Re: A buffer overflow study - generic protections

From: Crispin Cowan (crispin@wirex.com)
Date: 03/28/02


Date: Thu, 28 Mar 2002 13:45:33 -0800
From: Crispin Cowan <crispin@wirex.com>
To: glaume@enseirb.fr

Vincent wrote:

>As computer science students, a friend and I have just ended a study on buffer
>overflows and the existing protections a Linux system may use against them.
>
>This study deals with the various kinds of overflows (heap, stack) to
>understand how they work and how they may be used to execute malicious code;
>then it focuses on a few Linux solutions (Grsecurity features, Libsafe...),
>and explains how they behave, which kinds of exploits they prevent
>respectively...
>
Readers may also be interested in a similar paper that we published in
2000. It appeared at the DARPA DISCEX conference
<http://schafercorp-ballston.com/discex/> , and again as an invited talk
at the SANS 2000 conference <http://www.sans.org/sans2000/sans2000.htm>
. You can read the paper here <http://immunix.org/StackGuard/discex00.pdf>

The similarities are substantial: we also categorized the attack space
(kinds of buffer overflows), surveyed the defenses, and considered
optimal combinations of defenses to get good coverage at reasonable
cost. Differences:

    * Our survey was much broader. We covered:
          * Non-executable buffers (i.e. Solar Designer's non-executable
            stack patch, and a similar feature in Solaris)
          * Array bunds checking (Compaq's ccc compiler, and the bounds
            checking GCC built by Jones & Kelly and maintained by Herman
            ten Brugge, Purify, and type safe languages such as Java)
          * Code pointer integrity checking (StackGuard, and the
            hand-coded stack introspection that Snarskii built into
            FreeBSD's libc)
    * We did not cover:
          * libsafe: it did not exist at the time
          * grsecurity: it is just a derivative of Solar Designer's work
          * PAX: it did not exist at the time
          * Prelude: I don't understand how a general purpose host
            intrusion detection system bears on a survey of buffer overflows
          * Stack Shield: it is just a weak immitation of StackGuard,
            with no advantages, and substantial disadvantages
    * We came to a somewhat similar conclusion: that a combination of
      tools was the ideal defense. However, our preferred combo was
      StackGuard + Solar Designer's non-executable stack patch, which is
      what we actually ship in Immunix.
          * StackGuard offers the best resistance to "stack smashing"
            attacks
          * Non-executable stack segments offer substantial resistance
            to code injection (payload)
          * The two techniques are transparently compatible, and the
            combined performance overhead is nearly zero
    * As above, we did not consider PAX, but we would still not recomend
      it for most applications: the 10% macrobenchmark performance hit
      is pretty high.
    * We are mystified why Vincent et al recomend Stack Shield instead
      of StackGuard: Stack Shield offers no advantages (it is not more
      secure and it is not faster) and is much more problematic to deploy.
    * Libsafe vs. StackGuard or Stack Shield is a true decision: Libsafe
      is incompatible with compiler techniques that munge the call stack
      (and incompatible with -fno-frame-pointer) so you have to choose
      one or the other

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html



Relevant Pages

  • Re: A buffer overflow study - generic protections
    ... a friend and I have just ended a study on buffer ... >overflows and the existing protections a Linux system may use against them. ... * We are mystified why Vincent et al recomend Stack Shield instead ...
    (Focus-Linux)
  • Re: A buffer overflow study - generic protections
    ... >overflows and the existing protections a Linux system may use against ... (kinds of buffer overflows), surveyed the defenses, and considered ... optimal combinations of defenses to get good coverage at reasonable ...
    (Bugtraq)
  • [NEWS] Multiple ValiCert Security Problems
    ... * Enterprise VA Host Server for processing validation requests VA API ... Multiple buffer overflows exist in the CGI script, forms.exe, which is ... Analysis of the code and stack contents reveals that the unchecked buffer ...
    (Securiteam)
  • Re: lisp introspection/reflection question
    ... I wish there wouldn't be optional APIs in a language standard. ... This really has nothing to do with 'buffer overflows'. ... You stay away from undefined behaviors. ...
    (comp.lang.lisp)
  • [REVS] Exploring Adjacent Memory Against strncpy
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The exploitation of adjacent memory overflows is one of these ... You must know how basic buffer overflows occur. ... Using GDB to Exploit the Vulnerability: ...
    (Securiteam)