Protecting C Programs from Attacks via Invalid Pointer Dereferences
Suan Hsi Yong and Susan Horwitz
Writes via unchecked pointer dereferences rank high among
vulnerabilities most often exploited by malicious code. The
most common attacks use an unchecked string copy to cause a
buffer overrun, thereby overwriting the return address in
the function's activation record. Then, when the function
"returns", control is actually transferred to the
attacker's code. Other attacks may overwrite function
pointers, setjmp buffers, system-call arguments, or simply
corrupt data to cause a denial of service.
A number of techniques have been proposed to address such
attacks. Some are limited to protecting the return address
only; others are more general, but have undesirable
properties such as having a high runtime overhead, requiring
manual changes to the source code, or forcing programmers to
give up control of data representations and memory
management.
This paper describes the design and implementation of a
security tool for C programs that addresses all these
issues: it has a low runtime overhead, does not require
source code modification by the programmer, does not report
false positives, and provides protection against a wide
range of attacks via bad pointer dereferences, including but
not limited to buffer overruns and attempts to access
previously freed memory. The tool uses static analysis to
identify potentially dangerous pointer dereferences, and
memory locations that are legitimate targets of these
pointers. Dynamic checks are then inserted; if at runtime
the target of an unsafe dereference is not in the legitimate
set, a potential security violation is reported, and the
program is halted.
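The check described above, as an added illustration that is not the paper's tool: the paper's static analysis decides which dereferences are unsafe and which memory locations they may legitimately target, whereas this sketch assumes every write routed through a hypothetical checked_store() has already been flagged unsafe, and keeps the legitimate-target set as an explicit table that the program registers into. The target table, register_target(), unregister_target(), is_legitimate() and the two demo_ scenarios are all assumed names; the inputs are constructed. Where the paper's instrumentation halts the program, this version reports the violation and returns 0 so the outcome can be observed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Added illustration, not the paper's tool. A tiny "legitimate target set"
 * for pointer writes: a write is allowed only if its whole byte range lies
 * inside one registered, still-live region. */

#define MAX_TARGETS 16

typedef struct {
    uintptr_t lo;   /* first valid byte */
    uintptr_t hi;   /* one past the last valid byte */
    int live;       /* 0 once the region is freed / out of scope */
} target_t;

static target_t targets[MAX_TARGETS];

/* Register [base, base+len) as a legitimate target. Returns slot or -1. */
int register_target(void *base, size_t len) {
    for (int i = 0; i < MAX_TARGETS; i++) {
        if (!targets[i].live) {
            targets[i].lo = (uintptr_t)base;
            targets[i].hi = (uintptr_t)base + len;
            targets[i].live = 1;
            return i;
        }
    }
    return -1;
}

/* Drop a target when its memory is freed or leaves scope, so later writes
 * through a dangling pointer are no longer legitimate. */
void unregister_target(void *base) {
    for (int i = 0; i < MAX_TARGETS; i++)
        if (targets[i].live && targets[i].lo == (uintptr_t)base)
            targets[i].live = 0;
}

/* Is [p, p+len) entirely inside one live target? (Guards against wrap.) */
int is_legitimate(const void *p, size_t len) {
    uintptr_t a = (uintptr_t)p;
    if (a + len < a) return 0;
    for (int i = 0; i < MAX_TARGETS; i++)
        if (targets[i].live && a >= targets[i].lo && a + len <= targets[i].hi)
            return 1;
    return 0;
}

/* Instrumented store standing in for an unsafe dereference: copies len
 * bytes to dst only if dst is a legitimate target. Returns 1 on success,
 * 0 when the write was refused (the paper's tool would halt here). */
int checked_store(void *dst, const void *src, size_t len) {
    if (!is_legitimate(dst, len)) {
        fprintf(stderr, "potential security violation: %zu-byte write to %p\n",
                len, dst);
        return 0;
    }
    memcpy(dst, src, len);
    return 1;
}

/* Scenario 1: an unchecked-string-copy style overrun of an 8-byte buffer.
 * Returns 0 because the 17-byte copy is refused. */
int demo_overrun(void) {
    char *buf = malloc(8);
    register_target(buf, 8);
    const char *input = "0123456789ABCDEF";          /* constructed input */
    int ok = checked_store(buf, input, strlen(input) + 1);
    unregister_target(buf);
    free(buf);
    return ok;
}

/* Scenario 2: a write through a dangling pointer after free.
 * Returns 1 when the in-bounds write succeeds and the freed write is refused. */
int demo_use_after_free(void) {
    char *buf = malloc(8);
    register_target(buf, 8);
    int first = checked_store(buf, "ok", 3);   /* in bounds: accepted */
    unregister_target(buf);
    free(buf);
    int second = checked_store(buf, "no", 3);  /* freed region: refused */
    return first && !second;
}

int main(void) {
    printf("overrun refused: %s\n", demo_overrun() ? "no" : "yes");
    printf("use-after-free refused: %s\n", demo_use_after_free() ? "yes" : "no");
    return 0;
}
```

Two design points carry over from the paper's description: the set of legitimate targets must shrink when memory is freed, otherwise the use-after-free case is not caught, and the check must cover the full range of the write rather than only its first byte, otherwise a copy that starts in bounds and runs past the end slips through.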
Categories and Subject Descriptors:
F.3.2 [Logics and Meanings of Programs]: Semantics of
Programming Languages -- Program analysis;
K.6.5 [Management of Computing and Information Systems]:
Security and Protection
General Terms:
Security
Keywords:
Security, Buffer overrun, Static analysis, Instrumentation.
University of Wisconsin