SafeBird:一种动态和透明的运行时 缓冲区溢出防御工具集

通过多种技术的有效运用,本文提出了一种动态和透明的运行时缓冲区溢出防护工具集SafeBird,其包含SIET,LibsafeXP和SLI三个工具.SIET用于从可执行文件ELF的符号表中抽取全局变量的起始地址和大小信息.LibsafeXP作为对Libsafe扩展的动态链接库,包含C标准库中所有与缓冲区有关的函数的封装.这些封装的函数通过SIET提供的有关全局变量的信息,动态截获的有关堆变量的信息和以栈帧指针动态确定的栈变量的信息来防御缓冲区溢出攻击.SLI主要用于非干扰地完成对动态链接库函数的截获和注入LibsafeXP到被保护进程.与已有方法相比,SafeBird对被保护程序更透明:它工作在二进制级,既不需要源程序或者调试信息,也不需要终止和重起被保护软件.性能和有效性测试表明:SafeBird可以有效地应用于动态的缓冲区溢出防御,而且性能代价也平均只有10％.

SafeBird:A Dynamic and Transparent Toolkit for Run-Time Buffer Overflow Preventions

This paper presents a dynamic and transparent toolkit,SafeBird,to defend against run-time buffer overflows by combining several techniques.SafeBird consists of three tools:SIET,LibsafeXP and SLI.SIET extracts the size and starting address information of program global variables from the symbol section of ELF executable file.LibsafeXP,a dynamic shared library and an extension to Libsafe,contains wrapper functions for all the buffer related C Standard Library functions.These wrapper functions are enforced to check the source and target buffer's size using the following information:global buffer knowledge provided by SIET,heap buffer knowledge by intercepting/tracking memory allocation family functions,and stack buffer bound information by dynamically determined from the frame pointer.The third tool SLI is used to accomplish the function interception and inject the shared library,LibsafeXP,into the running process online without interruption.Compared with existing approaches,SafeBird is more transparent to programs:it works on binary mode,and neither requires the source code or any debug information,nor needs to stop/restart the protected software.Performance and effectiveness evaluations indicate that SafeBird could be used to prevent run-time buffer overflow attacks efficiently,and imposes only about 10 percent overhead on average.