LibSafe

Summary

LibSafe is a shared library developed by Lucent Technologies that can detect and prevent buffer overflow attacks in C programs without requiring much effort to install.

It is a collection of safe versions of commonly exploited C functions. For example, strcpy() is a standard C function that is vulnerable to buffer overflow attacks if the user has any control over its parameters. When libsafe is installed properly, programs are linked to libsafe's version of strcpy() instead of the standard C strcpy(), thus protecting that program against attacks that exploit strcpy().

URL: http://www.bell-labs.com/org/11356/libsafe.html

Buffer overflow or "stack smashing" attacks work by changing the return address that is associated with the current stack frame. When the currently running function returns, the program continues executing wherever the return address points, typically at code the attacker has placed inside the buffer that was attacked. For example, suppose a function reads input from the user and stores it into a 1024 byte buffer and the return address is at offset 2048 relative to the buffer's starting address. An attacker could then give the program 2048 bytes of code followed by an address that points to the beginning of that code. A well written program will ensure that no more than 1024 bytes are copied into the buffer despite the length of the input. However, not all programs are well written. Many will just copy the input into the buffer. A "safe assumption" about how large the buffer should be is the program's only defense. Of course, a safe assumption based on normal input is far different than a safe assumption based on malicious input. The C programming language has no built-in bounds checking so if our poorly-written program calls strcpy(buffer, input), it will copy 2052 bytes beginning at the first byte of the buffer, overwriting other local variables as well as the return address of the function. When the function returns, execution jumps to the address the attacker supplied (the buffer's address) and the system begins executing their code. If the code launches a shell, the attacker now has the access level of the owner of the original program.

The Intel architecture has what is called a frame pointer which points to the beginning of the current stack frame. That is, it points to a position in the stack between the return address of the last function and the local variables of the current function. Libsafe works by making an important assumption: No correct C program explicitly changes the frame pointer. What follows is that the frame pointer is a safe upper bound on the memory allocated to all of the local variables on the stack. Libsafe terminates and logs any program that attempts to copy data that would cross the frame pointer, thus protecting the return address of the current function and preventing an attack.

The downside is that it is a loose upper bound. In the example above, an attacker could give the program up to 2048 bytes of input, overwriting the local variables between the end of the buffer and the start of the stack frame, without libsafe intervening. An attack that causes the program to make illegal state transitions by manipulating the local variables (as opposed to an attack that makes the system execute code that was not originally part of the program) is still possible. Fortunately that kind of attack represents the minority of buffer overflow attacks because it requires more knowledge of the code and does not give the attacker as much of a prize when it is successful.

Notes

LibSafe is works on any recent Linux OS running on Intel x86 architecture (and clones). It is probably portable to other UNIX-like platforms on the x86 arch.

Pros:

• no source code required
• works transparently with existing binaries
• little overhead
• deployable system-wide as easily as for an individual
• in C programs, a buffer overrun or "stack smashing" attack is a fairly easy attack which yields the largest prize (root access). Libsafe can protect programs from most of this kind of attack.
• limits the scope of possible damage to the current stack frame (local variables on the stack)

Cons

• it provides safe versions of the most commonly exploited C functions, but not all of the exploitable functions; meaning that some buffer overruns could still get through by exploiting functions libsafe does not provide. Future versions of libsafe will probably protect more functions.
• the failsafe state, terminating the program, may be what the attacker was trying to do in the first place. If this were the case, the only advantage libsafe provides is a log of the event.
• the attacker could still change locally defined variables, still allowing a way for the attack to alter execution flow. This kind of attack requires more thorough knowledge of the code being exploited.

Rating: Highly recommended. Effectively prevents most buffer overrun attacks. Stay informed of future versions.

Classification

• Static or dynamic: dynamic
• Modified library or instrumenting: modified library
• Testing or production env: production
• Opaque or clear or cloudy view of the system: cloudy
• List-based or heuristic: list-based
• Convervative or liberal: moderate
• Concurrent or stand-alone: stand-alone
• Alert or advice: alert

Evaluated by Patrick LeBlanc on 7-14-00