Architectural Bound Checking for Buffer-Overflow Protection
Total Page:16
File Type:pdf, Size:1020Kb
162 ECTI TRANSACTIONS ON COMPUTER AND INFORMATION TECHNOLOGY VOL.14, NO.2 November 2020 Boundary Bit: Architectural Bound Checking for Buffer-Overflow Protection Sirisara Chiamwongpaet1 and Krerk Piromsopa2, Members ABSTRACT return addresses and function pointers). Few of them We propose Boundary Bit, a new architectural can prevent buffer overflow on arbitrary data (e.g. bound-checking approach that detects and prevents pointers, arrays and function arguments). We be- buffer-overflow attacks. Boundary Bit extends an ar- lieve the existence of buffer overflow is a result of an chitecture by associating a bit to each memory en- insufficient foundation at the architectural level. try. Software can set a (boundary) bit to delimit an object. On each memory access, the hardware 1.1 Concept will dynamically validate the object's bound using Boundary Bit provides bound checking at the ar- the boundary bit. With minimal hints from the com- chitectural level by ensuring that transferred data piler, our architectural design eliminates most (if not cannot exceed the allocated capacity of buffers. all) types of buffer-overflow attacks. These include at- While many hardware solutions (such as segmenta- tacks on non-control data (variables and arguments) tion [25] and tag architecture [12]) exist, some of them and array-indexing errors. We evaluated the perfor- (e.g. segmentation) are, however, not common to all mance of Boundary Bit using simulation, and the architectures. In supported systems, the mechanism results show that the majority of performance over- is usually ignored in favor of performance or compati- heads lies in bit scanning operations. To mitigate per- bility. We believe a light-weight architectural solution formance overhead, we introduce a hardware bitmap is the key to the success of buffer-overflow protection. to act as a cache. The results from our simulation To enforce bound checking without sacrificing per- show that the hardware bitmap can absorb most of formance, Boundary Bit associates an extra bit with the overhead from bit scanning, which in the best- each memory entry. This bit is similar to those of case scenario was 30 times faster than the version Secure Bit's [27] (as well as tag architecture [12]). It that does not utilize a bitmap cache. can do everything Secure Bit does. In addition, it can handle another whole class of attacks that Secure Bit Keywords: Buffer overflow, Invasive software, Se- cannot. curity kernels, Security and protection, System ar- chitectures, Unauthorized access 2. BACKGROUND: BUFFER-OVERFLOW 1. INTRODUCTION ATTACKS Since the creation of the infamous MORRIS worm A buffer-overflow attack can be described as an at- [35] in 1988, buffer-overflow vulnerabilities have been tack in which a buffer is overflowed beyond its bounds used by malicious worms and viruses to exploit nu- into another buffer with an intent to cause malicious merous computer systems. Though it is possible to behavior in a program [4,29,40]. write secure code, no program is guaranteed to be free from bugs. There have been a lot of buffer-overflow 2.1 Classification by Attack Locations vulnerabilities continuously detected and reported. • Stack Overflows These attacks are conducted by For example, even the well-known operating system's copying data larger than the size of an allocated libraries still suffer from buffer-overflow attacks [10]. buffer in the stack. As a result, the overflowed data Moreover, the well-known WannaCry ransomware at- will overwrite the return address. The eventual re- tack in May 2017 exploits a buffer-overflow vulnera- turn instruction at the end of a function will return bility in the most Microsoft Windows versions, in- to execute attackers' code instead of the normal cluding Microsoft Windows 10 SP1 [22]. process flow. However, this stack area may con- Many solutions have been proposed [13,31]. How- tain control data and non-control data. Although ever, they have mostly focused on control data (e.g. the return address is the major target, this type of overflow attack can occur arbitrarily. Manuscript received on August 28, 2019 ; revised on January 15, 2020. • Heap Overflows Similarly to stack-overflow at- Final manuscript received on January 16, 2020. tacks, heap-overflow attacks can modify data by 1;2 The authors are with the Department of Computer Engi- overwriting adjacent memory. The heap memory neering, Chulalongkorn University, Bangkok 10330, Thailand, E-mail: [email protected] and [email protected] stores function pointers and dynamically-allocated DOI: 10.37936/ecti-cit.2020142.212338 data. Such allocation is done by calling the \mal- Boundary Bit: Architectural Bound Checking for Buffer-Overflow Protection 163 loc" function in C language (or a new operation in Guard [6], Minezone RAD [37], Read-only RAD [37], modern object-oriented programming languages). Efficient Dynamic Taint Analysis Using Multicore For example, a function pointer can be changed to Machines [3], HeapDefender [20], Secure Bit [27], and point to attacker's code. Secure Canary Word [29] [4]. For comparison, we also • Array Indexing Errors This type of attack is include our proposed solution, Boundary Bit, in this different from the other types in that it is a result of table. indexing beyond the boundary of an array. Thus, In conclusion, a buffer-overflow protection sum- the attackers can theoretically write to arbitrary mary table with types of buffer-overflow attacks is memory locations. provided as Figure 2. The symbol Xmeans this so- lution can prevent this attack type. The symbol \?" 2.2 Classification Using Characteristics means this solution may prevent this attack type. There is another classification method based on However, the tables show only types of buffer- characteristics, defined by [2], with some precondi- overflow attacks that can be prevented without con- tions as follows. sidering the performance or the limitations. • Direct Executable The target is to change the control flow of the process. This class is comparable 3. BOUNDARY BIT to Stack overflows on control data. (dir:exec = Boundary Bit [5] is a hardware-assisted runtime flen:buff, con:addr, con:inst, mod:radd, bound-checking method that aims to prevent buffer- jmp:stack, exe:stackg overflow attacks on both control and non-control • Indirect Executable The difference from \Direct data. Executable" is that the process state information, To enforce bound checking, Boundary Bit asso- such as a return address, is not altered, but a func- ciates an extra bit with each byte of memory. These tion pointer is indirectly altered instead. When the bits are similar to those of Secure Bit's [27], the Tag function pointer is invoked, attacker's code will be architecture [12], as well as the bound information executed. This class is comparable to Heap over- used by various software-based bound-checking ap- flows on control data. ind:exec = flen:buff, proaches [1,23,24], and are used to delimit boundaries con:addr, mod:fptr, jmp:heap, exe:heapg of buffers. At runtime, these extra bits are used to • Direct Data Buffer-overflow attacks are differ- check whether an access to a buffer is out-of-bounds. ent from executable buffer-overflow attacks in that If an out-of-bounds access is detected, the offending no new instructions (attacker's code) are exe- program is terminated. Specifically, given a buffer cuted. Direct data buffer-overflow attacks modify at address a, if an attempt is made to access data some data which make the execution path change. at index i, Boundary Bit will scan bits from the ad- This class is comparable to the Stack overflows dress min(a,a+i) to max(a,a+i) - 1 in order to de- on non-control data. dir:data = flen:buff, termine whether an access is within the bounds. If, con:ctrl, mod:cvar, flow:ctrlg during the scan, Boundary Bit encounters a set bit • Indirect Data These attacks are similar to the (which signifies an end of the buffer), then it will ter- direct data overflows. The target of indirect minate the program with an error. In case the ending data buffer-overflow attacks is a pointer refer- address (max(a,a+i) -1 ) is less than the beginning ring to the data that can change the execution address (max(a,a+i)), no scanning is required. path. This class is comparable to Heap overflows The following examples further illustrate how on non-control data. ind:data = flen:buff, Boundary Bit works in practice. con:addr, mod:cptr, flow:ctrlg 3.1 Stack-Overflow Detection 2.3 Summary of buffer-overflow attack types The following function contains a potential buffer- From the patterns of buffer-overflow characteris- overflow bug caused by the usage of the unsafe tics and the taxonomy of buffer-overflow solutions, strcpy() function. the relationships between characteristics and existing void func1 ( char ∗p ) f solutions can be summarized as shown in Figure 1. int i ; // 4 b y t e s From the table, the symbol Xmeans this solution can char b [ 8 ] ; // 8 b y t e s prevent this characteristic. The symbol \?" means char ch ; // 1 b y t e the solution may prevent this characteristic (depend- strcpy(b, p); g ing on the implementation). The protection solutions in the table are as fol- Assuming that each variable in the above function lows: Segmentation [25], Integer Analysis to De- has an address in memory as shown in Figure 3a and termine Buffer Overflow [39], STOBO [14], Type- 3b, if the length of input is 8 bytes (the maximum Assisted Buffer Overflow Detection [19], C Range Er- index of the input is 7), the system will scan bits ror Detector (CRED) [32], Jump Pointer [36], Stack- starting at address 0x28ac58 and ending at address Guard [7], MemGuard [7], PointGuard [6], Smash- 0x28ac5e (from 0x28ac58 + 7 - 1), as per the earlier 164 ECTI TRANSACTIONS ON COMPUTER AND INFORMATION TECHNOLOGY VOL.14, NO.2 November 2020 Fig.1:: Summary with buffer-overflow characteristics Fig.2:: Summary with types of buffer-overflow attacks described scheme).