1. Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu. Buffer Overflow Defenses Author: Jedidiah R. Crandall, crandaj@erau.edu This Document was Funded by the National Science Foundation Federal Cyber Service Scholarship For Service Program: Grant No. 0113627 Distributed July 2002 Embry-Riddle Aeronautical University Prescott, Arizona USA

2. Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu. Buffer Overflow Defenses This section presents some defenses against buffer overflows and their pros and cons in a not-too- technical manner Caveats: 1. This is not intended to be a complete list of products that defend against buffer overflows. 2. There is no silver bullet that will stamp out buffer overflows, but some of these tools may help.

3. Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu. Kinds of Defenses Better software engineering practices Find-and-patch methods Language tools Analysis tools Compiler tools Operating system tools

4. Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu. Better software engineering practices Examples: Testing, code inspection, documentation of reused code Pros: Can prevent all types of buffer overflows before the software is released Cons: Time consuming, and time is money

5. Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu. Find-and-patch methods Examples: Software patches, anti-virus software Pros: Very effective at preventing known attacks, or even unknown attacks on known vulnerabilities Usually does not require that the software be recompiled Cons: Not effective at preventing attacks on unknown vulnerabilities, or sometimes unknown attacks on known vulnerabilities

6. Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu. Language tools Examples: Java, Perl, Ada, Cyclone, or any language that is not as susceptible to buffer overflows as C/C++, or components/libraries for C/C++ that are less susceptible to buffer overflows Pros: Use of better languages or libraries will greatly ameliorate the buffer overflow problem Cons: The programmer still has to be able to know how to handle long input strings – Should the input be truncated? Rejected? Should the buffer be resized? Should the program halt? C/C++ are popular languages and there are valid reasons for using them Reused C code must be heavily modified to use new libraries

7. Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu. Analysis tools Examples: static analysis tools that search the source code for possible buffer overflows, dynamic analysis tools that help identify buffer overflows during program execution for testing Pros: Static analysis tools can be very useful for code inspection Dynamic analysis tools can help you catch errors during testing that you might not have caught otherwise Cons: Static analysis tools produce many false positives and only look for certain kinds of buffer overflows, such as unsafe library function calls

8. Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu. Compiler tools Examples: Add automatic bounds checking to a C compiler, or protecting the return pointer (see StackGaurd applet) Pros: Adding automatic bounds checking to a C compiler can prevent many buffer oveflows Protecting the return pointer virtually eliminates stack smashing, which is currently the most prevalent and disastrous kind of buffer overflow attack Cons: There is a performance overhead, especially for adding bounds checking to C compilers Protecting the return pointer does not prevent heap-based attacks, denial-of-service attacks, or data corruption

9. Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu. Operating system tools Examples: Intrusion detection, disabling execution of code where there shouldn’t be code Pros: Disabling the execution of code where there shouldn’t be code usually has a negligible performance cost Intrusion detection systems can detect unknown attacks by monitoring user behavior for anomalies or likely attack patterns Cons: Neither of these will prevent every kind of buffer overflow attack Intrusion detection is a developing technology and is not perfect

10. Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu. About this Project This presentation is part of a larger package of materials on buffer overflow vulnerabilities, defenses, and software practices. For more information, go to: http://nsfsecurity.pr.erau.eduhttp://nsfsecurity.pr.erau.edu Also available are: Demonstrations of how buffer overflows occur (Java applets) PowerPoint lecture-style presentations on an introduction to buffer overflows, preventing buffer overflows (for C programmers), and a case study of Code Red Checklists and Points to Remember for C Programmers An interactive module and quiz set with alternative paths for journalists/analysts and IT managers as well as programmers and testers A scavenger hunt on implications of the buffer overflow vulnerability Please complete a feedback form at http://nsfsecurity.pr.erau.edu/feedback.html to tell us how you used this material and to offer suggestions for improvements.http://nsfsecurity.pr.erau.edu/feedback.html