Provided by: libsafe_2.0-16-6_i386
libsafe - detection and protection against stack smashing attacks
The libsafe library protects a process against the exploitation of
buffer overflow vulnerabilities in process stacks. Libsafe works with
any existing pre-compiled executable (but is incompatible with
libc5-linked processes) and can be used transparently, even on a
system-wide basis. The method intercepts all calls to library
functions that are known to be vulnerable. A substitute version of the
corresponding function implements the original functionality, but in a
manner that ensures that any buffer overflows are contained within the
current stack frame. Libsafe has been shown to detect several known
attacks and can potentially prevent yet unknown attacks. Experiments
indicate that the performance overhead of libsafe is negligible.
The following unsafe functions are currently monitored by libsafe:
strcpy(char *dest, const char *src)
strpcpy(char *dest, const char *src)
wcscpy(wchar_t *dest, const wchar_t *src)
wcpcpy(wchar_t *dest, const wchar_t *src)
May overflow the dest buffer.
strcat(char *dest, const char *src)
wcscat(wchar_t *dest, const wchar_t *src)
May overflow the dest buffer.
May overflow the buf buffer.
May overflow the s buffer.
[vf]scanf(const char *format, ...)
May overflow its arguments.
realpath(char *path, char resolved_path)
May overflow the path buffer.
[v]sprintf(char *str, const char *format, ...)
May overflow the str buffer.
May exploit "%n".
Where to get libsafe
The source code for libsafe can be found at
1. If you install libsafe on Linux, make sure that your shared
loader (ld-linux.so.1/ld.so) understands LD_PRELOAD. (Best if
ld.so-1.8.5 or more recent)
2. Change to the lib directory.
3. Type make to compile and build libsafe.so.2.
4. Type make install to install the libsafe library and
associated programs in their final destination locations.
5. To use libsafe, set the environment variable LD_PRELOAD to
point to the libsafe library. Example (sh syntax):
or (csh syntax):
setenv LD_PRELOAD /lib/libsafe.so.2
You might want to put these lines in your .profile or .cshrc
in order to activate libsafe for all processes that you
6. Use your programs as you would normally. Libsafe will
transparently check the parameters for supported unsafe
functions. If a violation is detected, the following will
1. The entire process group will be sent a SIGKILL
2. An entry will be written using syslog() to the
LOG_AUTHPRIV facility (with LOG_CRIT priority).
On Debian systems, that’s usually
/var/log/auth.log; it’s configured in the
/etc/syslog.conf file. The following is an
example of such an entry:
Dec 21 13:57:40 denver libsafe Detected
an attempt to write across stack boundary.
Dec 21 13:57:40 denver libsafe
Dec 21 13:57:40 denver libsafe scanf()
For security reasons, the dynamic loader disregards
environmental variables such as LD_PRELOAD when
executing set-uid programs. However, on Linux, you
can use libsafe with set-uid programs too, by using
one of the two methods described below:
1. You may append the path to libsafe.so.2 into
/etc/ld.so.preload instead of using LD_PRELOAD.
WARNING: If you use /etc/ld.so.preload, be sure to
install libsafe.so.2 on your root filesystem, for
instance in /lib, as is done by the default
installation. Using a directory which is not
available at boot time, such as /usr/local/lib will
cause trouble at the next reboot!
You should also be careful to remove libsafe from
/etc/ld.so.preload when installing a new version.
First test it out using LD_PRELOAD, and only if
everything is ok, put it back into
2. If you have a version of ld.so which is more recent
than 1.9.0, you can set LD_PRELOAD to just contain
the basename of libsafe.so.2 without the directory.
In that case, the file is found as long as it is in
the shared library path (which usually contains
/lib and /usr/lib)). Because the search is
restricted to the library search path, this also
works for set-uid programs. Example (sh syntax):
or (csh syntax):
setenv LD_PRELOAD libsafe.so.2
The advantage of this approach over ld.so.preload
is that libsafe can more easily be switched off in
case something goes wrong.
Once libsafe is installed and either LD_PRELOAD or
/etc/ld.so.preload has been appropriate configured,
there is nothing else to do. The processes to be
monitored can be used with no changes.
If a process attempts to use one of the monitored
functions to overflow a buffer on the stack, then a
violation will be declared. A message is output to
the standard error stream, and an entry is written to
the syslog LOG_AUTHPRIV facility. If the
corresponding options are enabled during compilation
(See the libsafe/INSTALL file.), a core dump and a
stack dump are produced.
If you wish to use libsafe with /etc/ld.so.preload to
enable monitoring for all processes, but there are a
few programs that you don’t want to use with libsafe,
you can list the programs you wish to excluse in
/etc/libsafe.exclude. List each program on a separate
line, using the absolute pathname for each program.
Note that this absolute pathname must not contain any
There is an option to automatically send email
notification of detected attacks. That’s specified in
the /etc/libsafe.notify file; the special word none
suppresses the sending of these email messages.
How it works
Programs written in C have always been plagued with
buffer overflows. Two reasons contribute to this
factor. First, the C programming language does not
automatically bounds-check array and pointer
references. Second, and more importantly, many of the
functions provided by the standard C library, such as
those listed in the introduction, are unsafe.
Therefore, it is up to the programmers to check
explicitly that the use of these functions cannot
overflow buffers. However, programmers often omit
these checks. Consequently, many programs are plagued
with buffer overflows, which makes them vulnerable to
Libsafe uses a novel method for performing detection
and handling of buffer overflow attacks. Without
requiring source code, it can transparently protect
processes against stack smashing attacks, even on a
system-wide basis. The method intercepts all calls to
library functions that are known to be vulnerable. A
substitute version of the corresponding function
implements the original functionality, but in a manner
that ensures that any buffer overflows are contained
within the current stack frame.
The key idea is the ability to estimate a safe upper
limit on the size of buffers automatically. This
estimation cannot be performed at compile time because
the size of the buffer may not be known at that time.
Thus, the calculation of the buffer size must be made
after the start of the function in which the buffer is
accessed. Our method is able to determine the maximum
buffer size by realizing that such local buffers
cannot extend beyond the end of the current stack
frame. This realization allows the substitute version
of the function to limit buffer writes within the
estimated buffer size. Thus, the return address from
that function, which is located on the stack, cannot
be overwritten and control of the process cannot be
Report bugs to <firstname.lastname@example.org>.
The home web page for libsafe is
Copyright (C) 2002 Avaya Labs, Avaya Inc.
Copyright (C) 1999 Bell Labs, Lucent Technologies.
Copyright (C) Arash Baratloo, Timothy Tsai, and Navjot
This file is part of the Libsafe library. Libsafe
version 2.x: protecting against stack smashing
This library is free software; you can redistribute it
and/or modify it under the terms of the GNU Lesser
General Public License as published by the Free
Software Foundation; either version 2 of the License,
or (at your option) any later version.
This library is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU Lesser General Public
License for more details.
You should have received a copy of the GNU Lesser
General Public License along with this library; if
not, write to the Free Software Foundation, Inc., 59
Temple Place - Suite 330, Boston, MA 02111-1307, USA.
For more information,
or email email@example.com