TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection

TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection

Kumar Avijit, Prateek Gupta and Deepak GuptaDept. of Computer Science and Engg.

IIT Kanpur (INDIA)

13th USENIX Security Symposium

Outline

The menace called “Buffer Overflow” Related work Libsafe – Protecting the return address Our Approach

TIED – The binary rewriter LibsafePlus

Performance Limitations


The menace called Buffer Overflow

Excerpted from www.us-cert.gov/current/services_ports.html


Overview of Related Work

Kernel Based – make data areas non-executable.

Static analysis based. Run-time techniques:

Stackshield/StackGuard/ProPolice CRED – range checking at run-time. Libsafe


Libsafe: Protecting the return address

Dynamically loadable library -intercepts “unsafe” C library functions like strcpy, memcpy, …

Checks the size of destination buffer before copying.

Estimates a loose upper bound for stack buffers – upto the saved frame pointer of the enclosing frame.


Saved %ebp

Return address from f

x, y

a, b

char s[8]

to p

Saved %ebp

Ret. address from strcpy

stack frame for strcpy

%esp

stack frame for fExtent of s as estimated byLibsafe

Stack growth

Stack Buffer Size Determination by Libsafe

f (char *p) { int *a, *b; char s[8]; . int x,y; … strcpy(s, p); …}


Libsafe (contd.)

Protects frame pointer and return address from being overwritten by a stack overflow.

Does not prevent sensitive data below the buffer from being overwritten.

Does not prevent overflows on global/dynamically allocated buffers.


Our Approach

TIED : Augments the executable to contain size information about global and automatic buffers.

LibsafePlus: Intercepts calls to unsafe C library functions and performs more accurate and extensive bounds checking.


Overall Approach

Run

Aborts if bufferoverflow

Normal executionotherwise

ExecutablePrepared using

-g option

AugmentedexecutableTIED

LibsafePlus.soPreload


TIED : The binary rewriter

Extracts type information from -g compiled executable.

Determines location and size information about automatic and global character arrays.

Organizes the information as tables and dumps it back in the binary as a loadable, read-only section.

Starting address End address No. of vars. Ptr. to var. table

No. of global variables

Ptr. to global var. table

No. of functions

Ptr. To function table

Starting address Size

Offset fromframe pointer.

Size

Offset fromframe pointer.

Size

Type info header pointer Global Variable Table

Function Table

Local Variable Table

Local Variable Table

The Type Information Data Structure


Rewriting ELF Executables

Constraint: The virtual addresses of existing code and data should not change.

Solution: Extend the executable towards lower virtual addresses by a multiple of page size.

Serialize, relocate, and dump type information as a new loadable section in the gap created.

Provide a pointer to the new section as a symbol in the dynamic symbol table.


ELF executable beforeand after rewriting

ELF Header

Program headers

.dynstr

.dynsym

.hash

Section header table

.dynamic

ELF Header

Program headers

.olddynstr

.olddynsym

.oldhash

.dynamic

Section header table

Data structure containingtype information

.dynsym ( new )

.dynstr ( new )

.hash ( new )

• .dynstr is modified to hold the name of the symbolic pointer.

• .hash is modified to hold the hash value of the symbol added to .dynsym.

Before rewritingAfter rewriting


Range checking by LibsafePlus

Intercept unsafe C library functions. strcpy, memcpy, gets …

Determine the size of destination buffer. Determine the size of source string. If destination buffer is large enough, perform

the operation using actual C library function.

Terminate the program otherwise.


Determining sizes for stack buffers

Preliminary Check: Check if address is greater than the current stack pointer.

Locate the encapsulating stack frame by traversing the saved frame pointers.

Find out the function that defines the buffer. Search for the buffer in the local variable

table of the function. Return the loose Libsafe bound if buffer is

not present in the local variable table.

Locating function defining the buffer

buf

Saved %ebp

Return address from f

Return address into f

Return address into g

strcpy()

f

g

strcpyCase 1: buf may be local variable

of function f.

or

Case 2: buf may be an argument to the function g.

Use return address into f to locate the local variable table of f, search it for a matching entry.

If no match is found, repeat the step using return address into g.

Return address into g

Return address into f


Protecting heap variables

LibsafePlus also provides protection for variables allocated by malloc family of functions.

Intercepts calls to malloc family of functions. Records sizes and addresses of all dynamically

allocated chunks in a red-black tree. This data structure is used to find sizes of

dynamically allocated buffers. Insertion, deletion and searching in O(log(n)).


Determining sizes for heap and global buffers

Maintain the smallest starting address returned by malloc family of functions.

Preliminary Check: Check if the buffer address is greater than this address.

If yes, search in the red-black tree to get the size.

If buffer is neither on stack, nor on heap, search in the global variable table of the type information data structure.


Evaluation

LibsafePlus was able to detect all 20 buffer overflow attempts in testsuite by Wilander & Kamkar.

Libsafe was able to stop only 6 attacks.


Performance Evaluation


Strcpy (global buffers)


Strcpy (local buffers)


Strcpy (heap buffers)


Malloc/ Free Overhead


Application benchmarks


Limitations/Future Work

Does not handle overflows due to erroneous pointer arithmetic.

Imprecise bounds for automatic variable sized arrays and alloca()’ed buffers.

Applications that mmap() to fixed addresses may not work.

Type information about buffers inside shared libraries is not available – this has been addressed in a later version.


Thank you !

TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection

Documents

Transcript of TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection