Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

Transcription

1 Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka September 24, Introduction to the topic and the reason for the topic being interesting In this paper security flaws pertaining to buffer overflows and the ways by which such security flaws can be overcome have been discussed. Buffer Overflows become particularly important with regards to network security, as here an attacker sitting at a distant location acquires control of the system by inserting and executing malicious program. The attacker achieves this by inserting erroneous code in the same memory space as that of the program. This topic is interesting as buffer overflows are the most common method of attacking a system, also they belong to one of the important class of security threats. 2 Questions that the paper asks and how are those questions interesting The paper explores buffer overflow attacks. The question is interesting as buffer overflow attacks belong to one of the most predominant form of security attacks. 3 How does it answer the questions The author answers the question by first classifying the various buffer overflow attacks. The classification is based on the ability of the attacker to place the code in the same memory space as that of the attacked program and in turn 1

2 make the program execution jump to that code. The classification is mentioned below: 1. By putting in the attack code in the programs memory space, this space may be the program s heap, stack or static data area. 2. The code which the intruder wants to insert is already there in the victim s program. The intruder may exploit this by passing parameters to the code. The malicious code may be executed by overflowing a vulnerable buffer. The execution of this erroneous code may be achieved by: 1. Changing the return address of functions and making it point to the malicious code. This type of buffer overflow attack has been referenced as stack smashing attack in the paper. 2. Changing the function pointers to point to the malicious code. For example, in void (*func)(int i,int j), func is a pointer to a function. So the value at the address of func is changed by the attacker to point to his code. 3. The value at the longjump(buffer) in a C program is changed to point to the attackers code. In order to overcome Buffer Overflow attacks the following strategies may be used: 1. Trying to avoid buffer overflows during the coding phase. One of the methods to do so, is to avoid using unsafe functions like strcpy and sprintf in ones code. These functions are vulnerable because they don t specify in their arguments the number of characters on which they are going to operate on. Safer alternatives to these functions are snprintf and strncpy. 2. If there are any executable instructions inside the memory area allocated to the stack. Those instructions should not be executed by the CPU. Leaving out some cases of Linux where the executable code must be placed on the stack, the other cases comply to this measure. 3. Constantly keep track of the legitimate range of the array. When this measure is incorporated properly, then it precludes the probability of buffer overflow attacks. The ways by which it is implemented are mentioned below: (a) Compaq C compiler for the Aplha CPU, does provide array bound checking but it has the following disadvantages: i. The compiler does not check the range of the array when it is accessed explicitly via pointers. For example, array[2] is verified by the compiler, whereas *(array+2) is not. ii. Vulnerable functions like sprintf() remain vulnerable even with array checking enabled. (b) Jones and Kelly array bound checker for C: In this a base pointer is derived and full bound checking is performed based on the value of this base pointer. However, the drawback of this approach is being its substantial run time overhead and its inability to execute complex functions. (c) Purify for checking array bounds: In order to accomplish its aim Purify uses the method of object code insertion. But the disadvantage with Purify being its slow execution time. 2

3 (d) Buffer Overflow vulnerabilities can also be avoided by employing type safe languages while coding. 4. A check on the value of the code pointer may be employed, in order to verify that the code pointer has not been corrupted by an attacker. In case the code pointer has been found to be corrupted, that code pointer is not used. The disadvantage of this approach being the fact that it does not completely eliminate the buffer overflow problem. The below mentioned tools are used in order to implement the above mentioned concepts: (a) Hand-coded Stack Introspection: The effectively prevents the attacker from exploiting vulnerabilities within the libc library. But apart from this, the tool is ineffective. (b) StackGuard: StackGuard verifies pointers pertaining to return addresses of functions. This method according to this paper places a canary, a unique and random word adjacent to the return address of the function. If this unique word is unchanged, this means that the return address of the function is intact. StackGuard works effectively against the stack smashing attack. The attacker is prevented from replacing the original canary with a fake canary by the following means: i. Placing any symbol which is used for termination in the programming language. As the copying function stops as soon as it comes across a terminator string, this protects the canary from being replaced by the attacker. This terminator also called Terminator Canary. ii. A random number generator may be employed to place a random number in the memory space of the canary, this random number acts as the canary. This canary is known as the Random Canary. When StackGuard was subject to performance tests, it was found to be highly effective preventing stack smashing attacks. One such test was the done on Apache web server, and the performance of the server with and without the stack guard was found to be somewhat identical. (c) PointGuard: Since many of the vulnerabilities caused by stack smashing attacks have been patched, so the attackers have moved towards non-trivial forms of attacks. Therefore, PointGuard was proposed to be built. PointGuard places canaries next to function pointers as well as longjmp buffers. The pointers are accessed only if the canaries are remain unmodified. The two disadvantages of placing a canary next to the code pointers are: i. The canary word consumes some space, which has to be allocated along with the variable which is to be protected. This becomes troublesome with some programs which do not allocate extra space for the canary. ii. Checking the canary time and again imposes a run time execution overhead. Though the PointGuard was yet to be implemented by the authors. It was stated that the combination of StackGuard and PointGuard would provide to be the ultimate tool against all buffer overflow vulnerabilities. 3

4 5. The advantages of code pointer integrity checking are enlisted below: (a) As in a typical C program, code pointers are referenced less frequently than accessing arrays. Thus code pointer referencing techniques work faster than keeping track of array bounds. (b) The implementation effort required to keep array sizes within bounds is greater than the effort required to keep track of the values of canaries, as C language represents arrays both as array indices and also as pointers, so to keep bound on the array requires a lot of effort. (c) Code integrity checking is compatible with the existing softwares. 6. Though StackGuard and the policy of not placing executable code in the stack does provide safeguard against many of the vulnerabilities like protecting Activation Record in the Resident, Stack Buffer, Heap Buffer and Static Buffer area of the memory. While protection in the remaining memory areas may be provided by PointGuard. 4 Methodology used to investigate the paper The methodology used to investigate the paper is an analytical one. 5 What I learned from the paper I learned from the paper the manner in which an attacker may exploit a buffer overflow vulnerability. And also the mechanisms by which protection may be provided against the exploitation of such a vulnerability. 6 How the paper relates to previous work The author relates to the previous work done by Snarskii in the paper FreeBSD Stack Integrity Patch. Snarskii discusses the Hand-coded Stack Introspection tool in this paper, though the tool effectively prevents the attacker from exploiting the vulnerabilities within the libc library, yet it is inefficient to protect any other code. While StackGuard and PointGuard discussed in the paper Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Cowan, et al. can effectively protect against most of the vulnerabilities. 7 Strengths of the paper The strength of the paper is, that the paper has been written in a simple and easy to understand way. 8 Weaknesses of the paper Did not find any weakness. 9 Results The existing techniques such as StackGuard can provide protection against Buffer Overflow attacks to a certain degree. But still there are loopholes which an attacker may exploit, in order to protect against such loopholes the author 4

5 proposes the technique of PointGuard as a generalized approach for verifying the value of code pointers. 5