![Slide 1: A Practical Dynamic Buffer Overflow Detector (CRED)](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/1.jpg)
A Practical Dynamic Buffer Overflow Detector (CRED)
Olatunji Ruwase (Transmeta Corp.), Monica S. Lam (Stanford University)
Network and Distributed System Security Symposium (NDSS), Feb 2004.
![Slide 2](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/2.jpg)
Buffer Overruns
- 50% of the 60 most severe vulnerabilities (posted on CERT/CC)
- Over 60% of CERT/CC advisories in 2003
- Slammer, CodeRed, Blaster caused billions of dollars worth of damage
  - > $800K at Stanford for Blaster alone
![Slide 3](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/3.jpg)
Unsafe C Programs
- Legacy software cannot be rewritten
- Sound static analysis: finds all errors, but reports many false positives
- Unsound static analysis: fewer false positives, but does not find all errors
- Must still insert dynamic tests, since bounds-checking is undecidable at compile time
![Slide 4](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/4.jpg)
Dynamic Overrun Checkers
- Cannot catch all buffer overruns
  - StackGuard: inserts a canary word; can be bypassed by skipping the canary word
- Break existing code
  - Change pointer representation
- Inefficient
![Slide 5](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/5.jpg)
Dynamic Bounds-Checking
- Insert bounds checking automatically
- Use static analysis to reduce overhead
  - Catching all errors: 100% coverage
  - Effective optimization: 10% coverage
![Slide 6](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/6.jpg)
State-of-the-art Checker
- Referent objects [Jones and Kelly]
  (diagram: p derives q)
- Objects and object table (splay tree)
- In-bounds address maps to the start and end of its object
- Given in-bounds pointer p to object o, derived pointer q must also point to o
![Slide 7](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/7.jpg)
Implementation
- GNU C compiler patch
- DLL of bounds checking functions for object table lookups and updates
- DLL also includes bounds checking versions of C standard library functions
- Instrumentation in GCC front end of non-copy pointer operations, object allocations and de-allocations
- Splay tree improves object table lookups
![Slide 8](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/8.jpg)
Out-of-bounds Pointers
- ANSI C and C++
  - Common idiom: `int A[10]; for (p = A; p < A + 10; p++) {…}`
  - Can generate, test, but not dereference a pointer one byte past the buffer
  - Cannot generate, test, or dereference any other out-of-bounds address
![Slide 9](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/9.jpg)
Jones and Kelly's Solution
- Pad all allocated objects by 1 byte
- Pointers past the one byte are replaced by "-2"
- Subsequent non-copy use of a "-2" pointer is flagged as an error
![Slide 10](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/10.jpg)
Experiment: 20 programs, 1.2 Mloc

| Pass      | Kloc | Fail      | Kloc   |
|-----------|------|-----------|--------|
| ccrypt    | 4.4  | apache    | 73.6   |
| gzip      | 5.8  | binutils  | 596.5  |
| monkey    | 2.5  | bison     | 25.1   |
| polymorph | 0.4  | coreutils | 69.5   |
| tar       | 18.2 | enscript  | 22.1   |
| WsMp3     | 3.4  | gawk      | 36.4   |
| wu-ftpd   | 18.3 | gnupg     | 71.2   |
| zlib      | 8.3  | grep      | 20.8   |
|           |      | hypermail | 27.6   |
|           |      | openssh   | 43.4   |
|           |      | openssl   | 162.7  |
|           |      | pgp4pine  | 3.3    |
| Total     | 61.3 | Total     | 1152.2 |
![Slide 11](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/11.jpg)
Programs Not ANSI-C Compliant
(diagram: pointer p, a pointer q derived from it, and p')
![Slide 12](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/12.jpg)
Our solution to out-of-bounds (OOB) pointers
- Unique OOB object created for every OOB pointer
- Referent object and OOB value of the pointer stored in the OOB object
- OOB pointer points to its own OOB object
- OOB object table (hashtable)
![Slide 13](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/13.jpg)
Our solution to out-of-bounds (OOB) pointers
(diagram: pointer p, derived pointer q, and p' pointing to its OOB object)
- Use the OOB address for computations and tests, but not for dereference
- OOB objects are deleted as their referent objects are deleted (no leaks)
![Slide 14](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/14.jpg)
Out-of-bounds pointers: uninstrumented execution
```c
{
    char *p, *q, *r, *s;

    p = malloc(4);
    q = p + 1;    /* in bounds */
    s = p + 5;    /* out of bounds: past the 4-byte object and its padding byte */
    r = s - 3;    /* back in bounds: equals p + 2 */
    /* ... */
}
```
(diagram: stack variables p, q, r, s pointing into the address space; the referent object has an in-bounds region, one byte of padding, and out-of-bounds addresses beyond it)
![Slide 15](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/15.jpg)
Instrumentation with Jones and Kelly checker
Same program as the uninstrumented execution above.
(diagram: p, q, r, s and the referent object as before, but the out-of-bounds s = p + 5 is replaced by the sentinel `s = (-2)`, so the later r = s - 3 operates on a "-2" pointer)
![Slide 16](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/16.jpg)
Instrumentation with CRED
Same program as the uninstrumented execution above.
(diagram: p, q, r, s and the referent object as before; s points to an OOB object that stores the referent object ("obj") and the out-of-bounds address ("value"), from which r = s - 3 is derived)
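The three slides above run the same four statements through no instrumentation, Jones and Kelly's "-2" sentinel and CRED's OOB objects. The C model below is an added example, not code from CRED or the GCC bounds-checking patch; it assumes flat arrays in place of the splay tree and hashtable, omits the 1-byte padding, and its names (cred_malloc, cred_add, cred_deref_ok, jk_add) are illustrative only.

```c
#include <stdlib.h>
#include <stdint.h>
/* Added example, not CRED's code: a minimal model of referent-object checking
 * with CRED-style out-of-bounds (OOB) objects. Flat arrays stand in for the
 * splay-tree object table and the OOB hashtable; the real scheme's 1-byte
 * padding is omitted, so adjacent objects would be ambiguous at one-past-end. */
#define MAX 16
typedef struct { uintptr_t base; size_t size; } Obj;   /* referent object */
typedef struct { int ref; uintptr_t addr; } Oob;       /* referent index + OOB address */
static Obj objs[MAX]; static int nobjs;
static Oob oobs[MAX]; static int noobs;

void *cred_malloc(size_t n) {          /* allocation wrapper: registers the referent */
    void *p = malloc(n); objs[nobjs].base = (uintptr_t)p; objs[nobjs++].size = n; return p;
}
static int oob_index(const void *ptr) { /* index of the OOB object at ptr, or -1 */
    for (int i = 0; i < noobs; i++) if ((const void *)&oobs[i] == ptr) return i;
    return -1;
}
/* Map a pointer to its referent object (index, or -1) and logical address.
 * The one-past-end address still belongs to the object, as ANSI C allows. */
static int resolve(const void *ptr, uintptr_t *a) {
    int k = oob_index(ptr);
    if (k >= 0) { *a = oobs[k].addr; return oobs[k].ref; }
    *a = (uintptr_t)ptr;
    for (int i = 0; i < nobjs; i++)
        if (*a >= objs[i].base && *a <= objs[i].base + objs[i].size) return i;
    return -1;
}
/* CRED pointer arithmetic: in bounds -> the real address; out of bounds -> the
 * address of a fresh OOB object, still usable in arithmetic and comparisons;
 * NULL -> p has no referent (or the table is full), reported as an error. */
void *cred_add(const void *p, long off) {
    uintptr_t a; int ref = resolve(p, &a);
    if (ref < 0 || noobs == MAX) return NULL;
    a += (uintptr_t)off;
    if (a >= objs[ref].base && a <= objs[ref].base + objs[ref].size) return (void *)a;
    oobs[noobs].ref = ref; oobs[noobs].addr = a;
    return &oobs[noobs++];
}
int cred_deref_ok(const void *p, size_t width) {   /* OOB objects and one-past-end rejected */
    uintptr_t a; int ref = resolve(p, &a);
    return ref >= 0 && oob_index(p) < 0 && a + width <= objs[ref].base + objs[ref].size;
}
/* Jones and Kelly's treatment, for contrast: past the padding the pointer becomes
 * the sentinel -2, and arithmetic on -2 is itself flagged (returns NULL here). */
void *jk_add(const void *p, long off) {
    uintptr_t a; int ref;
    if (p == (const void *)-2 || (ref = resolve(p, &a)) < 0) return NULL;
    a += (uintptr_t)off;
    return (a >= objs[ref].base && a <= objs[ref].base + objs[ref].size) ? (void *)a : (void *)-2;
}
```

With p = cred_malloc(4), cred_add(p, 5) yields an OOB object rather than a raw address, cred_add of -3 on it returns p + 2 and passes cred_deref_ok, while jk_add(p, 5) yields -2 and jk_add(-2, -3) is rejected.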
![Slide 17](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/17.jpg)
Optimization
- Buffer overflow attacks are caused by user-supplied string data
- Restrict bounds checking to strings only
- Objects of all types are maintained in the object table to handle casts
  - Common downcasts to char pointers when copying data
- Experimental results indicate effective protection and improved performance
![Slide 18](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/18.jpg)
Results
- C Range Error Detector (CRED), built on Jones and Kelly's implementation
- Compatibility
  - Evaluation of full checking instrumentation
  - Rigorous evaluation using application test suites
  - Passed all the 1.2 Mloc tests
  - Overflow bugs found in ssl, coreutils and bison test suites
![Slide 19](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/19.jpg)
Protection
- Against attacks on gawk, gzip, hypermail, monkey, pgp4pine, polymorph, WsMp3
- Against Wilander & Kamkar's 20 tests
  - ProPolice passed 50%; StackGuard, StackShield, Libsafe and Libverify are worse
![Slide 20](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/20.jpg)
Performance
(chart: normalized execution time, y-axis 0 to 14, per benchmark: apache, binutils, bison, ccrypt, coreutils, enscript, gawk, gnupg, grep, gzip, hypermail, monkey, pgp4pine, polymorph, ssh (scp), rsa2048 sign, rsa2048 verify, tar, WsMp3, wu-ftpd, zlib; two series: full checking and strings only)
![Slide 21](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/21.jpg)
Conclusions
- Focus of this work: compatibility, simplicity, correctness
  - Thorough compatibility tests (1.2 Mloc)
- Buffer overruns in C programs can be detected dynamically
- Can apply static analysis to reduce overhead
![Slide 22](https://reader035.vdocuments.net/reader035/viewer/2022062216/56649d195503460f949eec16/html5/thumbnails/22.jpg)
CRED is Open Source
- Merged into the publicly available GNU C bounds checking patch maintained by Herman ten Brugge
  - http://web.inter.nl.net/hcc/Haj.Ten.Brugge/
  - http://sourceforge.net/projects/boundschecking/