Networked Systems Research

Protecting Critical Elements of Stacks

The exploitation of buffer overflow and format string vulnerabilities in process stacks constitutes a significant portion of security attacks in recent years. We present a new method to detect and handle such attacks. In contrast to previous work, our method does not require any modification to the operating system and works with existing binary programs. Our method does not require access to the source code of defective programs, nor does it require recompilation or off-line processing of binaries. Furthermore, it can be implemented on a system-wide basis transparently. Our solution is based on a middleware software layer that intercepts all function calls made to library functions that are known to be vulnerable. A substitute version of the corresponding function implements the original functionality, but in a manner that ensures that any buffer overflows are contained within the current stack frame, thus, preventing attackers from 'smashing' (overwriting) the return address and hijacking the control flow of a running program.

We have implemented our solution on Linux as a dynamically loadable library called libsafe. Libsafe has demonstrated its ability to detect and prevent several known attacks, but its real benefit, we believe, is its ability to prevent yet unknown attacks. Experiments indicate that the performance overhead of libsafe is negligible.

It is generally accepted that the best solution to buffer overflow and format string attacks is to fix the defective programs. However, fixing defective programs requires knowing that a particular program is defective. The true benefit of using libsafe and other alternative security measures is protection against future attacks on programs that are not yet known to be vulnerable. That is why we made libsafe version 2.0 source code under the GNU Lesser General Public License.

In contrast to most other solutions, libsafe is extremely easy to install and use. No source code, recompilation, or special expertise is needed. And, the installation only takes a few minutes.

Libsafe does not support programs linked with libc5. If you find that a process protected by libsafe experienced a segmentation fault, use the ldd utility to determine if the process is linked with libc5. If that is the case, then you will either need to recompile/relink the application with libc6 (i.e., glibc) or to download a newer version that has been linked with libc6. From our experience, most applications are offered with a libc6 version.

For more information contact Libsafe (this way we all get to read your emails).

Downloads

The libsafe version 2.0 source code and md5sum.
The Libsafe 2.0 binary rpm and source rpm. Here are the md5sum.
We are grateful to Yoann Vandoorselaere of MandrakeSoft for his tireless efforts in testing, porting, and packaging Libsafe 1.3.
We are thankful to Dr SuSe for providing the installation instructions for SuSe 6.x Systems.
David Coe has graciously created the Debian packages.

Notes

libc5 linked programs are not supported.

Connect
with Avaya

Contact Avaya Labs:

	Locations and Careers
	Media Relations

Events:

	Tagging Workshop
	WWW2008 Panel

All Events