C and C++ Vulnerabilities
C and C++ Vulnerabilities
C and C++ Vulnerabilities
Introduction
C/C++ programs: some vulnerabilities exist which could allow code injection attacks Code injection attacks allow an attacker to execute foreign code with the privileges of the vulnerable program Major problem for programs written in C/C++ Focus will be on:
Illustration of code injection attacks Countermeasures for these attacks
March, 2012
2 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities Countermeasures Conclusion
March, 2012
3 / 149
March, 2012
4 / 149
For efficiency reasons, C/C++ compilers dont detect these bugs at run-time:
C standard states behavior of such programs is undefined
March, 2012
5 / 149
March, 2012
6 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities
Code injection attacks Buffer overflows Format string vulnerabilities Integer errors
Countermeasures Conclusion
March, 2012
7 / 149
Use the vulnerability to modify the location so that the program will execute the injected code
March, 2012
8 / 149
March, 2012
9 / 149
March, 2012
10 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities
Code injection attacks Buffer overflows
Stack-based buffer overflows Indirect Pointer Overwriting Heap-based buffer overflows and double free Overflows in other segments
Countermeasures
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 11 / 149
Of the remaining 122 vulnerabilities, 116 are marked as having medium severity
March, 2012
13 / 149
March, 2012
14 / 149
March, 2012
16 / 149
Shellcode
Small program in machine code representation Injected into the address space of the process int main() {
! ! ! ! ! ! ! ! ! ! ! printf("You win\n"); ! ! exit(0) ! ! } static char shellcode[] = ! ! "\x6a\x09\x83\x04\x24\x01\x68\x77" ! ! "\x69\x6e\x21\x68\x79\x6f\x75\x20" ! ! "\x31\xdb\xb3\x01\x89\xe1\x31\xd2" ! ! "\xb2\x09\x31\xc0\xb0\x04\xcd\x80" ! ! "\x32\xdb\xb0\x01\xcd\x80";
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 17 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities
Code injection attacks Buffer overflows
Stack-based buffer overflows Indirect Pointer Overwriting Heap-based buffer overflows and double free Overflows in other segments
Countermeasures
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 18 / 149
If an attacker can overflow a local variable he can find interesting locations nearby
March, 2012
19 / 149
March, 2012
21 / 149
March, 2012
22 / 149
IP
March, 2012
23 / 149
IP
March, 2012
24 / 149
IP
March, 2012
25 / 149
Login to any user account without knowing the password Called a non-control data attack
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 26 / 149
IP
March, 2012
27 / 149
March, 2012
28 / 149
SP
March, 2012
29 / 149
SP
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures
March, 2012
30 / 149
IP
SP
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures
Injected code
March, 2012
31 / 149
March, 2012
32 / 149
March, 2012
33 / 149
IP
March, 2012
35 / 149
IP
March, 2012
37 / 149
IP
March, 2012
38 / 149
March, 2012
39 / 149
IP
FP
0xbffffce4
Injected code
40
March, 2012
/ 149
March, 2012
42 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities
Code injection attacks Buffer overflows
Stack-based buffer overflows Indirect Pointer Overwriting Heap-based buffer overflows and double free Overflows in other segments
March, 2012
44 / 149
SP f1: ptrbuffer[] = &data; overflow() buffer[] ... overflow(); *ptr = value; ... data
March, 2012
45 / 149
SP
March, 2012
46 / 149
IP
SP
March, 2012
47 / 149
IP
SP
March, 2012
48 / 149
SP f1: ptrbuffer[] = &data; ptr overflow() = &data; buffer[] ... overflow(); *ptr = value; ... data
IP
Injected code
March, 2012
49 / 149
IP
SP
March, 2012
51 / 149
IP
SP
March, 2012
53 / 149
IP
SP
March, 2012
54 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities
Code injection attacks Buffer overflows
Stack-based buffer overflows Indirect Pointer Overwriting Heap-based buffer overflows and double free Overflows in other segments
March, 2012
56 / 149
March, 2012
57 / 149
Size of prev. chunk Size of chunk1 Forward pointer Backward pointer Old user data
March, 2012
58 / 149
This is:
P->fd->bk = P->bk P->bk->fd = P->fd
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 59 / 149
March, 2012
60 / 149
March, 2012
61 / 149
March, 2012
62 / 149
March, 2012
63 / 149
Size of chunk1 Size of chunk2 Forward pointer Backward pointer Old user data
March, 2012
64 / 149
call f1 ...
March, 2012
65 / 149
After unlink
call f1 ...
March, 2012
66 / 149
March, 2012
67 / 149
Double free
Chunk2 Size of prev. chunk Size of chunk2 Forward pointer Backward pointer Old user data Chunk3 Size of prev. chunk Size of chunk3 Forward pointer Backward pointer Old user data
March, 2012
68 / 149
Double free
Chunk2 Size of prev. chunk Size of chunk2 Forward pointer Backward pointer Old user data Chunk3 Size of prev. chunk Size of chunk3 Forward pointer Backward pointer Old user data
March, 2012
69 / 149
Double free
Chunk2 Size of prev. chunk Size of chunk2 Forward pointer Backward pointer Old user data Chunk2 Size of prev. chunk Size of chunk2 Forward pointer Backward pointer Old user data Chunk3 Size of prev. chunk Size of chunk3 Forward pointer Backward pointer Old user data
March, 2012
70 / 149
Double free
Chunk2 Size of prev. chunk Size of chunk2 Forward pointer Backward pointer Old user data Chunk3 Size of prev. chunk Size of chunk3 Forward pointer Backward pointer Old user data
March, 2012
71 / 149
Double free
Unlink: chunk stays linked because it points to itself
Chunk2 Size of prev. chunk Size of chunk2 Forward pointer Backward pointer Old user data
March, 2012
72 / 149
Double free
If unlinked to reallocate: attackers can now write to the user data part
Chunk2 Size of prev. chunk Size of chunk2 Forward pointer Backward pointer Old user data
March, 2012
73 / 149
Double free
It is still linked in the list too, so it can be unlinked again
Chunk2 Size of prev. chunk Size of chunk2 Forward pointer Backward pointer Injected code Return address
call f1 ...
March, 2012
74 / 149
Double free
After second unlink
Chunk2 Size of prev. chunk Size of chunk2 Forward pointer Backward pointer Injected code
call f1 ...
March, 2012
75 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities
Code injection attacks Buffer overflows
Stack-based buffer overflows Indirect Pointer Overwriting Heap-based buffer overflows and double free Overflows in other segments
March, 2012
77 / 149
Heap
March, 2012
78 / 149
March, 2012
79 / 149
March, 2012
80 / 149
March, 2012
81 / 149
March, 2012
82 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities
Code injection attacks Buffer overflows Format string vulnerabilities Integer errors
Countermeasures Conclusion
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 83 / 149
Variable number of arguments Expects arguments on the stack Problem when attack controls the format string:
printf(input); should be printf(%s, input);
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 84 / 149
Other stack frames Return address f0 Saved frame pointer f0 Local variable f0 string Arguments printf: format string Return address printf Saved frame ptr printf
FP SP
March, 2012
85 / 149
Other stack frames Return address f0 Saved frame pointer f0 Local variable f0 string Arguments printf: format string Return address printf Saved frame ptr printf
FP SP
March, 2012
86 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities
Code injection attacks Buffer overflows Format string vulnerabilities Integer errors
Integer overflows Integer signedness errors
Countermeasures Conclusion
Yves Younan Monday, February 13, 2012
March, 2012
88 / 149
Integer overflows
For an unsigned 32-bit integer, 2^32-1 is the largest value it can contain Adding 1 to this, will wrap around to 0. Can cause buffer overflows
int main(int argc, char **argv){ unsigned int a; char *buf; a = atol(argv[1]); buf = (char*) malloc(a+1); }
malloc(0) - result is implementation defined: either NULL is returned or malloc will allocate the smallest possible chunk: in Linux: 8 bytes
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 89 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities
Code injection attacks Buffer overflows Format string vulnerabilities Integer errors
Integer overflows Integer signedness errors
Countermeasures Conclusion
Yves Younan Monday, February 13, 2012
March, 2012
90 / 149
For a negative a:
In the condition, a is smaller than 100 Strncpy expects an unsigned integer: a is now a large positive number
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 91 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities Countermeasures
Safe languages Probabilistic countermeasures Separation and replication countermeasures Paging-based countermeasures Bounds checkers Verification countermeasures Conclusion
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 92 / 149
Safe languages
Change the language so that correctness can be ensured
Static analysis to prove safety If it cant be proven safe statically, add runtime checks to ensure safety (e.g. array unsafe statically -> add bounds checking) Type safety: casts of pointers are limited Less programmer pointer control
March, 2012
93 / 149
Safe languages
Runtime type-information Memory management: no explicit management
Garbage collection: automatic scheduled deallocation Region-based memory management: deallocate regions as a whole, pointers can only be dereferenced if region is live
March, 2012
94 / 149
Safe languages
Cyclone: Jim et al.
Pointers:
NULL check before dereference of pointers (*ptr) New type of pointer: never-NULL (@ptr) No artihmetic on normal (*) & never-NULL (@) pointers Arithmetic allowed on special pointer type (?ptr): contains extra bounds information for bounds check Uninitialized pointers cant be used
Region-based memory management Tagged unions: functions can determine type of arguments: prevents format string vulnerabilities
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 95 / 149
Safe languages
CCured: Necula et al.
Stays as close to C as possible Programmer has less control over pointers: static analysis determines pointer type
Safe: no casts or arithmetic; only needs NULL check Sequenced: only arithmetic; NULL and bounds check Dynamic: type cant be determined statically; NULL, bounds and run-time type check
March, 2012
96 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities Countermeasures
Safe languages Probabilistic countermeasures Separation and replication countermeasures Paging-based countermeasures Bounds checkers Verification countermeasures Conclusion
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 97 / 149
Probabilistic countermeasures
Based on randomness Canary-based approach
Place random number in memory Check random number before performing action If random number changed an overflow has occurred
Obfuscation of memory addresses Address Space Layout Randomization Instruction Set Randomization
March, 2012
98 / 149
Canary-based countermeasures
StackGuard (SG): Cowan et al.
Places random number before the return address when entering function Verifies that the random number is unchanged when returning from the function If changed, an overflow has occurred, terminate program
March, 2012
99 / 149
StackGuard (SG)
Stack f0: ... call f1 ... IP Other stack frames Return address f0 Saved frame pointer f0 Canary Local variables f0 f1: ptrbuffer[] = &data; overflow() buffer[] ... overflow(); *ptr = value; ... data Arguments f1 FP Return address f1 Saved frame pointer f1 Canary Pointer Buffer
SP
March, 2012
100 / 149
StackGuard (SG)
Stack f0: ... call f1 ... Other stack frames Return address f0 Saved frame pointer f0 Canary Local variables f0 f1: ptrbuffer[] = &data; overflow() buffer[] ... overflow(); *ptr = value; ... data Arguments f1 FP Return address f1 Saved frame pointer f1 Canary Pointer Injected code
101
IP
SP
March, 2012
/ 149
Canary-based countermeasures
Propolice (PP): Etoh & Yoda
Same principle as StackGuard Protects against indirect pointer overwriting by reorganizing the stack frame:
All arrays are stored before all other data on the stack (i.e. right next to the random value) Overflows will cause arrays to overwrite other arrays or the random value
Propolice (PP)
Stack f0: ... call f1 ... IP Other stack frames Return address f0 Saved frame pointer f0 Canary Local variables f0 f1: ptrbuffer[] = &data; overflow() buffer[] ... overflow(); *ptr = value; ... data Arguments f1 FP Return address f1 Saved frame pointer f1 Canary Buffer SP Pointer
March, 2012
103 / 149
Propolice (PP)
Stack f0: ... call f1 ... IP Other stack frames Return address f0 Saved frame pointer f0 Canary Local variables f0 f1: ptrbuffer[] = &data; overflow() buffer[] ... overflow(); *ptr = value; ... data Arguments f1 FP Return address f1 Saved frame pointer f1 Canary Buffer SP Pointer
March, 2012
104 / 149
Contrapolice (CP)
Chunk1 Canary1 Size of prev. chunk Size of chunk1 User data Canary1 Canary2 Size of chunk1 Size of chunk2 Forward pointer Backward pointer Old user data Canary2
106
Contrapolice: Krennmair
Stores a random value before and after the chunk Before exiting from a string copy operation, the random value before is compared to the random value after If they are not the same, an overflow has occured
Chunk2
March, 2012
/ 149
March, 2012
107 / 149
Probabilistic countermeasures
Obfuscation of memory addresses
Also based on random numbers Numbers used to encrypt memory locations Usually XOR
a XOR b = c c XOR b = a
March, 2012
108 / 149
March, 2012
109 / 149
Partial overwrite
XOR: 0x41424344 XOR 0x20304050 = 0x61720314 However, XOR encrypts bitwise 0x44 XOR 0x50 = 0x14 If injected code relatively close: 1 byte: 256 possibilities 2 bytes: 65536 possibilities
March, 2012
110 / 149
Partial overwrite
Stack f0: ... call f1 ... IP Other stack frames Return address f0 Saved frame pointer f0 Data Other Local variables f0 f1: ptrbuffer[] = &data; overflow() buffer[] ... overflow(); *ptr = value; ... Arguments f1 FP Return address f1 Saved frame pointer f1 Encrypted pointer Buffer
SP
March, 2012
111 / 149
Partial overwrite
Stack f0: ... call f1 ... Other stack frames Return address f0 Saved frame pointer f0 Data Other Local variables f0 f1: ptrbuffer[] = &data; overflow() buffer[] ... overflow(); *ptr = value; ... Arguments f1 FP Return address f1 Saved frame pointer f1 Encrypted pointer Injected code
IP
SP
March, 2012
112 / 149
Partial overwrite
Stack f0: ... call f1 ... Other stack frames Return address f0 Saved frame pointer f0 Data Other Local variables f0 f1: ptrbuffer[] = &data; overflow() buffer[] ... overflow(); *ptr = value; ... Arguments f1 FP Modified return address Saved frame pointer f1 Encrypted pointer Injected code
IP
SP
March, 2012
113 / 149
Probabilistic countermeasures
Address space layout randomization: PaX team
Compiler must generate PIC Randomizes the base addresses of the stack, heap, code and shared memory segments Makes it harder for an attacker to know where in memory his code is located Can be bypassed if attackers can print out memory addresses: possible to derive base address
March, 2012
114 / 149
Heap-spraying
Technique to bypass ASLR If an attacker can control memory allocation in the program (e.g. in the browser via javascript) Allocate a significant amount of memory
For example: 1GB or 2GB
Fill memory with a bunch of nops, place shell code at the end Reduces amount of randomization offered by ASLR Jumping anywhere in the nops will cause the shellcode to be executed eventually
March, 2012
115 / 149
Probabilistic countermeasures
Randomized instruction sets: Barrantes et al./Kc et al.
Encrypts instructions while they are in memory Decrypts them when needed for execution If attackers dont know the key their code will be decrypted wrongly, causing invalid code execution If attackers can guess the key, the protection can be bypassed High performance overhead in prototypes: should be implemented in hardware
March, 2012
116 / 149
Probabilistic countermeasures
Rely on keeping memory secret Programs that have buffer overflows could also have information leakage Example:
char buffer[100]; strncpy(buffer, input, 100); Printf(%s, buffer);
Strncpy does not NULL terminate (unlike strcpy), printf keeps reading until a NULL is found
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 117 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities Countermeasures
Safe languages Probabilistic countermeasures Separation and replication countermeasures Paging-based countermeasures Bounds checkers Verification countermeasures Conclusion
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 118 / 149
March, 2012
119 / 149
Separation of information
Dnmalloc: Younan et al.
Does not rely on random numbers Protection is added by separating the chunk information from the chunk Chunk information is stored in separate regions protected by guard pages Chunk is linked to its information through a hash table Fast: performance impact vs. dlmalloc: -10% to +5% Used as the default allocator for Samhein (open source IDS)
March, 2012
120 / 149
Dnmalloc
Low addresses
Heap Data Heap Data Heap Data Heap Data Heap Data Heap Data Heap Data Heap Data
Hashtable
Guard page Ptr to chunkinfo Ptr to chunkinfo Ptr to chunkinfo Ptr to chunkinfo Ptr to chunkinfo
Chunkinfo region
Guard page Management information Management information Management information Management information Management information
High addresses
Control data
Regular data
March, 2012
121 / 149
Separation of information
Multistack: Younan et al.
Does not rely on random numbers Separates the stack into multiple stacks, 2 criteria:
Risk of data being an attack target (target value) Risk of data being used as an attack vector (source value)
Return addres: target: High; source: Low Arrays of characters: target: Low; source: High
Dnstack
Pointers Array of pointers Structures (no arrays) Integers Guard page Structs (no char array) Array of struct (no char array) Arrays Alloca() Floats Guard page Structures (with char. array) Array of structures (with char array) Guard page Array of characters
Guard page
Stacks are at a fixed location from each other If source risk can be reduced: maybe only 2 stacks
Map stack 1,2 onto stack one Map stack 3,4,5 onto stack two
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 123 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities Countermeasures
Safe languages Probabilistic countermeasures Separation and replication countermeasures Paging-based countermeasures Bounds checkers Verification countermeasures Conclusion
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 124 / 149
Paging-based countermeasure
Non-executable memory (called NX or XN)
Pages of memory can be marked executable, writeable and readable Older Intel processors would not support the executable bit which meant that readable meant executable Eventually the bit was implemented, allowing the OS to mark data pages (such as the stack and heap writable but not executable) OpenBSD takes it further by implementing W^X (writable XOR executable) Programs doing JIT have memory that is both executable and writable
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 125 / 149
IP
SP
Injected code
March, 2012
126 / 149
March, 2012
127 / 149
For example calling system(/bin/bash) would place the address of the executable code for system as return address and would place a pointer to the string /bin/bash on the stack
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 128 / 149
Paging-based countermeasures
Stack f0: ... call f1 ... IP Other stack frames Return address f0 Saved frame pointer f0 Local variables f0 f1: buffer[] overflow() ... Arguments f1 FP Overwritten Return address return address f1 Saved frame pointer f1 Injected Buffer code
SP
March, 2012
129 / 149
Paging-based countermeasures
f0: ... call f1 ... Stack Other stack frames Return address f0 Saved frame pointer f0 string /bin/bash Pointer to /bin/bash FP system: ... int 0x80 SP Overwritten return address
IP
March, 2012
130 / 149
IP
March, 2012
132 / 149
machine code: f7 c7 07 00 00 00
setnzb [ebp-61]
machine code: 0f 95 45 c3 00 f7 c7 07 00 00 00 0f 95 45 c3
add bh, dh mov edi, 0x0F000000 xchg eax, ebp inc ebp ret
Example adapted from Return-oriented Programming: Exploitation without Code Injection by Buchanan et al.
Yves Younan C and C++: vulnerabilities, exploits and countermeasures March, 2012 135 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities Countermeasures
Safe languages Probabilistic countermeasures Separation and replication countermeasures Paging-based countermeasures Bounds checkers Verification countermeasures Conclusion
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 136 / 149
Bounds checkers
Ensure arrays and pointers do not access memory out of bounds through runtime checks Slow:
Bounds checking in C must check all pointer operations, not just array index accesses (as opposed to Java) Usually too slow for production deployment
Some approaches have compatibility issues Two major approaches: add bounds info to pointers, add bounds info to objects
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 137 / 149
Bounds checkers
Add bounds info to pointers
Pointer contains
Current value Upper bound Lower bound
Two techniques
Change pointer representation: fat pointers
Fat pointers are incompatible with existing code (casting)
Problems with existing code: if (global) pointer is changed, info is out of sync
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 138 / 149
Bounds checkers
Add bounds info to objects
Pointers remain the same Look up bounds information based on pointers value Check pointer arithmetic:
If result of arithmetic is larger than base object + size -> overflow detected Pointer use also checked to make sure object points to valid location
March, 2012
139 / 149
Bounds checkers
Safe C: Austin et al.
Safe pointer: value (V), pointer base (B), size (S), class (C), capability (CP) V, B, S used for spatial checks C and CP used for temporal checks
Prevents dangling pointers Class: heap, local or global, where is the memory allocated Capability: forever, never
First temp check: is the pointer still valid? Bounds check: is the pointer within bounds?
C and C++: vulnerabilities, exploits and countermeasures
March, 2012
140 / 149
Bounds checkers
Jones and Kelly
Austin not compatible with existing code Maps object size onto descriptor of object (base, size) Pointer dereference/arithmetic
Check descriptor If out of bounds: error
Bounds checkers
CRED: Ruwase and Lam
Extension of Jones and Kelly Problems with pointer arithmetic
1) pointer goes out-of-bounds, 2) is not dereferenced, 3) goes in-bounds again Out-of-bounds arithmetic causes error Many programs do this
Bounds checkers
PariCheck: Younan et al. Bounds are stored as a unique number over a region of memory Object inhabits one or more regions, each region has the same unique number Check pointer arithmetic
Look up unique number of object that pointer is pointing to, compare to unique number of the result of the arithmetic, if different -> overflow Faster than existing bounds checkers: ~50% overhead
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 143 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities Countermeasures
Safe languages Probabilistic countermeasures Separation and replication countermeasures Paging-based countermeasures Bounds checkers Verification countermeasures Conclusion
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 144 / 149
Verification countermeasures
Ensure that the values in use are sane
A typical example of this is safe unlinking
Safe unlinking was introduced to various heap allocators to ensure that the doubly linked list is sane before being used For example before unlinking, do the following checks:
P->fd->bk should be equal to P P->bk->fd should also be equal to P If both conditions hold, then proceed with unlinking
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 145 / 149
Lecture overview
Memory management in C/C++ Vulnerabilities
Buffer overflows Format string vulnerabilities Integer errors
Countermeasures Conclusion
March, 2012
146 / 149
These have made exploitations of these attacks significantly harder However, attackers have found various ways of bypassing these countermeasures
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 147 / 149
Different priorities: performance is much more important on embedded devices Area of very active research
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 148 / 149
Conclusion
Many attacks, countermeasures, countercountermeasures, etc. exist Search for good and performant countermeasures to protect C continues Best solution: switch to a safe language, if possible More information:
Y. Younan, W. Joosen and F. Piessens. Code injection in C and C++: A survey of vulnerabilities and Countermeasures Y. Younan. Efficient countermeasures for software vulnerabilities due to memory management errors . Erlingsson, Y. Younan, F. Piessens, Low-level software security by example
Yves Younan Monday, February 13, 2012 C and C++: vulnerabilities, exploits and countermeasures March, 2012 149 / 149