Protecting structures on heap from buffer overflow vulnerabilities with TIED-LibsafePlus
In spite of the numerous defenses that have been devised to combat the buffer overflow attack, buffer overflow vulnerabilities in C programs still exist and remain the ones most widely exploited by attackers to take over the privileges of a host from a remote machine; this is subsequently used to launch even more serious attacks. A buffer is said to be overrun if data is copied beyond its bounds, thus overwriting the memory locations adjacent to the buffer. Buffer overflow vulnerabilities occur primarily for two reasons: one is the absence of automatic bounds checking of arrays and pointer references in the language, and the other is the use of unsafe C library functions that do not range-check the buffers before copying data into them. This thesis proposes a defense mechanism for preventing heap buffer overflows. It is built over another solution to the buffer overflow problem called TIED-LibsafePlus. TIED-LibsafePlus extracts the type information of all buffers (except those lying on the heap) from the raw debug information present in the binary and rewrites it into the binary as new, purpose-specific tables; the library intercepts the unsafe C library functions and consults these tables to find the size of a buffer before copying data into it. TIED-LibsafePlus cannot prevent the overflow of buffers that are allocated on the heap as members of a user-defined data type such as a C structure. A manually crafted attack is demonstrated that changes the flow of control by overflowing such a buffer. To protect these buffers with the approach employed by TIED-LibsafePlus, the type of the structure allocated on the heap must be determined dynamically, which is not feasible with the current implementation of the malloc family of functions. To achieve this, the proposed solution augments the binary with additional type information pertaining to the structures defined in the program, which is then accessed by the safe library.
This thesis describes how the structures allocated on heap can be protected from buffer overflow at the cost of this extra type-information and extra checking performed by the library at run time.
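As an added illustration (not the thesis's code or the TIED-LibsafePlus implementation), the check below shows the kind of run-time lookup the abstract describes: a constructed per-member size table for a heap-allocated structure, a hypothetical allocation registry standing in for the structure type information the thesis proposes to add to the binary, and an interposed strcpy that refuses a copy that would run past the member into the adjacent function pointer. Names such as `record`, `register_struct`, `field_bytes_left` and `checked_strcpy` are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Per-member size table, standing in for the extra structure type
 * information the thesis proposes to embed in the binary (constructed). */
typedef struct { size_t offset; size_t size; } field_info;

/* Heap-allocated structure with a buffer right next to a function pointer. */
typedef struct {
    char name[16];
    void (*handler)(void);
} record;
static const field_info record_fields[] = {
    { offsetof(record, name),    sizeof(((record *)0)->name) },
    { offsetof(record, handler), sizeof(((record *)0)->handler) },
};

/* malloc alone cannot tell the library which structure an allocation
 * holds, so this hypothetical registry records it at allocation time. */
typedef struct { char *base; size_t size; const field_info *f; size_t n; } alloc_info;
static alloc_info registry[16];
static size_t nregistered;
static void register_struct(void *base, size_t size, const field_info *f, size_t n) {
    if (nregistered < 16)
        registry[nregistered++] = (alloc_info){ base, size, f, n };
}

/* Bytes from dest to the end of its enclosing member; 0 if dest is not
 * inside a registered structure or not inside a known member. */
static size_t field_bytes_left(const void *dest) {
    const char *p = dest;
    for (size_t i = 0; i < nregistered; i++) {
        const alloc_info *a = &registry[i];
        if (p < a->base || p >= a->base + a->size) continue;
        size_t off = (size_t)(p - a->base);
        for (size_t j = 0; j < a->n; j++)
            if (off >= a->f[j].offset && off < a->f[j].offset + a->f[j].size)
                return a->f[j].offset + a->f[j].size - off;
    }
    return 0;
}

/* Interposed strcpy: copies only when src (with its NUL) fits in the
 * member; returns 0 on success, -1 when the copy is refused. */
static int checked_strcpy(char *dest, const char *src) {
    size_t need = strlen(src) + 1, room = field_bytes_left(dest);
    if (room == 0 || need > room) return -1;
    memcpy(dest, src, need);
    return 0;
}
```

A destination the registry does not know about is refused here for simplicity; the real library falls back to the stack and global buffer tables it already maintains for such cases.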
- M Tech Dissertations