Subject: Re: Buffer Overflows
From: Crispin Cowan (crispinwirex.com)
Date: Thu Apr 27 2000 - 13:09:15 CDT


Douglas Ostling wrote:

> On Thu, 27 Apr 2000, Crispin Cowan wrote:
>
> > I think we did fix the toolchain to produce more robust code. StackGuard is a
> > hack to the code generator to produce failsafe code that fails safe under
> > particularly dire circumstances.
>
> Could we do a bo analysis on this compiler patch:
>
> http://web.inter.nl.net/hcc/Haj.Ten.Brugge/
> http://www-ala.doc.ic.ac.uk/~phjk/BoundsChecking.html/\
> bounds-checking-gcc-2.95.2-1.03.tar.gz

Many of the questions being posed and discussions taking place are addressed in
this paper: http://immunix.org/StackGuard/discex00.pdf. It compares & contrasts a
whole bunch of buffer overflow attacks and defenses, including the above bounds
checking compiler, as well as other bounds checkers, Java, the Purify defense,
non-executable stacks, and static analysis. Really, if you want to know more about
this issue, go read the paper. About the only thing it does not cover is libsafe
(because the paper pre-dates libsafe).

Summary: bounds checking slowed down software crypto via SSH by 12X, and
StackGuard imposed no measurable overhead.

Quoting from the paper:

     3.3.2 Jones & Kelly: Array Bounds Checking for C

     Richard Jones and Paul Kelly developed a gcc patch [26] that does full
     array bounds checking for C programs. Compiled programs are compatible
     with other gcc modules, because they have not changed the representation
     of pointers. Rather, they derive a "base" pointer from each pointer
     expression, and check the attributes of that pointer to determine whether
     the expression is within bounds.

     The performance costs are substantial: a pointer-intensive program (ijk
     matrix multiply) experienced 30X slowdown. Since slowdown is
     proportionate to pointer usage, which is quite common in privileged
     programs, this performance penalty is particularly unfortunate. The
     compiler did not appear to be mature; complex programs such as elm failed
     to execute when compiled with this compiler. However, an updated version
     of the compiler is being maintained [39], and it can compile and run at
     least portions of the SSH software encryption package. Throughput
     experiments with the updated compiler and software encryption using SSH
     showed a 12X slowdown [32] (see Section 3.4.2 for comparison).

     3.4.2 StackGuard: Compiler-generated Activation Record Integrity
     Checking
     ...
     Our first macrobenchmark used SSH [42] which provides strongly
     authenticated and encrypted replacements for the Berkeley r* commands,
     i.e. rcp becomes scp. SSH uses software encryption, and so performance
     overheads will show up in lowered bandwidth. We measured the bandwidth
     impact by using scp to copy a large file via the network loopback
     interface as follows:

         scp bigsource localhost:bigdest

     The results showed that StackGuard presents virtually no cost to SSH
     throughput. Averaged over five runs, the generic scp ran for 14.5 seconds
     (+/- 0.3), and achieved an average throughput of 754.9 kB/s (+/- 0). The
     StackGuard-protected scp ran for 13.8 seconds (+/- 0.5), and achieved an
     average throughput of 803.8 kB/s (+/- 48.9).

     [26] Richard Jones and Paul Kelly. Bounds Checking for C.
     http://www-ala.doc.ic.ac.uk/phjk/BoundsChecking.html, July 1995.

     [32] Kurt Roeckx. Bounds Checking Overhead in SSH. Personal
     Communications, October 1999.

     [39] Herman ten Brugge. Bounds Checking C Compiler.
     http://web.inter.NL.net/hcc/Haj.Ten.Brugge/, 1998.

     [42] Tatu Ylonen. SSH (Secure Shell) Remote Login Program.
     http://www.cs.hut.fi/ssh.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
                  JOBS! http://immunix.org/jobs.html
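The Jones & Kelly scheme quoted above (derive a "base" referent for each pointer expression, then check the result against that referent's bounds) can be modelled in a few dozen lines of C. The following is an added example for this archive page, not code from the bounds-checking gcc patch, from the paper, or from anyone in the thread. The referent table, the `bc_*` function names, and the 16-byte buffer receiving a constructed 24-byte string are assumptions made for the illustration; the real patch emits these checks at compile time for every pointer expression, whereas here they are called explicitly so the mechanism is visible.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A referent: the "base" object a pointer was derived from. This table is
 * an illustrative stand-in for the bookkeeping the instrumented compiler
 * would maintain; it is not the patch's own data structure. */
typedef struct {
    const char *name;
    uintptr_t   base;
    size_t      size;
} referent_t;

#define MAX_REFERENTS 16
static referent_t g_table[MAX_REFERENTS];
static int g_count;

void bc_reset(void) { g_count = 0; }

/* Record an object (at allocation, or when a local array comes into scope). */
int bc_register(const char *name, const void *base, size_t size)
{
    if (g_count >= MAX_REFERENTS)
        return 0;
    g_table[g_count].name = name;
    g_table[g_count].base = (uintptr_t)base;
    g_table[g_count].size = size;
    g_count++;
    return 1;
}

/* Derive the referent of a pointer: the object whose range [base, base+size]
 * contains it. One-past-the-end is included, as C pointer arithmetic permits. */
const referent_t *bc_find(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < g_count; i++) {
        if (a >= g_table[i].base && a <= g_table[i].base + g_table[i].size)
            return &g_table[i];
    }
    return NULL;
}

/* Check the pointer expression p + off (bytes). Returns 1 if the result stays
 * within the referent of p (one-past-end allowed), 0 if it leaves the object
 * or p does not belong to any known object. The arithmetic is done on
 * integers so that an out-of-bounds candidate is never formed as a pointer. */
int bc_check_arith(const void *p, long off)
{
    const referent_t *r = bc_find(p);
    if (!r)
        return 0;
    uintptr_t q = (uintptr_t)((intptr_t)(uintptr_t)p + off);
    return q >= r->base && q <= r->base + r->size;
}

/* Check a len-byte access at p: every byte touched must lie inside the
 * referent. Unlike pointer arithmetic, one-past-the-end may not be accessed. */
int bc_check_access(const void *p, size_t len)
{
    const referent_t *r = bc_find(p);
    if (!r || len == 0)
        return 0;
    uintptr_t a = (uintptr_t)p;          /* a >= r->base is guaranteed by bc_find */
    return a + len <= r->base + r->size;
}

/* strcpy with each store checked, as instrumented code would check it.
 * Returns bytes written (including the NUL), or -1 if a store would have
 * left the destination object; nothing is ever written past the bound. */
long bc_strcpy(char *dst, const char *src)
{
    long n = 0;
    for (;;) {
        if (!bc_check_access(dst + n, 1))
            return -1;
        dst[n] = src[n];
        if (src[n] == '\0')
            return n + 1;
        n++;
    }
}

/* Constructed demonstration: a 16-byte local buffer receiving a 24-byte
 * string. Returns the bc_strcpy result (-1 means the overflow was caught
 * before the first out-of-bounds byte was stored). */
long bc_demo(void)
{
    char buf[16];
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* 24 bytes, constructed */
    bc_reset();
    bc_register("buf", buf, sizeof buf);
    long rc = bc_strcpy(buf, too_long);
    if (rc < 0)
        printf("bounds violation caught: store past buf[%zu] refused\n", sizeof buf);
    return rc;
}
```

Two details matter for the 12X/30X figures quoted above: every pointer expression pays a table lookup (here a linear scan, in the patch a more elaborate structure), and the check distinguishes forming a one-past-the-end pointer, which C allows, from dereferencing it, which it does not.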