Provided by: libsafe_2.0-16-6_i386 bug

Name

       libsafe - detection and protection against stack smashing attacks

Introduction

       The  libsafe  library  protects  a  process against the exploitation of
       buffer overflow vulnerabilities in process stacks.  Libsafe works  with
       any   existing   pre-compiled  executable  (but  is  incompatible  with
       libc5-linked processes) and  can  be  used  transparently,  even  on  a
       system-wide   basis.   The  method  intercepts  all  calls  to  library
       functions that are known to be vulnerable.  A substitute version of the
       corresponding  function implements the original functionality, but in a
       manner that ensures that any buffer overflows are contained within  the
       current  stack  frame.   Libsafe has been shown to detect several known
       attacks and can potentially prevent yet unknown  attacks.   Experiments
       indicate that the performance overhead of libsafe is negligible.

       The following unsafe functions are currently monitored by libsafe:

              strcpy(char *dest, const char *src)
              strpcpy(char *dest, const char *src)
              wcscpy(wchar_t *dest, const wchar_t *src)
              wcpcpy(wchar_t *dest, const wchar_t *src)
                     May overflow the dest buffer.

              strcat(char *dest, const char *src)
              wcscat(wchar_t *dest, const wchar_t *src)
                     May overflow the dest buffer.

              getwd(char *buf)
                     May overflow the buf buffer.

              gets(char *s)
                     May overflow the s buffer.

              [vf]scanf(const char *format, ...)
                     May overflow its arguments.

              realpath(char *path, char resolved_path[])
                     May overflow the path buffer.

              [v]sprintf(char *str, const char *format, ...)
                     May overflow the str buffer.
                     May exploit "%n".

Where to get libsafe

       The     source     code     for     libsafe    can    be    found    at
       http://www.research.avayalabs.com/project/libsafe/index.html.

Installing libsafe

       1. If you install libsafe on Linux, make sure that  your  shared
          loader (ld-linux.so.1/ld.so) understands LD_PRELOAD. (Best if
          ld.so-1.8.5 or more recent)

       2. Change to the lib directory.

       3. Type make to compile and build libsafe.so.2.

       4. Type  make  install  to  install  the  libsafe  library   and
          associated programs in their final destination locations.

       5. To  use  libsafe,  set the environment variable LD_PRELOAD to
          point to the libsafe library. Example (sh syntax):

                   LD_PRELOAD=/lib/libsafe.so.2
                   export LD_PRELOAD

          or (csh syntax):

                   setenv LD_PRELOAD /lib/libsafe.so.2

          You might want to put these lines in your .profile or  .cshrc
          in  order  to  activate  libsafe  for  all processes that you
          initiate.

       6. Use your  programs  as  you  would  normally.   Libsafe  will
          transparently  check  the  parameters  for  supported  unsafe
          functions.  If a violation is detected,  the  following  will
          occur:

          1. The  entire process group will be sent a SIGKILL
             signal.
          2. An entry will be written using syslog()  to  the
             LOG_AUTHPRIV  facility (with LOG_CRIT priority).
             On    Debian     systems,     that’s     usually
             /var/log/auth.log;   it’s   configured   in  the
             /etc/syslog.conf  file.   The  following  is  an
             example of such an entry:
             Dec  21  13:57:40 denver libsafe[15704] Detected
             an attempt to write across stack boundary.
             Dec   21    13:57:40    denver    libsafe[15704]
             Terminating
             /users/ttsai/work/security.D0_2/test/t91
             Dec 21 13:57:40 denver libsafe[15704] scanf()

       For security reasons, the  dynamic  loader  disregards
       environmental   variables   such  as  LD_PRELOAD  when
       executing set-uid programs.  However,  on  Linux,  you
       can  use  libsafe  with set-uid programs too, by using
       one of the two methods described below:

       1. You  may  append  the  path  to  libsafe.so.2  into
          /etc/ld.so.preload instead of using LD_PRELOAD.
          WARNING:  If you use /etc/ld.so.preload, be sure to
          install libsafe.so.2 on your root  filesystem,  for
          instance  in  /lib,  as  is  done  by  the  default
          installation.   Using  a  directory  which  is  not
          available at boot time, such as /usr/local/lib will
          cause trouble at the next reboot!
          You should also be careful to remove  libsafe  from
          /etc/ld.so.preload  when  installing a new version.
          First test it out using  LD_PRELOAD,  and  only  if
          everything    is    ok,    put    it    back   into
          /etc/ld.so.preload.

       2. If you have a version of ld.so which is more recent
          than  1.9.0, you can set LD_PRELOAD to just contain
          the basename of libsafe.so.2 without the directory.
          In that case, the file is found as long as it is in
          the shared library  path  (which  usually  contains
          /lib   and   /usr/lib)).   Because  the  search  is
          restricted to the library search  path,  this  also
          works for set-uid programs.  Example (sh syntax):

                   LD_PRELOAD=libsafe.so.2
                   export LD_PRELOAD

          or (csh syntax):

                   setenv LD_PRELOAD libsafe.so.2

          The  advantage  of this approach over ld.so.preload
          is that libsafe can more easily be switched off  in
          case something goes wrong.

Using libsafe

       Once  libsafe  is  installed  and either LD_PRELOAD or
       /etc/ld.so.preload has  been  appropriate  configured,
       there  is  nothing  else  to  do.  The processes to be
       monitored can be used with no changes.

       If a process attempts to  use  one  of  the  monitored
       functions  to  overflow  a buffer on the stack, then a
       violation will be declared.  A message  is  output  to
       the  standard error stream, and an entry is written to
       the   syslog   LOG_AUTHPRIV    facility.     If    the
       corresponding  options  are enabled during compilation
       (See the libsafe/INSTALL file.), a  core  dump  and  a
       stack dump are produced.

       If  you wish to use libsafe with /etc/ld.so.preload to
       enable monitoring for all processes, but there  are  a
       few  programs that you don’t want to use with libsafe,
       you can list the  programs  you  wish  to  excluse  in
       /etc/libsafe.exclude.  List each program on a separate
       line, using the absolute pathname  for  each  program.
       Note  that this absolute pathname must not contain any
       symbolic links.

       There  is  an  option  to  automatically  send   email
       notification of detected attacks.  That’s specified in
       the /etc/libsafe.notify file; the  special  word  none
       suppresses the sending of these email messages.

How it works

       Programs  written  in  C have always been plagued with
       buffer overflows.   Two  reasons  contribute  to  this
       factor.   First,  the  C programming language does not
       automatically   bounds-check   array    and    pointer
       references.  Second, and more importantly, many of the
       functions provided by the standard C library, such  as
       those   listed   in   the  introduction,  are  unsafe.
       Therefore, it  is  up  to  the  programmers  to  check
       explicitly  that  the  use  of  these functions cannot
       overflow buffers.   However,  programmers  often  omit
       these checks.  Consequently, many programs are plagued
       with buffer overflows, which makes them vulnerable  to
       security attacks.

       Libsafe  uses  a novel method for performing detection
       and handling  of  buffer  overflow  attacks.   Without
       requiring  source  code,  it can transparently protect
       processes against stack smashing attacks,  even  on  a
       system-wide basis.  The method intercepts all calls to
       library functions that are known to be vulnerable.   A
       substitute   version  of  the  corresponding  function
       implements the original functionality, but in a manner
       that  ensures  that any buffer overflows are contained
       within the current stack frame.

       The key idea is the ability to estimate a  safe  upper
       limit  on  the  size  of  buffers automatically.  This
       estimation cannot be performed at compile time because
       the  size of the buffer may not be known at that time.
       Thus, the calculation of the buffer size must be  made
       after the start of the function in which the buffer is
       accessed.  Our method is able to determine the maximum
       buffer  size  by  realizing  that  such  local buffers
       cannot extend beyond the  end  of  the  current  stack
       frame.  This realization allows the substitute version
       of the function to  limit  buffer  writes  within  the
       estimated  buffer size.  Thus, the return address from
       that function, which is located on the  stack,  cannot
       be  overwritten  and  control of the process cannot be
       commandeered.

REPORTING BUGS

       Report bugs to <libsafe@research.avayalabs.com>.

SEE ALSO

       The    home    web     page     for     libsafe     is
       http://www.research.avayalabs.com/project/libsafe/index.html.

DISCLAIMER

       Copyright (C) 2002 Avaya Labs, Avaya Inc.
       Copyright (C) 1999 Bell Labs, Lucent Technologies.
       Copyright (C) Arash Baratloo, Timothy Tsai, and Navjot
       Singh.

       This  file  is  part  of the Libsafe library.  Libsafe
       version  2.x:  protecting   against   stack   smashing
       attacks.

       This library is free software; you can redistribute it
       and/or modify it under the terms  of  the  GNU  Lesser
       General  Public  License  as  published  by  the  Free
       Software Foundation; either version 2 of the  License,
       or (at your option) any later version.

       This  library  is distributed in the hope that it will
       be useful, but WITHOUT ANY WARRANTY; without even  the
       implied  warranty  of MERCHANTABILITY or FITNESS FOR A
       PARTICULAR PURPOSE.  See the GNU Lesser General Public
       License for more details.

       You  should  have  received  a  copy of the GNU Lesser
       General Public License along  with  this  library;  if
       not,  write  to the Free Software Foundation, Inc., 59
       Temple Place - Suite 330, Boston, MA  02111-1307, USA.

       For more information,
         visit
       http://www.research.avayalabs.com/project/libsafe/index.html
         or email libsafe@research.avayalabs.com