PAriCheck: an efficient pointer arithmetic checker for C programs

Buffer overflows are still a significant problem in programs written in C and C++. In this paper we present a bounds checker, called PAriCheck, that inserts dynamic runtime checks to ensure that attackers cannot abuse buffer overflow vulnerabilities. The main approach is to check pointer arithmetic rather than pointer dereferences when performing bounds checks. The checks work by assigning a unique label to each object and associating that label with every memory location the object inhabits. Whenever pointer arithmetic occurs, the label of the location the base pointer refers to is compared with the label of the location the result refers to. If the labels differ, an out-of-bounds calculation has occurred. Benchmarks show that PAriCheck has a very low performance overhead compared to similar bounds checkers. This paper demonstrates that using bounds checkers for programs, or parts of programs, running on high-security production systems is a realistic possibility.
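As an added illustration, not code from the PAriCheck paper or its implementation, the following C program simulates the label scheme the abstract describes: a small arena whose memory is covered by a shadow table of per-granule object labels, an allocator that stamps a fresh label onto every granule an object occupies, and a pointer-arithmetic check that compares the label under the base pointer with the label under the result. The arena, the 16-byte granularity, the one byte of slack that keeps the legal one-past-the-end pointer inside the object's label region, and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed simulation (not PAriCheck's code): a fixed arena whose memory is
 * covered by a shadow table holding one object label per GRANULE bytes. */
#define ARENA_SIZE 4096
#define GRANULE    16                  /* assumed label granularity */
#define NGRANULES  (ARENA_SIZE / GRANULE)

static unsigned char arena[ARENA_SIZE];
static uint32_t      shadow[NGRANULES];   /* label per granule, 0 = free */
static size_t        arena_top  = 0;
static uint32_t      next_label = 1;

/* Allocate n bytes, give the object a fresh unique label and write that label
 * into every shadow slot the object occupies. One byte of slack is added (an
 * assumption) so the legal one-past-the-end pointer still carries the label. */
void *labeled_alloc(size_t n)
{
    size_t need = (n + 1 + GRANULE - 1) / GRANULE * GRANULE;
    if (arena_top + need > ARENA_SIZE)
        return NULL;
    uint32_t label = next_label++;
    for (size_t g = arena_top / GRANULE; g < (arena_top + need) / GRANULE; g++)
        shadow[g] = label;
    void *p = arena + arena_top;
    arena_top += need;
    return p;
}

/* Label of the granule containing address a, or 0 when a lies outside the arena. */
static uint32_t label_at(uintptr_t a)
{
    uintptr_t lo = (uintptr_t)arena, hi = lo + ARENA_SIZE;
    if (a < lo || a >= hi)
        return 0;
    return shadow[(a - lo) / GRANULE];
}

/* The core idea: check the arithmetic, not the dereference. Returns 1 and
 * stores base+offset in *out when both addresses carry the same non-zero label;
 * returns 0 and leaves *out untouched when the result has left the object, so
 * the out-of-bounds pointer is never materialised at all. */
int checked_ptr_add(void *base, ptrdiff_t offset, void **out)
{
    uintptr_t b = (uintptr_t)base;
    uintptr_t r = b + (uintptr_t)offset;   /* unsigned wrap handles negative offsets */
    uint32_t lb = label_at(b), lr = label_at(r);
    if (lb == 0 || lb != lr)
        return 0;
    *out = (void *)r;
    return 1;
}

/* Scenario: a 32-byte buffer followed by a neighbouring object. Returns a
 * bitmask of which computations the check accepted, so the outcome can be
 * inspected by a caller. Expected value: 0x7 (bits 0..2 set). */
unsigned demo(void)
{
    char *buf = labeled_alloc(32);
    char *neighbour = labeled_alloc(32);
    void *p;
    unsigned accepted = 0;
    if (buf == NULL || neighbour == NULL)
        return 0;
    if (checked_ptr_add(buf, 31, &p))     accepted |= 1u << 0; /* last byte: accepted */
    if (checked_ptr_add(buf, 32, &p))     accepted |= 1u << 1; /* one past the end: accepted */
    if (checked_ptr_add(buf, 40, &p))     accepted |= 1u << 2; /* still in rounding slack: not caught */
    if (checked_ptr_add(buf, 64, &p))     accepted |= 1u << 3; /* inside neighbour: rejected */
    if (checked_ptr_add(buf, -1, &p))     accepted |= 1u << 4; /* before the buffer: rejected */
    if (checked_ptr_add(buf, 100000, &p)) accepted |= 1u << 5; /* outside the arena: rejected */
    return accepted;
}

int main(void)
{
    unsigned r = demo();
    printf("accepted mask = 0x%x (expected 0x7)\n", r);
    return r == 0x7u ? 0 : 1;
}
```

Two points worth noticing in the run. First, the check fires on `buf + 64`, `buf - 1` and the far-out offset before any of those pointers is stored or dereferenced, which is what distinguishes arithmetic-time checking from dereference-time checking. Second, `buf + 40` is accepted: it lands in the bytes added by rounding the allocation up to the label granularity, so a small overflow that stays within that slack is invisible to a label scheme at this granularity. Any real deployment has to pick its granularity and padding with that trade-off in mind; in an instrumented program the compiler would replace every pointer-arithmetic expression with the equivalent of `checked_ptr_add` and abort, rather than return 0, on a label mismatch.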
