ValueGuard: Protection of native applications against data-only buffer overflows
15 Jan 2011 I graduated for the second time last year, getting me the grade of "Master in Engineering Science - Computer Science" and the title of engineer (ir.). My master thesis was in the area of computer security, specifically lowlevel security. The goal was to create a countermeasure to defend native applications (written in C) from data-only (or non-control-data) buffer overflows.The text of my master thesis can be found here: steven.van.acker-2010-06-16.hyperref.pdf.
I also made a live-CD based on Ubuntu 10.04 that can be found here: livecd.iso
The reason I could not blog about this untill now, is because my promotor wanted to keep it quiet last year, and because the work also got published at ICISS 2010. The countermeasure was rewritten a bit, taking into account the lessons learned from the benchmarks in my thesis. The result is ValueGuard.
Abstract:
Code injection attacks that target the control-data of an application have been prevalent amongst exploit writers for over 20 years. Today however, these attacks are getting increasingly harder for attackers to successfully exploit due to numerous countermeasures that are deployed by modern operating systems. We believe that this fact will drive exploit writers away from classic control-data attacks and towards data-only attacks. In data-only attacks, the attacker changes key data structures that are used by the program’s logic and thus forces the control flow into existing parts of the program that would be otherwise unreachable, e.g. overflowing into a boolean variable that states whether the current user is an administrator or not and setting it to “true” thereby gaining access to the administrative functions of the program.
In this paper we present ValueGuard, a canary-based defense mechanism to protect applications against data-only buffer overflow attacks. ValueGuard inserts canary values in front of all variables and verifies their integrity whenever these variables are used. In this way, if a buffer overflow has occurred that changed the contents of a variable, ValueGuard will detect it since the variable’s canary will have also been changed. The countermeasure itself can be used either as a testing tool for applications before their final deployment or it can be applied selectively to legacy or high-risk parts of programs that we want to protect at run-time, without incurring extra time-penalties to the rest of the applications.
Link to the ValueGuard paper: valueguard.pdf
Link to the same paper from Springer: http://www.springerlink.com/content/p26243813157387x/
Link to the LIRIAS database at the university: https://lirias.kuleuven.be/handle/123456789/289765