22C3 - 2.2

22nd Chaos Communication Congress
Private Investigations

Speakers
Martin Johns
Schedule
Day 1
Room Saal 3
Start time 13:00
Duration 01:00
Info
ID 556
Event type Lecture
Track Hacking
Language English

Finding and Preventing Buffer Overflows

An overview of static and dynamic approaches

A talk that will present academic tools designed to find or disarm security problems in C code.

The last years have proven that humans are notorious producers of insecure code. They also seem to have problems finding security bugs on their own. For this reason, scientists spend a reasonable amount of time developing ideas for how to automate the process of finding those security bugs (using static analysis) or how to fix those bugs automatically (with dynamic measures that take effect at runtime). The talk will give an introduction to both approaches. The presented tools are aimed at problems that belong to the programming language C: Buffer Overflows, Format String Exploits and their friends.

Static tools examine the source code before compilation. Depending on the tool, methods like functional verification, finite automata or lattice theory are used to find security bugs. The talk will try to show how these tools work and what their shortcomings are (e.g. too many false positives, no weighting, hard to configure, ...).

Dynamic tools alter the source code before or during compilation. They add constructs to the control flow that are supposed to prevent the exploitation of security flaws. Classic examples (Stack Guard) and modern approaches (StoBo) are presented and discussed. Only tools and methods that are applicable by the programmer are addressed. Methods of preventing exploitation by altering the underlying infrastructure (i.e. the OS) are omitted. The focus is on measures that can be employed by the actual programmer. We think it is important that the usage of this kind of tool (esp. static analysis) grows in the open source community. Commercial companies are employing static analysis on a broad basis nowadays (for example, Microsoft requires their coders to use the tools PreFast and PreFix daily). Otherwise the security advantage that open source claims to possess may diminish.