The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

Интерактивная система просмотра системных руководств (man-ов)

 ТемаНаборКатегория 
 
 [Cписок руководств | Печать]

libsafe (8)
  • >> libsafe (8) ( Linux man: Команды системного администрирования )
  •  

    Name

    libsafe - detection and protection against stack smashing attacks

     

    Introduction

    The libsafe library protects a process against the exploitation of buffer overflow vulnerabilities in process stacks. Libsafe works with any existing pre-compiled executable and can be used transparently, even on a system-wide basis. The method intercepts all calls to library functions that are known to be vulnerable. A substitute version of the corresponding function implements the original functionality, but in a manner that ensures that any buffer overflows are contained within the current stack frame. Libsafe has been shown to detect several known attacks and can potentially prevent yet unknown attacks. Experiments indicate that the performance overhead of libsafe is negligible.

    The following unsafe functions are currently monitored by libsafe:

    strcpy(char *dest, const char *src)
    May overflow the dest buffer.
    strcat(char *dest, const char *src)
    May overflow the dest buffer.
    getwd(char *buf)
    May overflow the buf buffer.
    gets(char *s)
    May overflow the s buffer.
    [vf]scanf(const char *format, ...)
    May overflow its arguments.
    realpath(char *path, char resolved_path[])
    May overflow the path buffer.
    [v]sprintf(char *str, const char *format, ...)
    May overflow the str buffer.

     

    Where to get libsafe

    The source code for libsafe can be found at http://www.bell-labs.com/org/11356/libsafe.html.

     

    Installing libsafe

    1.
    If you install libsafe on Linux, make sure that your shared loader (ld-linux.so.1/ld.so) understands LD_PRELOAD. (Best if ld.so-1.8.5 or more recent)
    2.
    Change to the lib directory.
    3.
    Type make to compile and build libsafe.so.1.
    4.
    Type make install to install the libsafe library and associated programs in their final destination locations.
    5.
    To use libsafe, set the environment variable LD_PRELOAD to point to the libsafe library. Example (sh syntax):

     
          LD_PRELOAD=/lib/libsafe.so.1
          export LD_PRELOAD
    

     
    or (csh syntax):

     
          setenv LD_PRELOAD /lib/libsafe.so.1
    

     
    You might want to put these lines in your .profile or .cshrc in order to activate libsafe for all processes that you initiate.
    6.
    Use your programs as you would normally. Libsafe will transparently check the parameters for supported unsafe functions. If a violation is detected, the following will occur:
    1.
    The entire process group will be sent a SIGKILL signal.
    2.
    An entry will be added to /var/log/secure. The following is an example of such an entry:
    Dec 21 13:57:40 denver libsafe[15704]: Detected an attempt to write across stack boundary.
    Dec 21 13:57:40 denver libsafe[15704]: Terminating /users/ttsai/work/security.D0_2/test/t91
    Dec 21 13:57:40 denver libsafe[15704]: scanf()
    .PP For security reasons, the dynamic loader disregards environmental variables such as LD_PRELOAD when executing set-uid programs. However, on Linux, you can use libsafe with set-uid programs too, by using one of the two methods described below:

    1.
    You may append the path to libsafe.so.1 into /etc/ld.so.preload instead of using LD_PRELOAD.
    WARNING: If you use /etc/ld.so.preload, be sure to install libsafe.so.1 on your root filesystem, for instance in /lib, as is done by the default installation. Using a directory which is not available at boot time, such as /usr/local/lib will cause trouble at the next reboot!
    You should also be careful to remove libsafe from /etc/ld.so.preload when installing a new version. First test it out using LD_PRELOAD, and only if everything is ok, put it back into /etc/ld.so.preload.

    2.
    If you have a version of ld.so which is more recent than 1.9.0, you can set LD_PRELOAD to just contain the basename of libsafe.so.1 without the directory. In that case, the file is found as long as it is in the shared library path (which usually contains /lib and /usr/lib)). Because the search is restricted to the library search path, this also works for set-uid programs. Example (sh syntax):

     
          LD_PRELOAD=libsafe.so.1
          export LD_PRELOAD
    

     
    or (csh syntax):

     
          setenv LD_PRELOAD libsafe.so.1
    

     
    The advantage of this approach over ld.so.preload is that libsafe can more easily be switched off in case something goes wrong.

     

    Using libsafe

    Once libsafe is installed and either LD_PRELOAD or /etc/ld.so.preload has been appropriate configured, there is nothing else to do. The processes to be monitored can be used with no changes.

    If a process attempts to use one of the monitored functions to overflow a buffer on the stack, then a violation will be declared. A message is output to the standard error stream, and an entry is made in /var/log/secure. In addition, if libsafe is compiled with NOTIFY_WITH_MAIL defined, then email will be sent based on the following conditions:

    1.
    If the LIBSAFE_NOTIFY_MAIL_ADDRESS environment variable is set, then it contains the name of a file. Mail is sent to the recipients listed in that file. The recipients are white-space delimited.
    2.
    Otherwise, if the file /etc/libsafe.notify exists, then mail is sent to the recipients listed in that file.
    3.
    Otherwise, mail is sent to root@localhost.
     

     

    How it works

    Programs written in C have always been plagued with buffer overflows. Two reasons contribute to this factor. First, the C programming language does not automatically bounds-check array and pointer references. Second, and more importantly, many of the functions provided by the standard C library, such as those listed in the introduction, are unsafe. Therefore, it is up to the programmers to check explicitly that the use of these functions cannot overflow buffers. However, programmers often omit these checks. Consequently, many programs are plagued with buffer overflows, which makes them vulnerable to security attacks.

    Libsafe uses a novel method for performing detection and handling of buffer overflow attacks. Without requiring source code, it can transparently protect processes against stack smashing attacks, even on a system-wide basis. The method intercepts all calls to library functions that are known to be vulnerable. A substitute version of the corresponding function implements the original functionality, but in a manner that ensures that any buffer overflows are contained within the current stack frame.

    The key idea is the ability to estimate a safe upper limit on the size of buffers automatically. This estimation cannot be performed at compile time because the size of the buffer may not be known at that time. Thus, the calculation of the buffer size must be made after the start of the function in which the buffer is accessed. Our method is able to determine the maximum buffer size by realizing that such local buffers cannot extend beyond the end of the current stack frame. This realization allows the substitute version of the function to limit buffer writes within the estimated buffer size. Thus, the return address from that function, which is located on the stack, cannot be overwritten and control of the process cannot be commandeered.

     

    REPORTING BUGS

    Report bugs to <[email protected]>.

     

    SEE ALSO

    The home web page for libsafe is http://www.bell-labs.com/org/11356/libsafe.html.

     

    DISCLAIMER

    Copyright (C) 1999 Bell Labs, Lucent Technologies.
    Copyright (C) Arash Baratloo, Timothy Tsai, and Navjot Singh.

    This file is part of the Libsafe library. Libsafe version 1.0: protecting against stack smashing attacks.

    This library is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

    This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details.

    You should have received a copy of the GNU Library General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

    For more information,
      visit http://www.bell-labs.com/org/11356/libsafe.html
      or email [email protected]


     

    Index

    Name
    Introduction
    Where to get libsafe
    Installing libsafe
    Using libsafe
    How it works
    REPORTING BUGS
    SEE ALSO
    DISCLAIMER


    Поиск по тексту MAN-ов: 




    Партнёры:
    PostgresPro
    Inferno Solutions
    Hosting by Hoster.ru
    Хостинг:

    Закладки на сайте
    Проследить за страницей
    Created 1996-2024 by Maxim Chirkov
    Добавить, Поддержать, Вебмастеру