Page 1: A Binary Rewriting Defense Against Buffer Overflow Attacks

A Binary Rewriting Defense Against Buffer Overflow Attacks

From USENIX 2003

Paper by Prasad & Chiueh

Presentation by Bryan Pass

Page 2

Outline

• Background
– Buffer overflow methods
• Open Research Problems
• Previous/Related Work
• Binary Rewriting
– Newness
– Significance
– Technique
• Limitations
• Results
– Disassembly accuracy
– Performance overhead
– Executable size overhead

Page 3

Two Methods of Overflow

• Classic return address hacks
– Overflow a stack buffer and overwrite the saved return address
– When the function returns, execution jumps to code the attacker placed inside the buffer
• Overwriting other pointers
– Overflow a buffer to corrupt a pointer that a later (and by itself safe) copy operation writes through
– This gives the attacker a write to any location in the process, so code or data can be planted anywhere
– Usually used to overwrite an entry in the Global Offset Table (GOT) of an ELF binary; on Windows the Import Address Table (IAT) plays the same role
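As an added example (not from the paper or this presentation), the C program below plays out the second method on a constructed stack frame: the only thing the unbounded copy overwrites is a pointer, and the later store through that pointer, which is itself in bounds, lands on a chosen entry of fake_got, a constructed stand-in for the GOT or IAT. The frame layout, the table and the payload are all assumptions made for this illustration. It also shows why a return-address-only defense such as the one in this talk cannot see it: no return address is touched.

```c
/* Added example (not from the paper): the pointer-overwrite method on a
 * constructed stack frame. fake_got stands in for the GOT/IAT. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a GOT/IAT: addresses that indirect calls go through. */
static uintptr_t fake_got[4] = { 0x1000, 0x2000, 0x3000, 0x4000 };

/* A frame as a compiler might lay it out: a fixed buffer followed by a
 * pointer that a later, correctly bounded store writes through. */
struct frame {
    char       buf[8];
    uintptr_t *dest;
};

/* The vulnerable function body:
 *  1. a copy that is unbounded with respect to buf spills into dest;
 *  2. a single, in-bounds store through dest then hits whatever dest now names.
 * The copy is capped at sizeof f only so this simulation stays inside the
 * frame object; the bug is that len may exceed sizeof f.buf. */
static void victim(const unsigned char *input, size_t len, uintptr_t value) {
    struct frame f;
    uintptr_t scratch = 0;
    f.dest = &scratch;                    /* legitimate destination */
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);               /* overruns buf into f.dest */
    *f.dest = value;                      /* the "safe" store, now attacker-directed */
}

/* Attack: filler up to the pointer field, then the bytes of &fake_got[2], so
 * the overrun replaces dest. Returns 1 if the GOT entry was redirected.
 * No return address is involved, so a return-address-only defense is blind to it. */
static int hijack_got_entry(void) {
    unsigned char payload[sizeof(struct frame)];
    uintptr_t *target = &fake_got[2];
    uintptr_t saved = fake_got[2];
    int hit;
    memset(payload, 'A', sizeof payload);
    memcpy(payload + offsetof(struct frame, dest), &target, sizeof target);
    victim(payload, sizeof payload, 0xdeadbeef);
    hit = fake_got[2] == 0xdeadbeef;
    fake_got[2] = saved;                  /* undo, so the table is clean for other callers */
    return hit;
}

/* A benign call with a short input: dest is untouched and fake_got unchanged. */
static int benign_call(void) {
    static const unsigned char input[4] = "abc";
    victim(input, sizeof input, 7);
    return fake_got[2] == 0x3000;
}

int main(void) {
    printf("benign input leaves GOT intact: %d\n", benign_call());
    printf("overflow redirected GOT entry:  %d\n", hijack_got_entry());
    return 0;
}
```

The payload is built with offsetof so it works whatever padding the compiler inserts between buf and dest; on a real target the attacker would have to learn that offset from the binary.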

Page 4

Yes, it is a problem.

Page 5

Open Research Problems

• Overflow-safe compiler extensions
– Why aren't these more widespread and widely used?
• Education
– How many of you were taught how to avoid buffer overflows?
• Overflow protection in hardware
– Separate stack for return addresses
– Interference with benign code?
• Fixing legacy code
– Binary rewriting

Page 6

Previous/Related Work

• "Canary" words (a value placed between the local buffers and the saved return address and checked before the function returns)
• Languages and tools that let compilers identify potential overflows, for example the LCLint annotations of Larochelle and Evans (see References) on strcpy:

char *strcpy (char *s1, const char *s2)
    /*@requires maxSet(s1) >= maxRead(s2)@*/
    /*@ensures maxRead(s1) == maxRead(s2) /\ result == s1@*/;

Page 7

A New Approach: Binary Rewriting

• Rewrite the machine code of compiled programs so that an overwritten return address can no longer divert control
• Works on compiled executables rather than on their source code
• Because source code is not required, it can protect legacy applications and utilities, and binaries supplied by outside programmers

Page 8

Basic Method

• Disassemble the program and locate its functions
• Modify each function prologue to copy the return address into a separate area of memory created by the binary rewriter, the "return address stack" (RAS)
• Modify each epilogue to consult the RAS, so that the function returns to the proper address even if the copy on the program stack has been overwritten
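To make the prologue and epilogue rewriting concrete, here is an added example, written for this page and not taken from the paper, that simulates the scheme on a toy stack machine in C. The machine, the two code addresses (ADDR_CALLER_RESUME, ADDR_ATTACKER) and the overflowing payload are all constructed, and returning to the RAS copy on a mismatch is this example's assumption about how "use the RAS" is realised. The run against the original binary lands on the attacker's address; the run against the rewritten binary returns to the caller and flags the mismatch.

```c
/* Added example (not the paper's rewriter): a toy stack machine in C that
 * simulates the return address stack (RAS) scheme. The addresses, the
 * payload and the "stack" memory are all constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_WORDS 16
#define RAS_DEPTH    8

/* Constructed code addresses for the toy program. */
#define ADDR_CALLER_RESUME 0x00401000u   /* where the caller expects control back */
#define ADDR_ATTACKER      0xdeadbeefu   /* start of injected code in the buffer  */

typedef struct {
    uint32_t stack[STACK_WORDS];  /* program stack; grows toward lower indices like x86 */
    int      sp;                  /* index of the top word */
    uint32_t ras[RAS_DEPTH];      /* the rewriter's separate return address stack */
    int      ras_top;
    int      ras_enabled;         /* 0 = original binary, 1 = rewritten binary */
} machine;

typedef struct { uint32_t target; int detected; } outcome;

static void m_init(machine *m, int ras_enabled) {
    memset(m, 0, sizeof *m);
    m->sp = STACK_WORDS;
    m->ras_enabled = ras_enabled;
}

/* CALL: push the return address onto the program stack. */
static void do_call(machine *m, uint32_t ret) { m->stack[--m->sp] = ret; }

/* Rewritten prologue: copy the return address CALL just pushed into the
 * RAS, then allocate the callee's local buffer below it. */
static void prologue(machine *m, int bufwords) {
    if (m->ras_enabled)
        m->ras[m->ras_top++] = m->stack[m->sp];
    m->sp -= bufwords;
}

/* The vulnerable copy: writes n words upward from the buffer base with no
 * bound check, so an oversized input runs into the saved return address. */
static void unsafe_copy(machine *m, const uint32_t *src, int n) {
    for (int i = 0; i < n; i++)
        m->stack[m->sp + i] = src[i];
}

/* Rewritten epilogue + RET: free the buffer, pop the return address from the
 * program stack and compare it with the RAS copy. On a mismatch this example
 * returns to the RAS copy (an assumption about how "use the RAS" is realised). */
static outcome epilogue_ret(machine *m, int bufwords) {
    outcome o = { 0, 0 };
    m->sp += bufwords;
    o.target = m->stack[m->sp++];
    if (m->ras_enabled) {
        uint32_t good = m->ras[--m->ras_top];
        if (good != o.target) { o.detected = 1; o.target = good; }
    }
    return o;
}

/* One run: the caller CALLs a function with a 4-word buffer, the callee
 * copies n words of input into it, then returns. */
static outcome run(int ras_enabled, const uint32_t *input, int n) {
    machine m;
    m_init(&m, ras_enabled);
    do_call(&m, ADDR_CALLER_RESUME);
    prologue(&m, 4);
    unsafe_copy(&m, input, n);
    return epilogue_ret(&m, 4);
}

/* Constructed inputs: the payload's fifth word lands on the saved return address. */
static const uint32_t PAYLOAD[5] = { 0x41414141u, 0x41414141u, 0x41414141u, 0x41414141u, ADDR_ATTACKER };
static const uint32_t BENIGN[4]  = { 1, 2, 3, 4 };

static outcome attack_unprotected(void) { return run(0, PAYLOAD, 5); }
static outcome attack_protected(void)   { return run(1, PAYLOAD, 5); }
static outcome benign_protected(void)   { return run(1, BENIGN, 4); }

int main(void) {
    outcome a = attack_unprotected(), b = attack_protected(), c = benign_protected();
    printf("original binary:         returns to 0x%08x\n", (unsigned)a.target);
    printf("rewritten binary:        returns to 0x%08x, mismatch detected=%d\n", (unsigned)b.target, b.detected);
    printf("rewritten, benign input: returns to 0x%08x, mismatch detected=%d\n", (unsigned)c.target, c.detected);
    return 0;
}
```

The real rewriter does the push and the compare in patched machine code rather than in C, and has to keep the RAS in step with anything that unwinds the stack without a matching RET; the simulation leaves that out.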

Page 9

Architecture

Page 10

Issues with Disassembly

• As it turns out, finding functions in a disassembly is no simple task
• Data in code regions
– Variable instruction size on x86: a decode that starts on a data byte stays misaligned for the instructions that follow
• Position-independent code
• Indirect branches
• Functions without explicit CALLs
• Hand-written assembly
– Cross-function jumps

Page 11

Disassembly Methods

• Recursive traversal
– Does not do well with complex code, especially GUIs: code reached only through indirect branches or function pointers is never visited
• Linear sweep
– Hard to identify code segments
– A misidentified segment can cause a "chain reaction" that breaks most of the disassembly that follows
• Combined approach with "compiler-independent heuristics"
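The failure modes on this slide and the previous one (data in code regions, variable instruction size, functions without explicit CALLs) can be reproduced on a toy instruction set. The C program below is an added example, not the paper's disassembler; its instruction set and the twelve-byte image are constructed for illustration. Linear sweep decodes a data byte as a 5-byte PUSH and so mis-aligns the instruction after it (the chain reaction), while recursive traversal never reaches the second function because nothing CALLs it.

```c
/* Added example (not the paper's disassembler): linear sweep versus
 * recursive traversal on a constructed byte image for a toy
 * variable-length instruction set. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy ISA (constructed, not x86): the opcode byte fixes the length. */
enum { OP_NOP = 0x01, OP_MOV = 0x02, OP_JMP = 0x03, OP_CALL = 0x04, OP_RET = 0x05, OP_PUSH = 0x06 };

static int insn_len(uint8_t op) {
    switch (op) {
    case OP_NOP: case OP_RET:               return 1;  /* no operand     */
    case OP_MOV: case OP_JMP: case OP_CALL: return 2;  /* 8-bit operand  */
    case OP_PUSH:                           return 5;  /* 32-bit operand */
    default:                                return 0;  /* not an opcode  */
    }
}

/* Constructed image. Offsets 2..5 are data the compiler left in the code
 * section; its first byte, 0x06, happens to look like a PUSH opcode. */
static const uint8_t IMAGE[] = {
    0x03, 0x04,              /*  0: JMP +4 -> 6, hopping over the data           */
    0x06, 0x41, 0x42, 0x43,  /*  2: data, not code                               */
    0x02, 0x01,              /*  6: MOV (the real jump target)                   */
    0x05,                    /*  8: RET                                          */
    0x02, 0x01,              /*  9: MOV, second function: reached only through   */
    0x05,                    /* 11: RET  a function pointer, so no CALL names it */
};
#define IMAGE_LEN ((int)sizeof IMAGE)

typedef struct { int found, false_pos, false_neg; } result;

/* Ground truth: the real instruction starts are 0, 6, 8, 9 and 11. */
static void true_starts(uint8_t *starts) {
    memset(starts, 0, IMAGE_LEN);
    starts[0] = starts[6] = starts[8] = starts[9] = starts[11] = 1;
}

/* Linear sweep: decode every byte in order, marking starts[]. */
static int linear_sweep(const uint8_t *img, int len, uint8_t *starts) {
    int n = 0, off = 0;
    memset(starts, 0, len);
    while (off < len) {
        int l = insn_len(img[off]);
        if (l == 0 || off + l > len) { off++; continue; }  /* unknown byte: step past it */
        starts[off] = 1; n++;
        off += l;  /* a wrong length here shifts every later decode: the chain reaction */
    }
    return n;
}

/* Recursive traversal: decode only along control flow from entry, following
 * direct JMP/CALL targets and stopping at RET or already-seen bytes. */
static int recursive_traversal(const uint8_t *img, int len, int entry, uint8_t *starts) {
    int work[64], wn = 0, n = 0;
    memset(starts, 0, len);
    work[wn++] = entry;
    while (wn > 0) {
        int off = work[--wn];
        while (off >= 0 && off < len && !starts[off]) {
            int l = insn_len(img[off]);
            if (l == 0 || off + l > len) break;  /* decoded into data: abandon this path */
            starts[off] = 1; n++;
            int next = off + l;
            if (img[off] == OP_RET) break;
            if (img[off] == OP_JMP) { off = next + (int8_t)img[off + 1]; continue; }
            if (img[off] == OP_CALL && wn < 64) work[wn++] = next + (int8_t)img[off + 1];
            off = next;
        }
    }
    return n;
}

/* Score a disassembly against the ground truth. */
static result score(const uint8_t *found, int n) {
    uint8_t truth[IMAGE_LEN];
    result r = { n, 0, 0 };
    true_starts(truth);
    for (int i = 0; i < IMAGE_LEN; i++) {
        if (found[i] && !truth[i]) r.false_pos++;
        if (!found[i] && truth[i]) r.false_neg++;
    }
    return r;
}

static result eval_linear_sweep(void) {
    uint8_t found[IMAGE_LEN];
    int n = linear_sweep(IMAGE, IMAGE_LEN, found);
    return score(found, n);
}

static result eval_recursive_traversal(void) {
    uint8_t found[IMAGE_LEN];
    int n = recursive_traversal(IMAGE, IMAGE_LEN, 0, found);
    return score(found, n);
}

int main(void) {
    result a = eval_linear_sweep(), b = eval_recursive_traversal();
    printf("linear sweep:        %d starts, %d bogus, %d missed\n", a.found, a.false_pos, a.false_neg);
    printf("recursive traversal: %d starts, %d bogus, %d missed\n", b.found, b.false_pos, b.false_neg);
    return 0;
}
```

Linear sweep reports bogus starts at offsets 2 and 7 and misses the real one at 6; recursive traversal reports nothing bogus but never sees offsets 9 and 11. A rewriter that instruments function boundaries pays for both kinds of error, which is why the paper layers heuristics on top of the two methods.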

Page 12

System Limitations

• Intel only
• PE/Windows only
• Only protects return addresses
• False negatives in function detection
• False positives, e.g. a cross-function jump into an instrumented epilogue:

Fn1:            // no 'interesting' prologue
        jne label
        ret     // no 'interesting' epilogue
Fn2:            // 'interesting' prologue
label:
        ret     // 'interesting' epilogue

Control that enters Fn2's epilogue from Fn1's jne reaches a RAS pop with no matching RAS push, so the check fires on benign code.
• Hand-written assembly
• Self-modifying code
• Small epilogues (int 3)

Page 13

Disassembly Accuracy

Page 14

Disassembly Accuracy

Page 15

Run-Time Overhead

Page 16

Executable Size Overhead

Page 17

References

• Manish Prasad and Tzi-cker Chiueh. A Binary Rewriting Defense against Stack-based Buffer Overflow Attacks. Proceedings of the General Track: 2003 USENIX Annual Technical Conference, June 9-14, 2003. http://www.usenix.org/publications/library/proceedings/usenix03/tech/prasad.html

• David Larochelle and David Evans. Statically Detecting Buffer Overflow Vulnerabilities. Proceedings of the 10th USENIX Security Symposium, 2001. http://lclint.cs.virginia.edu/usenix01.pdf

• David Wagner, Jeffrey S. Foster, Eric A. Brewer, and Alexander Aiken. A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities. Proceedings of the Network and Distributed System Security Symposium (NDSS), 2000. http://www.cs.berkeley.edu/~daw/papers/overruns-ndss00.pdf
