1 / 27

TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection

TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection. Kumar Avijit, Prateek Gupta and Deepak Gupta Dept. of Computer Science and Engg. IIT Kanpur (INDIA). Outline. The menace called “Buffer Overflow” Related work Libsafe – Protecting the return address Our Approach

trey
Télécharger la présentation

TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection Kumar Avijit, Prateek Gupta and Deepak Gupta Dept. of Computer Science and Engg. IIT Kanpur (INDIA)

  2. Outline • The menace called “Buffer Overflow” • Related work • Libsafe – Protecting the return address • Our Approach • TIED – The binary rewriter • LibsafePlus • Performance • Limitations 13th USENIX Security Symposium

  3. The menace called Buffer Overflow 13th USENIX Security Symposium Excerpted from www.us-cert.gov/current/services_ports.html

  4. Overview of Related Work • Kernel Based – make data areas non-executable. • Static analysis based. • Run-time techniques: • Stackshield/StackGuard/ProPolice • CRED – range checking at run-time. • Libsafe 13th USENIX Security Symposium

  5. Libsafe: Protecting the return address • Dynamically loadable library -intercepts “unsafe” C library functions like strcpy, memcpy, … • Checks the size of destination buffer before copying. • Estimates a loose upper bound for stack buffers – upto the saved frame pointer of the enclosing frame. 13th USENIX Security Symposium

  6. Stack Buffer Size Determination by Libsafe %esp Stack growth stack frame for strcpy f (char *p) { int *a, *b; char s[8]; . int x,y; … strcpy(s, p); …} Saved %ebp Ret. address from strcpy to p x, y char s[8] stack frame for f a, b Extent of s as estimated byLibsafe Saved %ebp Return address from f 13th USENIX Security Symposium

  7. Libsafe (contd.) • Protects frame pointer and return address from being overwritten by a stack overflow. • Does not prevent sensitive data below the buffer from being overwritten. • Does not prevent overflows on global/dynamically allocated buffers. 13th USENIX Security Symposium

  8. Our Approach • TIED : Augments the executable to contain size information about global and automatic buffers. • LibsafePlus: Intercepts calls to unsafe C library functions and performs more accurate and extensive bounds checking. 13th USENIX Security Symposium

  9. Overall Approach Executable Prepared using -g option Augmented executable TIED Preload LibsafePlus.so Run Normal execution otherwise Aborts if buffer overflow 13th USENIX Security Symposium

  10. TIED : The binary rewriter • Extracts type information from -g compiled executable. • Determines location and size information about automatic and global character arrays. • Organizes the information as tables and dumps it back in the binary as a loadable, read-only section. 13th USENIX Security Symposium

  11. Type info header pointer Global Variable Table Size Starting address No. of global variables Ptr. to global var. table No. of functions Local Variable Table Ptr. To function table Offset from frame pointer. Size Function Table Starting address End address No. of vars. Ptr. to var. table Local Variable Table Offset from frame pointer. Size The Type Information Data Structure

  12. Rewriting ELF Executables • Constraint: The virtual addresses of existing code and data should not change. • Solution: Extend the executable towards lower virtual addresses by a multiple of page size. • Serialize, relocate, and dump type information as a new loadable section in the gap created. • Provide a pointer to the new section as a symbol in the dynamic symbol table. 13th USENIX Security Symposium

  13. ELF executable beforeand after rewriting ELF Header Program headers .dynsym ( new ) • .dynstr is modified • to hold the name of • the symbolic pointer. • .hash is modified • to hold the hash • value of the symbol • added to .dynsym. .dynstr ( new ) ELF Header .hash ( new ) Program headers Data structure containing type information .hash .oldhash .dynsym .olddynsym .dynstr .olddynstr .dynamic .dynamic Section header table Section header table Before rewriting After rewriting 13th USENIX Security Symposium

  14. Range checking by LibsafePlus • Intercept unsafe C library functions. • strcpy, memcpy, gets … • Determine the size of destination buffer. • Determine the size of source string. • If destination buffer is large enough, perform the operation using actual C library function. • Terminate the program otherwise. 13th USENIX Security Symposium

  15. Determining sizes for stack buffers • Preliminary Check: Check if address is greater than the current stack pointer. • Locate the encapsulating stack frame by traversing the saved frame pointers. • Find out the function that defines the buffer. • Search for the buffer in the local variable table of the function. • Return the loose Libsafe bound if buffer is not present in the local variable table. 13th USENIX Security Symposium

  16. Locating function defining the buffer Case 1: buf may be local variable of function f. or Case 2: buf may be an argument to the function g. Use return address into f to locate the local variable table of f, search it for a matching entry. If no match is found, repeat the step using return address into g. strcpy strcpy() Return address into g Return address into g g Return address into f Return address into f buf f Saved %ebp Return address from f

  17. Protecting heap variables • LibsafePlus also provides protection for variables allocated by malloc family of functions. • Intercepts calls to malloc family of functions. • Records sizes and addresses of all dynamically allocated chunks in a red-black tree. • This data structure is used to find sizes of dynamically allocated buffers. • Insertion, deletion and searching in O(log(n)). 13th USENIX Security Symposium

  18. Determining sizes for heap and global buffers • Maintain the smallest starting address returned by malloc family of functions. • Preliminary Check: Check if the buffer address is greater than this address. • If yes, search in the red-black tree to get the size. • If buffer is neither on stack, nor on heap, search in the global variable table of the type information data structure. 13th USENIX Security Symposium

  19. Evaluation • LibsafePlus was able to detect all 20 buffer overflow attempts in testsuite by Wilander & Kamkar. • Libsafe was able to stop only 6 attacks. 13th USENIX Security Symposium

  20. Performance Evaluation 13th USENIX Security Symposium

  21. Strcpy (global buffers) 13th USENIX Security Symposium

  22. Strcpy (local buffers) 13th USENIX Security Symposium

  23. Strcpy (heap buffers) 13th USENIX Security Symposium

  24. Malloc/ Free Overhead 13th USENIX Security Symposium

  25. Application benchmarks 13th USENIX Security Symposium

  26. Limitations/Future Work • Does not handle overflows due to erroneous pointer arithmetic. • Imprecise bounds for automatic variable sized arrays and alloca()’ed buffers. • Applications that mmap() to fixed addresses may not work. • Type information about buffers inside shared libraries is not available – this has been addressed in a later version. 13th USENIX Security Symposium

  27. Thank you ! 13th USENIX Security Symposium

More Related