
CONCLUSION AND FUTURE WORK

We have developed a tool, called DUBS, to protect COTS software and prevent malicious users from attacking the system. When DUBS is used to protect a COTS program, the program still crashes on the first attack; after that first attack, the user enables the detection and protection features of DUBS. DUBS can optionally detect a buffer overflow vulnerability and block the function that contains it. The tool can also serve as a better binary instrumentation tool, because it can instrument machine code into a running program; a comparison with other binary instrumentation tools is given in Table 6-1. It also supports changing the behavior of functions.

Table 6-1: Binary instrumentation tools comparison table


Our work has some limitations, which we describe as follows.

6.1.1. Call Destination Address in Registers


Our tool cannot control a function that is called through a register, and it cannot control a function whose size is smaller than 5 bytes. Most instrumentation techniques insert a JMP instruction into the function prolog, so they face the same 5-byte limitation, because a JMP occupies 5 bytes.
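As an added illustration of the 5-byte limitation (this is example code, not DUBS or any code from the thesis), the C program below measures how many bytes of whole x86 instructions a prolog JMP hook would displace and computes the JMP's rel32 operand. The prolog byte sequences are constructed samples, and the length decoder recognises only a few common prolog opcodes (an assumption for brevity; a real tool needs a complete decoder).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Length of the 32-bit x86 instruction at p for a few opcodes that commonly
   open a prolog; 0 = unrecognised or unsafe to relocate (ret, relative
   branches, memory operands), which stops the hook attempt. Partial decoder
   by assumption, not the tool's own. */
static size_t insn_len(const uint8_t *p)
{
    if (p[0] >= 0x50 && p[0] <= 0x5F) return 1;               /* push/pop r32 */
    if (p[0] == 0x8B || p[0] == 0x89)                         /* mov r32,r32 */
        return ((p[1] & 0xC0) == 0xC0) ? 2 : 0;               /* ModRM mod=11 only */
    if (p[0] == 0x83) return ((p[1] & 0xC0) == 0xC0) ? 3 : 0; /* sub/add r32,imm8 */
    if (p[0] == 0x81) return ((p[1] & 0xC0) == 0xC0) ? 6 : 0; /* sub/add r32,imm32 */
    return 0;                                                 /* ret, jmp, call, others */
}
/* Bytes of whole instructions that a 5-byte JMP at the entry would overwrite.
   Returns that count (>= 5) or 0 when the function cannot be hooked this way:
   it ends, or hits an unrelocatable instruction, before 5 bytes are available. */
size_t hook_displaced_len(const uint8_t *code, size_t code_len)
{
    size_t off = 0;
    while (off < 5) {
        if (off + 1 >= code_len) return 0;      /* need opcode plus possible ModRM */
        size_t n = insn_len(code + off);
        if (n == 0 || off + n > code_len) return 0;
        off += n;
    }
    return off;
}
/* rel32 operand for an E9 JMP at `from` landing at `to`: x86 displacements
   are relative to the address just after the 5-byte instruction. */
int32_t jmp_rel32(uint32_t from, uint32_t to)
{
    return (int32_t)(to - (from + 5u));
}
/* Constructed sample prologs, not taken from any real binary. */
const uint8_t PROLOG_TYPICAL[]  = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53}; /* push ebp; mov ebp,esp; sub esp,0x10; push ebx */
const uint8_t PROLOG_HOTPATCH[] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};             /* mov edi,edi; push ebp; mov ebp,esp */
const uint8_t PROLOG_TINY[]     = {0x8B, 0xC1, 0xC3};                         /* mov eax,ecx; ret (too small) */
int main(void)
{
    printf("typical : relocate %zu bytes\n", hook_displaced_len(PROLOG_TYPICAL, sizeof PROLOG_TYPICAL));
    printf("hotpatch: relocate %zu bytes\n", hook_displaced_len(PROLOG_HOTPATCH, sizeof PROLOG_HOTPATCH));
    printf("tiny    : relocate %zu bytes (0 = cannot hook)\n", hook_displaced_len(PROLOG_TINY, sizeof PROLOG_TINY));
    printf("rel32   : 0x%08X\n", (unsigned)jmp_rel32(0x00401000u, 0x10001000u));
    return 0;
}
```

The hot-patch prolog is the one case where exactly 5 bytes are available; the typical prolog needs 6 bytes relocated because the `sub esp,imm8` straddles the boundary, and the tiny function cannot be hooked at all.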

6.1.2. Control Flow Logging

We find the user-defined functions and inject breakpoints into each function's prolog and epilog, and we log the control flow by receiving the debug event EXCEPTION_BREAKPOINT. When logging finishes, we find that the number of function calls exceeds the number of function returns, because we cannot inject the monitor code into the function epilogs in DLL files.

6.1.3. Buffer Overflow Vulnerability in Critical Function

We can block the function that has the buffer overflow vulnerability, but under one condition: the function we block must appear in the failing run and not in the passing run. If we block a function that also appears in the passing run, a correct action may turn into a wrong one. Robot FTP also has a buffer overflow vulnerability, in its USER command, but we cannot protect Robot FTP because its passing run and failing run are the same.
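The following C program, added here as an example and not part of DUBS or the thesis, works through the two observations in 6.1.2 and 6.1.3 on a constructed breakpoint trace: it counts the call/return imbalance per run and computes the set of functions called in the failing run but never in the passing run, which is the only set the blocking rule allows. The event layout, run labels and function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* One EXCEPTION_BREAKPOINT event as the logger described above would record
   it: the run it came from, prolog (CALL) or epilog (RET), and the function. */
enum run  { PASSING, FAILING };
enum kind { CALL, RET };
struct event { enum run run; enum kind kind; const char *func; };
/* Constructed sample trace, not a real DUBS log. SendReply sits in a DLL whose
   epilog could not be instrumented, so no RET is seen for it; the failing run
   dies inside CopyArgument, so neither it nor its caller HandleUser returns. */
static const struct event LOG[] = {
    {PASSING, CALL, "ParseCommand"}, {PASSING, RET, "ParseCommand"},
    {PASSING, CALL, "HandleUser"},   {PASSING, RET, "HandleUser"},
    {PASSING, CALL, "SendReply"},
    {FAILING, CALL, "ParseCommand"}, {FAILING, RET, "ParseCommand"},
    {FAILING, CALL, "HandleUser"},   {FAILING, CALL, "CopyArgument"},
};
#define NLOG (sizeof LOG / sizeof LOG[0])
/* CALL events minus RET events in one run: the imbalance noted in 6.1.2. */
int call_ret_imbalance(enum run r)
{
    int d = 0;
    for (size_t i = 0; i < NLOG; i++)
        if (LOG[i].run == r) d += (LOG[i].kind == CALL) ? 1 : -1;
    return d;
}
static int called_in(enum run r, const char *f)
{
    for (size_t i = 0; i < NLOG; i++)
        if (LOG[i].run == r && LOG[i].kind == CALL && strcmp(LOG[i].func, f) == 0)
            return 1;
    return 0;
}
/* Functions called in the failing run but never in the passing run: the only
   ones that may be blocked without turning a correct action into a wrong one.
   Fills CANDIDATES without duplicates and returns the count; 0 means the two
   runs agree (the Robot FTP situation) and nothing can be blocked safely. */
const char *CANDIDATES[NLOG];
int block_candidates(void)
{
    int n = 0;
    for (size_t i = 0; i < NLOG; i++) {
        if (LOG[i].run != FAILING || LOG[i].kind != CALL) continue;
        if (called_in(PASSING, LOG[i].func)) continue;
        int seen = 0;
        for (int j = 0; j < n; j++)
            if (strcmp(CANDIDATES[j], LOG[i].func) == 0) seen = 1;
        if (!seen) CANDIDATES[n++] = LOG[i].func;
    }
    return n;
}
```

On this trace the passing run is short one return (the DLL epilog) and the failing run two, and CopyArgument is the single blocking candidate; with an identical passing and failing run the candidate set would be empty.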

6.2. Future Work

6.2.1. Memory Space Reallocation

Scarce memory space is a big problem for us, because we need memory to create the function indirection table and to place the instrumentation code. We could use binary rewriting techniques to enlarge the available memory space.


6.2.2. Using Event Message Instead of Polling Method

Our tool uses a polling method to gain control of the program. It must perform a context switch whenever a breakpoint occurs, and each context switch costs high overhead. Microsoft Windows supports messages, which are similar to signals in Unix-like systems and can be used for communication between two separate programs.

6.2.3. Code Injection with C Language

Our tool lets users inject code into a running program. At present it supports injecting machine code. To inject C code, the user must compile it first, which has many limitations; for example, the offsets of library functions must be recalculated.


