CHEN Linbo,JIANG Jianhui,ZHANG Danqing

DOI: https://doi.org/10.3969/j.issn.0253-374x.2012.03.021

2012-01-01

Abstract:An analysis is made of the classical buffer overflow prevention methods for Intel 80X86 architecture and C/C++.A new stack buffer overflow prevention method based on dual-stack is proposed due to the shortcomings of classical methods.Besides,an object file reconstructing tool for ELF format files is implemented with the dual-stack structure.Experiment results show that the proposed method and the tool are efficient for buffer overflow attack prevention with low overhead.

江建慧,章力源,金涛,陈川

DOI: https://doi.org/10.3969/j.issn.0253-374x.2010.06.024

2010-01-01

Abstract:The paper presents an analysis of the principle of stack buffer overflow attacks and basic attack patterns for Intel 80×86 architecture and C/C++.Then,the merits and drawbacks of the existing dynamic buffer overflow prevention methods are discussed.On the basis of the address obfuscation and integrity checking,this paper presents a new dynamic buffer overflow prevention method based on k circular random sequence.This improved prevention method can defend attacks of multiple patterns with high probability and enhance the intrusion-tolerance capability of the vulnerable software.

YA Tan,JY Zheng,YD Cao

DOI: https://doi.org/10.1109/pdcat.2005.47

2005-01-01

Abstract:Buffer overflows remain the leading cause of software vulnerabilities in the world of information security. The proposed segment-based non-executable stack approach aims to prevent the injection and execution of arbitrary code in an existing process's stack space under Windows NT/2000 and Intel 32-bit CPUs. The application's user-mode stack is relocated to the higher address and the effective limit of the code segment excludes the relocated stack from the code segment. The segmentation logic of IA-32 processors monitors the accesses to the memory ranges and a page fault is generated if instruction fetches are initiated in the stack memory pages. It is highly effective in preventing both known and yet unknown stack smashing attacks.

Gang Chen,Hai Jin,Deqing Zou,Bing Bing Zhou,Zhenkai Liang,Weide Zheng,Xuanhua Shi

DOI: https://doi.org/10.1109/TDSC.2013.25

2013-01-01

Abstract:AbstractBuffer overflow attacks still pose a significant threat to the security and availability of today's computer systems. Although there are a number of solutions proposed to provide adequate protection against buffer overflow attacks, most of existing solutions terminate the vulnerable program when the buffer overflow occurs, effectively rendering the program unavailable. The impact on availability is a serious problem on service-oriented platforms. This paper presents SafeStack, a system that can automatically diagnose and patch stack-based buffer overflow vulnerabilities. The key technique of our solution is to virtualize memory accesses and move the vulnerable buffer into protected memory regions, which provides a fundamental and effective protection against recurrence of the same attack without stopping normal system execution. We developed a prototype on a Linux system, and conducted extensive experiments to evaluate the effectiveness and performance of the system using a range of applications. Our experimental results showed that SafeStack can quickly generate runtime patches to successfully handle the attack's recurrence. Furthermore, SafeStack only incurs acceptable overhead for the patched applications.

WeiZhi Yang,Yuan Tan

DOI: https://doi.org/10.1109/ICCIAS.2006.295323

2006-01-01

Abstract:A segment-based non-executable stack approach is proposed and evaluated to defend against stack-based buffer overflow attacks under Windows NT/2000 /2003/XP and Intel 32-bit CPUs. A kernel device driver is designed to relocate the application's user-mode stack to the higher address and to modify the effective limit in the code segment descriptor, in order to exclude the relocated stack from the code segment. Once any code that attempts to execute the malicious code residing in the stack, a general-protection exception of exceeding the segment limit is triggered so the malicious code will be terminated. It is highly effective in preventing both known and yet unknown stack smashing attacks and its performance overhead is lower than the page-based non-executable stack approach.

Zhigang CUI,Yuan TIAN,Yuanda CAO,Xuelan ZHANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.10.051

2006-01-01

Abstract:A non-executable stack approach is proposed and evaluated to defense against stack-based buffer overflow attacks under Windows and Intel 32-bit CPUs. A kernel device driver is designed to relocate the application's user-mode stack to the higher address and to modify the effective limit in the code segment descriptor, so the relocated stack is excluded from the code segment. Once any malicious code that attempts to execute in the stack, a general-protection exception is triggered, then the malicious code will be terminated. It is highly effective in preventing both known and yet unknown stack smashing attacks, and its performance overhead is lower than the page-based non-executable stack approach.

Shixiang Gao,Tao Zheng,Xun Zhan,XianPing Tao,Qiaoming Zhu,Junyuan Xie,Wenyang Bai

DOI: https://doi.org/10.1007/978-3-319-09265-2_12

2014-01-01

Abstract:By preventing attacks which exploit stack buffer overflow vulnerabilities, address space layout randomization is an effective way for embedded systems protection. However, ASLR will probably suffer exhaustive attacks because the pertinence is not strong. At present only coarse-grained randomization has been implemented because one of the key bottlenecks for fine-grained randomization is the dependencies between functions cannot be constructed completely due to indirect calls. As a result, we give a static inter-procedural backtracking recognition mechanism in this paper by using intermediate code analysis technologies to identify the destination addresses of indirect callings generated by function pointers.

Yuan Tan,JiYan Zheng,Yuanda Cao,XueLan Zhang

DOI: https://doi.org/10.1109/ISCIT.2005.1567023

2005-01-01

Abstract:Stack smashing is a common mode of buffer overflow attack for hijacking system control. A segment-based non-executable stack approach is proposed and evaluated to defend against stack-based buffer overflow attacks under Windows operating system and Intel 32-bit CPUs. A kernel device driver is designed to relocate the application's user-mode stack to the higher address and to modify the effective limit in the code segment descriptor, in order to exclude the relocated stack from the code segment. Once any code that attempts to execute the malicious code residing in the stack, a general-protection exception of exceeding the segment limit is triggered so the malicious code is terminated. It is highly effective in preventing both known and yet unknown stack smashing attacks, and its performance overhead is lower than the page-based non-executable stack approach.

Chien-Ming Chen,Shaui-Min Chen,Wei-Chih Ting,Chi-Yi Kao,Hung-Min Sun

DOI: https://doi.org/10.1016/j.csi.2014.08.008

IF: 3.721

2014-01-01

Computer Standards & Interfaces

Abstract:Stack smashing is one of the most popular techniques for hijacking program controls. Various techniques have been proposed, but most techniques need to alter compilers or require hardware support, and only few of them are developed for Windows. In this paper, we design a Secure Return Address Stack to defeat stack smashing attacks on Windows. Our approach does not need source code and hardware support We also extend our approach to instrument a DLL, a multi-thread application, and DLLs used by multi-thread applications. Benchmark GnuWin32 shows that the relative performance overhead of our approach is only between 3.47% and 8.59%. (C) 2014 Elsevier B.V. All rights reserved.

Zhilong Wang,Xuhua Ding,Chengbin Pang,Jian Guo,Jun Zhu,Bing Mao

DOI: https://doi.org/10.1109/DSN.2018.00035

2018-01-01

Abstract:Stack Smashing Protection (SSP) is a simple and highly efficient technique widely used in practice as the front line defense against stack buffer overflow attacks. Unfortunately, SSP is known to be vulnerable to the so-called byte-by-byte attack. Although several remedy schemes are proposed in the recent literature, their security is achieved at the price of practicality, because their complex logics ruin SSP's simplicity and high-efficiency. In this paper, we present an elegant solution named as Polymorphic SSP (P-SSP) that attains the same security without sacrificing SSP's strengths. We also propose three extensions of the basic scheme for better compatibility, stronger security, and local variable protection, respectively. We have implemented both a compiler plugin and a binary instrumentation tool for deploying P-SSP. Their respective runtime overheads are only 0.24% and 1.01%. We have also experimented with our extensions and compared their pros and cons with the basic scheme.

Wenbing XIE,Xiaodong MA,Zhongsheng LI,Xiamu NIU

DOI: https://doi.org/10.3778/j.issn.1002-8331.1407-0160

2016-01-01

Abstract:Due to the lack of boundary checking mechanism, buffer overflow is one of the most serious attacks against C/C++programs. This paper presents a runtime countermeasure for buffer overflow attack. Through duplicating the control flow information with array which declared in the dynamic link libraries, including the return address and the frame pointer of each function, illegal overwriting can be detected dynamically. This method can both detect direct and indirect attack in the buffer overflow attack. Experiments based on the RIPE testbed and two practical tests as well as theoretical analysis show the effectiveness of this method.

CHEN Lin-bo,JIANG Jian-hui,ZHANG Dan-qing

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.09.019

2013-01-01

Computer Science

Abstract:Despite the numerous prevention and protection techniques that have been developed,the exploitation of memory corruption vulnerabilities still represents a serious threat to the security of software systems and networks.Because of the adoption of the write or execute only policy(W♁X)and address space layout randomization(ASLR),modern operate systems have been strengthened against code injection attacks.However,attackers have responded by employing code reuse attacks,in which software vulnerability is exploited to weave control flow through existing code base.Solutions targeting different aspects of the attack itself have got some success,but none of them can be a silver bullet.Under this situation,a novel defense technique was presented in order to prevent code reuse attacks,especially return-oriented programming(ROP)attacks.This new defense technique,which was benefit from the protection of return address,could dynamically prevent the execution of gadgets ending with 0xc3.Without requiring access to side information such as source code or debugging information,this defense technique could prevent ROP attacks with low performance overhead.

沈达宇,黄皓

2012-01-01

Abstract:The basic protection idea we proposed is the randomization of the data in memory.Through modify the program,instrument new instructions,making the data saved to memory randomization.In this way we can effectively prevent the destruction of the non-control data attack,and even play a certain effect on data privacy protection.This paper achieves a compiler optimization Pass module based on open source project of LLVM compiler,which can optimize executable program from the hazards of non-control data attacks when the source files can be obtained.

Zixuan Xu,Jingci Zhang,Shang Ai,Chen Liang,Lu Liu,Yuanzhang Li

DOI: https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics53846.2021.00046

2021-01-01

Abstract:The problem of buffer overflow in the information system is not threatening, and the system's own defense mechanism can detect and terminate code injection attacks. However, as countermeasures compete with each other, advanced stack overflow attacks have emerged: Return Oriented-Programming (ROP) technology, which has become a hot spot in the field of system security research in recent years. First, this article explains the reason for the existence of this technology and the attack principle. Secondly, it systematically expounds the realization of the return-oriented programming technology at home and abroad in recent years from the common architecture platform, the research of attack load construction, and the research of variants based on ROP attacks. Finally, we summarize the paper.

Yi Zhuang,Tao Zheng,Zhitian Lin

2014-01-01

Abstract:Fine-grained address space layout randomization has recently been proposed as a method of efficiently mitigating ROP attacks. In this paper, we introduce a design and implementation of a framework based on a runtime strategy that undermines the benefits of fine-grained ASLR. Specifically, we abuse a memory disclosure to map an application’s memory layout on-the-fly, dynamically discover gadgets and construct the desired exploit payload, and finish our goals by using virtual function call mechanism—all with a script environment at the time an exploit is launched. We demonstrate the effectiveness of our framework by using it in conjunction with a real-world exploit against Internet Explorer and other applications protected by fine-grained ASLR. Moreover, we provide evaluations that demonstrate the practicality of run-time code reuse attacks. Our work shows that such a framework is effective and fine-grained ASLR may not be as promising as first thought. Keywords-code reuse; security; dynamic; fine-grained ASLR

XIA Chao,QIU Wei-dong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.22.065

2008-01-01

Abstract:This paper proposes a method to detect buffer-overflow vulnerabilities for executables.Combining dynamic analysis and static analysis, it makes further detection of buffer-overflow vulnerabilities.Static methods mainly deal with the internal semantic relationship of assembly instructions and the properties of a function's stack frame for executables.Dynamic emulation provides a virtual run-time environment,which enables the program to combine its static properties while virtually executed,and then it can get the function's semantic results on buffer manipulation,and determine whether there is a buffer-overflow vulnerability.

WAN Yu-xi,LIU Zheng-lin,HUO Wen-jie,ZOU Xue-cheng

DOI: https://doi.org/10.19304/j.cnki.issn1000-7180.2011.04.034

2011-01-01

Abstract:The embedded systems design pay less attention to safety out of consideration for cost and power consumption,and the software defense mechanism unable to achieve the requirement of the embedded systems in real-time and reliability,as the most common software vulnerabilities,buffer overflow poses a serious threat to embedded systems in safety.So we build a hardware defense mechanism based on fine granularity instruction flow monitor to against buffer overflow attacks,through virtual implement the procedures by ours virtual execution units,we can detect attacks before it come comply.The result shows that the hardware defense mechanism can defense these attacks completely,and neither change the source code or destroy the pipeline integrity,nor affects performance,our protection mechanism could be used to prevent run-time buffer overflow attacks in other embedded systems.

Wangtong Liu,Senlin Luo,Yu Liu,Limin Pan,Qamas Gul Khan Safi

DOI: https://doi.org/10.1016/j.cose.2017.09.008

IF: 5.105

2018-01-01

Computers & Security

Abstract:Many defensive approaches have been proposed to protect the integrity of the operating system kernel stack. However, some types of attacks, such as the “return-to-schedule” rootkit, pose a serious threat to these approaches. In this paper, we present a kernel stack protection model to protect the integrity of the kernel stack. It adopts a synchronous design strategy to bind the execution unit with its kernel stack using virtualization technology, and allows the execution unit to write its own current kernel stack with legal kernel codes. To test the model, we propose three kinds of potential attacks which extend the “return-to-schedule” rootkit. The experimental results show that the prototype of the model can be effective against all attack methods, and introduces a performance cost of only 2%. Therefore, it effectively protects all types of data on the kernel stack with a small performance overhead.

Yong Wang,Hailin Yan,Zhenyan Liu,Jingfeng Xue,Changzhen Hu,Ming Li

DOI: https://doi.org/10.1109/3pgcic.2015.102

2015-01-01

Abstract:Memory corruption bugs are one of the most critical vulnerabilities in software security, which can be exploited to overwrite virtual tables (vtables) or virtual table pointers (vfptrs) and finally gain control over the programs at virtual function call sites (vtable hijacking). In this paper, we propose a novel approach to detect vtable hijacking attacks against C++ binary executables. We first analyze the programs to get vtable information of each class, and backup the original vtables and vfptrs at runtime, then instrument security checks dynamically before virtual function dispatches to validate vtables' integrity. We implement the proposed approach as a tool and use it to successfully detect vtable hijacking attacks on the version 11 of Microsoft's Internet Explorer.

PAN Yi,WU Chun-Mei,WU Gang-Shan

DOI: https://doi.org/10.3969/j.issn.1002-137x.2005.03.041

2005-01-01

Computer Science

Abstract:Enhancing compiler technology is one of the publicly available methods for buffer overflow prevention. This paper compares four typical and publicly available tools for buffer overflow prevention by enhancing compiler technology. Our motivation for this is to guide software developers to choose an appropriate tool to increase software quality from a security point of view, and also guide the researchers to bring forward their own more effective and safer method on buffer overflow prevention.