Exploring Buffer Overflow Vulnerabilities


BUFFER OVERFLOW VULNERABILITIES
CPSC 620 Presentation
12/3/2009
Prudhviraj Karumanchi
Vijay Venugopalan
Vijaya Raghavan
CONTENTS
- Motivation
- Basic structure of process memory
- Buffer Overflow
- Canary Method
- Static Analysis
  - ARCHER
  - BOON
  - SPLINT
  - Polyspace C Verifier
  - UNO
- Conclusion
MOTIVATION
- Buffer overflows account for about 50% of the vulnerabilities reported by CERT.
- According to National Vulnerability Database (NVD) CVE statistics, 563 buffer overruns were recorded in 2008, and 431 buffer overruns out of 4,634 vulnerabilities were recorded in 2009 up to September.
- Educate "future" software programmers.
BUFFER?
Buffer: a temporary space in memory used to hold data.
Buffer overflow: happens when more data is written into the buffer than the buffer can hold. The excess data spills over and overwrites adjacent memory locations.
SAMPLE BUFFER OVERFLOW FUNCTION
#include <stdio.h>

void GetInput(void)
{
    char buffer[8];
    gets(buffer);   /* reads until newline, with no idea how big buffer is */
    puts(buffer);
}

gets() is a dangerous function! It has no bound on how much it writes, so any line longer than 7 characters (plus the terminating NUL) overflows buffer.
VIRTUAL ADDRESS SPACE
A LOOK AT THE STACK
[Figure: stack frame diagram; the slide labels the "Local Variables" region]
OVERWRITING THE "RETURN ADDRESS"
#include <stdio.h>

/* Never called by the program itself. If it runs, the return address
 * saved in GetInput()'s frame has been replaced with its address. */
void notToExecute(void)
{
    printf("This is not to be run\n");
}

void GetInput(void)
{
    char buffer[8];
    gets(buffer);   /* deliberately unbounded: a long line runs past buffer[] into the saved return address */
    puts(buffer);
}

int main(void)
{
    GetInput();     /* the return address saved for this call is what an over-long line overwrites */
    return 0;
}
CANARY METHOD TO DETECT BUFFER OVERFLOWS
- Stack canaries are used to detect a stack buffer overflow before execution of malicious code can occur.
- This method works by placing a small integer, the value of which is randomly chosen at program start, in memory just before the saved return address. The function epilogue compares the canary with the saved value before returning; if it has changed, the program aborts instead of returning.
- Most buffer overflows overwrite memory from lower to higher memory addresses, so in order to overwrite the return address (and thus take control of the process) the canary value must also be overwritten.
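As an added example, not from the slides: the return address overwrite from the GetInput()/notToExecute program above and the canary check from this slide, carried through in runnable C. The stack frame is modelled as a struct rather than taken from the real stack, so the result does not depend on the compiler's layout, ASLR or the platform's stack protector; the names frame, unsafe_gets, build_payload, simulate_return and fresh_canary are this example's own, and the canary is drawn from rand() in place of the OS randomness a real runtime uses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <stdint.h>

/* What the modelled "ret" instruction ended up doing. */
enum outcome { RETURNED_NORMALLY = 0, CANARY_TRIPPED = 1, HIJACKED = 2 };

static int not_to_execute_ran = 0;

void notToExecute(void)
{
    not_to_execute_ran = 1;
    puts("This is not to be run");
}

static void legitimateReturn(void) { }   /* where main() would resume after GetInput() */

typedef void (*retaddr_t)(void);

/* GetInput()'s frame, low to high addresses: the 8-byte buffer, then the
 * canary slot, then the saved return address. A real frame is laid out by
 * the compiler; making it a struct keeps the over-long copy inside one
 * object, so the demonstration is well-defined C rather than luck. */
struct frame {
    char      buffer[8];
    uintptr_t canary;
    retaddr_t ret;
};

/* Canary "chosen at program start" (assumption: rand() stands in for OS
 * randomness). The low byte is cleared, as glibc does, so a str*()-style
 * copy that stops at a NUL can never reproduce it. */
static uintptr_t fresh_canary(void)
{
    uintptr_t c = ((uintptr_t)rand() << 16) ^ (uintptr_t)rand();
    return c & ~(uintptr_t)0xff;
}

/* Behaves like gets(): copies len bytes starting at buffer[0] with no idea
 * how big buffer is. We stop at the end of the modelled frame; the real
 * gets() would keep going. */
static void unsafe_gets(struct frame *f, const unsigned char *line, size_t len)
{
    unsigned char *dst = (unsigned char *)f;   /* f->buffer sits at offset 0 */
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(dst, line, len);
}

/* Attacker's line: filler up to the saved return address, then the address
 * of the function the victim should "return" into. Returns the payload size. */
size_t build_payload(unsigned char *out, size_t cap, retaddr_t target)
{
    size_t ret_off = offsetof(struct frame, ret);
    if (cap < ret_off + sizeof target)
        return 0;
    memset(out, 'A', ret_off);                  /* fills buffer[] and the canary slot */
    memcpy(out + ret_off, &target, sizeof target);
    return ret_off + sizeof target;
}

/* Runs the vulnerable GetInput() on one input line and reports what the
 * return did. With use_canary set, the epilogue compares the slot against
 * the value saved at entry before returning, as -fstack-protector does. */
int simulate_return(const unsigned char *line, size_t len, int use_canary)
{
    struct frame f;
    uintptr_t saved = use_canary ? fresh_canary() : 0;
    memset(f.buffer, 0, sizeof f.buffer);
    f.canary = saved;
    f.ret = legitimateReturn;

    unsafe_gets(&f, line, len);

    if (use_canary && f.canary != saved)
        return CANARY_TRIPPED;                  /* __stack_chk_fail(): abort, never return */

    not_to_execute_ran = 0;
    f.ret();                                    /* the return: jump to whatever the slot holds */
    return not_to_execute_ran ? HIJACKED : RETURNED_NORMALLY;
}

int main(void)
{
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload, notToExecute);
    printf("no canary:           outcome %d\n", simulate_return(payload, n, 0));
    printf("canary:              outcome %d\n", simulate_return(payload, n, 1));
    printf("short input, canary: outcome %d\n",
           simulate_return((const unsigned char *)"hello", 5, 1));
    return 0;
}
```

Without the canary the last bytes of the payload land in the return slot and notToExecute runs; with it, the filler that had to cross the canary slot changes the canary and the epilogue aborts before the return is taken. The check only guards the return path: a write that stops short of the canary, or that clobbers other local variables lying between the buffer and the canary, is not detected.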
STATIC ANALYSIS TOOLS
Tool                   Analysis
ARCHER                 Symbolic, interprocedural, flow-sensitive analysis
BOON                   Integer ranges; interprocedural, flow-insensitive analysis of string functions
Polyspace C Verifier   Abstract interpretation; interprocedural, flow-sensitive
SPLINT                 Lightweight static analysis; intraprocedural
UNO                    Model checking; interprocedural, flow-sensitive
DETECTION AND FALSE ALARM RATES
System       Detection   False Alarm
PolySpace    0.87        0.50
SPLINT       0.57        0.43
BOON         0.05        0.05
ARCHER       0.01        0.00
UNO          0.00        0.00
CONCLUSION
- No software can be 100% bug free.
- Buffer overflows can be reduced by enforcing better programming practices from the very early stages of software engineering. Some of these are:
  - Use of wrappers
  - Training software programmers in good programming practices
  - Use of length-bounded mem*()/strn*() functions instead of unbounded str*() functions
  - calloc() instead of malloc()
  - Proper free()ing of memory, etc.
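An added example (not from the slides) of the practices listed above applied to the GetInput() function from earlier: a wrapper that replaces gets() with a bounded read, a mem*()-based bounded copy in place of strcpy(), and a calloc()'d buffer that is freed on every path. The names read_line, copy_bounded and GetInputSafe are chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum read_status { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = 2 };

/* Wrapper that replaces gets(): reads at most cap-1 characters into dst,
 * always NUL-terminates, strips the newline, and drains the rest of an
 * over-long line so the leftover cannot be mistaken for the next input.
 * Reports truncation instead of silently writing past the buffer. */
int read_line(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || dst == NULL)
        return LINE_EOF;
    if (fgets(dst, (int)cap, in) == NULL) {
        dst[0] = '\0';
        return LINE_EOF;
    }
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return LINE_OK;
    }
    /* No newline: either the line ended at EOF or the buffer filled first. */
    int c, dropped = 0;
    while ((c = getc(in)) != EOF && c != '\n')
        dropped = 1;
    return dropped ? LINE_TRUNCATED : LINE_OK;
}

/* Bounded replacement for strcpy(): never writes more than cap bytes and
 * always leaves dst NUL-terminated. Returns 0 if src fit, -1 if it was cut. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    if (cap == 0)
        return -1;
    size_t len = strlen(src);
    if (len >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);     /* includes the terminator */
    return 0;
}

/* The slide's GetInput() with the same 8-byte buffer, made safe: the buffer
 * comes from calloc() (zeroed, so it is a valid empty string even if nothing
 * is read), the read is bounded, and the buffer is freed on every path. */
int GetInputSafe(FILE *in)
{
    char *buffer = calloc(8, sizeof *buffer);
    if (buffer == NULL)
        return LINE_EOF;
    int st = read_line(buffer, 8, in);
    if (st == LINE_TRUNCATED)
        fprintf(stderr, "warning: input longer than 7 characters was cut\n");
    puts(buffer);
    free(buffer);
    return st;
}

int main(void)
{
    return GetInputSafe(stdin) == LINE_EOF ? 1 : 0;
}
```

Draining the remainder of an over-long line matters as much as the bound itself: if the excess is left in the stream, the next read silently consumes it as if it were fresh input, which is how a truncating fix turns into a logic bug.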