | enscript      22.1
WsMp3          3.4   | gawk          36.4
wu-ftpd       18.3   | gnupg         71.2
zlib           8.3   | grep          20.8
                     | hypermail     27.6
                     | openssh       43.4
                     | openssl      162.7
                     | pgp4pine       3.3
Total         61.3   | Total       1152.2

Programs that fail are not ANSI-C compliant: they generate out-of-bounds pointers beyond the one-byte pad, which the Jones and Kelly checker rejects.
Our Solution to Out-of-Bounds (OOB) Pointers
- A unique OOB object is created for every OOB pointer
- The referent object and the OOB value of the pointer are stored in the OOB object
- The OOB pointer points to its own OOB object
- OOB objects are kept in an OOB object table (hashtable)
- The OOB address can be used in computations and tests, but not dereferenced
- OOB objects are deleted as their referent objects are deleted (no leaks)
[Figure: pointer p and in-bounds derived pointer q; out-of-bounds pointer p' points to an OOB object holding its referent object and OOB value]
Out-of-bounds Pointers: Example
{
    char *p, *q, *r, *s;

    p = malloc(4);
    q = p + 1;
    s = p + 5;
    r = s - 3;
    ...
}
The referent object of p has 4 in-bounds bytes, then 1 byte of padding, then out-of-bounds addresses.

Uninstrumented execution
- q = p + 1 is in bounds; s = p + 5 is out of bounds, one byte beyond the padding byte; r = s - 3 = p + 2 is in bounds again. Nothing is checked.
[Figure: stack with p, q, r, s pointing into the referent object's in-bounds, padding and out-of-bounds address ranges]

Instrumentation with the Jones and Kelly Checker
- s = p + 5 lies beyond the padding byte, so s is replaced by -2
- r = s - 3 is a non-copy use of the -2 pointer, so it is flagged as an error, even though p + 2 is a valid in-bounds address
[Figure: as above, with s = (-2)]

Instrumentation with CRED
- s = p + 5 gets an OOB object that records its referent object and its value p + 5; s points to that OOB object
- r = s - 3 is computed from the stored value and yields p + 2, which is in bounds; no error is flagged
[Figure: as above, with s pointing to an OOB object (obj, value)]
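The three slides above can be run as code. What follows is an added example written for this page, not code from CRED or from the GNU C bounds-checking patch: a toy referent-object checker that implements the Jones and Kelly "-2" rule and CRED's OOB objects side by side and drives both through the slide's p = malloc(4); q = p + 1; s = p + 5; r = s - 3 sequence, plus the ANSI one-past-the-end pointer. It assumes fixed arrays in place of the splay-tree object table and the OOB hashtable; checked_malloc, find_referent, find_oob, jk_derive, cred_derive and check_deref are this example's own names.

```c
/* Added example, not CRED's or the GCC bounds-checking patch's own code: a toy
 * referent-object checker modelling the Jones-and-Kelly rule and CRED's
 * out-of-bounds (OOB) objects over the slide's p/q/r/s sequence. Assumptions:
 * fixed arrays stand in for the splay-tree object table and the OOB hashtable,
 * and every name below is this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PAD 1                   /* Jones & Kelly: one padding byte per object */
#define JK_OOB ((char *)-2)     /* Jones & Kelly's "-2" out-of-bounds pointer */
/* Pointer arithmetic on the integer value: forming an OOB address is not UB here. */
#define ADDR(base, off) ((char *)((uintptr_t)(base) + (uintptr_t)(long)(off)))

typedef struct { char *start; size_t size; } object_t;  /* referent object */
typedef struct { object_t *ref; char *value; } oob_t;   /* CRED OOB object */
static object_t objects[16]; static int nobjects;       /* object table */
static oob_t oobs[16];         static int noobs;        /* OOB object table */
static int errors;              /* bounds errors flagged by the checker */

/* Checked allocation: register the object (plus padding) in the object table. */
static char *checked_malloc(size_t n) {
    char *p = malloc(n + PAD);
    objects[nobjects++] = (object_t){ p, n };
    return p;
}

/* Object table lookup: the referent whose bytes or padding byte hold address a. */
static object_t *find_referent(const char *a) {
    for (int i = 0; i < nobjects; i++)
        if (a >= objects[i].start && a <= objects[i].start + objects[i].size + PAD - 1)
            return &objects[i];
    return NULL;
}

/* OOB table lookup: is p one of the fake pointers CRED handed out? */
static oob_t *find_oob(const char *p) {
    for (int i = 0; i < noobs; i++)
        if (p == (const char *)&oobs[i]) return &oobs[i];
    return NULL;
}

/* Jones & Kelly: q = p + off must stay inside p's referent (padding included);
 * otherwise q becomes -2, and any later arithmetic on -2 is an error. */
static char *jk_derive(char *p, long off) {
    object_t *o = p == JK_OOB ? NULL : find_referent(p);
    if (!o) { errors++; return JK_OOB; }
    char *q = ADDR(p, off);
    return find_referent(q) == o ? q : JK_OOB;
}

/* CRED: same rule, but an address outside the referent gets its own OOB object
 * (referent + real value), and the pointer handed back is that object's address:
 * usable in arithmetic and tests, never dereferenced. Arithmetic on an OOB
 * pointer restarts from the stored value, so it can come back in bounds. */
static char *cred_derive(char *p, long off) {
    oob_t *ob = find_oob(p);
    object_t *o = ob ? ob->ref : find_referent(p);
    if (!o) { errors++; return NULL; }
    char *q = ADDR(ob ? ob->value : p, off);
    if (find_referent(q) == o) return q;        /* still (or again) in bounds */
    oobs[noobs] = (oob_t){ o, q };              /* unique OOB object for q */
    return (char *)&oobs[noobs++];
}

/* Dereference check: a real in-bounds byte only (not padding, -2 or an OOB object). */
static int check_deref(const char *p) {
    object_t *o = (p == JK_OOB || find_oob(p)) ? NULL : find_referent(p);
    if (!o || p == o->start + o->size) { errors++; return 0; }
    return 1;
}
static void reset(void) { errors = nobjects = noobs = 0; }

/* The slide's sequence under Jones & Kelly: r - p, or -1 if anything was flagged. */
static long run_jk(void) {
    reset();
    char *p = checked_malloc(4);
    jk_derive(p, 1);                /* q: in bounds */
    char *s = jk_derive(p, 5);      /* beyond the padding byte: becomes -2 */
    char *r = jk_derive(s, -3);     /* use of -2: flagged although p + 2 is valid */
    long result = errors ? -1 : r - p;
    free(p); return result;
}

/* Same sequence under CRED, plus the ANSI one-past pointer: r - p (2), or -1. */
static long run_cred(void) {
    reset();
    char *p = checked_malloc(4), *q = cred_derive(p, 1);
    char *s = cred_derive(p, 5);    /* OOB object records (p's referent, p + 5) */
    char *r = cred_derive(s, -3);   /* from the stored value: p + 2, in bounds */
    char *e = cred_derive(p, 4);    /* one past the end: the padding byte itself */
    int ok = q == p + 1 && e == p + 4 && !check_deref(e)   /* comparable, not derefable */
          && !check_deref(s) && check_deref(r);            /* OOB refused, r accepted */
    long result = ok ? r - p : -1;
    free(p); return result;
}

int main(void) {
    printf("Jones & Kelly: %ld (-1 = flagged), CRED r - p: %ld\n", run_jk(), run_cred());
    return 0;
}
```

run_jk returns -1 because the only information Jones and Kelly keep about s is "-2", so r = s - 3 cannot be recomputed and is reported as an error. run_cred returns 2 because the OOB object remembers both the referent and the real value p + 5, so r lands back inside the object, while s itself is still refused for dereference. The padding byte (e = p + 4) is handed back as a real address, which is exactly what the for-loop idiom needs for its p < A + 10 test.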
Optimization
- Buffer overflow attacks are caused by user-supplied string data
- Restrict bounds checking to only strings
- Objects of all types are maintained in the object table to handle casts (common downcasts to char pointers when copying data)
- Experimental results indicate effective protection and improved performance
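The Implementation slide mentions bounds-checking versions of the C standard library functions, and the optimization above targets the user-supplied strings those functions copy. The following is an added example written for this page, not the GCC bounds-checking patch's own library: a checked strcpy that consults a referent-object table for both operands, refusing a copy that would write past the destination object, reading past a source object that has no terminator, or operating on a pointer with no known referent. It assumes a fixed-array object table and a checked allocator of its own (the real patch also registers globals and string literals); checked_malloc, find_referent and checked_strcpy are this example's names, and the inputs are constructed.

```c
/* Added example, not the GCC bounds-checking patch's own library: a
 * bounds-checked strcpy of the kind the checker's DLL substitutes for the libc
 * version, consulting a referent-object table for both operands. Assumptions:
 * a fixed array stands in for the object table, the string objects come from a
 * checked allocator here (the real patch also registers globals and literals),
 * and every name is this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char *start; size_t size; } object_t;
static object_t objects[8]; static int nobjects;

/* Checked allocation: register the object in the object table. */
static char *checked_malloc(size_t n) {
    char *p = malloc(n);
    objects[nobjects++] = (object_t){ p, n };
    return p;
}

/* Object table lookup: which referent object holds address a? */
static object_t *find_referent(const char *a) {
    for (int i = 0; i < nobjects; i++)
        if (a >= objects[i].start && a < objects[i].start + objects[i].size)
            return &objects[i];
    return NULL;
}

/* Returns 1 and copies if the whole string including its NUL fits in dst's
 * referent. Returns 0 without writing when either pointer has no referent,
 * when src has no NUL inside its object (a read overrun), or when the copy
 * would run past the end of dst's object (a write overrun). */
static int checked_strcpy(char *dst, const char *src) {
    object_t *d = find_referent(dst), *s = find_referent(src);
    if (!d || !s) return 0;
    size_t src_room = (size_t)(s->start + s->size - src);
    size_t len = 0;
    while (len < src_room && src[len] != '\0') len++;   /* bounded strlen */
    if (len == src_room) return 0;                      /* unterminated source */
    size_t dst_room = (size_t)(d->start + d->size - dst);
    if (len + 1 > dst_room) return 0;                   /* would overrun dst */
    memcpy(dst, src, len + 1);
    return 1;
}

/* Constructed cases over a 16-byte destination; each returns 1 if the checked
 * copy behaved as required. */
static int case_fits(void) {          /* 15 chars + NUL: exactly fills dst */
    nobjects = 0;
    char *dst = checked_malloc(16), *src = checked_malloc(16);
    memcpy(src, "GET /index.html", 16);
    int ok = checked_strcpy(dst, src) && strcmp(dst, "GET /index.html") == 0;
    free(dst); free(src); return ok;
}
static int case_overflow(void) {      /* classic oversized input: refused, dst untouched */
    nobjects = 0;
    char *dst = checked_malloc(16), *src = checked_malloc(64);
    memset(src, 'A', 63); src[63] = '\0';
    dst[0] = 'x';
    int ok = !checked_strcpy(dst, src) && dst[0] == 'x';
    free(dst); free(src); return ok;
}
static int case_unterminated(void) {  /* no NUL anywhere in src's object: refused */
    nobjects = 0;
    char *dst = checked_malloc(16), *src = checked_malloc(8);
    memset(src, 'B', 8);
    int ok = !checked_strcpy(dst, src);
    free(dst); free(src); return ok;
}
static int case_offset(void) {        /* copying into dst + 12: only 4 bytes of room */
    nobjects = 0;
    char *dst = checked_malloc(16), *src = checked_malloc(8);
    memcpy(src, "abcd", 5);                              /* needs 5 bytes */
    int refused = !checked_strcpy(dst + 12, src);
    int fits = checked_strcpy(dst + 11, src) && strcmp(dst + 11, "abcd") == 0;
    free(dst); free(src); return refused && fits;
}

int main(void) {
    printf("fits %d overflow %d unterminated %d offset %d\n",
           case_fits(), case_overflow(), case_unterminated(), case_offset());
    return 0;
}
```

The point of case_offset is that the room is measured from the pointer's position inside its referent, not from the object's start: dst + 12 has four bytes left, so a five-byte copy is refused while the same copy at dst + 11 succeeds. The unterminated case is the read-side counterpart of a write overrun; a plain strcpy would walk off the end of src looking for a NUL.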
Results
- C Range Error Detector (CRED), built on Jones and Kelly's implementation
- Compatibility
  - Evaluation of the full checking instrumentation
  - Rigorous evaluation using application test suites
  - Passed all the 1.2 Mloc tests
  - Overflow bugs found in the ssl, coreutils and bison test suites
- Protection
  - Against attacks on gawk, gzip, hypermail, monkey, pgp4pine, polymorph, WsMp3
  - Against Wilander & Kamkar's 20 tests: ProPolice passed 50%; StackGuard, StackShield, Libsafe and Libverify are worse
Performance
[Figure: normalized execution time (scale 0 to 14) per benchmark, two series: full checking and strings only. Benchmarks: apache, binutils, bison, ccrypt, coreutils, enscript, gawk, gnupg, grep, gzip, hypermail, monkey, pgp4pine, polymorph, ssh (scp), rsa2048 sign, rsa2048 verify, tar, WsMp3, wu-ftpd, zlib]
Conclusions
- Focus of this work: compatibility, simplicity, correctness; thorough compatibility tests (1.2 Mloc)
- Buffer overruns in C programs can be detected dynamically
- Static analysis can be applied to reduce overhead
- CRED is open source: merged into the publicly available GNU C bounds checking patch maintained by Herman ten Brugge
  http://web.inter.nl.net/hcc/Haj.Ten.Brugge/
  http://sourceforge.net/projects/boundschecking/