A Practical Dynamic Buffer Overflow Detector (CRED)

1
A Practical Dynamic Buffer Overflow Detector
(CRED)

• Olatunji Ruwase Monica S. Lam
• Transmeta Corp. Stanford University

Network and Distributed Security Symposium. Feb
2004.
2
Buffer Overruns

• 50 of the 60 most severe vulnerabilities (posted
  on CERT/CC)
• Over 60 of CERT/CC advisories in 2003
• Slammer, CodeRed, Blastercaused billions of
  dollars worth of damages
• gt 800K at Stanford for Blaster alone

3
Unsafe C Programs

• Legacy software cannot be rewritten
• Sound static analysis
• Finds all errors many false positives
• Unsound static analysis
• Finds less false positives, but not all errors
• Must still insert dynamic tests, since
  bounds-checking is undecidable at compile time

4
Dynamic Overrun Checkers

• Cannot catch all buffer overruns
• Stackguard
• Insert canary word
• Can bypass by skipping canary word
• Break existing code
• Change pointer representation
• Inefficient

5
Dynamic Bounds-Checking

• Insert bounds checking automatically
• Use static analysis to reduce overhead
• Catching all errors ? 100 coverage
• Effective optimization ? 10 coverage

6
State-of-the-art Checker

• Referent objects Jones and Kelly

• Objects and object table (splay tree)
• In-bounds address? start, end of object
• Given in-bounds pointer p to object o, derived
  pointer q must also point to o

derives
p
q
7
Implementation

• GNU C compiler patch
• DLL of bounds checking functions for object table
  lookups and updates
• DLL also includes bounds checking versions of C
  standard library functions
• Instrumentation in GCC front end of non-copy
  pointer operations, object allocations and
  de-allocations
• Splay tree improves object table lookups

8
Out-of-bounds Pointers

• Ansi C and C
• Common idiom
• int A10
• for (p A p lt A 10 p)
• Can generate, test, but not deref one byte past
  buffer
• Cannot generate, test, or deref any other
  out-of-bounds addresses

9
Jones and Kellys Solution

• Pad all allocated objects by 1 byte
• Pointers past one byte are replaced by -2
• Subsequent non-copy use of -2 pointer flagged
  as error

10
Experiment 20 programs, 1.2 Mloc
Pass Kloc Pass Kloc Fail Kloc Fail Kloc
ccrypt 4.4 apache 73.6
gzip 5.8 binutils 596.5
monkey 2.5 bison 25.1
polymorph 0.4 coreutils 69.5
tar 18.2 enscript 22.1
WsMp3 3.4 gawk 36.4
wu-ftpd 18.3 gnupg 71.2
zlib 8.3 grep 20.8
hypermail 27.6
openssh 43.4
openssl 162.7
pgp4pine 3.3
Total 61.3 1152.2
11
Programs Not Ansi-C Compliant
q
p
12
Our solution to out-of-bounds (OOB) pointers

• Unique OOB object created for every OOB pointer
• Referent object and OOB value of pointer stored
  in OOB object
• OOB pointer points to its own OOB object
• OOB object table (hashtable)

13
Our solution to out-of-bound (OOB) pointers
q
p

• Use OOB addr for computations and tests, but not
  dereference
• OOB objects deleted as referent objects are
  deleted (no leaks)

14
Out-of-bounds pointers Uninstrumented
execution

• 1 char p, q, r, s
• 2
• 3 p malloc(4)
• 4 q p 1
• 5 s p 5
• 6 r s 3

referent object

p malloc(4)
p
q
r
s
q p 1
s p 5
r s 3
stack
15
Instrumentation with Jones and Kelly Checker

• 1 char p, q, r, s
• 2
• 3 p malloc(4)
• 4 q p 1
• 5 s p 5
• 6 r s 3

referent object

p malloc(4)
p
q
r
s
q p 1
s p 5
r s 3
s (-2)
stack
16
Instrumentation with CRED

p
q
r
s

• 1 char p, q, r, s
• 2
• 3 p malloc(4)
• 4 q p 1
• 5 s p 5
• 6 r s 3

p malloc(4)
stack

q p 1
s p 5
referent object
r s 3
obj value
OOB object
17
Optimization

• Buffer overflow attacks caused by user supplied
  string data
• Restrict bounds checking to only strings
• Objects of all types maintained in object table
  to handle casts
• Common downcasts to char pointers when copying
  data
• Experimental results indicate effective
  protection and improved performance

18
Results

• C Range Error Detector (CRED), built on Jones and
  Kellys implementation
• Compatibility
• Evaluation of full checking instrumentation
• Rigorous evaluation using app test suites
• Passed all the 1.2 M loc tests
• Overflow bugs found in ssl, coreutils and bison
  test suites

19
Protection

• Against attacks on
• Gawk, gzip, hypermail, monkey, pgp4pine,
  polymorph, WsMp3
• Against Wilander Kamkars 20 tests
• ProPolice passed 50
• StackGuard, StackShield, Libsafe and Libverify
  are worse

20
Performance
21
Conclusions

• Focus of this work Compatibility
• Simplicity ? correctness ? thorough
  compatibility tests (1.2 M loc)
• Buffer overruns in C programs can be detected
  dynamically
• Can apply static analysis to reduce overhead

22
CRED is Open Source

• Merged into publicly available GNU C bounds
  checking patch maintained by Herman ten Brugge
• http//web.inter.nl.net/hcc/Haj.Ten.Brugge/
• http//sourceforge.net/projects/boundschecking/