Memory safety in OpenSSH



My group at Berkeley has been developing CCured,
a type-safe compiler for C code.  CCured performs compile-time and
run-time checks (including array bounds checks) to ensure memory
safety, which in turn prevents many security problems.  We've used it
to compile OpenSSH and OpenSSL, among other programs, and we use an
instrumented version of the OpenSSH daemon on our group's server.

If anyone is interested in using CCured to compile SSH on your system,
send me an email.  I can give you a patch for ssh and tell you how to
use CCured with it.

More info:

  When it sees a runtime error (such as a buffer overrun), CCured can
be configured to halt the current process or just log the error.
Halting the process works well for daemons such as sshd, because it's
usually a child process that is corrupted and aborted, while the
parent daemon is unaffected.  Even if the master process itself has a
buffer overrun and is shut down, CCured has limited the exploit to a
simple denial-of-service.

  Some changes and annotations are needed when using CCured on most
large C programs to help CCured understand features like unions and
external library functions.  This required about 100 small changes
when compiling openssh, and more for openssl because ssl uses types in
ways that CCured considers less safe.  We have modified versions that
I can give you of OpenSSH 3.7.1p2 and OpenSSL 9.6.5f that include
these changes.  We've only tested this on Linux, but in theory FreeBSD
should work as well.

  The instrumentation added by CCured adds about 15-25% time overhead
to ssh.  However, this slowdown usually isn't noticeable by humans,
since CPU speed is not the limiting factor of most ssh connections.
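To make the run-time bounds checks and the halt-or-log policy described in the post concrete, here is an added example written for this page; it is not CCured's own code or output. It hand-writes the kind of "fat" pointer (address plus object bounds) that CCured's instrumentation attaches to pointers it cannot prove safe, and the check it inserts before each access. All names (`seq_ptr`, `ccured_mode`, `seq_copy`, `demo`) are my own, chosen for illustration, as is the exact error message format.

```c
/* Added example, not CCured's code: a hand-written version of the
 * bounds-checked pointer and the halt-or-log policy the post describes.
 * All names here are hypothetical, chosen for illustration only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Policy on a runtime error: halt the process (what the post recommends
 * for sshd, whose per-connection children can die without harming the
 * master) or just log it and carry on. */
enum check_mode { MODE_HALT, MODE_LOG };
static enum check_mode ccured_mode = MODE_LOG;
static unsigned long errors_logged = 0;

/* A "fat" pointer: the raw address plus the bounds of the object it
 * points into.  CCured carries this metadata for pointers it cannot
 * prove safe at compile time. */
typedef struct {
    char *base;   /* first valid byte of the object */
    char *end;    /* one past the last valid byte */
    char *p;      /* the pointer's current value */
} seq_ptr;

static seq_ptr seq_make(char *buf, size_t len) {
    seq_ptr s = { buf, buf + len, buf };
    return s;
}

/* Check that the n bytes starting at p+off lie inside [base, end).
 * Works on offsets relative to base so no out-of-bounds pointer is ever
 * formed.  Returns 0 if safe; on a violation aborts in MODE_HALT, or
 * logs and returns -1 in MODE_LOG. */
static int seq_check(const seq_ptr *s, long off, size_t n, const char *what) {
    long idx = (long)(s->p - s->base) + off;
    size_t cap = (size_t)(s->end - s->base);
    if (idx >= 0 && (size_t)idx <= cap && n <= cap - (size_t)idx)
        return 0;
    fprintf(stderr, "ccured: %s out of bounds (offset %ld, length %zu, "
            "object size %zu)\n", what, idx, n, cap);
    if (ccured_mode == MODE_HALT)
        abort();
    errors_logged++;
    return -1;
}

/* Checked store of one byte: the instrumented form of buf[i] = c. */
static int seq_write(seq_ptr *s, long i, char c) {
    if (seq_check(s, i, 1, "store") != 0)
        return -1;
    s->p[i] = c;
    return 0;
}

/* Checked string copy: the instrumented form of strcpy(buf, src),
 * the classic overflow site.  The terminating NUL is counted. */
static int seq_copy(seq_ptr *dst, const char *src) {
    size_t n = strlen(src) + 1;
    if (seq_check(dst, 0, n, "copy") != 0)
        return -1;
    memcpy(dst->p, src, n);
    return 0;
}

/* Demonstration on constructed input: an 8-byte buffer, one copy that
 * fits, one over-long "username" (17 bytes), one underflow and one
 * write to the last valid byte.  Returns the number of violations
 * caught in MODE_LOG, which is 2. */
static unsigned long demo(void) {
    char buf[8];
    seq_ptr b = seq_make(buf, sizeof buf);
    errors_logged = 0;
    seq_copy(&b, "alice");             /* 6 bytes into 8: fine */
    seq_copy(&b, "AAAAAAAAAAAAAAAA");  /* 17 bytes into 8: rejected */
    seq_write(&b, -1, 'x');            /* write before base: rejected */
    seq_write(&b, 7, '\0');            /* last byte: fine */
    return errors_logged;
}

int main(void) {
    ccured_mode = MODE_LOG;   /* switch to MODE_HALT to abort on the first violation */
    printf("violations logged: %lu\n", demo());
    return 0;
}
```

In MODE_HALT the first rejected copy calls abort(), which is the behaviour the post wants for an sshd child: the corrupted connection handler dies and the master keeps accepting connections. In MODE_LOG the process continues and the count shows how many accesses would have corrupted memory.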