Title of Invention: System and method for protection from buffer overflow vulnerability due to placement new constructs in C++
Abstract: Systems and methods for protection from buffer overflow vulnerability due to placement new constructs in C++ are provided. A system for protecting from buffer overflow vulnerability due to placement new constructs, comprises a compiler which is capable of receiving a program including a placement new instruction, and runtime which is capable of receiving binary code from the compiler and determining whether the program includes the placement new instruction and whether the placement new instruction would lead to buffer overflow, wherein the runtime is linked to a library including methods for preventing the buffer overflow, and selects a method for preventing the buffer overflow if the runtime determines that the placement new instruction would lead to the buffer overflow.
Publication No.: US9069970(B2) Publication Date: 2015.06.30
Application No.: US201313766313 Filing Date: 2013.02.13
Applicant: International Business Machines Corporation Inventors: Christodorescu Mihai; Kundu Ashish; Mohindra Ajay
Classification: G06F21/57; G06F21/52 Main Classification: G06F21/57
Agency: Ryan, Mason & Lewis, LLP Agent: Percello Louis J.; Ryan, Mason & Lewis, LLP
Principal Claim: 1. A system for protecting from buffer overflow vulnerability due to placement new constructs, comprising: a memory and at least one processor coupled to the memory; a compiler, which executes via the at least one processor, and which is capable of receiving a program including a placement new instruction; an address-rewriting module, which executes via the at least one processor, wherein the address-rewriting module is capable of altering at least one of how and where an object is to be stored, and is capable of allocating portions of the object to respective memory regions, wherein the respective memory regions are in different systems; and runtime, which executes via the at least one processor, and which is capable of receiving binary code from the compiler and determining whether the program includes the placement new instruction and whether the placement new instruction would lead to buffer overflow, wherein the runtime is linked to a library including methods for preventing the buffer overflow, and selects a method for preventing the buffer overflow if the runtime determines that the placement new instruction seeks to place the object in a memory area where the object will overwrite contents in the memory area and would lead to the buffer overflow; wherein the library receives predetermined policies on which to base the selection of the method for preventing the buffer overflow; wherein a first method available to the runtime for selection takes into consideration that a given execution of the program will not reach all parts of the object, and comprises: populating a portion of the memory area allocated by the placement new instruction with less than a total of the object; and populating a remaining space of the memory area originally allocated to a remaining portion of the total of the object with a first handler routine; and wherein a second method available to the runtime for selection comprises: allocating portions of the object to the respective memory regions, wherein the respective memory regions are in the different systems; and invoking a second handler routine if enough free space is not available to accommodate the total of the object.
Address: Armonk NY US