A Practical Dynamic Buffer Overflow Detector (CRED) Olatunji Ruwase Monica S. Lam Transmeta Corp. Stanford University Network and Distributed Security Symposium. Feb 2004.

Buffer Overruns  50% of the 60 most severe vulnerabilities (posted on CERT/CC)  Over 60 % of CERT/CC advisories in 2003  Slammer, CodeRed, Blaster caused billions of dollars worth of damages  > $800K at Stanford for Blaster alone

Unsafe C Programs  Legacy software cannot be rewritten  Sound static analysis  Finds all errors + many false positives  Unsound static analysis  Finds less false positives, but not all errors  Must still insert dynamic tests, since bounds-checking is undecidable at compile time

Dynamic Overrun Checkers  Cannot catch all buffer overruns  Stackguard  Insert canary word  Can bypass by skipping canary word  Break existing code  Change pointer representation  Inefficient

Dynamic Bounds-Checking  Insert bounds checking automatically  Use static analysis to reduce overhead  Catching all errors  100% coverage  Effective optimization  10% coverage

State-of-the-art Checker  Referent objects [Jones and Kelly] p q derives  Objects and object table (splay tree)  In-bounds address  start, end of object  Given in-bounds pointer p to object o, derived pointer q must also point to o

Implementation  GNU C compiler patch  DLL of bounds checking functions for object table lookups and updates  DLL also includes bounds checking versions of C standard library functions  Instrumentation in GCC front end of non- copy pointer operations, object allocations and de-allocations  Splay tree improves object table lookups

Out-of-bounds Pointers  Ansi C and C++  Common idiom int A[10]; for (p = &A; p < &A + 10; p++) {…}  Can generate, test, but not deref one byte past buffer  Cannot generate, test, or deref any other out-of-bounds addresses

Jones and Kelly’s Solution  Pad all allocated objects by 1 byte  Pointers past one byte are replaced by “-2”  Subsequent non-copy use of “-2” pointer flagged as error

Experiment: 20 programs, 1.2 Mloc Pass KlocFail Kloc ccrypt4.4apache73.6 gzip5.8binutils596.5 monkey2.5bison25.1 polymorph0.4coreutils69.5 tar18.2enscript22.1 WsMp33.4gawk36.4 wu-ftpd18.3gnupg71.2 zlib8.3grep20.8 hypermail27.6 openssh43.4 openssl162.7 pgp4pine3.3 Total

Programs Not Ansi-C Compliant p q p’

Our solution to out-of-bounds (OOB) pointers  Unique OOB object created for every OOB pointer  Referent object and OOB value of pointer stored in OOB object  OOB pointer points to its own OOB object  OOB object table (hashtable)

Our solution to out-of-bound (OOB) pointers p q p’  Use OOB addr for computations and tests, but not dereference  OOB objects deleted as referent objects are deleted (no leaks) OOB object

Out-of-bounds pointers Uninstrumented execution {{ 1: char *p, *q, *r, *s; 2: 3: p = malloc(4); 4:q = p + 1; 5: s = p + 5; 6: r = s – 3; ……………… } p q r s referent object in-bounds padding out-of-bounds Addresses stack p = malloc(4) ; q = p + 1 ; s = p + 5 ; r = s – 3 ;

Instrumentation with Jones and Kelly Checker {{ 1: char *p, *q, *r, *s; 2: 3: p = malloc(4); 4:q = p + 1; 5: s = p + 5; 6: r = s – 3; ……………… } p q r s referent object in-bounds padding out-of-bounds Addresses s = (-2) p = malloc(4) ; q = p + 1 ; s = p + 5 ; r = s – 3 ; stack

Instrumentation with CRED {{ 1: char *p, *q, *r, *s; 2: 3: p = malloc(4); 4:q = p + 1; 5: s = p + 5; 6: r = s – 3; ……………… } p q r s referent object in-bounds padding out-of-bounds Addresses stack p = malloc(4) ; q = p + 1 ; s = p + 5 ; r = s – 3 ; objvalue OOB object

Optimization  Buffer overflow attacks caused by user supplied string data  Restrict bounds checking to only strings  Objects of all types maintained in object table to handle casts  Common downcasts to char pointers when copying data  Experimental results indicate effective protection and improved performance

Results  C Range Error Detector (CRED), built on Jones and Kelly’s implementation  Compatibility  Evaluation of full checking instrumentation  Rigorous evaluation using app test suites  Passed all the 1.2 M loc tests  Overflow bugs found in ssl, coreutils and bison test suites

Protection  Against attacks on  Gawk, gzip, hypermail, monkey, pgp4pine, polymorph, WsMp3  Against Wilander & Kamkar’s 20 tests  ProPolice passed 50%  StackGuard, StackShield, Libsafe and Libverify are worse

Performance

Conclusions  Focus of this work: Compatibility  Simplicity  correctness  thorough compatibility tests (1.2 M loc)  Buffer overruns in C programs can be detected dynamically  Can apply static analysis to reduce overhead

CRED is Open Source  Merged into publicly available GNU C bounds checking patch maintained by Herman ten Brugge  