Christof Fetzer,Zhen Xiao

DOI: https://doi.org/10.1109/RELDIS.2001.969756

2001-01-01

Abstract:Buffer overflow attacks are a major cause of secu- rity breaches in modern operating systems. Not only are overflows of buffers on the stack a security threat, over- flows of buffers kept on the heap can be too. A mali- cious user might be able to hijack the control flow of a root-privileged program if the user can initiate an over- flow of a buffer on the heap when this overflow over- writes a function pointer stored on the heap. This paper presents a fault-containment wrapper which provides ef- fective and efficient protection against heap buffer over- flows caused by C library functions. The wrapper inter- cepts every function call to the C library that can write to the heap and performs careful boundary checks before it calls the original function. This method is transparent to existing programs and does not require source code modification or recompilation. Experimental results on Linux machines indicate that the performance overhead is small.

Minglei SHANG,Hao HUANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.12.014

2005-01-01

Abstract:The principle of buffer overflow and overflow string are analyzed.Then several typical real-time buffer overflow attacks detectionmethods are analyzed.At last, a real-time buffer overflow attack detection approach based on system calls is presented.This approach adds mandatoryaccess control to original system call function by the means of hijacking system calls.In the way of monitoring illegal system calls,it can detect andprevent various buffer overflow attacks of improving priviledge.

Wei Jiang

2002-01-01

Abstract:Buffer overflow attacking is a seriously problem in network security. The paper analyses deeply the principle and possible of buffer overflow attacking. At last propose the method to defense buffer overflow attacking in writing programmer.

Qiang Zeng,Mingyi Zhao,Peng Liu

DOI: https://doi.org/10.1109/dsn.2015.54

2015-06-01

Abstract:For decades buffer overflows have been one of the most prevalent and dangerous software vulnerabilities. Although many techniques have been proposed to address the problem, they mostly introduce a very high overhead while others assume the availability of a separate system to pinpoint attacks or provide detailed traces for defense generation, which is very slow in itself and requires considerable extra resources. We propose an efficient solution against heap buffer overflows that integrates exploit detection, defense generation, and overflow prevention in a single system, named HeapTherapy. During program execution it conducts on-the-fly lightweight trace collection and exploit detection, and initiates automated diagnosis upon detection to generate defenses in realtime. It can handle both over-write and over-read attacks, such as the recent Heartbleed attack. The system has no false positives, and keeps effective under polymorphic exploits. It is compliant with mainstream hardware and operating systems, and does not rely on specific allocation algorithms. We evaluated HeapTherapy on a variety of services (database, web, and ftp) and benchmarks (SPEC CPU2006); it incurs a very low average overhead in terms of both speed (6.2%) and memory (7.7%).

Zhiqiang Lin,Bing Mao,Li Xie,I. I NTRODUCTION

DOI: https://doi.org/10.1109/IAW.2006.1652114

2006-01-01

Abstract:This paper presents a practical tool, LibsafeXP, to protect the software against the most common and severe attack, buffer overflows. As a dynamic shared library and an extension to Libsafe and LibsafePlus, LibsafeXP contains wrapper functions for all the buffer related functions in C standard library. These wrapper functions are enforced to check the source and target buffer's size using the following information: global buffer knowledge extracted from the program symbol information, heap buffer knowledge by intercepting memory allocation family functions, and stack buffer bound information by dynamically determined from the frame pointer. Compared with other approaches, LibsafeXP is more transparent to programs: it works on binary mode, and neither requires the source code nor any debugging information. The performance and effectiveness evaluation indicates LibsafeXP could be used to defend against buffer overflow attacks and impose about 10 percent overhead on the protected software

WANG Ye-jun,NI Xi-zhen,WEN Wei-ping,JIANG Jian-chun

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.10.033

2005-01-01

Abstract:The buffer overflow attacks have been the most common form in the network attacks and become a predominant problem in the system and network security area. After the principle of the buffer overflow attack is explained, this paper analyzes the causes leading to the attacks. Then the usual attack types the attackers often exploit are presented. Last, the common measures to defend these attacks and my own idea about the solution of this problem by modifying the compiler and the relevant functions of the system are given.

PAN Yi,WU Chun-Mei,WU Gang-Shan

DOI: https://doi.org/10.3969/j.issn.1002-137x.2005.03.041

2005-01-01

Computer Science

Abstract:Enhancing compiler technology is one of the publicly available methods for buffer overflow prevention. This paper compares four typical and publicly available tools for buffer overflow prevention by enhancing compiler technology. Our motivation for this is to guide software developers to choose an appropriate tool to increase software quality from a security point of view, and also guide the researchers to bring forward their own more effective and safer method on buffer overflow prevention.

Yan Fen,Yuan Fuchao,Shen Xiaobing,Yin Xinchun,Mao Bing

DOI: https://doi.org/10.1016/j.phpro.2012.02.259

2011-01-01

Computer Science

Abstract:Code injection attack has become a typical representative of the attacks against memory, buffer overflow attacks which is the most commonly used. It relies on the change of control-flow, let the program point to the malicious code in order to obtain the root rights. This paper presents a method using randomization based on data protection, through the protection of pointers and arrays to defend buffer overflow attacks effectively.

郭津之,龙海,黄皓

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.18.036

2009-01-01

Abstract:To prevent code injection by using message hook,a method of intercepting message hook and clean up the message hook objects in kernel mode is introduced based on analyzing Windows system service and message hook mechanism.Compared to current methods,this method can prevent intercept and cleanup from being bypassed by malware and works more effectively.Experiment proved that the method can prevent code injection effectively.

Tao Ye,Lingming Zhang,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1109/ICST.2016.21

2016-01-01

Abstract:Buffer overflow is one of the most common types of software security vulnerabilities. Although researchers have proposed various static and dynamic techniques for buffer overflow detection, buffer overflow attacks against both legacy and newly-deployed software systems are still quite prevalent. Compared with dynamic detection techniques, static techniques are more systematic and scalable. However, there are few studies on the effectiveness of state-of-the-art static buffer overflow detection techniques. In this paper, we perform an in-depth quantitative and qualitative study on static buffer overflow detection. More specifically, we obtain both the buggy and fixed versions of 100 buffer overflow bugs from 63 real-world projects totalling 28 MLoC (Millions of Lines of Code) based on the reports in Common Vulnerabilities and Exposures (CVE). Then, quantitatively, we apply Fortify, Checkmarx, and Splint to all the buggy versions to investigate their false negatives, and also apply them to all the fixed versions to investigate their false positives. We also qualitatively investigate the causes for the false-negatives and false-positives of studied techniques to guide the design and implementation of more advanced buffer overflow detection techniques. Finally, we also categorized the patterns of manual buffer overflow repair actions to guide automated repair techniques for buffer overflow. The experiment data is available at http://bo-study.github.io/Buffer-Overflow-Cases/.

张实睿,许蕾,徐宝文

DOI: https://doi.org/10.3969/j.issn.1003-7985.2009.02.016

2009-01-01

Abstract:A simplified integer overflow detection method based on path relaxation is described for avoiding buffer overflow triggered by integer overflow. When the integer overflow refers to the size of the buffer allocated dynamically, this kind of integer overflow is most likely to trigger buffer overflow. Based on this discovery, through lightly static program analysis, the solution traces the key variables referring to the size of a buffer allocated dynamically and it maintains the upper bound and lower bound of these variables. After the constraint information of these traced variables is inserted into the original program, this method tests the program with test cases through path relaxation, which means that it not only reports the errors revealed by the current runtime value of traced variables contained in the test case, but it also examines the errors possibly occurring under the same execution path with all the possible values of the traced variables. The effectiveness of this method is demonstrated in a case study. Compared with the traditional buffer overflow detection methods, this method reduces the burden of detection and improves efficiency.

HU Zhong-wang,LIU Wei-dong

DOI: https://doi.org/10.3969/j.issn.1000-7180.2006.07.003

2006-01-01

Abstract:It is difficult to protect the safety of modern computer systems by software method, hardware-based security technology is a new and important topic. The buffer overflow, harm to systems and intrusion mechanism are analyzed. The principle of NX(No eXecute bit) technology to prevent buffer overflow attack based on CPU hardware and implementation are explained. The works are beneficial to the research of CPU made in china.

Yu Ding,Tao Wei,TieLei Wang,Zhenkai Liang,Wei Zou

DOI: https://doi.org/10.1145/1920261.1920310

2010-01-01

Abstract:Heap spraying is an attack technique commonly used in hijacking browsers to download and execute malicious code. In this attack, attackers first fill a large portion of the victim process's heap with malicious code. Then they exploit a vulnerability to redirect the victim process's control to attackers' code on the heap. Because the location of the injected code is not exactly predictable, traditional heap-spraying attacks need to inject a huge amount of executable code to increase the chance of success. Injected executable code usually includes lots of NOP-like instructions leading to attackers' shellcode. Targeting this attack characteristic, previous solutions detect heap-spraying attacks by searching for the existence of such large amount of NOP sled and other shellcode. In this paper, we analyze the implication of modern operating systems' memory allocation granularity and present Heap Taichi, a new heap spraying technique exploiting the weakness in memory alignment. We describe four new heap object structures that can evade existing detection tools, as well as proof-of-concept heap-spraying code implementing our technique. Our research reveals that a large amount of NOP sleds is not necessary for a reliable heap-spraying attack. In our experiments, we showed that our heap-spraying attacks are a realistic threat by evading existing detection mechanisms. To detect and prevent the new heap-spraying attacks, we propose enhancement to existing approaches and propose to use finer memory allocation granularity at memory managers of all levels. We also studied the impact of our solution on system performance.

REN Gao-ming,QIAO Xiang-dong,YANG Tong,BAI Jun-liang

DOI: https://doi.org/10.16208/j.issn1000-7024.2011.09.060

2011-01-01

Abstract:To verify whether WehnTrust have the expected detection and prevention function of buffer overflow attacks,experiments are designed to test it.First,the source code of the intrusion prevention system is analyzed and debugged.On this basis,five experiments are presented to simulate buffer overflow attack;and,aiming at the features of WehnTrust,experimental environment is built to simulate attacked test of the C++ virtual function,structured exception handing attack and format string attack.By analyzing and summarizing the experimental results,it is indicated that WehnTrust are not fully capable of intrusion prevention of the developers claimed.

Yongqiang Zhang,Hai Bi

DOI: https://doi.org/10.4028/www.scientific.net/amr.159.424

2010-01-01

Advanced Materials Research

Abstract:HOOK and injection are advanced programming techniques. The common windows injection and HOOK techniques are introduced and analyzed in this paper. (1) By using hooks; (2) By using registration table;（3）By Trojan Horse DLL; (4) By PE import table; (5) By using remote thread. Proposed a method of non-DLL and gives a machine code-level implementations of the technology. Finally the paper lists the key technology and gives the main code.

Si-Hao SHAO,Qing GAO,Sen MA,Fu-Yao DUAN,Xiao MA,Shi-Kun ZHANG,Jin-Hua HU

DOI: https://doi.org/10.13328/j.cnki.jos.005504

2018-01-01

Abstract:First,in this paper,the breadth and risk of buffer overflow vulnerabilities are introduced.Then,from the aspect of how to exploit a buffer overflow vulnerability,an overview is provided on the definition of buffer overflow vulnerabilities,memory organization in operation systems,and classification of buffer overflow attacks.Based on the research,buffer overflow analysis technologies are classified into three categories:automatic detection,automatic repair,and run-time protection.Each types of technologies are introduced,analyzed and discussed according to the classification.Finally,three possible research directions in the field of buffer overflow vulnerability analysis are discussed:(1) analyzing binary code;(2) using machine learning algorithms;(3) combining multiple technologies for analysis.

Zhi-qiang LIN,Yi WANG,Bing MAO,Li XIE

DOI: https://doi.org/10.3321/j.issn:0372-2112.2007.05.016

2007-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:This paper presents a dynamic and transparent toolkit, SafeBird, to defend against run-time buffer overflows by combining several techniques. SafeBird consists of three tools: SIET, LibsafeXP and SLI. SIET extracts the size and starting address information of program global variables from the symbol section of ELF executable file. LibsafeXP, a dynamic shared library and an extension to Libsafe, contains wrapper functions for all the buffer related C Standard Library functions. These wrapper functions are enforced to check the source and target buffer's size using the following information: global buffer knowledge provided by SIET, heap buffer knowledge by intercepting/tracking memory allocation family functions, and stack buffer bound information by dynamically determined from the frame pointer. The third tool SLI is used to accomplish the function interception and inject the shared library, LibsafeXP, into the running process online without interruption. Compared with existing approaches, SafeBird is more transparent to programs: it works on binary mode, and neither requires the source code or any debug information, nor needs to stop/restart the protected software. Performance and effectiveness evaluations indicate that SafeBird could be used to prevent run-time buffer overflow attacks efficiently, and imposes only about 10 percent overhead on average.

Xiao-zhe LI,Mei-jun ZANG,Yi-qi DAI

DOI: https://doi.org/10.3969/j.issn.1672-464X.2008.04.015

2008-01-01

Abstract:Nowadays,Windows operating system is the most prevalent OS,and its security problem is widely concerned by users.System call interception is an efficient way to control accesses to the Windows system resource.This paper introduces and implements an API HOOK method to intercept Windows system calls,and exploits it to control host behaviors.By experiments,we prove that this system call interception method can control host access to system resources,which improves the security level of Windows OS.

Fengjuan Gao,Linzhang Wang,Xuandong Li

DOI: https://doi.org/10.1145/2970276.2970282

2016-01-01

Abstract:Buffer overflow is one of the most common types of software vulnerabilities. Various static analysis and dynamic testing techniques have been proposed to detect buffer overflow vulnerabilities. With automatic tool support, static buffer overflow detection technique has been widely used in academia and industry. However, it tends to report too many false positives fundamentally due to the lack of software execution information. Currently, static warnings can only be validated by manual inspection, which significantly limits the practicality of the static analysis. In this paper, we present BovInspector, a tool framework for automatic static buffer overflow warnings inspection and validated bugs repair. Given the program source code and static buffer overflow vulnerability warnings, BovInspector first performs warning reachability analysis. Then, BovInspector executes the source code symbolically under the guidance of reachable warnings. Each reachable warning is validated and classified by checking whether all the path conditions and the buffer overflow constraints can be satisfied simultaneously. For each validated true warning, BovInspector fix it with three predefined strategies. BovInspector is complementary to prior static buffer overflow discovery schemes. Experimental results on real open source programs show that BovInspector can automatically inspect on average of 74.9% of total warnings, and false warnings account for about 25% to 100% (on average of 59.9%) of the total inspected warnings. In addition, the automatically generated patches fix all target vulnerabilities. Further information regarding the implementation and experimental results of BovInspector is available at http://bovinspectortool.github.io/project/. And a short video for demonstrating the capabilities of BovInspector is now available at https://youtu.be/IMdcksROJDg.

Kang Sun,Daliang Xu,Dongwei Chen,Xu Cheng,Dong Tong

2020-01-01

Abstract: Annex K of C11, bounds-checking interfaces, recently introduced a set of alternative functions to mitigate buffer overflows, primarily those caused by string/memory functions. However, poor compatibility limits their adoption. Failure oblivious computing can eliminate the possibility that an attacker can exploit memory errors to corrupt the address space and significantly increase the availability of systems. In this paper, we present S3Library (Saturation-Memory-Access Safer String Library), which is compatible with the standard C library in terms of function signature. Our technique automatically replaces unsafe deprecated memory/string functions with safer versions that perform bounds checking and eliminate buffer overflows via boundless memory. S3Library employs MinFat, a very compact pointer representation following the Less is More principle, to encode metadata into unused upper bits within pointers. In addition, S3Library utilizes Saturation Memory Access to eliminate illegal memory accesses into boundless padding area. Even if an out-of-bounds access is made, the fault program will not be interrupted. We implement our scheme within the LLVM framework on X86-64 and evaluate our approach on correctness, security, runtime performance and availability.