270 likes | 385 Vues
TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection. Kumar Avijit, Prateek Gupta and Deepak Gupta Dept. of Computer Science and Engg. IIT Kanpur (INDIA). Outline. The menace called “Buffer Overflow” Related work Libsafe – Protecting the return address Our Approach
E N D
TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection Kumar Avijit, Prateek Gupta and Deepak Gupta Dept. of Computer Science and Engg. IIT Kanpur (INDIA)
Outline • The menace called “Buffer Overflow” • Related work • Libsafe – Protecting the return address • Our Approach • TIED – The binary rewriter • LibsafePlus • Performance • Limitations 13th USENIX Security Symposium
The menace called Buffer Overflow 13th USENIX Security Symposium Excerpted from www.us-cert.gov/current/services_ports.html
Overview of Related Work • Kernel Based – make data areas non-executable. • Static analysis based. • Run-time techniques: • Stackshield/StackGuard/ProPolice • CRED – range checking at run-time. • Libsafe 13th USENIX Security Symposium
Libsafe: Protecting the return address • Dynamically loadable library -intercepts “unsafe” C library functions like strcpy, memcpy, … • Checks the size of destination buffer before copying. • Estimates a loose upper bound for stack buffers – upto the saved frame pointer of the enclosing frame. 13th USENIX Security Symposium
Stack Buffer Size Determination by Libsafe %esp Stack growth stack frame for strcpy f (char *p) { int *a, *b; char s[8]; . int x,y; … strcpy(s, p); …} Saved %ebp Ret. address from strcpy to p x, y char s[8] stack frame for f a, b Extent of s as estimated byLibsafe Saved %ebp Return address from f 13th USENIX Security Symposium
Libsafe (contd.) • Protects frame pointer and return address from being overwritten by a stack overflow. • Does not prevent sensitive data below the buffer from being overwritten. • Does not prevent overflows on global/dynamically allocated buffers. 13th USENIX Security Symposium
Our Approach • TIED : Augments the executable to contain size information about global and automatic buffers. • LibsafePlus: Intercepts calls to unsafe C library functions and performs more accurate and extensive bounds checking. 13th USENIX Security Symposium
Overall Approach Executable Prepared using -g option Augmented executable TIED Preload LibsafePlus.so Run Normal execution otherwise Aborts if buffer overflow 13th USENIX Security Symposium
TIED : The binary rewriter • Extracts type information from -g compiled executable. • Determines location and size information about automatic and global character arrays. • Organizes the information as tables and dumps it back in the binary as a loadable, read-only section. 13th USENIX Security Symposium
Type info header pointer Global Variable Table Size Starting address No. of global variables Ptr. to global var. table No. of functions Local Variable Table Ptr. To function table Offset from frame pointer. Size Function Table Starting address End address No. of vars. Ptr. to var. table Local Variable Table Offset from frame pointer. Size The Type Information Data Structure
Rewriting ELF Executables • Constraint: The virtual addresses of existing code and data should not change. • Solution: Extend the executable towards lower virtual addresses by a multiple of page size. • Serialize, relocate, and dump type information as a new loadable section in the gap created. • Provide a pointer to the new section as a symbol in the dynamic symbol table. 13th USENIX Security Symposium
ELF executable beforeand after rewriting ELF Header Program headers .dynsym ( new ) • .dynstr is modified • to hold the name of • the symbolic pointer. • .hash is modified • to hold the hash • value of the symbol • added to .dynsym. .dynstr ( new ) ELF Header .hash ( new ) Program headers Data structure containing type information .hash .oldhash .dynsym .olddynsym .dynstr .olddynstr .dynamic .dynamic Section header table Section header table Before rewriting After rewriting 13th USENIX Security Symposium
Range checking by LibsafePlus • Intercept unsafe C library functions. • strcpy, memcpy, gets … • Determine the size of destination buffer. • Determine the size of source string. • If destination buffer is large enough, perform the operation using actual C library function. • Terminate the program otherwise. 13th USENIX Security Symposium
Determining sizes for stack buffers • Preliminary Check: Check if address is greater than the current stack pointer. • Locate the encapsulating stack frame by traversing the saved frame pointers. • Find out the function that defines the buffer. • Search for the buffer in the local variable table of the function. • Return the loose Libsafe bound if buffer is not present in the local variable table. 13th USENIX Security Symposium
Locating function defining the buffer Case 1: buf may be local variable of function f. or Case 2: buf may be an argument to the function g. Use return address into f to locate the local variable table of f, search it for a matching entry. If no match is found, repeat the step using return address into g. strcpy strcpy() Return address into g Return address into g g Return address into f Return address into f buf f Saved %ebp Return address from f
Protecting heap variables • LibsafePlus also provides protection for variables allocated by malloc family of functions. • Intercepts calls to malloc family of functions. • Records sizes and addresses of all dynamically allocated chunks in a red-black tree. • This data structure is used to find sizes of dynamically allocated buffers. • Insertion, deletion and searching in O(log(n)). 13th USENIX Security Symposium
Determining sizes for heap and global buffers • Maintain the smallest starting address returned by malloc family of functions. • Preliminary Check: Check if the buffer address is greater than this address. • If yes, search in the red-black tree to get the size. • If buffer is neither on stack, nor on heap, search in the global variable table of the type information data structure. 13th USENIX Security Symposium
Evaluation • LibsafePlus was able to detect all 20 buffer overflow attempts in testsuite by Wilander & Kamkar. • Libsafe was able to stop only 6 attacks. 13th USENIX Security Symposium
Performance Evaluation 13th USENIX Security Symposium
Strcpy (global buffers) 13th USENIX Security Symposium
Strcpy (local buffers) 13th USENIX Security Symposium
Strcpy (heap buffers) 13th USENIX Security Symposium
Malloc/ Free Overhead 13th USENIX Security Symposium
Application benchmarks 13th USENIX Security Symposium
Limitations/Future Work • Does not handle overflows due to erroneous pointer arithmetic. • Imprecise bounds for automatic variable sized arrays and alloca()’ed buffers. • Applications that mmap() to fixed addresses may not work. • Type information about buffers inside shared libraries is not available – this has been addressed in a later version. 13th USENIX Security Symposium
Thank you ! 13th USENIX Security Symposium