TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection
Kumar Avijit, Prateek Gupta and Deepak Gupta
Dept. of Computer Science and Engg., IIT Kanpur (INDIA)
13th USENIX Security Symposium
Outline
• The menace called "Buffer Overflow"
• Related work
• Libsafe: protecting the return address
• Our approach
  • TIED: the binary rewriter
  • LibsafePlus
• Performance
• Limitations
The menace called Buffer Overflow
Excerpted from www.us-cert.gov/current/services_ports.html
Overview of Related Work
• Kernel based: make data areas non-executable.
• Static analysis based.
• Run-time techniques:
  • StackShield / StackGuard / ProPolice
  • CRED: range checking at run-time.
  • Libsafe
Libsafe: Protecting the return address
• Dynamically loadable library; intercepts "unsafe" C library functions like strcpy, memcpy, ...
• Checks the size of the destination buffer before copying.
• Estimates a loose upper bound for stack buffers: up to the saved frame pointer of the enclosing frame.
Stack Buffer Size Determination by Libsafe
[Figure: stack layout for f calling strcpy, stack growing downward. From higher to lower addresses: saved %ebp and the return address from f; f's locals x, y, a, b and char s[8]; then strcpy's frame (saved %ebp, return address from strcpy) with %esp at the bottom. Libsafe estimates the extent of s as everything from s up to the saved frame pointer of f's frame.]

    void f(char *p)
    {
        int *a, *b;
        char s[8];
        int x, y;
        ...
        strcpy(s, p);   /* overflows s when p holds 8 or more characters */
        ...
    }
Libsafe (contd.)
• Protects the frame pointer and return address from being overwritten by a stack overflow.
• Does not prevent sensitive data below the buffer from being overwritten.
• Does not prevent overflows on global/dynamically allocated buffers.
Our Approach
• TIED: augments the executable to contain size information about global and automatic buffers.
• LibsafePlus: intercepts calls to unsafe C library functions and performs more accurate and extensive bounds checking.
Overall Approach
[Figure: executable prepared using the -g option -> TIED -> augmented executable; run with LibsafePlus.so preloaded. Aborts if a buffer overflow is detected, normal execution otherwise.]
TIED: The binary rewriter
• Extracts type information from a -g compiled executable.
• Determines location and size information about automatic and global character arrays.
• Organizes the information as tables and dumps it back into the binary as a loadable, read-only section.
The Type Information Data Structure
• Type info header: number of global variables and a pointer to the global variable table; number of functions and a pointer to the function table.
• Global variable table: one entry per global buffer, holding its starting address and size.
• Function table: one entry per function, holding its starting address, end address, number of variables and a pointer to its local variable table.
• Local variable table (one per function): one entry per automatic buffer, holding its offset from the frame pointer and its size.
Rewriting ELF Executables
• Constraint: the virtual addresses of existing code and data must not change.
• Solution: extend the executable towards lower virtual addresses by a multiple of the page size.
• Serialize, relocate, and dump the type information as a new loadable section in the gap created.
• Provide a pointer to the new section as a symbol in the dynamic symbol table.
ELF executable before and after rewriting
[Figure: section layout of the executable.]
Before rewriting: ELF header, program headers, .dynstr, .dynsym, .hash, .dynamic, section header table.
After rewriting: ELF header, program headers, then, in the newly created gap at lower virtual addresses, the data structure containing type information, .dynsym (new), .dynstr (new) and .hash (new); the original sections stay at their old addresses as .olddynstr, .olddynsym and .oldhash, followed by .dynamic and the section header table.
• .dynstr is modified to hold the name of the symbolic pointer.
• .hash is modified to hold the hash value of the symbol added to .dynsym.
Range checking by LibsafePlus
• Intercept unsafe C library functions: strcpy, memcpy, gets, ...
• Determine the size of the destination buffer.
• Determine the size of the source string.
• If the destination buffer is large enough, perform the operation using the actual C library function.
• Terminate the program otherwise.
Determining sizes for stack buffers
• Preliminary check: check whether the address is greater than the current stack pointer.
• Locate the encapsulating stack frame by traversing the saved frame pointers.
• Find out the function that defines the buffer.
• Search for the buffer in the local variable table of the function.
• Return the loose Libsafe bound if the buffer is not present in the local variable table.
Locating the function defining the buffer
[Figure: stack with g calling f and f calling strcpy(); buf lies above the saved %ebp and the return addresses. The strcpy() frame holds the return address into f; f's frame holds the return address into g.]
• Case 1: buf may be a local variable of function f.
• Case 2: buf may be an argument to the function g.
• Use the return address into f to locate the local variable table of f and search it for a matching entry.
• If no match is found, repeat the step using the return address into g.
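The stack lookup of the last three slides, as an added worked example in C that is not part of the presentation or of TIED/LibsafePlus. The function table and local variable tables follow the slide's type information data structure; the walk over saved frame pointers is simulated from a constructed array of (frame pointer, saved return address) pairs instead of being read from the live stack, and the functions f and g, their code ranges, offsets and stack addresses are all constructed for the example. When no table entry matches, the function falls back to Libsafe's loose bound (distance from the buffer up to the saved frame pointer of the enclosing frame), as the slide describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not TIED/LibsafePlus code. Table layouts mirror the slide's
 * type information data structure; field types, the simulated frame walk and
 * every address below are assumptions made for the demo. */

/* Local variable table entry: offset of the buffer from the frame pointer
 * (negative for locals, positive for stack-passed parameters) and its size. */
typedef struct { long fp_offset; size_t size; } local_var_t;

/* Function table entry: code range [start, end) and the function's locals. */
typedef struct {
    uintptr_t start, end;
    size_t nvars;
    const local_var_t *vars;
} func_entry_t;

typedef struct { size_t nfuncs; const func_entry_t *funcs; } type_info_t;

/* One frame met while walking saved frame pointers: its frame pointer value
 * and the return address saved in it, which points into the *caller*. */
typedef struct { uintptr_t fp; uintptr_t ret_into_caller; } frame_t;

/* Constructed scenario: g() calls f(), f() calls strcpy(). */
static const local_var_t f_locals[] = { { -16, 8 }, { -40, 24 } }; /* char s[8]; char t[24]; */
static const local_var_t g_locals[] = { { -128, 100 } };           /* char big[100]; */
static const func_entry_t demo_funcs[] = {
    { 0x1000, 0x1100, 2, f_locals },   /* f */
    { 0x2000, 0x2100, 1, g_locals },   /* g */
};
const type_info_t demo_type_info = { 2, demo_funcs };

#define DEMO_SP 0x7000u                /* current %esp inside strcpy */
const frame_t demo_frames[] = {
    { 0x7010, 0x1050 },   /* strcpy's frame: return address into f */
    { 0x7100, 0x2040 },   /* f's frame:      return address into g */
    { 0x7200, 0x3000 },   /* g's frame:      return address into main (no table entry) */
};
#define DEMO_NFRAMES (sizeof demo_frames / sizeof demo_frames[0])

/* Find the function table entry whose code range contains pc. */
static const func_entry_t *find_function(const type_info_t *ti, uintptr_t pc) {
    for (size_t i = 0; i < ti->nfuncs; i++)
        if (pc >= ti->funcs[i].start && pc < ti->funcs[i].end) return &ti->funcs[i];
    return NULL;
}

/* Size of the stack buffer at buf; 0 when buf is not on the stack at all.
 * *precise is 1 when the size came from a local variable table and 0 when only
 * Libsafe's loose bound (up to the saved frame pointer) could be given. */
size_t stack_buffer_size(const type_info_t *ti, const frame_t *frames, size_t nframes,
                         uintptr_t sp, uintptr_t buf, int *precise) {
    *precise = 0;
    if (buf < sp) return 0;                        /* preliminary check: below %esp */
    size_t enclosing = 0;
    /* frames[0] is the intercepted libc function's own frame; walk outward. */
    for (size_t i = 1; i < nframes; i++) {
        /* The return address saved in the inner frame identifies the function
         * owning frames[i]; its table offsets are relative to frames[i].fp. */
        const func_entry_t *fn = find_function(ti, frames[i - 1].ret_into_caller);
        if (fn) {
            for (size_t v = 0; v < fn->nvars; v++) {
                uintptr_t var = (uintptr_t)((intptr_t)frames[i].fp + fn->vars[v].fp_offset);
                if (var == buf) { *precise = 1; return fn->vars[v].size; }
            }
        }
        /* Remember the first frame whose saved frame pointer lies above buf. */
        if (!enclosing && frames[i].fp > buf) enclosing = i;
    }
    /* No table match (e.g. no -g information): Libsafe's loose bound. */
    return enclosing ? frames[enclosing].fp - buf : 0;
}

int main(void) {
    int precise;
    uintptr_t probes[] = { 0x70F0, 0x7180, 0x70E0, 0x6FF0 };   /* s, big, unknown, below %esp */
    for (size_t i = 0; i < 4; i++) {
        size_t n = stack_buffer_size(&demo_type_info, demo_frames, DEMO_NFRAMES,
                                     DEMO_SP, probes[i], &precise);
        printf("buf 0x%lx: size %zu (%s)\n", (unsigned long)probes[i], n,
               precise ? "from table" : "loose bound / not on stack");
    }
    return 0;
}
```

The probe at 0x70E0 shows the fallback: it lies in f's frame but matches no table entry, so the result is the 32 bytes up to f's saved frame pointer, exactly what Libsafe alone would have returned for every stack buffer.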
Protecting heap variables
• LibsafePlus also provides protection for variables allocated by the malloc family of functions.
• Intercepts calls to the malloc family of functions.
• Records sizes and addresses of all dynamically allocated chunks in a red-black tree.
• This data structure is used to find the sizes of dynamically allocated buffers. Insertion, deletion and searching take O(log n).
Determining sizes for heap and global buffers
• Maintain the smallest starting address returned by the malloc family of functions.
• Preliminary check: check whether the buffer address is greater than this address.
• If yes, search the red-black tree to get the size.
• If the buffer is neither on the stack nor on the heap, search the global variable table of the type information data structure.
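The heap and global lookups of the last two slides together with the range check of the "Range checking by LibsafePlus" slide, as an added worked example in C that is not part of the presentation or of LibsafePlus. It records chunks from the malloc interceptor, applies the smallest-malloc-address preliminary check, resolves interior pointers to the remaining bytes of their chunk, and then decides whether an interposed strcpy may proceed. A sorted array stands in for the red-black tree (an assumption made for brevity; lookup stays O(log n), insertion is O(n)), the global variable table is a constructed one-entry array, and stack buffers are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not LibsafePlus code. The sorted array replacing the
 * red-black tree, the fixed-size table and the global table are assumptions. */

typedef struct { uintptr_t start; size_t size; } chunk_t;

#define MAX_CHUNKS 64
static chunk_t heap_chunks[MAX_CHUNKS];          /* live chunks, sorted by start */
static size_t n_chunks = 0;
static uintptr_t lowest_heap_addr = UINTPTR_MAX;  /* smallest address malloc ever returned */

/* Called by the malloc interceptor: record the chunk [p, p + size). */
void record_malloc(const void *p, size_t size) {
    uintptr_t a = (uintptr_t)p;
    if (n_chunks == MAX_CHUNKS) return;           /* demo table full */
    size_t i = n_chunks;
    while (i > 0 && heap_chunks[i - 1].start > a) { heap_chunks[i] = heap_chunks[i - 1]; i--; }
    heap_chunks[i].start = a; heap_chunks[i].size = size; n_chunks++;
    if (a < lowest_heap_addr) lowest_heap_addr = a;
}

/* Called by the free interceptor: forget the chunk starting at p. */
void record_free(const void *p) {
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < n_chunks; i++)
        if (heap_chunks[i].start == a) {
            memmove(&heap_chunks[i], &heap_chunks[i + 1], (n_chunks - i - 1) * sizeof *heap_chunks);
            n_chunks--;
            return;
        }
}

/* Bytes from addr to the end of the live chunk containing it; 0 if none. */
size_t heap_buffer_size(const void *addr) {
    uintptr_t a = (uintptr_t)addr;
    if (a < lowest_heap_addr) return 0;           /* preliminary check */
    size_t lo = 0, hi = n_chunks;                 /* binary search: last chunk with start <= a */
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (heap_chunks[mid].start <= a) lo = mid + 1; else hi = mid;
    }
    if (lo == 0) return 0;
    const chunk_t *c = &heap_chunks[lo - 1];
    return (a < c->start + c->size) ? c->start + c->size - a : 0;
}

/* Global variable table as TIED would emit it: (address, size) per global buffer. */
char demo_global_buf[12];                         /* constructed global buffer */
typedef struct { const void *start; size_t size; } global_var_t;
static const global_var_t global_table[] = { { demo_global_buf, sizeof demo_global_buf } };

size_t global_buffer_size(const void *addr) {
    uintptr_t a = (uintptr_t)addr;
    for (size_t i = 0; i < sizeof global_table / sizeof global_table[0]; i++) {
        uintptr_t s = (uintptr_t)global_table[i].start;
        if (a >= s && a < s + global_table[i].size) return s + global_table[i].size - a;
    }
    return 0;
}

/* Capacity of dst (heap first, then globals); 0 means unknown. */
size_t dest_capacity(const void *dst) {
    size_t n = heap_buffer_size(dst);
    return n ? n : global_buffer_size(dst);
}

/* The interposed strcpy's decision: copy via the real libc function when the
 * destination is large enough, otherwise refuse. LibsafePlus terminates the
 * program at this point; the demo returns 0 so the outcome can be checked. */
int checked_strcpy(char *dst, const char *src) {
    size_t cap = dest_capacity(dst);
    size_t need = strlen(src) + 1;
    if (cap != 0 && need > cap) return 0;         /* would overflow: abort */
    strcpy(dst, src);                             /* cap == 0: size unknown, pass through */
    return 1;
}

int main(void) {
    char *h = malloc(16);
    record_malloc(h, 16);
    printf("heap[16]      <- \"hello\":            %d\n", checked_strcpy(h, "hello"));
    printf("heap[16] + 4  <- 13 chars + NUL:      %d\n", checked_strcpy(h + 4, "twelve chars!"));
    printf("global[12]    <- \"this is too long\": %d\n", checked_strcpy(demo_global_buf, "this is too long"));
    record_free(h);
    free(h);
    return 0;
}
```

Note the interior-pointer case: strcpy into h + 4 is checked against the 12 bytes that remain in the chunk, not the chunk's full 16, which is what the red-black tree range search buys over a plain hash on the chunk start.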
Evaluation
• LibsafePlus was able to detect all 20 buffer overflow attempts in the test suite by Wilander & Kamkar.
• Libsafe was able to stop only 6 attacks.
Performance Evaluation
[Charts not reproduced; the slides covered:]
• Strcpy (global buffers)
• Strcpy (local buffers)
• Strcpy (heap buffers)
• Malloc/free overhead
• Application benchmarks
Limitations/Future Work
• Does not handle overflows due to erroneous pointer arithmetic.
• Imprecise bounds for automatic variable-sized arrays and alloca()'ed buffers.
• Applications that mmap() to fixed addresses may not work.
• Type information about buffers inside shared libraries is not available; this has been addressed in a later version.
Thank you!