LIBSAFE

Section: LIBSAFE (8)
Updated: 8-OCT-2001
Index

Name

libsafe - detection and protection against stack smashing attacks

Introduction

The libsafe library protects a process against the exploitation of buffer overflow vulnerabilities in process stacks. Libsafe works with any existing pre-compiled executable (but is incompatible with libc5-linked processes) and can be used transparently, even on a system-wide basis. The method intercepts all calls to library functions that are known to be vulnerable. A substitute version of the corresponding function implements the original functionality, but in a manner that ensures that any buffer overflows are contained within the current stack frame. Libsafe has been shown to detect several known attacks and can potentially prevent yet unknown attacks. Experiments indicate that the performance overhead of libsafe is negligible.

The following unsafe functions are currently monitored by libsafe:

strcpy(char *dest, const char *src)
strcpy(char *dest, const char *src)
strpcpy(char *dest, const char *src)
wcscpy(wchar_t *dest, const wchar_t *src)
wcpcpy(wchar_t *dest, const wchar_t *src): May overflow the dest buffer.
strcat(char *dest, const char *src)
wcscpy(wchar_t *dest, const wchar_t *src): May overflow the dest buffer.
getwd(char *buf): May overflow the buf buffer.
gets(char *s): May overflow the s buffer.
[vf]scanf(const char *format, ...): May overflow its arguments.
realpath(char *path, char resolved_path[]): May overflow the path buffer.
[v]sprintf(char *str, const char *format, ...): May overflow the str buffer.; May exploit "%n".

Where to get libsafe

The source code for libsafe can be found at http://www.research.avayalabs.com/project/libsafe/index.html.

Installing libsafe

If you install libsafe on Linux, make sure that your shared loader (ld-linux.so.1/ld.so) understands LD_PRELOAD. (Best if ld.so-1.8.5 or more recent)
Change to the lib directory.
Type make to compile and build libsafe.so.2.
Type make install to install the libsafe library and associated programs in their final destination locations.
To use libsafe, set the environment variable LD_PRELOAD to point to the libsafe library. Example (sh syntax):
```
    LD_PRELOAD=/lib/libsafe.so.2
    export LD_PRELOAD
```
or (csh syntax):
```
    setenv LD_PRELOAD /lib/libsafe.so.2
```
You might want to put these lines in your .profile or .cshrc in order to activate libsafe for all processes that you initiate.
Use your programs as you would normally. Libsafe will transparently check the parameters for supported unsafe functions. If a violation is detected, the following will occur:
1. The entire process group will be sent a SIGKILL signal.
2. An entry will be added to /var/log/secure. The following is an example of such an entry:
  
  Dec 21 13:57:40 denver libsafe[15704]: Detected an attempt to write across stack boundary.
  Dec 21 13:57:40 denver libsafe[15704]: Terminating /users/ttsai/work/security.D0_2/test/t91
  Dec 21 13:57:40 denver libsafe[15704]: scanf()

For security reasons, the dynamic loader disregards environmental variables such as LD_PRELOAD when executing set-uid programs. However, on Linux, you can use libsafe with set-uid programs too, by using one of the two methods described below:

You may append the path to libsafe.so.2 into /etc/ld.so.preload instead of using LD_PRELOAD.

WARNING: If you use /etc/ld.so.preload, be sure to install libsafe.so.2 on your root filesystem, for instance in /lib, as is done by the default installation. Using a directory which is not available at boot time, such as /usr/local/lib will cause trouble at the next reboot!
You should also be careful to remove libsafe from /etc/ld.so.preload when installing a new version. First test it out using LD_PRELOAD, and only if everything is ok, put it back into /etc/ld.so.preload.
If you have a version of ld.so which is more recent than 1.9.0, you can set LD_PRELOAD to just contain the basename of libsafe.so.2 without the directory. In that case, the file is found as long as it is in the shared library path (which usually contains /lib and /usr/lib)). Because the search is restricted to the library search path, this also works for set-uid programs. Example (sh syntax):

LD_PRELOAD=libsafe.so.2
export LD_PRELOAD
or (csh syntax):

setenv LD_PRELOAD libsafe.so.2
The advantage of this approach over ld.so.preload is that libsafe can more easily be switched off in case something goes wrong.

Using libsafe

Once libsafe is installed and either LD_PRELOAD or /etc/ld.so.preload has been appropriate configured, there is nothing else to do. The processes to be monitored can be used with no changes.

If a process attempts to use one of the monitored functions to overflow a buffer on the stack, then a violation will be declared. A message is output to the standard error stream, and an entry is made in /var/log/secure. If the corresponding options are enabled during compilation (See the libsafe/INSTALL file.), a core dump and a stack dump are produced.

If you wish to use libsafe with /etc/ld.so.preload to enable monitoring for all processes, but there are a few programs that you don't want to use with libsafe, you can list the programs you wish to excluse in /etc/libsafe.exclude. List each program on a separate line, using the absolute pathname for each program. Note that this absolute pathname must not contain any symbolic links.

There is a compile-time option for including code to automatically send email notification of detected attacks. See the source code for more information.

How it works

Programs written in C have always been plagued with buffer overflows. Two reasons contribute to this factor. First, the C programming language does not automatically bounds-check array and pointer references. Second, and more importantly, many of the functions provided by the standard C library, such as those listed in the introduction, are unsafe. Therefore, it is up to the programmers to check explicitly that the use of these functions cannot overflow buffers. However, programmers often omit these checks. Consequently, many programs are plagued with buffer overflows, which makes them vulnerable to security attacks.

Libsafe uses a novel method for performing detection and handling of buffer overflow attacks. Without requiring source code, it can transparently protect processes against stack smashing attacks, even on a system-wide basis. The method intercepts all calls to library functions that are known to be vulnerable. A substitute version of the corresponding function implements the original functionality, but in a manner that ensures that any buffer overflows are contained within the current stack frame.

The key idea is the ability to estimate a safe upper limit on the size of buffers automatically. This estimation cannot be performed at compile time because the size of the buffer may not be known at that time. Thus, the calculation of the buffer size must be made after the start of the function in which the buffer is accessed. Our method is able to determine the maximum buffer size by realizing that such local buffers cannot extend beyond the end of the current stack frame. This realization allows the substitute version of the function to limit buffer writes within the estimated buffer size. Thus, the return address from that function, which is located on the stack, cannot be overwritten and control of the process cannot be commandeered.

REPORTING BUGS

Report bugs to < libsafe@research.avayalabs.com >.

DISCLAIMER

Copyright (C) 2002 Avaya Labs, Avaya Inc.
Copyright (C) 1999 Bell Labs, Lucent Technologies.
Copyright (C) Arash Baratloo, Timothy Tsai, and Navjot Singh.

This file is part of the Libsafe library. Libsafe version 2.x: protecting against stack smashing attacks.

This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

For more information,
visit http://www.research.avayalabs.com/project/libsafe/index.html
or email libsafe@research.bell-labs.com