
Protecting C programs from attacks via invalid pointer dereferences

Published: 01 September 2003

Abstract

Writes via unchecked pointer dereferences rank high among vulnerabilities most often exploited by malicious code. The most common attacks use an unchecked string copy to cause a buffer overrun, thereby overwriting the return address in the function's activation record. Then, when the function "returns", control is actually transferred to the attacker's code. Other attacks may overwrite function pointers, setjmp buffers, system-call arguments, or simply corrupt data to cause a denial of service.

A number of techniques have been proposed to address such attacks. Some are limited to protecting the return address only; others are more general, but have undesirable properties such as having a high runtime overhead, requiring manual changes to the source code, or forcing programmers to give up control of data representations and memory management.

This paper describes the design and implementation of a security tool for C programs that addresses all these issues: it has a low runtime overhead, does not require source code modification by the programmer, does not report false positives, and provides protection against a wide range of attacks via bad pointer dereferences, including but not limited to buffer overruns and attempts to access previously freed memory. The tool uses static analysis to identify potentially dangerous pointer dereferences, and memory locations that are legitimate targets of these pointers. Dynamic checks are then inserted; if at runtime the target of an unsafe dereference is not in the legitimate set, a potential security violation is reported, and the program is halted.
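As an added illustration of the check the abstract describes (this is not the paper's tool or code, and every name in it is hypothetical), the C program below models memory as a small constructed arena with a shadow bitmap recording which bytes are legitimate targets of an unsafe pointer. In the paper that set comes from static analysis; here it is supplied by hand. Two scenarios are run: an oversized copy into a 16-byte buffer that sits next to a simulated return-address slot, and a store through a pointer to a block after a simulated free. The inserted check refuses the out-of-set stores and reports them instead of halting, so both scenarios can be observed in one run.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256

/* Constructed memory image standing in for the program's stack, heap and data.
 * One shadow bit per arena byte records whether that byte is currently a
 * legitimate target of the unsafe dereferences exercised below. */
static unsigned char arena[ARENA_SIZE];
static unsigned char shadow[ARENA_SIZE / 8];

/* Record or revoke legitimacy of the byte range [off, off + len). */
static void set_legit(size_t off, size_t len, int legit) {
    for (size_t i = off; i < off + len && i < ARENA_SIZE; i++) {
        if (legit) shadow[i / 8] |= (unsigned char)(1u << (i % 8));
        else       shadow[i / 8] &= (unsigned char)~(1u << (i % 8));
    }
}

/* The dynamic check inserted before a write through an unsafe pointer.
 * Returns 1 if the store was performed, 0 if it was refused. The real tool
 * halts the program on a refused store; this model only reports it. */
static int checked_store(unsigned char *p, unsigned char v) {
    if (p < arena || p >= arena + ARENA_SIZE) {
        fprintf(stderr, "blocked: pointer outside modelled memory\n");
        return 0;
    }
    size_t off = (size_t)(p - arena);
    if (!(shadow[off / 8] & (1u << (off % 8)))) {
        fprintf(stderr, "blocked: offset %zu is not a legitimate target\n", off);
        return 0;
    }
    *p = v;
    return 1;
}

/* An unchecked string copy as the instrumented program would execute it:
 * every store goes through checked_store. Returns the number of payload
 * bytes actually stored; copying stops at the first refused store. */
static int instrumented_strcpy(unsigned char *dst, const char *src) {
    int n = 0;
    for (; *src; src++, dst++) {
        if (!checked_store(dst, (unsigned char)*src)) return n;
        n++;
    }
    checked_store(dst, 0);   /* terminator is subject to the same check */
    return n;
}

/* Scenario 1: a frame laid out as a 16-byte buffer followed by a simulated
 * saved return address (8 sentinel bytes). Only the buffer is a legitimate
 * target of the copy's destination pointer. Returns how many bytes of a
 * 24-byte input reached memory. */
enum { BUF_OFF = 0, BUF_LEN = 16, RET_OFF = 16, RET_LEN = 8 };

static int overflow_demo(void) {
    memset(arena, 0, sizeof arena);
    memset(shadow, 0, sizeof shadow);
    memset(arena + RET_OFF, 0xAA, RET_LEN);          /* sentinel "return address" */
    set_legit(BUF_OFF, BUF_LEN, 1);
    return instrumented_strcpy(arena + BUF_OFF, "AAAAAAAA" "AAAAAAAA" "AAAAAAAA");
}

/* 1 if the simulated return address still holds its sentinel after the copy. */
static int return_slot_intact(void) {
    for (size_t i = RET_OFF; i < RET_OFF + RET_LEN; i++)
        if (arena[i] != 0xAA) return 0;
    return 1;
}

/* Scenario 2: access to freed memory. A simulated allocator marks a block
 * legitimate on allocation and revokes it on free, so a store through the
 * stale pointer is refused. Returns 1 if the store before free succeeded and
 * the store after free was blocked. */
static int use_after_free_demo(void) {
    memset(shadow, 0, sizeof shadow);
    unsigned char *blk = arena + 64;                 /* sim_alloc(32) */
    set_legit(64, 32, 1);
    int before = checked_store(blk + 5, 0x41);
    set_legit(64, 32, 0);                            /* sim_free(blk) */
    int after = checked_store(blk + 5, 0x42);        /* stale pointer */
    return before == 1 && after == 0;
}

int main(void) {
    int n = overflow_demo();
    printf("overflow: %d bytes stored, return slot %s\n", n,
           return_slot_intact() ? "intact" : "CORRUPTED");
    printf("use-after-free: %s\n", use_after_free_demo() ? "blocked" : "not blocked");
    return 0;
}
```

The model deliberately keeps the two halves of the abstract's design separate: `set_legit` plays the role of the static analysis result (which bytes a given unsafe pointer may legitimately write), while `checked_store` is the runtime check that consults it. A deployment would only instrument dereferences the analysis could not prove safe, which is where the low overhead the abstract claims comes from.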



Published In

ACM SIGSOFT Software Engineering Notes, Volume 28, Issue 5
September 2003
382 pages
ISSN: 0163-5948
DOI: 10.1145/949952
  • ESEC/FSE-11: Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
    September 2003
    394 pages
    ISBN: 1581137435
    DOI: 10.1145/940071

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 September 2003
Published in SIGSOFT Volume 28, Issue 5


Author Tags

  1. buffer overrun
  2. instrumentation
  3. security
  4. static analysis

Qualifiers

  • Article

Cited By

  • (2023) A Source-Level Instrumentation Framework for the Dynamic Analysis of Memory Safety. IEEE Transactions on Software Engineering 49(4):2107-2127. DOI: 10.1109/TSE.2022.3210580. Online publication date: 1 Apr 2023.
  • (2021) Exploitation Techniques for Data-oriented Attacks with Existing and Potential Defense Approaches. ACM Transactions on Privacy and Security 24(4):1-36. DOI: 10.1145/3462699. Online publication date: 2 Sep 2021.
  • (2019) Hardware-Enhanced Protection for the Runtime Data Security in Embedded Systems. Electronics 8(1):52. DOI: 10.3390/electronics8010052. Online publication date: 2 Jan 2019.
  • (2019) Memory access integrity: detecting fine-grained memory access errors in binary code. Cybersecurity 2(1). DOI: 10.1186/s42400-019-0035-x. Online publication date: 7 Jun 2019.
  • (2019) BOGO. Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 631-644. DOI: 10.1145/3297858.3304017. Online publication date: 4 Apr 2019.
  • (2019) BinTrimmer: Towards Static Binary Debloating Through Abstract Interpretation. Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 482-501. DOI: 10.1007/978-3-030-22038-9_23. Online publication date: 6 Jun 2019.
  • (2018) Hardware-Based Run-Time Code Integrity in Embedded Devices. Cryptography 2(3):20. DOI: 10.3390/cryptography2030020. Online publication date: 30 Aug 2018.
  • (2018) CUP. Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 381-392. DOI: 10.1145/3196494.3196540. Online publication date: 29 May 2018.
  • (2018) ARMOR: A Recompilation and Instrumentation-Free Monitoring Architecture for Detecting Memory Exploits. IEEE Transactions on Computers 67(8):1092-1104. DOI: 10.1109/TC.2018.2807818. Online publication date: 1 Aug 2018.
  • (2018) A Comprehensive Detection of Memory Corruption Vulnerabilities for C/C++ Programs. 2018 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Ubiquitous Computing & Communications, Big Data & Cloud Computing, Social Computing & Networking, Sustainable Computing & Communications (ISPA/IUCC/BDCloud/SocialCom/SustainCom), pp. 354-360. DOI: 10.1109/BDCloud.2018.00062. Online publication date: Dec 2018.
