BUFFER OVERFLOW VULNERABILITIES. Prudhviraj Karumanchi, Vijay Venugopalan, Vijaya Raghavan. CPSC 620 Presentation, 12/3/2009


Page 1

BUFFER OVERFLOW VULNERABILITIES

Prudhviraj Karumanchi, Vijay Venugopalan, Vijaya Raghavan

CPSC 620 Presentation, 12/3/2009

Page 2

CONTENTS
o Motivation
o Basic structure of process memory
o Buffer Overflow
o Canary Method
o Static Analysis: ARCHER, BOON, SPLINT, Polyspace C Verifier, UNO
o Conclusion

Page 3

MOTIVATION

Buffer overflows account for about 50% of the vulnerabilities reported by CERT.

According to National Vulnerability Database (NVD) CVE statistics, 563 buffer overruns were detected in 2008, and 431 buffer overruns out of 4,634 vulnerabilities were detected in 2009 through September.

Educate “future” software programmers.

Page 4

BUFFER?

Buffer: A temporary space in memory used to hold data.

Buffer Overflow: Happens when the data written into the buffer is larger than the size of the buffer, so that the excess overwrites adjacent memory locations.

Page 5

SAMPLE BUFFER OVERFLOW FUNCTION

#include <stdio.h>

void GetInput(void) {
    char buffer[8];   /* room for 7 characters plus the terminating NUL */
    gets(buffer);     /* no length limit: a longer line spills past buffer[7] */
    puts(buffer);
}

Dangerous function!!! (gets() cannot be told the buffer size; it was removed from the C standard in C11.)

Page 6

VIRTUAL ADDRESS SPACE: A LOOK AT THE STACK

[Figure: stack layout diagram; only the label “Local Variables” survives extraction]

Page 7

OVERWRITING THE “RETURN ADDRESS”

#include <stdio.h>

void notToExecute(void) { printf("This is not to be run\n"); }  /* no call site in the program reaches this */

void GetInput(void) {
    char buffer[8];
    gets(buffer);   /* unbounded read: more than 7 characters overruns buffer[] into the frame above it, where the saved return address lives */
    puts(buffer);
}

int main(void) { GetInput(); return 0; }

Page 8

[Figure slide; no text survives extraction]

Page 9

CANARY METHOD TO DETECT BUFFER OVERFLOWS

Stack canaries are used to detect a stack buffer overflow before execution of malicious code can occur.

This method works by placing a small integer, the value of which is randomly chosen at program start, in memory just before the stack return pointer. The value is checked again in the function epilogue, before the return address is used; a mismatch means the frame was overwritten and the program is aborted.

Most buffer overflows overwrite memory from lower to higher memory addresses, so in order to overwrite the return pointer (and thus take control of the process) the canary value must also be overwritten.
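As an added illustration that is not part of the slides, the following C model ties the sample GetInput() function and the canary slide together: it lays out a constructed frame (buffer[8], then a 4-byte canary, then the saved return address), runs a gets()-style unbounded copy and an fgets()-style bounded copy into it, and then performs the epilogue check. The frame layout, the canary value and the return address are all assumed or constructed values, not measurements from any real binary.

```c
#include <string.h>
#include <stdint.h>
/* Constructed, simplified model of the GetInput() frame on the slides:
 * buffer[8] at offset 0, then a 4-byte canary, then the saved return
 * address. Real layouts differ, but this ordering is what the canary
 * relies on: to reach the return address the overflow must cross it. */
#define BUF_SIZE   8
#define CANARY_OFF BUF_SIZE
#define RET_OFF    (BUF_SIZE + 4)
#define FRAME_SIZE (RET_OFF + 4)
static const uint32_t SAMPLE_CANARY = 0x2B8F1C37u; /* "chosen at start" */
static const uint32_t SAMPLE_RET    = 0x0804A1B2u; /* constructed value  */
struct frame { unsigned char bytes[FRAME_SIZE]; };

static void frame_init(struct frame *f) {
    memset(f->bytes, 0, FRAME_SIZE);
    memcpy(f->bytes + CANARY_OFF, &SAMPLE_CANARY, 4);
    memcpy(f->bytes + RET_OFF, &SAMPLE_RET, 4);
}

/* gets()-style copy: no bound, strlen(input)+1 bytes land in the buffer.
 * The clamp to FRAME_SIZE only keeps the model itself inside its array. */
static void get_input_unsafe(struct frame *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->bytes, input, n);
}

/* fgets(buffer, sizeof buffer, stdin)-style copy: at most 7 chars + NUL. */
static void get_input_safe(struct frame *f, const char *input) {
    size_t n = strlen(input);
    if (n > BUF_SIZE - 1) n = BUF_SIZE - 1;
    memcpy(f->bytes, input, n);
    f->bytes[n] = '\0';
}

/* Copy, then run the check a canary-enabled epilogue does before ret. Returns
 * a bit mask: 1 = canary smashed (overflow detected), 2 = return address
 * changed. Exactly 2 would be an undetected hijack; it cannot occur here. */
static int copy_then_check(const char *input, int bounded) {
    struct frame f; uint32_t canary, ret; int r = 0;
    frame_init(&f);
    if (bounded) get_input_safe(&f, input); else get_input_unsafe(&f, input);
    memcpy(&canary, f.bytes + CANARY_OFF, 4);
    memcpy(&ret, f.bytes + RET_OFF, 4);
    if (canary != SAMPLE_CANARY) r |= 1;
    if (ret != SAMPLE_RET) r |= 2;
    return r;
}
```

A nine-character input already trips the canary (result 1) without touching the return address, a twenty-character one changes both (result 3), and the bounded copy contains either (result 0).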

Page 10

STATIC ANALYSIS TOOLS

Tool                  Analysis
ARCHER                Symbolic, interprocedural, flow-sensitive analysis
BOON                  Integer ranges, interprocedural, flow-insensitive analysis for string functions
Polyspace C Verifier  Abstract interpretation, interprocedural, flow-sensitive
SPLINT                Lightweight static analysis, intraprocedural
UNO                   Model checking, interprocedural, flow-sensitive

Page 11

DETECTION AND FALSE ALARM RATES

System     Detection rate   False alarm rate
PolySpace  0.87             0.5
SPLINT     0.57             0.43
BOON       0.05             0.05
ARCHER     0.01             0
UNO        0                0

Page 12

CONCLUSION

No software can be 100% bug free.

Buffer overflows can be reduced by enforcing better programming practices from the very early stages of software engineering. Some of these are:
o Use of wrappers
o Training software programmers with ‘good’ programming practices
o Use of memn*() functions instead of str*() functions
o calloc() instead of malloc()
o Proper free()ing of memory
o etc.