Re: A buffer overflow study - generic protections

From: Crispin Cowan (crispin@wirex.com)
Date: 04/03/02


Date: Tue, 02 Apr 2002 14:02:15 -0800
From: Crispin Cowan <crispin@wirex.com>
To: bugtraq@securityfocus.com

Vincent wrote:

>As computer science students, a friend and I have just ended a study
on buffer
>overflows and the existing protections a Linux system may use against
them.
>
>This study deals with the various kinds of overflows (heap, stack) to
>understand how they work and how they may be used to execute malicious
code;
>then it focuses on a few Linux solutions (Grsecurity features,
Libsafe...),
>and explains how they behave, which kinds of exploits they prevent
>respectively...
>
Readers may also be interested in a similar paper that we published in
2000. It appeared at the DARPA DISCEX conference
<http://schafercorp-ballston.com/discex/> , and again as an invited talk
at the SANS 2000 conference <http://www.sans.org/sans2000/sans2000.htm>
. You can read the paper here <http://immunix.org/StackGuard/discex00.pdf>

The similarities are substantial: we also categorized the attack space
(kinds of buffer overflows), surveyed the defenses, and considered
optimal combinations of defenses to get good coverage at reasonable
cost. Differences:

     * Our survey was much broader. We covered:
           * Non-executable buffers (i.e. Solar Designer's non-executable
             stack patch, and a similar feature in Solaris)
           * Array bunds checking (Compaq's ccc compiler, and the bounds
             checking GCC built by Jones & Kelly and maintained by Herman
             ten Brugge, Purify, and type safe languages such as Java)
           * Code pointer integrity checking (StackGuard, and the
             hand-coded stack introspection that Snarskii built into
             FreeBSD's libc)
     * We did not cover:
           * libsafe: it did not exist at the time
           * grsecurity: it is just a derivative of Solar Designer's work
           * PAX: it did not exist at the time
           * Prelude: I don't understand how a general purpose host
             intrusion detection system bears on a survey of buffer
overflows
           * Stack Shield: it is just a weak immitation of StackGuard,
             with no advantages, and substantial disadvantages
     * We came to a somewhat similar conclusion: that a combination of
       tools was the ideal defense. However, our preferred combo was
       StackGuard + Solar Designer's non-executable stack patch, which is
       what we actually ship in Immunix.
           * StackGuard offers the best resistance to "stack smashing"
             attacks
           * Non-executable stack segments offer substantial resistance
             to code injection (payload)
           * The two techniques are transparently compatible, and the
             combined performance overhead is nearly zero
     * As above, we did not consider PAX, but we would still not recomend
       it for most applications: the 10% macrobenchmark performance hit
       is pretty high.
     * We are mystified why Vincent et al recomend Stack Shield instead
       of StackGuard: Stack Shield offers no advantages (it is not more
       secure and it is not faster) and is much more problematic to deploy.
     * Libsafe vs. StackGuard or Stack Shield is a true decision: Libsafe
       is incompatible with compiler techniques that munge the call stack
       (and incompatible with -fno-frame-pointer) so you have to choose
       one or the other

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html



Relevant Pages

  • Re: A buffer overflow study - generic protections
    ... a friend and I have just ended a study on buffer ... >overflows and the existing protections a Linux system may use against them. ... * We are mystified why Vincent et al recomend Stack Shield instead ...
    (Vuln-Dev)
  • Re: A buffer overflow study - generic protections
    ... a friend and I have just ended a study on buffer ... >overflows and the existing protections a Linux system may use against them. ... * We are mystified why Vincent et al recomend Stack Shield instead ...
    (Focus-Linux)
  • [NEWS] Multiple ValiCert Security Problems
    ... * Enterprise VA Host Server for processing validation requests VA API ... Multiple buffer overflows exist in the CGI script, forms.exe, which is ... Analysis of the code and stack contents reveals that the unchecked buffer ...
    (Securiteam)
  • Re: lisp introspection/reflection question
    ... I wish there wouldn't be optional APIs in a language standard. ... This really has nothing to do with 'buffer overflows'. ... You stay away from undefined behaviors. ...
    (comp.lang.lisp)
  • [REVS] Exploring Adjacent Memory Against strncpy
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The exploitation of adjacent memory overflows is one of these ... You must know how basic buffer overflows occur. ... Using GDB to Exploit the Vulnerability: ...
    (Securiteam)