Check out the new USENIX Web site. next up previous
Next: Related work Up: Type-Assisted Dynamic Buffer Overflow Previous: Abstract

Introduction

Programs written in C are inherently vulnerable to buffer overflow attacks. C allows primitive pointer manipulation, which is usually necessary for array operation because C has no first-class array type. For example, functions are passed the pointers as array parameters. To ensure that buffers are not overflowed, it is the programmers' responsibility to explicitly bounds check the buffers. In practice, bounds checking is often neglected or cannot be done since arrays are often passed without any hint of their sizes. Many copy functions in the C library such as strcpy(dest, src) are vulnerable this way, making them a popular point of attack.

Various types of buffer overflow attacks have been discovered. The simplest and the most popular among them is the stack smashing attack [1]. The stack smashing attack overflows a buffer to overwrite the return address of a function, so that the return address points to the attack code that is injected into the stack by the attacker, rather than the legitimate call point. The control flow is directed to the attack code when the function returns. The stack smashing attack exploits the stack configuration and the function call mechanism. There are other types of buffer overflow attacks that exploit data structures in the heap as well as in the stack. A survey on various types of attacks is found in [7].

There are several run time solutions that are highly effective without much run time overhead. However, most of them rely on the signatures of known attacks (or the loosely estimated range of the referenced buffers) rather than the detection of actual occurrence of buffer overflow, since sizes of buffers are unknown at run time. As a result, buffers can still be overflowed and they are vulnerable to attacks that do not show such signatures. Moreover, they are mostly built to defend against the stack smashing attack and focus only on its signatures. Buffer overflow techniques that can bypass those run time solutions are found in [4,15,5,11,21,16,18], and are discussed in Section 3.

Our goal is to increase the level of security in computing systems by devising a run time solution that is less dependent on attack signatures. We propose a solution that range checks the buffers at run time. Our solution is a small extension to the GNU C compiler that augments executable files with type information of automatic buffers (local variables and parameters of functions) and static buffers (global variables in data / bss section) in order to detect the actual occurrence of buffer overflow. It also maintains the sizes of allocated heap buffers. Currently we use it to perform range checking within the vulnerable copy functions in the C library.


next up previous
Next: Related work Up: Type-Assisted Dynamic Buffer Overflow Previous: Abstract