Computer systems, which provide services to a plurality of users, are known in the art. Such services are provided through enabling access to a variety of system resources.
It will be appreciated to those skilled in the art that such computer systems are often configured and administered so each user is granted access to predetermined and limited resources of the system. For example, one user can have supervisor authorization, thereby being able to access and control most or all of the resources of the system. Such a user is also called a super-user. Similarly, another user can have a low level of authorization, thereby enabling him to access a limited set of resources of the system.
Reference is now made to FIG. 1, which is a schematic illustration of a computer system and a plurality of user stations, connected thereto. Computer system 10 includes a communication device 12, a CPU 14, a memory 22 and a plurality of system resources such as storage unit 16, printer 18 and multi-media unit 20. CPU 14 is connected to communication device 12, storage unit 16, printer 18 and multi-media unit 20. System 10 is connected to external users via computer systems 30, 32 and 34, and via a network 24.
Each of external users accessing system 10 via computer systems 30, 32 and 34 is allocated a different level of authorization, with respect to system 10. The user using computer system 30 is predetermined as a super-user, thereby being able to access and control all of the resources of computer system 10. The user using computer system 32 is predetermined as a high-level user, thereby being able to access storage unit 16, printer 18 and multi-media unit 20. The user using computer system 34 is predetermined as a low-level user, thereby being able to access printer 18.
Operating systems, such as the Unix-based Solaris operating system produced and manufactured by Sun Computers Incorporated, allow discretionary access control to computer system components. Such systems allow programmers to grant or revoke user access rights to objects within a computer system. Conventionally, objects within a computer system include files, directories, computer programs and the like.
While a computer program is running, the computer program may be required to access objects for which the user executing the program does not have the necessary privileges. Conventionally, the system 10 administrator can provide such computer programs with predetermined enhanced privileges, thus enabling a non-privileged user to access a privileged computer system resource in a controlled manner.
When a computer program is executed a computer program process is created. Conventionally, a computer program process is the manner of execution of the computer program.
Computer system 10 is vulnerable to attack techniques attempting to exploit enhanced privileges (for example, gaining super user privileges) within the computer system 10 via the network 24 and the communication device 12.
One such technique is known as induced buffer overflow and is known in the art. Buffer overflow can be exploited in order to gain super user privileges within a computer system. Gaining super user privileges within a computer system allows non-authorized users access to privileged resources.
Buffer overflow is caused when a computer system attempts to write past the end of a defined array. Arrays are predefined allocated memory devices within a computer system. A computer program process is allocated an array of user address space. User address space is a memory device wherein the computer program processes are executed.
Reference is now made to FIG. 2A, which is a schematic illustration of an array of user address space locations, generally referenced 50, known in the art.
A computer program comprises instructions. Such instructions are executed by the computer system. Functions are part of a computer program. Functions contain several computer program instructions. Functions exchange variables by means of parameter passing, implemented within the stack segment of the user address space. User address space is organized into three parts: text 52, data 56 and stack segment 54.
The stack segment 54, of the array of user address space 50, contains and handles local variables, which are used by a function. The stack segment 54 of the array of user address space 50 further passes parameters to and from functions.
Reference is now made to FIG. 2B, which is a schematic illustration in detail of the stack segment array 54 of the array of user address space in FIG. 2A, known in the art.
When a computer program process is started the system 10 dynamically allocates an available stack segment block 61 of the stack segment array 54 to the process. Such stack segment block is deallocated when the process is completed.
When a function is invoked within a process, a frame 62 is allocated to the computer program process. Frames include the information needed by a single execution of a function.
Such information includes the temporary values field 69 holding the evaluation of expressions and the local data field 68 holding data for the execution of the process. Such information further includes the return address field 67. The return address field 67 includes the return address for the calling function. Such return address is the next computer program instruction subsequent to the function call. Other information includes the optional access link field 66 pointing to data held in other frames, the optional control link field 65 and the actual parameters field 64 holding the parameters to be passed to the calling program or function. Such a frame is deallocated when the function ends.
Reference is now made to FIG. 3, which is a schematic illustration of a function stack segment array, generally referenced 70, and of a computer program, generally referenced 80, which are known in the art.
In the present example, computer program 80 includes three program elements 82, 84 and 86, which are performed in sequence. Program elements 82 and 86 are general computer program instructions. Program element 84 is a function call. Accordingly, function call 84 is performed after computer instruction 82 and before computer instruction 86. When the function 84 is called, the flow control of the computer program 80 is altered. Typically, a function receives the computer program control, performs a predetermined task and returns the computer program control to the statement or instruction, which follows the function call.
System 10 automatically determines a function return address 72, for function 84 and stores it within the stack segment return address field 67 of the array of user address space 50 (FIGS. 2A and 2B). Function return address 72 indicates the location of the computer program instruction which follows function 84, which in the present example is instruction 86.
One known technique to compromise the integrity and security within a computer system is to pass, as a parameter, a string containing a computer program or other executable code into the function stack segment array 74. Such string is passed to the function stack segment array 74 by the function 84 and is stored within the stack segment frame actual parameters field 64 of the array of user address space 50 (FIGS. 2A and 2B). It is noted that the length of this string exceeds the length of the destination field 64.
When passed, such string overwrites past the end of the allotted field 64 (FIG. 2B) for the function 84. By overwriting past the end of the stack segment function actual parameters field 64 (FIG. 2B), the string further replaces the stack segment function return address 72 stored at the return address field 67 (FIG. 2B) with the stack segment function array initial address 76 (first address of the actual parameters field 64 of FIG. 2B).
Initial address 76 thus points to the content of the function stack segment array 74 actual parameters field 64 (FIG. 2B) as the next program instruction to be executed after function 84.
It will be appreciated by those skilled in the art that the content of the function stack segment 74 can contain a valid computer instruction, capable of performing any predetermined operation, such as granting access to any resource within system 10.
Conventionally, if the set of privileges granted to the function 84 by the computer system administrator is a set of enhanced privileges, then such privileges are granted to the computer program residing within the function stack segment array 74. Users executing function 84 can thereby, through the computer program residing within the function stack segment array 74, receive such enhanced privileges, also known as super user privileges or root privileges.
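As an added illustration (not part of the original specification), the following C model reproduces the overwrite described above in a simulated frame carrying the fields of FIG. 2B: an unchecked copy of a parameter longer than field 64 runs over the guard word and the return address field 67, a length check rejects the same input, and a guard-word comparison detects the overwrite when it does occur. The frame layout, the 16-byte field size, the guard value and the sample input are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Model of the FIG. 2B frame in plain memory (a simulation, not the real
 * machine stack): field 64, then a guard word, then field 67. */
#define PARAM_FIELD_LEN 16
#define CANARY_VALUE 0xA5A5A5A5u

struct sim_frame {
    char actual_parameters[PARAM_FIELD_LEN]; /* field 64 */
    uint32_t canary;                         /* guard inserted before field 67 */
    uintptr_t return_address;                /* field 67 */
};
static void sim_frame_init(struct sim_frame *f, uintptr_t ret) {
    memset(f->actual_parameters, 0, sizeof f->actual_parameters);
    f->canary = CANARY_VALUE;
    f->return_address = ret;
}
/* Unchecked store: copies the whole string from the start of field 64 onward,
 * like an unbounded copy; clipped to the model so it never leaves the struct. */
static void store_param_unchecked(struct sim_frame *f, const char *s, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, s, n);
}
/* Checked store: rejects input longer than field 64. Returns 0 stored, -1 rejected. */
static int store_param_checked(struct sim_frame *f, const char *s, size_t n) {
    if (n > sizeof f->actual_parameters) return -1;
    memcpy(f->actual_parameters, s, n);
    return 0;
}
/* Detection: frame is intact only if guard and return address are unchanged. */
static int frame_intact(const struct sim_frame *f, uintptr_t expected_ret) {
    return f->canary == CANARY_VALUE && f->return_address == expected_ret;
}
/* Constructed 28-byte parameter, longer than field 64.
 * checked=0: unchecked store clobbers the guard, returns 1 (overflow detected).
 * checked=1: checked store rejects it and the frame stays intact, returns 2. */
static int scenario(int checked) {
    struct sim_frame f;
    char input[28];
    memset(input, 'A', sizeof input);
    sim_frame_init(&f, (uintptr_t)0x1000);
    if (!checked) {
        store_param_unchecked(&f, input, sizeof input);
        return frame_intact(&f, (uintptr_t)0x1000) ? 0 : 1;
    }
    if (store_param_checked(&f, input, sizeof input) != -1) return 0;
    return frame_intact(&f, (uintptr_t)0x1000) ? 2 : 0;
}
```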
Several strategies, which attempt to resolve this problem, are known in the art. These strategies are described by D. Bruschi et al., "A Tool for Pro-active Defense Against the Buffer Overrun Attack", published in Lecture Notes in Computer Science 1485, Proceedings of the 5th European Symposium on Research in Computer Security, Louvain-la-Neuve, Belgium, September 1998.
One such strategy is to design a compiler that prohibits a computer program from writing past a stack segment array. Another such strategy is to detect, off-line, programs that are vulnerable to buffer overflow and to alert the user to the possibility that the system privileges may be compromised.
An additional known strategy is to repair a program, which could be used to exploit the buffer overflow weakness, by providing a program for repairing and fixing such a vulnerable program.
None of the above provides an effective method for detecting buffer overflow within a computer system.