Preventing Buffer Overflow

Attacks
 Some unsafe C lib functions
strcpy (char *dest, const char *src)
strcat (char *dest, const char *src)
gets (char *s)
scanf ( const char *format, … )
printf (conts char *format, … )
 Preventing buf overflow attacks
• Main problem:
– strcpy(), strcat(), sprintf() have no range checking.
– Use “safe” versions strncpy(), strncat() very
carefully
• Defenses:
– Type safe languages (Java, ML). Legacy code?
– Mark stack as non-execute.
– Static source code analysis.
– Run time checking: StackGuard, Libsafe, SafeC, (Purify).
– Black box testing (e.g. eEye Retina, ISIC ).
 Marking stack as non-execute
• Basic stack exploit can be prevented by marking
stack segment as non-executable
– Code patches exist for Linux and Solaris.

• Problems:
– Some apps need executable stack (e.g. LISP interpreters).

– Does not block more general overflow exploits:

• Overflow on heap: overflow buffer next to func pointer.
• Cannot make all the data segment non-executable
• More recent UNIX and MS windows emit dynamic code into
program data for performance optimizations
 Static source code analysis
• Statically check source to detect buffer overflows.
– Several consulting companies.

• Several tools exist to automate the review process:

– Stanford: Engler, et al. Test trust inconsistency.
– @stake.com (l0pht.com): SLINT (designed for UNIX)

– Berkeley: Wagner, et al. Test constraint violations.

• Find lots of bugs, but not all.

 Run time checking: StackGuard
• Many many run-time checking techniques …

• Solution: StackGuard (WireX)

– Run time tests for stack integrity.
– Enhance the code generator for emitting code to
set up and tear down functions
– Embeds “canaries” in stack frames and verify their
integrity prior to function return.

Frame 2 Frame 1
top
local canary sfp ret str local canary sfp ret str of
stack
 Canary Types
• Random canary: (used in Visual Studio 2003)

– Choose random string at program startup.

– Insert canary string into every stack frame.
– Verify canary before returning from function.
– To corrupt random canary, attacker must learn current
random string.

• Terminator canary:
Canary = 0 (null), newline, linefeed, EOF
– String functions will not copy beyond terminator.
– Hence, attacker cannot use string functions to corrupt
stack.
 StackGuard (Cont.)

• StackGuard implemented as a GCC patch.

– Program must be recompiled.
• Minimal performance effects
– Worst case: 8% for Apache.
Timing attacks
 Timing attacks
• Timing attacks extract secret information
based on the time a device takes to respond.

• Applicable to:
– Smartcards.
– Cell phones.
– PCI cards.
 Timing attacks: example
• Consider the following pwd checking code:
int password-check( char *inp, char *pwd)
if (strlen(inp) != strlen(pwd)) return 0;
for( i=0; i < strlen(pwd); ++i)
if ( *inp[i] != *pwd[i] )
return 0;
return 1;
• A simple timing attack will expose the password one
character at a time.
Backup Slides
 Preventing buf overflow attacks
• Main problem:
– strcpy(), strcat(), sprintf() have no range checking.
– “Safe” versions strncpy(), strncat() are misleading
• strncpy() may leave buffer unterminated.
• strncpy(), strncat() encourage off by 1 bugs.

• Defenses:
– Type safe languages (Java, ML). Legacy code?
– Mark stack as non-execute. Random stack location.
– Static source code analysis.
– Run time checking: StackGuard, Libsafe, SafeC, (Purify).
– Black box testing (e.g. eEye Retina, ISIC ).
 Buffer overflows
• Extremely common bug.
– First major exploit: 1988 Internet Worm. fingerd.

• 10 years later: over 50% of all CERT advisories:

– 1997: 16 out of 28 CERT advisories.
– 1998: 9 out of 13 -”-
– 1999: 6 out of 12 -”-

• Often leads to total compromise of host.

– Fortunately: exploit requires expertise and patience
– Two steps:
• Locate buffer overflow within an application.
• Design an exploit.
 Exploiting buffer overflows
• Suppose web server calls func() with given URL.
• Attacker can create a 200 byte URL to obtain shell on
web server.
• Some complications:
– Program P should not contain the ‘\0’ character.
– Overflow should not crash program before func() exists.
• Sample remote buffer overflows of this type:
– Overflow in MIME type field in MS Outlook.

– Overflow in Symantec Virus Detection (Free ActiveX)

Set test = CreateObject("Symantec.SymVAFileQuery.1")

test.GetPrivateProfileString "file", [long string]
Causing program to exec attack code
• Stack smashing attack:
– Override return address in stack activation record by
overflowing a local buffer variable.

• Function pointers: (used in attack on Linux superprobe)

Heap
buf[128] FuncPtr or
stack
– Overflowing buf will override function pointer.

• Longjmp buffers: longjmp(pos) (used in attack on Perl 5.003)

– Overflowing buf next to pos overrides value of pos .

 StackGuard (Cont.)
• StackGuard implemented as a GCC patch.
– Program must be recompiled.
• Minimal performance effects: 8% for Apache.

• Newer version: PointGuard.

– Protects function pointers and setjmp buffers by placing
canaries next to them.
– More noticeable performance effects.

• Note: Canaries don’t offer fullproof protection.

– Some stack smashing attacks can leave canaries untouched.
 Run time checking: Libsafe
• Solutions 2: Libsafe (Avaya Labs)
– Dynamically loaded library.
– Intercepts calls to strcpy (dest, src)
• Validates sufficient space in current stack frame:
|frame-pointer – dest| > strlen(src)
• If so, does strcpy.
Otherwise, terminates application.
top
sfp ret-addr dest src buf sfp ret-addr of
stack

libsafe main
 More methods …
• Address obfuscation. (Stony Brook ’03)

– Encrypt return address on stack by XORing with

random string. Decrypt just before returning
from function.
– Attacker needs decryption key to set return
address to desired value.

• PaX ASLR: Randomize location of libc.

– Attacker cannot jump directly to exec function.
Format string bugs
 Format string problem
int func(char *user) {
fprintf( stdout, user);
}

Problem: what if user = “%s%s%s%s%s%s%s” ??

– Most likely program will crash: DoS.
– If not, program will print memory contents. Privacy?
– Full exploit using user = “%n”

Correct form:
int func(char *user) {
fprintf( stdout, “%s”, user);
}
 History
• Danger discovered in June 2000.
• Examples:
– wu-ftpd 2.* : remote root.
– Linux rpc.statd: remote root
– IRIX telnetd: remote root
– BSD chpass: local root
 Vulnerable functions
Any function using a format string.

Printing:
printf, fprintf, sprintf, …
vprintf, vfprintf, vsprintf, …

Logging:
syslog, err, warn
 Exploit
• Dumping arbitrary memory:
– Walk up stack until desired pointer is found.

– printf( “%08x.%08x.%08x.%08x|%s|”)

• Writing to arbitrary memory:

– printf( “hello %n”, &temp) -- writes ‘6’ into temp.

– printf( “%08x.%08x.%08x.%08x.%n”)
 Overflow using format string
char errmsg[512], outbuf[512];

sprintf (errmsg, “Illegal command: %400s”,

user);

sprintf( outbuf, errmsg );

• What if user = “%500d <nops> <shellcode>”

– Bypass “%400s” limitation.
– Will ovreflow outbuf.