Code injection in C and C++: a survey of vulnerabilities and countermeasures

Implementation errors relating to memory-safety are the most common vulnerabilities used by attackers to gain control over the execution-flow of an application. By carefully crafting an exploit for these vulnerabilities, attackers can make an application transfer execution-flow to code that they have injected. Such code injection attacks are among the most powerful and common attacks against software applications. This report documents possible vulnerabilities in C and C++ applications that could lead to situations that allow for code injection and describes the techniques generally used by attackers to exploit them. A fairly large number of defense techniques have been described in literature. An important goal of this report is to give a comprehensive survey of all available preventive and defensive countermeasures that either attempt to eliminate specific vulnerabilities entirely or attempt to combat their exploitation. Finally, the report presents a synthesis of this survey that allows the reader to weigh the advantages and disadvantages of using a specific countermeasure as opposed to using another more easily. CR Subject Classification : K6.5, A.1, D3

[1]  John Wilander,et al.  A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention , 2003, NDSS.

[2]  Stephanie Forrest,et al.  A sense of self for Unix processes , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[3]  Niels Provos,et al.  Improving Host Security with System Call Policies , 2003, USENIX Security Symposium.

[4]  A. One,et al.  Smashing The Stack For Fun And Profit , 1996 .

[5]  William R. Bush,et al.  A static analyzer for finding dynamic programming errors , 2000, Softw. Pract. Exp..

[6]  Angelos D. Keromytis,et al.  Countering code-injection attacks with instruction-set randomization , 2003, CCS '03.

[7]  William R. Bush,et al.  A static analyzer for finding dynamic programming errors , 2000 .

[8]  R. P. Abbott,et al.  Security Analysis and Enhancements of Computer Operating Systems , 1976 .

[9]  Fred B. Schneider,et al.  Least Privilege and More , 2003, IEEE Secur. Priv..

[10]  Crispin Cowan,et al.  FormatGuard: Automatic Protection From printf Format String Vulnerabilities , 2001, USENIX Security Symposium.

[11]  FrazerKen Building secure software , 2002 .

[12]  Yves Younan An overview of common programming security vulnerabilities and possible solutions , 2003 .

[13]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[14]  Steve J. Chapin,et al.  Type-Assisted Dynamic Buffer Overflow Detection , 2002, USENIX Security Symposium.

[15]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[16]  Calton Pu,et al.  Buffer overflows: attacks and defenses for the vulnerability of the decade , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[17]  Gerardo Richarte Four dierent tricks to bypass StackShield and StackGuard protection , 2002, WWW 2002.

[18]  David H. Ackley,et al.  Randomized instruction set emulation to disrupt binary code injection attacks , 2003, CCS '03.

[19]  David Evans,et al.  Improving Security Using Extensible Lightweight Static Analysis , 2002, IEEE Softw..

[20]  Alexander Aiken,et al.  A theory of type qualifiers , 1999, PLDI '99.

[21]  Zhen Xiao,et al.  Detecting heap smashing attacks through fault containment wrappers , 2001, Proceedings 20th IEEE Symposium on Reliable Distributed Systems.

[22]  Gary McGraw,et al.  An automated approach for identifying potential vulnerabilities in software , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[23]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[24]  Matt Bishop,et al.  Testing C Programs for Buffer Overflow Vulnerabilities , 2003, NDSS.

[25]  David A. Wagner,et al.  Intrusion detection via static analysis , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[26]  Martin C. Rinard,et al.  Symbolic bounds analysis of pointers, array indices, and accessed memory regions , 2005, TOPL.

[27]  Akinori Yonezawa,et al.  Fail-Safe ANSI-C Compiler: An Approach to Making C Programs Secure: Progress Report , 2002, ISSS.

[28]  Daniel C. DuVarney,et al.  Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits , 2003, USENIX Security Symposium.

[29]  Dinakar Dhurjati,et al.  Ensuring code safety without runtime checks for real-time control systems , 2002, CASES '02.

[30]  Nathan P. Smith Stack Smashing Vulnerabilities in the UNIX Operating System , 1997 .

[31]  Todd C. Miller,et al.  strlcpy and strlcat - Consistent, Safe, String Copy and Concatenation , 1999, USENIX Annual Technical Conference, FREENIX Track.

[32]  Matt Bishop,et al.  A Taxonomy of UNIX System and Network Vulnerabilities , 1997 .

[33]  Carl E. Landwehr,et al.  A Taxonomy of Computer Program Security Flaws, with Examples , 1993 .

[34]  Fred B. Schneider,et al.  Enforceable security policies , 2000, TSEC.

[35]  Calton Pu,et al.  Protecting Systems from Stack Smashing Attacks with StackGuard , 1999 .

[36]  Susan Horwitz,et al.  Protecting C programs from attacks via invalid pointer dereferences , 2003, ESEC/FSE-11.

[37]  Somesh Jha,et al.  Buffer overrun detection using linear programming and static analysis , 2003, CCS '03.

[38]  Bjarne Stroustrup,et al.  The Annotated C++ Reference Manual , 1990 .

[39]  David A. Wagner,et al.  This copyright notice must be included in the reproduced paper. USENIX acknowledges all trademarks herein. Detecting Format String Vulnerabilities with Type Qualifiers , 2001 .

[40]  Ravishankar K. Iyer,et al.  Transparent runtime randomization for security , 2003, 22nd International Symposium on Reliable Distributed Systems, 2003. Proceedings..

[41]  Dawson R. Engler,et al.  ARCHER: using symbolic, path-sensitive analysis to detect memory access errors , 2003, ESEC/FSE-11.

[42]  Robert DeLine,et al.  Enforcing high-level protocols in low-level software , 2001, PLDI '01.

[43]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[44]  David Evans,et al.  Statically Detecting Likely Buffer Overflow Vulnerabilities , 2001, USENIX Security Symposium.

[45]  Nicolas Halbwachs,et al.  Automatic discovery of linear restraints among variables of a program , 1978, POPL.

[46]  David Litchfield Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server , 2003 .

[47]  Zhen Xiao,et al.  An automated approach to increasing the robustness of C libraries , 2002, Proceedings International Conference on Dependable Systems and Networks.

[48]  Derek Bruening,et al.  Secure Execution via Program Shepherding , 2002, USENIX Security Symposium.

[49]  Bjarne Stroustrup,et al.  C++ Programming Language , 1986, IEEE Softw..

[50]  Zhen Xiao,et al.  HEALERS: a toolkit for enhancing the robustness and security of existing applications , 2003, 2003 International Conference on Dependable Systems and Networks, 2003. Proceedings..

[51]  Diomidis Spinellis,et al.  Sandboxing Applications , 2001, USENIX Annual Technical Conference, FREENIX Track.

[52]  R. Sekar,et al.  A fast automaton-based method for detecting anomalous program behaviors , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[53]  David A. Wagner,et al.  A Secure Environment for Untrusted Helper Applications , 1996, USENIX Security Symposium.

[54]  Tzi-cker Chiueh,et al.  RAD: a compile-time solution to buffer overflow attacks , 2001, Proceedings 21st International Conference on Distributed Computing Systems.

[55]  Olatunji Ruwase,et al.  A Practical Dynamic Buffer Overflow Detector , 2004, NDSS.

[56]  Christopher Krügel,et al.  Run-time Detection of Heap-based Overflows , 2003, LISA.

[57]  Eugene H. Spafford,et al.  Crisis and aftermath , 1989, Commun. ACM.

[58]  David E. Evans,et al.  Flexible policy-directed code safety , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[59]  James R. Larus,et al.  Righting software , 2004, IEEE Software.

[60]  John Wilander,et al.  A Comparison of Publicly Available Tools for Static Intrusion Prevention , 2002 .

[61]  Anup Kumar Ghosh,et al.  Analyzing Programs for Vulnerability to Buffer Overrun Attacks , 1998 .

[62]  Andy King,et al.  Analyzing String Buffers in C , 2002, AMAST.

[63]  Andreas Krennmair ContraPolice: a libc Extension for Protecting Applications from Heap-Smashing Attacks , 2003 .

[64]  Michael Rodeh,et al.  CSSV: towards a realistic tool for statically detecting all buffer overflows in C , 2003, PLDI '03.

[65]  Brian D. Snow The future is not assured-but it should be , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[66]  Matt Bishop,et al.  A Critical Analysis of Vulnerability Taxonomies , 1996 .

[67]  Matt Bishop,et al.  Property-based testing: a new approach to testing for assurance , 1997, SOEN.

[68]  Richard Earnshaw Procedure Call Standard for the ARM ® Architecture , 2006 .

[69]  Robert Wahbe,et al.  Efficient software-based fault isolation , 1994, SOSP '93.

[70]  Gary McGraw,et al.  ITS4: a static vulnerability scanner for C and C++ code , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[71]  Carla E. Brodley,et al.  SmashGuard: A Hardware Solution to Prevent Security Attacks on the Function Return Address , 2006, IEEE Transactions on Computers.

[72]  Úlfar Erlingsson,et al.  SASI enforcement of security policies: a retrospective , 1999, NSPW '99.

[73]  George C. Necula,et al.  CCured in the real world , 2003, PLDI '03.

[74]  Dawn Song,et al.  Mitigating buffer overflows by operating system randomization , 2002 .

[75]  Navjot Singh,et al.  Transparent Run-Time Defense Against Stack-Smashing Attacks , 2000, USENIX Annual Technical Conference, General Track.

[76]  Dawson R. Engler,et al.  Using programmer-written compiler extensions to catch security holes , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[77]  Christopher Small MiSFIT: A Tool for Constructing Safe Extensible C++ Systems , 1997, COOTS.

[78]  Kyung-Suk Lhee,et al.  Buffer overflow and format string overflow vulnerabilities , 2003, Softw. Pract. Exp..

[79]  Joseph L. Steffen Adding run‐time checking to the portable C compiler , 1992, Softw. Pract. Exp..

[80]  Michael Rodeh,et al.  Cleanness Checking of String Manipulations in C Programs via Integer Analysis , 2001, SAS.

[81]  John D. Howard,et al.  An analysis of security incidents on the Internet 1989-1995 , 1998 .

[82]  James Cheney,et al.  Region-based memory management in cyclone , 2002, PLDI '02.

[83]  Ruby B. Lee,et al.  Enlisting Hardware Architecture to Thwart Malicious Code Injection , 2004, SPC.

[84]  John Johansen,et al.  PointGuard™: Protecting Pointers from Buffer Overflow Vulnerabilities , 2003, USENIX Security Symposium.

[85]  Dinakar Dhurjati,et al.  Memory safety without runtime checks or garbage collection , 2003, LCTES '03.

[86]  Zhen Xiao,et al.  A flexible generator architecture for improving software dependability , 2002, 13th International Symposium on Software Reliability Engineering, 2002. Proceedings..

[87]  David A. Wheeler,et al.  Secure Programming for Linux and Unix HOWTO , 2003 .

[88]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, POPL '02.

[89]  John R. White,et al.  Linkers and Loaders , 1972, CSUR.

[90]  Robert O. Hastings,et al.  Fast detection of memory leaks and access errors , 1991 .

[91]  Todd M. Austin,et al.  Efficient detection of all pointer and array access errors , 1994, PLDI '94.

[92]  Michael Shuey,et al.  StackGhost: Hardware Facilitated Stack Protection , 2001, USENIX Security Symposium.

[93]  Paul H. J. Kelly,et al.  Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs , 1997, AADEBUG.

[94]  Frank Piessens,et al.  A taxonomy of causes of software vulnerabilities in Internet software , 2002 .

[95]  Margaret Martonosi,et al.  Improving prediction for procedure returns with return-address-stack repair mechanisms , 1998, Proceedings. 31st Annual ACM/IEEE International Symposium on Microarchitecture.

[96]  Todd M. Austin,et al.  High Coverage Detection of Input-Related Security Faults , 2003, USENIX Security Symposium.

[97]  Jun Xu,et al.  Architecture Support for Defending Against Buffer Overflow Attacks , 2002 .

[98]  Donald F. Towsley,et al.  Code red worm propagation modeling and analysis , 2002, CCS '02.