Sunday, February 24, 2013

Libsafe installation

Libsafe is a tool for protecting the server against buffer overflow attacks. It is written in C language and used to protect systems against some of the more common buffer overflow attacks.

When you first install Libsafe, its advisable to use the first method, since if Libsafe causes problems, one can easily unset LD_PRELOAD to stop Libsafe being used.

cd /usr/local/src/
wget http://pubs.research.avayalabs.com/src/libsafe-2.0-16.tgz
tar -xzvf libsafe-2.0-16.tgz
cd libsafe-2.0-16/
make
yes y | make install

Now that Libsafe has been built and installed, we need to ensure that it intercepts all function calls to the standard C library. We can do this in two ways.

1) We can set the environmental variable LD_PRELOAD e.g. (in bash):
$ LD_PRELOAD=/lib/libsafe.so.2 $ export LD_PRELOAD

To set this on a system-wide basis, just add this to e.g. /etc/profile (or maybe /etc/profile.local)

2) Alternatively, we can add a line to /etc/ld.so.preload
echo '/lib/libsafe.so.2' >> /etc/ld.so.preload

This will ensure that Libsafe is used for all programs, and cannot be disabled by a normal user (unlike environmental variables).

Problems with Libsafe

At this point the reader will no doubt be wondering why Libsafe isn't included by default with all Linux distributions; unfortunately, Libsafe doesn't always work, and worse still, can even cause extra problems.
Because of certain assumptions made about the stack, Libsafe will only work with x86 processors.
Programs that have been linked against libc5 won't work with Libsafe.
If a program has been compiled without a stack pointer (i.e. by using the -fomit-frame-pointer option in GCC or perhaps due to an optimizer), then Libsafe won't be able to catch any overflows.
Libsafe won't catch overflows in statically compiled programs since Libsafe works by intercepting calls to shared libraries.
If a function is included inline, then for the same reason as above Libsafe won't catch overflows.
And of course, since Libsafe only works with a limited set of functions, it won't catch buffer overflows which involve other (user-defined) functions !

from http://www.symantec.com/connect/articles/protecting-systems-libsafe

No comments:

Post a Comment