We presented control flow anomaly detection mechanisms, namely stack corrupt site identification and call target validation, as a way to automate the analysis of crashes caused by security errors. We studied and employed interception techniques to instrument and intercept programs, which let us monitor their run-time behavior when only COTS (Commercial Off-The-Shelf) executables are available for analysis on the proprietary Microsoft Windows platform. Our contribution lies not in inventing new approaches to detecting buffer overflow attacks, but in adding a degree of automation to crash analysis and thereby building a relationship between software robustness and system security. Moreover, stack corrupt site identification helps explain why a particular stack-based crash occurs. When a program crashes, the underlying bug may correlate with a vulnerability that can be exploited. We designed a tool that helps analyze a program's run-time behavior and determine whether a crash corresponds to an exploitable vulnerability. By using process rewriting and breakpoint interruption to take control at a particular point of code execution, we intercept the running process and checkpoint its execution state in order to judge whether the crash is exploitable.
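The two checks named above, call target validation and stack corrupt site identification, can be illustrated with a small model of what the checkpointed execution state looks like at a breakpoint. The following C program is an added example written for this page; it is not the paper's tool. It assumes that the tool has already recovered the code ranges of the loaded modules, the thread's stack bounds and the chain of saved frame-pointer/return-address pairs, and that all of these values are constructed here for the sake of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A legitimate code region of the monitored process (for example the
 * .text section of the executable or of a loaded DLL). Constructed for
 * this example; a real tool would read the ranges of the loaded modules. */
typedef struct {
    uintptr_t start;   /* first byte of the region */
    uintptr_t end;     /* one past the last byte */
    const char *name;
} code_region;

/* One saved frame as laid out by a standard x86 prologue:
 * [saved EBP][return address]. Values are constructed for the example. */
typedef struct {
    uintptr_t saved_fp;   /* saved frame pointer of the caller */
    uintptr_t ret_addr;   /* return address into the caller */
} stack_frame;

/* Call target validation: a return address or indirect call target is
 * acceptable only if it lands inside a known code region. */
int is_valid_call_target(const code_region *regions, size_t nregions,
                         uintptr_t target)
{
    for (size_t i = 0; i < nregions; i++) {
        if (target >= regions[i].start && target < regions[i].end)
            return 1;
    }
    return 0;
}

/* Stack corrupt site identification: walk the frame chain from the
 * innermost frame outward and report the index of the first frame whose
 * return address does not point into code, or whose saved frame pointer
 * does not point into the thread's stack. Returns -1 if every frame is
 * consistent. The index tells the analyst which function's frame was
 * overwritten, i.e. where the corruption took place. */
int find_corrupt_frame(const stack_frame *frames, size_t nframes,
                       const code_region *regions, size_t nregions,
                       uintptr_t stack_lo, uintptr_t stack_hi)
{
    for (size_t i = 0; i < nframes; i++) {
        if (!is_valid_call_target(regions, nregions, frames[i].ret_addr))
            return (int)i;
        if (frames[i].saved_fp < stack_lo || frames[i].saved_fp >= stack_hi)
            return (int)i;
    }
    return -1;
}

/* Constructed sample state: two code regions and a three-frame chain in
 * which the second frame's return address has been overwritten with a
 * stack address, as happens when a local buffer overruns its frame. */
static const code_region sample_regions[] = {
    { 0x00401000u, 0x00410000u, "app.exe .text" },
    { 0x7c800000u, 0x7c900000u, "system DLL .text" },
};
static const uintptr_t sample_stack_lo = 0x0012c000u;
static const uintptr_t sample_stack_hi = 0x00130000u;
static const stack_frame sample_frames[] = {
    { 0x0012ff20u, 0x00402a10u },   /* frame 0: intact */
    { 0x0012ff80u, 0x0012ff40u },   /* frame 1: return address points into the stack */
    { 0x0012ffc0u, 0x7c8012a0u },   /* frame 2: intact */
};

/* Runs the corrupt-site check over the constructed sample state. */
int analyze_sample(void)
{
    return find_corrupt_frame(sample_frames, 3, sample_regions, 2,
                              sample_stack_lo, sample_stack_hi);
}

int main(void)
{
    int idx = analyze_sample();
    if (idx < 0)
        printf("frame chain consistent\n");
    else
        printf("corrupt site: frame %d (return address 0x%08lx outside code)\n",
               idx, (unsigned long)sample_frames[idx].ret_addr);
    return 0;
}
```

In a live tool the same two checks would run inside the breakpoint handler at the intercepted call or return: a return address outside every code region is the anomaly the paper calls a failed call target validation, and the first inconsistent frame in the chain marks the corrupt site that the analyst then maps back to the function whose local buffer was overrun.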
A limitation of the current implementation is the lack of data flow analysis. Without source code, it is not easy to understand how tainted input flows to the corrupt site. If the data flow path were available, it would help determine the exploitability of the software. The central open problem, however, is how to combine runtime observation with data flow analysis in order to deduce exploitability.