A Practical Dynamic Buffer Overflow Detector CRED

1
A Practical Dynamic Buffer Overflow Detector
(CRED)

• Olatunji Ruwase Monica S. Lam
• Transmeta Corp. Stanford University

Network and Distributed Security Symposium. Feb
2004.
2
Buffer Overruns

• 50 of the 60 most severe vulnerabilities (posted
  on CERT/CC)
• Over 60 of CERT/CC advisories in 2003
• Slammer, CodeRed, Blastercaused billions of
  dollars worth of damages
• 800K at Stanford for Blaster alone

3
Unsafe C Programs

• Legacy software cannot be rewritten
• Sound static analysis
• Finds all errors many false positives
• Unsound static analysis
• Finds less false positives, but not all errors
• Must still insert dynamic tests, since
  bounds-checking is undecidable at compile time

4
Dynamic Overrun Checkers

• Cannot catch all buffer overruns
• Stackguard
• Insert canary word
• Can bypass by skipping canary word
• Break existing code
• Change pointer representation
• Inefficient

5
Dynamic Bounds-Checking

• Insert bounds checking automatically
• Use static analysis to reduce overhead
• Catching all errors ? 100 coverage
• Effective optimization ? 10 coverage

6
State-of-the-art Checker

• Referent objects Jones and Kelly

• Objects and object table (splay tree)
• In-bounds address? start, end of object
• Given in-bounds pointer p to object o, derived
  pointer q must also point to o

derives
p
q
7
Implementation

• GNU C compiler patch
• DLL of bounds checking functions for object table
  lookups and updates
• DLL also includes bounds checking versions of C
  standard library functions
• Instrumentation in GCC front end of non-copy
  pointer operations, object allocations and
  de-allocations
• Splay tree improves object table lookups

8
Out-of-bounds Pointers

• Ansi C and C
• Common idiom
• int A10
• for (p A p
• Can generate, test, but not deref one byte past
  buffer
• Cannot generate, test, or deref any other
  out-of-bounds addresses

9
Jones and Kellys Solution

• Pad all allocated objects by 1 byte
• Pointers past one byte are replaced by -2
• Subsequent non-copy use of -2 pointer flagged
  as error

10
Experiment 20 programs, 1.2 Mloc
11
Programs Not Ansi-C Compliant
q
p
12
Our solution to out-of-bounds (OOB) pointers

• Unique OOB object created for every OOB pointer
• Referent object and OOB value of pointer stored
  in OOB object
• OOB pointer points to its own OOB object
• OOB object table (hashtable)

13
Our solution to out-of-bound (OOB) pointers
q
p

• Use OOB addr for computations and tests, but not
  dereference
• OOB objects deleted as referent objects are
  deleted (no leaks)

14
Out-of-bounds pointers Uninstrumented
execution

• 1 char p, q, r, s
• 2
• 3 p malloc(4)
• 4 q p 1
• 5 s p 5
• 6 r s 3

referent object
p malloc(4)
q p 1
s p 5
r s 3
stack
15
Instrumentation with Jones and Kelly Checker

• 1 char p, q, r, s
• 2
• 3 p malloc(4)
• 4 q p 1
• 5 s p 5
• 6 r s 3

referent object
p malloc(4)
q p 1
s p 5
r s 3
s (-2)
stack
16
Instrumentation with CRED

• 1 char p, q, r, s
• 2
• 3 p malloc(4)
• 4 q p 1
• 5 s p 5
• 6 r s 3

p malloc(4)
stack
q p 1
s p 5
referent object
r s 3
OOB object
17
Optimization

• Buffer overflow attacks caused by user supplied
  string data
• Restrict bounds checking to only strings
• Objects of all types maintained in object table
  to handle casts
• Common downcasts to char pointers when copying
  data
• Experimental results indicate effective
  protection and improved performance

18
Results

• C Range Error Detector (CRED), built on Jones and
  Kellys implementation
• Compatibility
• Evaluation of full checking instrumentation
• Rigorous evaluation using app test suites
• Passed all the 1.2 M loc tests
• Overflow bugs found in ssl, coreutils and bison
  test suites

19
Protection

• Against attacks on
• Gawk, gzip, hypermail, monkey, pgp4pine,
  polymorph, WsMp3
• Against Wilander Kamkars 20 tests
• ProPolice passed 50
• StackGuard, StackShield, Libsafe and Libverify
  are worse

20
Performance
21
Conclusions

• Focus of this work Compatibility
• Simplicity ? correctness ? thorough
  compatibility tests (1.2 M loc)
• Buffer overruns in C programs can be detected
  dynamically
• Can apply static analysis to reduce overhead

22
CRED is Open Source

• Merged into publicly available GNU C bounds
  checking patch maintained by Herman ten Brugge
• http//web.inter.nl.net/hcc/Haj.Ten.Brugge/
• http//sourceforge.net/projects/boundschecking/