Интерактивная система просмотра системных руководств (man-ов)
libsafe ()
>> libsafe (8) ( Linux man: Команды системного администрирования )
Name
libsafe - detection and protection against stack smashing attacks
Introduction
The libsafe library protects a process against the exploitation of buffer
overflow vulnerabilities in process stacks. Libsafe works with any existing
pre-compiled executable and can be used transparently, even on a system-wide
basis. The method intercepts all calls to library functions that are known to
be vulnerable. A substitute version of the corresponding function implements
the original functionality, but in a manner that ensures that any buffer
overflows are contained within the current stack frame. Libsafe has been shown
to detect several known attacks and can potentially prevent yet unknown
attacks. Experiments indicate that the performance overhead of libsafe is
negligible.
The following unsafe functions are currently monitored by libsafe:
If you install libsafe on Linux, make sure that your shared loader
(ld-linux.so.1/ld.so) understands LD_PRELOAD. (Best if ld.so-1.8.5
or more recent)
2.
Change to the lib directory.
3.
Type make to compile and build libsafe.so.1.
4.
Type make install to install the libsafe library and associated
programs in their final destination locations.
5.
To use libsafe, set the environment variable LD_PRELOAD to
point to the libsafe library. Example (sh syntax):
LD_PRELOAD=/lib/libsafe.so.1
export LD_PRELOAD
or (csh syntax):
setenv LD_PRELOAD /lib/libsafe.so.1
You might want to put these lines in your .profile or
.cshrc in order to activate libsafe for all processes that you
initiate.
6.
Use your programs as you would normally. Libsafe will transparently check the
parameters for supported unsafe functions. If a violation is detected, the
following will occur:
1.
The entire process group will be sent a SIGKILL signal.
2.
An entry will be added to /var/log/secure. The following is an example of such
an entry:
Dec 21 13:57:40 denver libsafe[15704]: Detected an attempt to write across stack boundary.
Dec 21 13:57:40 denver libsafe[15704]: Terminating /users/ttsai/work/security.D0_2/test/t91
Dec 21 13:57:40 denver libsafe[15704]: scanf()
.PP
For security reasons, the dynamic loader disregards environmental
variables such as LD_PRELOAD when executing set-uid programs.
However, on Linux, you can use libsafe with set-uid programs too, by using
one of the two methods described below:
1.
You may append the path to libsafe.so.1 into
/etc/ld.so.preload instead of using
LD_PRELOAD.
WARNING: If you use /etc/ld.so.preload, be sure to
install libsafe.so.1 on your root filesystem, for
instance in /lib, as is done by the default installation. Using
a directory which is not available at boot time, such as /usr/local/lib will
cause trouble at the next reboot!
You should also be careful to remove libsafe from
/etc/ld.so.preload when installing a new version. First
test it out using LD_PRELOAD, and only if everything is ok, put it
back into /etc/ld.so.preload.
2.
If you have a version of ld.so which is more recent than
1.9.0, you can set LD_PRELOAD to just contain the
basename of libsafe.so.1 without the directory. In that
case, the file is found as long as it is in the shared library path (which
usually contains /lib and /usr/lib)).
Because the search is restricted to the library search path, this also works
for set-uid programs.
Example (sh syntax):
LD_PRELOAD=libsafe.so.1
export LD_PRELOAD
or (csh syntax):
setenv LD_PRELOAD libsafe.so.1
The advantage of this approach over ld.so.preload is that
libsafe can more easily be switched off in case something goes wrong.
Using libsafe
Once libsafe is installed and either LD_PRELOAD or /etc/ld.so.preload has been
appropriate configured, there is nothing else to do. The processes to be
monitored can be used with no changes.
If a process attempts to use one of the monitored functions to overflow a
buffer on the stack, then a violation will be declared. A message is output to
the standard error stream, and an entry is made in /var/log/secure. In
addition, if libsafe is compiled with NOTIFY_WITH_MAIL defined, then email will
be sent based on the following conditions:
1.
If the
LIBSAFE_NOTIFY_MAIL_ADDRESS
environment variable is set, then it contains the name of a file. Mail is sent
to the recipients listed in that file. The recipients are white-space
delimited.
2.
Otherwise, if the file
/etc/libsafe.notify
exists, then mail is sent to the recipients listed in that file.
Programs written in C have always been plagued with buffer overflows. Two
reasons contribute to this factor. First, the C programming language does not
automatically bounds-check array and pointer references. Second, and more
importantly, many of the functions provided by the standard C library, such as
those listed in the introduction, are unsafe. Therefore, it is up to the
programmers to check explicitly that the use of these functions cannot overflow
buffers. However, programmers often omit these checks. Consequently, many
programs are plagued with buffer overflows, which makes them vulnerable to
security attacks.
Libsafe uses a novel method for performing detection and handling of buffer
overflow attacks. Without requiring source code, it can transparently protect
processes against stack smashing attacks, even on a system-wide basis. The
method intercepts all calls to library functions that are known to be
vulnerable. A substitute version of the corresponding function implements the
original functionality, but in a manner that ensures that any buffer overflows
are contained within the current stack frame.
The key idea is the ability to estimate a safe upper limit on the size of
buffers automatically. This estimation cannot be performed at compile time
because the size of the buffer may not be known at that time. Thus, the
calculation of the buffer size must be made after the start of the function in
which the buffer is accessed. Our method is able to determine the maximum
buffer size by realizing that such local buffers cannot extend beyond the end
of the current stack frame. This realization allows the substitute version of
the function to limit buffer writes within the estimated buffer size. Thus,
the return address from that function, which is located on the stack, cannot be
overwritten and control of the process cannot be commandeered.
Copyright (C) 1999 Bell Labs, Lucent Technologies.
Copyright (C) Arash Baratloo, Timothy Tsai, and Navjot Singh.
This file is part of the Libsafe library.
Libsafe version 1.0: protecting against stack smashing attacks.
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public
License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Library General Public License for more details.
You should have received a copy of the GNU Library General Public
License along with this library; if not, write to the
Free Software Foundation, Inc., 59 Temple Place - Suite 330,
Boston, MA 02111-1307, USA.
