Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison

Invalid Pointer Dereferences Buffer overruns –via pointers or arrays Stale pointers (pointers to freed memory)  Undesirable because –incorrect results –crash / corrupt data –security risk a[i]  *(a+i)

Security Risk Gain control –stack smashing (return address on stack) –function pointers, setjmp buffers, GOT Gain unauthorized access –e.g. changing argument to fopen Corrupt data / Disrupt service

Stack Smashing char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); buf p return address

Our Approach, for C Dynamically detect invalid writes via pointers –halt execution when detected Efficient (low overhead) No false positives No source code modification needed

Outline Introduction Previous Approaches Description of Approach Experiments Conclusion

Previous Approaches StackGuard: protects return addresses only +efficient +automatic –does not protect other memory locations –platform dependent StackShield: similar, but also protects function pointers

Fat Pointers  Record information about what a pointer should point to CCured, Cyclone +detects all invalid accesses –less flexibility in memory management: requires garbage collection (or region-based model, for Cyclone) –doesn’t handle all of C (rejects some legal C programs) –requires programmer changes to source

associate information with pointer: address and size of referent buf p Fat Pointers buf 12  char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); return address

associates information with target rather than pointer buf p Our Approach char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’);                                   return address

char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); buf p                              Which Locations to Mark?   return address  naively: Mark All User-defined Locations

FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); buf p fp                              Which Locations to Mark?   Static Analysis, to permit marking fewer locations

Unsafe Pointers  a pointer p that may point to invalid memory: –p is assigned a non-pointer value, or –p is the result of pointer arithmetic, or –p may become stale only writes via unsafe pointers are checked at runtime –safe pointer dereferences are not checked –for efficiency, we don’t check reads a[i]  *(a+i)

FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Unsafe Pointers pointers: unsafe safe p fp

Tracked Locations  a location that an unsafe pointer may point to –mirror is marked ok ( ) when allocated, and forbidden (  ) when freed. untracked locations always forbidden (  ) –never pointed-to by unsafe pointer points-to analysis needed

FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Tracked Locations pointers: unsafe safe p fp p buf fp locations: untracked tracked p buf points-to graph: foo fp

FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Allocation pointers: unsafe safe p fp p buf fp locations: untracked tracked                                             

FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Allocation pointers: unsafe safe p fp p buf fp locations: untracked tracked                                              fp

FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Allocation pointers: unsafe safe p fp p buf fp locations: untracked tracked buf fp                                 

FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Allocation pointers: unsafe safe p fp p buf fp locations: untracked tracked buf p fp                                 

FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Checking Writes pointers: unsafe safe p fp p buf fp locations: untracked tracked buf p fp                                 

FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Checking Writes pointers: unsafe safe p fp p buf fp locations: untracked tracked buf p fp                                 

FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Checking Writes pointers: unsafe safe p fp p buf fp locations: untracked tracked buf p fp                                 

FN_PTR fp = &foo; char buf[12]; char *p = &buf[0]; do { *p = getchar(); } while(*p++ != ‘\0’); (*fp)(); Example: Checking Writes buf p fp                                   pointers: unsafe safe p fp p buf fp locations: untracked tracked

Tool Overview C source file instru- mented C source file instru- mented exec- utable instru- mented C library unsafe pointers tracked variables Static Analysis Instrumenter C Compiler

Implementation Details Flow-insensitive Points-to Analysis [Das00] –near-linear time, good precision C source-to-source instrumenter [Ckit] –ANSI C compliant, portable Uninstrumented library functions may cause false positives or false negatives –write wrappers to be more precise

Outline Introduction Previous Approaches Description of Approach Experiments Conclusion

Experiments Tool successfully detected two simulated attacks via known vulnerabilities –cfingerd: buffer overrun attack –traceroute: modifying Global Offset Table entry via multiple-free bug

Performance Runtime Overhead (average 1.97×) Cyclone OldenSpec 95Spec 2000

Performance Runtime Overhead (average 1.97×) increasing size (LOC)

Comparing with CCured/Cyclone

Analysis/Instrument/Compile Time Slowdown vs. Compile Time (average 5×) increasing size (LOC)

Future Work Goal: Less unsafe pointers and tracked locations (for better performance and coverage) Array-bounds Check Elimination –98% of dereferences are array accesses Escape Analysis –currently all pointers to stack objects are unsafe Flow-Sensitive Analyses –better points-to analysis –dereferencing uninitialized pointer

Future Work Goal: Less unsafe pointers and tracked locations (for better performance and coverage) Array-bounds Check Elimination –98% of dereferences are array accesses Escape Analysis –currently all pointers to stack objects are unsafe Flow-Sensitive Analyses –better points-to analysis –dereferencing uninitialized pointer

Conclusion We present a tool for detecting invalid pointer dereferences that +has low runtime overhead +does not report false positives +is portable, and does not require programmer changes to source code +protects against a wide range of vulnerabilities, including stack smashing and using freed memory

Protecting C Programs from Attacks via Invalid Pointer Dereferences Suan Hsi Yong, Susan Horwitz University of Wisconsin – Madison – The End –

Related Work Dynamic Debugging Tools –Purify –Valgrind –Safe-C Static techniques –LCLint –ESC –PREfix