The libsafe library protects a process against the exploitation of buffer overflow vulnerabilities in process stacks. Libsafe works with any existing pre-compiled executable (but is incompatible with libc5-linked processes) and can be used transparently, even on a system-wide basis. The method intercepts all calls to library functions that are known to be vulnerable. A substitute version of the corresponding function implements the original functionality, but in a manner that ensures that any buffer overflows are contained within the current stack frame. Libsafe has been shown to detect several known attacks and can potentially prevent yet unknown attacks. Experiments indicate that the performance overhead of libsafe is negligible.
The following unsafe functions are currently monitored by libsafe:
The source code for libsafe can be found at http://www.research.avayalabs.com/project/libsafe/index.html.
LD_PRELOAD=/lib/libsafe.so.2 export LD_PRELOADor (csh syntax):
setenv LD_PRELOAD /lib/libsafe.so.2You might want to put these lines in your .profile or .cshrc in order to activate libsafe for all processes that you initiate.
Once libsafe is installed and either LD_PRELOAD or /etc/ld.so.preload has been appropriate configured, there is nothing else to do. The processes to be monitored can be used with no changes.
If a process attempts to use one of the monitored functions to overflow a buffer on the stack, then a violation will be declared. A message is output to the standard error stream, and an entry is made in /var/log/secure. If the corresponding options are enabled during compilation (See the libsafe/INSTALL file.), a core dump and a stack dump are produced.
If you wish to use libsafe with /etc/ld.so.preload to enable monitoring for all processes, but there are a few programs that you don't want to use with libsafe, you can list the programs you wish to excluse in /etc/libsafe.exclude. List each program on a separate line, using the absolute pathname for each program. Note that this absolute pathname must not contain any symbolic links.
There is a compile-time option for including code to automatically send email notification of detected attacks. See the source code for more information.
Libsafe uses a novel method for performing detection and handling of buffer overflow attacks. Without requiring source code, it can transparently protect processes against stack smashing attacks, even on a system-wide basis. The method intercepts all calls to library functions that are known to be vulnerable. A substitute version of the corresponding function implements the original functionality, but in a manner that ensures that any buffer overflows are contained within the current stack frame.
The key idea is the ability to estimate a safe upper limit on the size of buffers automatically. This estimation cannot be performed at compile time because the size of the buffer may not be known at that time. Thus, the calculation of the buffer size must be made after the start of the function in which the buffer is accessed. Our method is able to determine the maximum buffer size by realizing that such local buffers cannot extend beyond the end of the current stack frame. This realization allows the substitute version of the function to limit buffer writes within the estimated buffer size. Thus, the return address from that function, which is located on the stack, cannot be overwritten and control of the process cannot be commandeered.
This file is part of the Libsafe library. Libsafe version 2.x: protecting against stack smashing attacks.
This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
For more information,
or email firstname.lastname@example.org