DOI: 10.1145/940071.940113

Protecting C programs from attacks via invalid pointer dereferences

Published: 01 September 2003

ABSTRACT

Writes via unchecked pointer dereferences rank high among vulnerabilities most often exploited by malicious code. The most common attacks use an unchecked string copy to cause a buffer overrun, thereby overwriting the return address in the function's activation record. Then, when the function "returns", control is actually transferred to the attacker's code. Other attacks may overwrite function pointers, setjmp buffers, system-call arguments, or simply corrupt data to cause a denial of service.

A number of techniques have been proposed to address such attacks. Some are limited to protecting the return address only; others are more general, but have undesirable properties such as having a high runtime overhead, requiring manual changes to the source code, or forcing programmers to give up control of data representations and memory management.

This paper describes the design and implementation of a security tool for C programs that addresses all these issues: it has a low runtime overhead, does not require source code modification by the programmer, does not report false positives, and provides protection against a wide range of attacks via bad pointer dereferences, including but not limited to buffer overruns and attempts to access previously freed memory. The tool uses static analysis to identify potentially dangerous pointer dereferences, and memory locations that are legitimate targets of these pointers. Dynamic checks are then inserted; if at runtime the target of an unsafe dereference is not in the legitimate set, a potential security violation is reported, and the program is halted.
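To make the runtime half of the approach concrete, here is a small C model written for this page (it is not the paper's implementation): a hypothetical static analysis is assumed to have flagged the destination pointer of a string copy as unsafe and to have registered the objects that are its legitimate targets; each write through that pointer is then checked against the set, so an overrun of an 8-byte buffer and a write through a pointer into freed memory both fail. The names `add_target`, `remove_target`, `target_ok` and `copy_flagged`, and the address-range table used to represent the legitimate set, are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed model of the abstract's runtime check, not the paper's code. Assumption:
 * static analysis flagged `dst` in copy_flagged() as unsafe; add_target() records its targets. */
typedef struct { uintptr_t lo, hi; } range_t;      /* half-open [lo, hi) */
static range_t legit[8];
static size_t n_legit;
/* Record an object the analysis found to be a legitimate target. */
static void add_target(const void *obj, size_t size) {
    if (n_legit < 8) legit[n_legit++] = (range_t){ (uintptr_t)obj, (uintptr_t)obj + size };
}
/* Empty an object's range (e.g. from an instrumented free()) so stale pointers fail. */
static void remove_target(const void *obj) {
    for (size_t i = 0; i < n_legit; i++)
        if (legit[i].lo == (uintptr_t)obj) legit[i].hi = legit[i].lo;
}
/* The inserted dynamic check: does the `size`-byte write at `p` fall entirely inside
 * one legitimate target? 1 = allowed, 0 = potential security violation. */
static int target_ok(const void *p, size_t size) {
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < n_legit; i++)
        if (a >= legit[i].lo && a <= legit[i].hi && size <= legit[i].hi - a) return 1;
    return 0;
}
/* The flagged unchecked string copy with the check inserted before every store.
 * Returns bytes written; stops at the first illegitimate write, where the real tool
 * would report the violation and halt the program. */
static size_t copy_flagged(char *dst, const char *src) {
    for (size_t i = 0;; i++) {
        if (!target_ok(dst + i, 1)) return i;           /* violation detected */
        dst[i] = src[i];
        if (src[i] == '\0') return i + 1;
    }
}
/* Overrun: 8-byte stack buffer, longer source; the 9th store (offset 8) is caught. */
static size_t demo_overrun(void) {
    char buf[8];
    n_legit = 0; add_target(buf, sizeof buf);
    return copy_flagged(buf, "this string is longer than 8");   /* 8 */
}
/* Freed memory: the write is accepted before the block leaves the set, rejected after. */
static int demo_freed(void) {
    char *h = malloc(16);
    if (!h) return 0;
    n_legit = 0; add_target(h, 16);
    int before = target_ok(h, 1);
    remove_target(h); int after = target_ok(h, 1);     /* instrumented free() */
    free(h);
    return before && !after;                           /* 1 */
}
```

The stopping point of `copy_flagged` is exactly where the tool described above would report a potential security violation and halt; here the function returns instead so the outcome can be inspected.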


Published in

ESEC/FSE-11: Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
September 2003, 394 pages
ISBN: 1581137435
DOI: 10.1145/940071

ACM SIGSOFT Software Engineering Notes, Volume 28, Issue 5
September 2003, 382 pages
ISSN: 0163-5948
DOI: 10.1145/949952

            Copyright © 2003 ACM

            Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

            Publisher

            Association for Computing Machinery

            New York, NY, United States


Acceptance Rates

ESEC/FSE-11 paper acceptance rate: 33 of 168 submissions (20%). Overall acceptance rate: 112 of 543 submissions (21%).
