Protecting Global and Static Variables From Buffer Overflow Attacks
Protecting Global and Static Variables From Buffer Overflow Attacks
2.2 Exploitation
dtors
3 Countermeasure
got
write has been set. Any access to such a page will cause the program to
terminate.
799
eh_frame
the risk they pose if they are a target for attack), overflow-
able (ordered from less likely to overflow to more likely)
ctors but also a target of attacks and just overflowable (ordered
dtors by how likely they will overflow).
Pointers could be overwritten to perform a code injection
got
attack, but are not exploitable on their own, so we place
data pointers them in the first category. Integers can hold pointers or
data integers can be used as offsets to a pointer, so they could also be
data struct/union used to perform indirect pointer overwrites. Although they
(no arrays) are overflowable, they will never use more than the mem-
data floats ory allocated for them since they will wrap around zero on
data arrays of pointers overflow, as such we can place them in the same category
as pointers. Structures and unions that do not contain any
data arrays of integers
arrays come next, they could contain pointers that could
data struct/union with
arrays (not of char)
be overwritten, but do not contain any arrays so they are
data arrays of struct/union not overflowable. The last element of the first category are
with arrays (not of char)
data struct/union with
floats, they are not overflowable and are also not a likely
arrays of char target for attack.
data arrays of struct/union
with arrays of char
The second category contains data which can overflow
data arrays of floats
in theory, but which could also be used to perform an indi-
rect pointer overwrite. This data is sorted by the risk posed
data arrays of characters if it is attacked: higher risk data is stored first so that if an
guard page overflow occurs, it can only overwrite equally or less risky
bss (same layout as data)
data. The first element in this category are arrays of pointer,
followed by arrays of integers. Next we place structures
guard page and unions which contain arrays, but not arrays of charac-
ters, arrays of these structures and unions, structures and
unions which contain arrays of characters and finally arrays
Heap
of these structures.
The third category only contains data which is overflow-
able, ordered by how likely they are to be overflown. The
first elements stored here are arrays of floats, these do not
Figure 3. Modified layout of the data segment contain information which could easily lead to a code injec-
tion attack and could overflow. Arrays of characters, which
are most often targeted by attackers, because they are of-
ten used with vulnerable string manipulation functions (e.g.
ray and the heap3 . Since the size of the data segment is
strcpy), are placed last.
known at compile time, adding such a guard page at load
The data layout that these three categories provide are
time does not introduce any problems.
used for both the data and bss sections which are stored
Figure 3 illustrates the modified memory layout: first is
next to each other. To protect the bss section from the arrays
the memory which only contains data used by the loader:
of characters from the data section, we place a guard page
the constructors, destructors, global offset table, the excep-
between the two sections.
tion handling frame, etc. Since a program should not be
By separating the data which can influence control from
able to change them, these can be stored at the start of the
data which is can be modified by the user, we can protect
segment. While a major avenue for attack has been closed
against buffer overflow attacks in these sections.
off by preventing arrays from overflowing into the destruc-
tors section and the global offset table, an attacker could still
use an overflow in the data or bss section to overwrite data 4 Discussion
in that section. To prevent this from occurring we divide
the data into three categories: not-overflowable (ordered by It may still be possible to perform a code injection at-
3A
tack using a buffer overflow on a structure that contains
page on IA32 is 4096 bytes, this means that if we want to add a
guard page, the memory preceding the guard page will need to be aligned
both an array of characters and a pointer since these types
on 4096 bytes. Adding such a page after all memory locations would be of structures will be stored in a contiguous region of mem-
introduce a prohibitive memory overhead [29] ory. This is a limitation of the approach that can not easily
800
be fixed because the C standard[18] mandates that all struc- 5.1 Alternative approaches
tures must be stored in order in contiguous memory. Many
other countermeasures, including bounds checkers suffer Many alternative approaches exist that try and protect
from this limitation. Given that correct code can rely on this against buffer overflow attacks. In this section we will
feature of the C language, it is hard to protect against such briefly discuss the most important types of countermea-
an attack. To reduce the risk of attack, we treat structures sures. A more extensive discussion can be found in [38, 12].
containing arrays of characters different from other struc-
tures: by storing them below regular structures. While this
does not solve the problem, it reduces the risk of successful 5.1.1 Probabilistic countermeasures
exploitation because attackers can only overflow informa- Many countermeasures make use of randomness when pro-
tion stored below this type of structure. tecting against attacks. Many different approaches ex-
Integer errors could also be used to perform a buffer ist when using randomness for protection. Canary-based
overflow because they could be used to overwrite arbitrary countermeasures [9, 13, 23, 31] use a secret random num-
memory locations, without requiring a contiguous buffer ber that is stored before an important memory location:
overflow. This would bypass the protection provided by the if the random number has changed after some operations
guard page. This is an important limitation in our approach have been performed, then an attack has been detected.
and must be taken into account when applying this counter- Memory-obfuscation countermeasures [8, 5] encrypt (usu-
measure. ally with XOR) important memory locations or other infor-
mation using random numbers. Memory layout randomiz-
Implementation of this countermeasure will require
ers [35, 4, 36, 6] randomize the layout of memory: by load-
some substantial modifications to the compiler, the linker
ing the stack and heap at random addresses and by placing
and the loader, however because only the layout is changed,
random gaps between objects. Instruction set randomizers
it should not bring any extra performance overhead with it.
[3, 19] encrypt the instructions while in memory and will
Because the size of all the sections are known at load time,
decrypt them before execution.
changing the layout will not add much memory overhead ei-
While these approaches are often efficient, they rely on
ther: each section followed by a guard page will have to be
keeping memory locations secret. However, programs that
aligned to page size, which means that the maximum over-
contain buffer overflows could also contain ”buffer over-
head per section would be 4095 bytes (if only 1 byte is used
reads” (e.g. a string which is copied via strncpy but not
on the last page of that section). Since only 2 guard pages
explicitly null-terminated could leak information) or other
are used, the countermeasure has a maximum overhead of
vulnerabilities like format string vulnerabilities, which al-
8190 bytes. The guard pages themselves will only take up
low attackers to print out memory locations. Such memory
virtual memory, since they are not accessed, no physical
leaking vulnerabilities could allow attackers to bypass this
memory is consumed.
type of countermeasure.
801
programs, use of these languages may not always be practi- Proceedings of the 10th ACM Conference on Computer
cal for existing applications. and Communications Security (CCS2003), pages 281–289,
Washington, District of Columbia, U.S.A., Oct. 2003. ACM.
[4] S. Bhatkar, D. C. DuVarney, and R. Sekar. Address obfus-
5.1.4 Execution monitors cation: An efficient approach to combat a broad range of
In this section we describe two countermeasures that mon- memory error exploits. In Proceedings of the 12th USENIX
Security Symposium, pages 105–120, Washington, District
itor the execution of a program and prevent transferring
of Columbia, U.S.A., Aug. 2003. USENIX Association.
control-flow which could be unsafe.
[5] S. Bhatkar and R. Sekar. Data space randomization. In Pro-
Program shepherding [21] is a technique that monitors ceedings of the 5th Conference on Detection of Intrusions
the execution of a program and will disallow control-flow and Malware & Vulnerability Assessment, volume 5137 of
transfers4 that are not considered safe. An example of a Lecture Notes in Computer Science, Paris, France, July
use for shepherding is to enforce return instructions to only 2008. Springer.
return to the instruction after the call site. The proposed [6] S. Bhatkar, R. Sekar, and D. C. DuVarney. Efficient tech-
implementation of this countermeasure is done using a run- niques for comprehensive protection from memory error ex-
time binary interpreter. As a result, the performance impact ploits. In 14th USENIX Security Symposium, Baltimore,
of this countermeasure is significant for some programs, but MD, August 2005. USENIX Association.
acceptable for others. [7] J. Condit, M. Harren, S. McPeak, G. C. Necula, and
Control-flow integrity [1] determines a program’s con- W. Weimer. CCured in the real world. In Proceedings
of the ACM SIGPLAN 2003 Conference on Programming
trol flow graph beforehand and ensures that the program
Language Design and Implementation, pages 232–244, San
adheres to it. It does this by assigning a unique ID to each Diego, California, U.S.A., 2003. ACM.
possible control flow destination of a control flow transfer. [8] C. Cowan, S. Beattie, J. Johansen, and P. Wagle. Point-
Before transferring control flow to such a destination, the Guard: protecting pointers from buffer overflow vulnera-
ID of the destination is compared to the expected ID, and bilities. In Proceedings of the 12th USENIX Security Sym-
if they are equal, the program proceeds as normal. This ap- posium, pages 91–104, Washington, District of Columbia,
proach, while strong and in the same efficiency range as our U.S.A., Aug. 2003. USENIX Association.
approach, does not protect against non-control data attacks. [9] C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke,
S. Beattie, A. Grier, P. Wagle, and Q. Zhang. Stack-
Guard: Automatic adaptive detection and prevention of
6 Conclusion buffer-overflow attacks. In Proceedings of the 7th USENIX
Security Symposium, pages 63–78, San Antonio, Texas,
Many countermeasures exist to protect against attacks on U.S.A., Jan. 1998. USENIX Association.
stack-based buffer overflows, however only very few exist [10] D. Dhurjati, S. Kowshik, V. Adve, and C. Lattner. Memory
that will effectively protect against attacks on global and safety without runtime checks or garbage collection. In Pro-
static variables with a low performance overhead. In this ceedings of the 2003 ACM SIGPLAN Conference on Lan-
guage, Compiler, and Tool Support for Embedded Systems,
paper we suggested an approach which would better pro-
pages 69–80, San Diego, California, U.S.A., June 2003.
tect this region of memory from attack while only having ACM.
negligible performance and memory overhead. [11] U. Drepper. Security enhancements in redhat enterprise
linux (beside selinux). http://people.redhat.
References com/drepper/nonselsec.pdf, Dec. 2005.
[12] U. Erlingsson. Low-level software security: Attacks and
defenses. Technical Report MSR-TR-2007-153, Microsoft
[1] M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. Control-
Research, Nov. 2007.
flow integrity. In Proceedings of the 12th ACM Conference
[13] H. Etoh and K. Yoda. Protecting from stack-smashing at-
on Computer and Communications Security, pages 340–
tacks. Technical report, IBM Research Divison, Tokyo Re-
353, Alexandria, Virginia, U.S.A., Nov. 2005. ACM.
search Laboratory, June 2000.
[2] T. M. Austin, S. E. Breach, and G. S. Sohi. Efficient de-
[14] D. Grossman, G. Morrisett, T. Jim, M. Hicks, Y. Wang, and
tection of all pointer and array access errors. In Proceed-
J. Cheney. Region-based memory management in cyclone.
ings of the ACM SIGPLAN ’94 Conference on Programming
In Proceedings of the 2002 ACM SIGPLAN Conference on
Language Design and Implementation, pages 290–301, Or-
Programming Language Design and Implementation, pages
lando, Florida, U.S.A., June 1994. ACM.
282–293, Berlin, Germany, June 2002.
[3] E. G. Barrantes, D. H. Ackley, S. Forrest, T. S. Palmer,
[15] Intel Corporation. IA-32 Intel Architecture Software Devel-
D. Stefanović, and D. D. Zovi. Randomized instruction
oper’s Manual Volume 1: Basic Architecture, 2001. Order
set emulation to disrupt binary code injection attacks. In
Nr 245470.
4 Such a control flow transfer occurs when e.g., a call or ret instruction [16] T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney, and
is executed. Y. Wang. Cyclone: A safe dialect of C. In USENIX Annual
802
Technical Conference, pages 275–288, Monterey, Califor- [31] W. Robertson, C. Kruegel, D. Mutz, and F. Valeur. Run-
nia, U.S.A., June 2002. USENIX Association. time detection of heap-based overflows. In Proceedings
[17] R. W. M. Jones and P. H. J. Kelly. Backwards-compatible of the 17th Large Installation Systems Administrators Con-
bounds checking for arrays and pointers in C programs. In ference, pages 51–60, San Diego, California, U.S.A., Oct.
Proceedings of the 3rd International Workshop on Auto- 2003. USENIX Association.
matic Debugging, number 009-02 in Linköping Electronic [32] O. Ruwase and M. S. Lam. A practical dynamic buffer over-
Articles in Computer and Information Science, pages 13–26, flow detector. In Proceedings of the 11th Annual Network
Linköping, Sweden, 1997. Linköping University Electronic and Distributed System Security Symposium, San Diego,
Press. California, U.S.A., Feb. 2004. Internet Society.
[18] JTC 1/SC 22/WG 14. ISO/IEC 9899:1999: Programming [33] Solar Designer. JPEG COM marker processing vulnerability
languages – C. Technical report, International Organization in netscape browsers. http://www.openwall.com/
for Standards, 1999. advisories/OW-002-netscape-jpeg.txt, July
[19] G. S. Kc, A. D. Keromytis, and V. Prevelakis. Counter- 2000.
ing code-injection attacks with instruction-set randomiza- [34] J. L. Steffen. Adding run-time checking to the portable C
tion. In Proceedings of the 10th ACM Conference on Com- compiler. Software: Practice and Experience, 22(4):305–
puter and Communications Security (CCS2003), pages 272– 316, Apr. 1992. ISSN: 0038-0644.
280, Washington, District of Columbia, U.S.A., Oct. 2003. [35] The PaX Team. Documentation for the PaX project. http:
ACM. //pageexec.virtualave.net/docs/.
[20] S. C. Kendall. Bcc: Runtime checking for C programs. [36] J. Xu, Z. Kalbarczyk, and R. K. Iyer. Transparent run-
In Proceedings of the USENIX Summer 1983 Conference, time randomization for security. In 22nd International Sym-
pages 5–16, Toronto, Ontario, Canada, July 1983. USENIX posium on Reliable Distributed Systems (SRDS’03), pages
Association. 260–269, Florence, Italy, Oct. 2003. IEEE Computer Soci-
[21] V. Kiriansky, D. Bruening, and S. Amarasinghe. Secure ety, IEEE Press.
execution via program shepherding. In Proceedings of the [37] W. Xu, D. C. DuVarney, and R. Sekar. An Efficient and
11th USENIX Security Symposium, San Francisco, Califor- Backwards-Compatible Transformation to Ensure Memory
nia, U.S.A., Aug. 2002. USENIX Association. Safety of C Programs. In Proceedings of the 12th ACM
[22] S. Kowshik, D. Dhurjati, and V. Adve. Ensuring code safety SIGSOFT International Symposium on Foundations of Soft-
without runtime checks for real-time control systems. In ware Engineering, pages 117–126, Newport Beach, Califor-
Proceedings of the International Conference on Compilers nia, U.S.A., October-November 2004. ACM, ACM Press.
Architecture and Synthesis for Embedded Systems, pages [38] Y. Younan. Efficient Countermeasures for Software Vulner-
288–297, Grenoble, France, Oct. 2002. abilities due to Memory Management Errors. PhD thesis,
[23] A. Krennmair. ContraPolice: a libc extension for protecting Katholieke Universiteit Leuven, 2008.
applications from heap-smashing attacks. http://www. [39] Y. Younan, W. Joosen, and F. Piessens. Code injection in
synflood.at/contrapolice/, Nov. 2003. C and C++ : A survey of vulnerabilities and countermea-
[24] J. R. Larus, T. Ball, M. Das, R. DeLine, M. Fähndrich, sures. Technical Report CW386, Departement Computer-
J. Pincus, S. K. Rajamani, and R. Venkatapathy. Righting wetenschappen, Katholieke Universiteit Leuven, July 2004.
software. IEEE Software, 21(3):92–100, May/June 2004. [40] Y. Younan, W. Joosen, and F. Piessens. A methodology for
[25] K.-S. Lhee and S. J. Chapin. Type-assisted dynamic buffer designing countermeasures against current and future code
overflow detection. In Proceedings of the 11th USENIX Se- injection attacks. In Proceedings of the Third IEEE Interna-
curity Symposium, pages 81–90, San Francisco, California, tional Information Assurance Workshop 2005 (IWIA2005),
U.S.A., Aug. 2002. USENIX Association. College Park, Maryland, U.S.A., Mar. 2005. IEEE, IEEE
[26] G. Necula, S. McPeak, and W. Weimer. CCured: Type-safe Press.
retrofitting of legacy code. In Conference Record of POPL [41] Y. Younan, W. Joosen, and F. Piessens. Efficient protec-
2002: The 29th SIGPLAN-SIGACT Symposium on Princi- tion against heap-based buffer overflows without resorting
ples of Programming Languages, pages 128–139, Portland, to magic. In Proceedings of the International Conference
Oregon, U.S.A., Jan. 2002. ACM. on Information and Communication Security (ICICS 2006),
[27] Y. Oiwa, T. Sekiguchi, E. Sumii, and A. Yonezawa. Fail-safe Raleigh, North Carolina, U.S.A., Dec. 2006.
ANSI-C compiler: An approach to making C programs se- [42] Y. Younan, D. Pozza, F. Piessens, and W. Joosen. Ex-
cure: Progress report. In Proceedings of International Sym- tended protection against stack smashing attacks without
posium on Software Security 2002, pages 133–153, Tokyo, performance loss. In Proceedings of the Twenty-Second An-
Japan, Nov. 2002. nual Computer Security Applications Conference, Miami,
[28] H. Patil and C. N. Fischer. Low-Cost, Concurrent Checking Florida, U.S.A., Dec. 2006. IEEE Press.
of Pointer and Array Accesses in C Programs. Software:
Practice and Experience, 27(1):87–110, January 1997.
[29] B. Perens. Electric fence 2.0.5. http://perens.com/
FreeSoftware/.
[30] J. M. B. Rivas. Overwriting the .dtors section. Posted on the
Bugtraq mailinglist http://www.securityfocus.
com/archive/1/150396, Dec. 2000.
803