libsafe - detection and protection against stack smashing attacks

The libsafe library protects a process against the exploitation of buffer overflow vulnerabilities in process stacks. Libsafe works with any existing pre-compiled executable (but is incompatible with libc5-linked processes) and can be used transparently, even on a system-wide basis. The method intercepts all calls to library functions that are known to be vulnerable. A substitute version of the corresponding function implements the original functionality, but in a manner that ensures that any buffer overflows are contained within the current stack frame. Libsafe has been shown to detect several known attacks and can potentially prevent yet unknown attacks. Experiments indicate that the performance overhead of libsafe is negligible.

The following unsafe functions are currently monitored by libsafe:

strcpy(char *dest, const char *src)

strpcpy(char *dest, const char *src)

wcscpy(wchar_t *dest, const wchar_t *src)

wcpcpy(wchar_t *dest, const wchar_t *src)

May overflow the dest buffer.

strcat(char *dest, const char *src)

wcscat(wchar_t *dest, const wchar_t *src) May overflow the dest buffer.

getwd(char *buf)

May overflow the buf buffer.

gets(char *s)

May overflow the s buffer.

[vf]scanf(const char *format, ...)

May overflow its arguments.

realpath(char *path, char resolved_path[])

May overflow the path buffer.

[v]sprintf(char *str, const char *format, ...)

May overflow the str buffer.

May exploit "%n".

The source code for libsafe can be found at http://www.research.avayalabs.com/project/libsafe/index.html.

1.

2.

Change to the lib directory.

3.

Type CWmake to compile and build libsafe.so.2.

4.

Type CWmake install to install the libsafe library and associated programs in their final destination locations.

5.

To use libsafe, set the environment variable CWLD_PRELOAD to point to the libsafe library. Example (sh syntax):

      LD_PRELOAD=/lib/libsafe.so.2
      export LD_PRELOAD

or (csh syntax):

      setenv LD_PRELOAD /lib/libsafe.so.2

You might want to put these lines in your CW.profile or CW.cshrc in order to activate libsafe for all processes that you initiate.

6.

Use your programs as you would normally. Libsafe will transparently check the parameters for supported unsafe functions. If a violation is detected, the following will occur:

1.

2.

An entry will be written using syslog() to the LOG_AUTHPRIV facility (with LOG_CRIT priority). On Debian systems, that's usually /var/log/auth.log; it's configured in the /etc/syslog.conf file. The following is an example of such an entry: Dec 21 13:57:40 denver libsafe[15704]: Detected an attempt to write across stack boundary.

Dec 21 13:57:40 denver libsafe[15704]: Terminating /users/ttsai/work/security.D0_2/test/t91

Dec 21 13:57:40 denver libsafe[15704]: scanf() For security reasons, the dynamic loader disregards environmental variables such as CWLD_PRELOAD when executing set-uid programs. However, on Linux, you can use libsafe with set-uid programs too, by using one of the two methods described below:

The entire process group will be sent a SIGKILL signal.

If you install libsafe on Linux, make sure that your shared loader (ld-linux.so.1/ld.so) understands CWLD_PRELOAD. (Best if ld.so-1.8.5 or more recent)

1.

You may append the path to libsafe.so.2 into CW/etc/ld.so.preload instead of using CWLD_PRELOAD.

WARNING: If you use CW/etc/ld.so.preload, be sure to install CWlibsafe.so.2 on your root filesystem, for instance in CW/lib, as is done by the default installation. Using a directory which is not available at boot time, such as /usr/local/lib will cause trouble at the next reboot!

You should also be careful to remove libsafe from CW/etc/ld.so.preload when installing a new version. First test it out using CWLD_PRELOAD, and only if everything is ok, put it back into CW/etc/ld.so.preload.

2.

If you have a version of CWld.so which is more recent than CW1.9.0, you can set CWLD_PRELOAD to just contain the basename of CWlibsafe.so.2 without the directory. In that case, the file is found as long as it is in the shared library path (which usually contains CW/lib and CW/usr/lib)). Because the search is restricted to the library search path, this also works for set-uid programs. Example (sh syntax):

      LD_PRELOAD=libsafe.so.2
      export LD_PRELOAD

or (csh syntax):

      setenv LD_PRELOAD libsafe.so.2

The advantage of this approach over CWld.so.preload is that libsafe can more easily be switched off in case something goes wrong.

Once libsafe is installed and either LD_PRELOAD or /etc/ld.so.preload has been appropriate configured, there is nothing else to do. The processes to be monitored can be used with no changes.

If a process attempts to use one of the monitored functions to overflow a buffer on the stack, then a violation will be declared. A message is output to the standard error stream, and an entry is written to the syslog LOG_AUTHPRIV facility. If the corresponding options are enabled during compilation (See the libsafe/INSTALL file.), a core dump and a stack dump are produced.

If you wish to use libsafe with /etc/ld.so.preload to enable monitoring for all processes, but there are a few programs that you don't want to use with libsafe, you can list the programs you wish to excluse in /etc/libsafe.exclude. List each program on a separate line, using the absolute pathname for each program. Note that this absolute pathname must not contain any symbolic links.

There is an option to automatically send email notification of detected attacks. That's specified in the /etc/libsafe.notify file; the special word none suppresses the sending of these email messages.

Programs written in C have always been plagued with buffer overflows. Two reasons contribute to this factor. First, the C programming language does not automatically bounds-check array and pointer references. Second, and more importantly, many of the functions provided by the standard C library, such as those listed in the introduction, are unsafe. Therefore, it is up to the programmers to check explicitly that the use of these functions cannot overflow buffers. However, programmers often omit these checks. Consequently, many programs are plagued with buffer overflows, which makes them vulnerable to security attacks.

Libsafe uses a novel method for performing detection and handling of buffer overflow attacks. Without requiring source code, it can transparently protect processes against stack smashing attacks, even on a system-wide basis. The method intercepts all calls to library functions that are known to be vulnerable. A substitute version of the corresponding function implements the original functionality, but in a manner that ensures that any buffer overflows are contained within the current stack frame.

The key idea is the ability to estimate a safe upper limit on the size of buffers automatically. This estimation cannot be performed at compile time because the size of the buffer may not be known at that time. Thus, the calculation of the buffer size must be made after the start of the function in which the buffer is accessed. Our method is able to determine the maximum buffer size by realizing that such local buffers cannot extend beyond the end of the current stack frame. This realization allows the substitute version of the function to limit buffer writes within the estimated buffer size. Thus, the return address from that function, which is located on the stack, cannot be overwritten and control of the process cannot be commandeered.

Report bugs to <libsafe@research.avayalabs.com>.

The home web page for libsafe is http://www.research.avayalabs.com/project/libsafe/index.html.

Copyright (C) 2002 Avaya Labs, Avaya Inc.

Copyright (C) 1999 Bell Labs, Lucent Technologies.

Copyright (C) Arash Baratloo, Timothy Tsai, and Navjot Singh.

This file is part of the Libsafe library. Libsafe version 2.x: protecting against stack smashing attacks.

This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

For more information, visit http://www.research.avayalabs.com/project/libsafe/index.html or email libsafe@research.avayalabs.com