LIU Jia-xiang,JIANG Jian-hui,CHEN Lin-bo

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.05.017

2012-01-01

Abstract:In the paper,the basic attack patterns for Intel 80X86 are classified in the viewpoint of assemble language programs.The weak-ness of the existing dynamic buffer-overflow prevention mechanisms is discussed.A new dynamic stack buffer-overflow prevention mechanism based on return-address translation is proposed.The new mechanism is proved to be able to defend multiple patterns attacks with an acceptable performance tradeoff.We present experimental results of both the penetration resistance and the performance impact of the propsed mechanism.With simple modification,the mechanism is suitable for different security and performance needs.

Kangmin Kim,Jeong‐Nyeo Kim,Seungkwang Lee

DOI: https://doi.org/10.1049/ell2.13310

2024-10-08

Electronics Letters

Abstract:The existing method of canary‐based stack protection can be bypassed by several buffer overflow attacks. This paper improves on the canary‐based protection without having to recompile the binary. This paper introduces a novel software‐based approach to enhancing stack smashing protection in C/C++ applications, specifically targeting return‐oriented programming attacks, which remain a significant threat to firmware and software security. Traditional canary‐based protections are vulnerable to brute‐force and format string attacks. Additionally, many stack protection mechanisms require access to the source code or recompilation, complicating the security of existing binaries. This paper proposes a new method, aptly named StackGuard+ , that modifies the canary‐based protection mechanism by altering the code responsible for canary insertion and verification. This change ensures the integrity of the return address while maintaining the original code size, allowing for seamless interoperability without the need for recompilation or additional hardware. The approach can be automated using a Python script, which modifies existing canary‐based binaries with only 26 bytes of machine code on the × 86‐64 platform. Moreover, this approach can be easily adapted to other platforms, including × 86 and ARM64.

engineering, electrical & electronic

WeiZhi Yang,Yuan Tan

DOI: https://doi.org/10.1109/ICCIAS.2006.295323

2006-01-01

Abstract:A segment-based non-executable stack approach is proposed and evaluated to defend against stack-based buffer overflow attacks under Windows NT/2000 /2003/XP and Intel 32-bit CPUs. A kernel device driver is designed to relocate the application's user-mode stack to the higher address and to modify the effective limit in the code segment descriptor, in order to exclude the relocated stack from the code segment. Once any code that attempts to execute the malicious code residing in the stack, a general-protection exception of exceeding the segment limit is triggered so the malicious code will be terminated. It is highly effective in preventing both known and yet unknown stack smashing attacks and its performance overhead is lower than the page-based non-executable stack approach.

YA Tan,JY Zheng,YD Cao

DOI: https://doi.org/10.1109/pdcat.2005.47

2005-01-01

Abstract:Buffer overflows remain the leading cause of software vulnerabilities in the world of information security. The proposed segment-based non-executable stack approach aims to prevent the injection and execution of arbitrary code in an existing process's stack space under Windows NT/2000 and Intel 32-bit CPUs. The application's user-mode stack is relocated to the higher address and the effective limit of the code segment excludes the relocated stack from the code segment. The segmentation logic of IA-32 processors monitors the accesses to the memory ranges and a page fault is generated if instruction fetches are initiated in the stack memory pages. It is highly effective in preventing both known and yet unknown stack smashing attacks.

Yuan Tan,JiYan Zheng,Yuanda Cao,XueLan Zhang

DOI: https://doi.org/10.1109/ISCIT.2005.1567023

2005-01-01

Abstract:Stack smashing is a common mode of buffer overflow attack for hijacking system control. A segment-based non-executable stack approach is proposed and evaluated to defend against stack-based buffer overflow attacks under Windows operating system and Intel 32-bit CPUs. A kernel device driver is designed to relocate the application's user-mode stack to the higher address and to modify the effective limit in the code segment descriptor, in order to exclude the relocated stack from the code segment. Once any code that attempts to execute the malicious code residing in the stack, a general-protection exception of exceeding the segment limit is triggered so the malicious code is terminated. It is highly effective in preventing both known and yet unknown stack smashing attacks, and its performance overhead is lower than the page-based non-executable stack approach.

Hans Liljestrand,Thomas Nyman,Lachlan J. Gunn,Jan-Erik Ekberg,N. Asokan

DOI: https://doi.org/10.48550/arXiv.1905.10242

2020-10-15

Abstract:A popular run-time attack technique is to compromise the control-flow integrity of a program by modifying function return addresses on the stack. So far, shadow stacks have proven to be essential for comprehensively preventing return address manipulation. Shadow stacks record return addresses in integrity-protected memory secured with hardware-assistance or software access control. Software shadow stacks incur high overheads or trade off security for efficiency. Hardware-assisted shadow stacks are efficient and secure, but require the deployment of special-purpose hardware. We present authenticated call stack (ACS), an approach that uses chained message authentication codes (MACs). Our prototype, PACStack, uses the ARM general purpose hardware mechanism for pointer authentication (PA) to implement ACS. Via a rigorous security analysis, we show that PACStack achieves security comparable to hardware-assisted shadow stacks without requiring dedicated hardware. We demonstrate that PACStack's performance overhead is small (~3%).

Cryptography and Security

Gang Chen,Hai Jin,Deqing Zou,Bing Bing Zhou,Zhenkai Liang,Weide Zheng,Xuanhua Shi

DOI: https://doi.org/10.1109/TDSC.2013.25

2013-01-01

Abstract:AbstractBuffer overflow attacks still pose a significant threat to the security and availability of today's computer systems. Although there are a number of solutions proposed to provide adequate protection against buffer overflow attacks, most of existing solutions terminate the vulnerable program when the buffer overflow occurs, effectively rendering the program unavailable. The impact on availability is a serious problem on service-oriented platforms. This paper presents SafeStack, a system that can automatically diagnose and patch stack-based buffer overflow vulnerabilities. The key technique of our solution is to virtualize memory accesses and move the vulnerable buffer into protected memory regions, which provides a fundamental and effective protection against recurrence of the same attack without stopping normal system execution. We developed a prototype on a Linux system, and conducted extensive experiments to evaluate the effectiveness and performance of the system using a range of applications. Our experimental results showed that SafeStack can quickly generate runtime patches to successfully handle the attack's recurrence. Furthermore, SafeStack only incurs acceptable overhead for the patched applications.

Zhenliang An,Weike Wang,Wenxin Li,Senyang Li,Dexue Zhang

DOI: https://doi.org/10.3390/mi14081525

IF: 3.4

2023-07-30

Micromachines

Abstract:The growing prevalence of embedded systems in various applications has raised concerns about their vulnerability to malicious code reuse attacks. Current software-based and hardware-assisted security techniques struggle to detect or block these attacks with minor performance and implementation overhead. To address this issue, this paper presents a lightweight hardware-assisted scheme to enhance the security of embedded systems against code reuse attacks. We develop an on-chip lightweight hardware shadow stack to validate target addresses at runtime for backward-edge control flow integrity, which backs up valid return addresses during function calls and automatically verifies actual return addresses during the return phase. Additionally, we propose a lightweight stream cipher circuit that encrypts and decrypts critical stack data related to control flow manipulation, preventing attackers from analyzing or tampering with them. When designing and implementing the security mechanism for embedded systems, we fully consider the constraints of limited system resources and performance, optimizing both the architecture design and implementation of the proposed hardware. Finally, we integrate both the proposed lightweight hardware shadow stack and the runtime data encryption hardware into the OR1200 processor. We have verified the system security function on the Terasic DE1-SoC FPGA platform and evaluated the system performance as well as implementation overhead. The results show that the proposed lightweight hardware-assisted scheme can provide a dedicated defense capability against code reuse attacks for embedded systems, with an average system performance overhead of 0.39% and an area footprint of 0.316 mm2.

chemistry, analytical,nanoscience & nanotechnology,instruments & instrumentation,physics, applied

Zhigang CUI,Yuan TIAN,Yuanda CAO,Xuelan ZHANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.10.051

2006-01-01

Abstract:A non-executable stack approach is proposed and evaluated to defense against stack-based buffer overflow attacks under Windows and Intel 32-bit CPUs. A kernel device driver is designed to relocate the application's user-mode stack to the higher address and to modify the effective limit in the code segment descriptor, so the relocated stack is excluded from the code segment. Once any malicious code that attempts to execute in the stack, a general-protection exception is triggered, then the malicious code will be terminated. It is highly effective in preventing both known and yet unknown stack smashing attacks, and its performance overhead is lower than the page-based non-executable stack approach.

CHEN Lin-bo,JIANG Jian-hui,ZHANG Dan-qing

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.09.019

2013-01-01

Computer Science

Abstract:Despite the numerous prevention and protection techniques that have been developed,the exploitation of memory corruption vulnerabilities still represents a serious threat to the security of software systems and networks.Because of the adoption of the write or execute only policy(W♁X)and address space layout randomization(ASLR),modern operate systems have been strengthened against code injection attacks.However,attackers have responded by employing code reuse attacks,in which software vulnerability is exploited to weave control flow through existing code base.Solutions targeting different aspects of the attack itself have got some success,but none of them can be a silver bullet.Under this situation,a novel defense technique was presented in order to prevent code reuse attacks,especially return-oriented programming(ROP)attacks.This new defense technique,which was benefit from the protection of return address,could dynamically prevent the execution of gadgets ending with 0xc3.Without requiring access to side information such as source code or debugging information,this defense technique could prevent ROP attacks with low performance overhead.

Zelin Rong,Peidai Xie,Jingyuan Wang,Shenglin Xu,Yongjun Wang

DOI: https://doi.org/10.1109/ASAP.2018.8445132

2018-01-01

Abstract:With the implementation of W circle plus X security model on computer system, Return-Oriented Programming(ROP) has become the primary exploitation technique for adversaries. Although many solutions that defend against ROP exploits have been proposed, they still suffer from various shortcomings. In this paper, we propose a new way to mitigate ROP attacks that are based on return instructions. We clean the scratch registers which are also the parameter registers based on the features of ROP malicious code and calling convention. A prototype is implemented on x64-based Linux platform based on Pin. Preliminary experimental results show that our method can efficiently mitigate conventional ROP attacks.

Wangtong Liu,Senlin Luo,Yu Liu,Limin Pan,Qamas Gul Khan Safi

DOI: https://doi.org/10.1016/j.cose.2017.09.008

IF: 5.105

2018-01-01

Computers & Security

Abstract:Many defensive approaches have been proposed to protect the integrity of the operating system kernel stack. However, some types of attacks, such as the “return-to-schedule” rootkit, pose a serious threat to these approaches. In this paper, we present a kernel stack protection model to protect the integrity of the kernel stack. It adopts a synchronous design strategy to bind the execution unit with its kernel stack using virtualization technology, and allows the execution unit to write its own current kernel stack with legal kernel codes. To test the model, we propose three kinds of potential attacks which extend the “return-to-schedule” rootkit. The experimental results show that the prototype of the model can be effective against all attack methods, and introduces a performance cost of only 2%. Therefore, it effectively protects all types of data on the kernel stack with a small performance overhead.

沈达宇,黄皓

2012-01-01

Abstract:The basic protection idea we proposed is the randomization of the data in memory.Through modify the program,instrument new instructions,making the data saved to memory randomization.In this way we can effectively prevent the destruction of the non-control data attack,and even play a certain effect on data privacy protection.This paper achieves a compiler optimization Pass module based on open source project of LLVM compiler,which can optimize executable program from the hazards of non-control data attacks when the source files can be obtained.

Wonwoo Choi,Minjae Seo,Seongman Lee,Brent Byunghoon Kang

DOI: https://doi.org/10.1016/j.cose.2023.103568

IF: 5.105

2024-01-01

Computers & Security

Abstract:System software written in unsafe languages such as C/C++ is susceptible to various types of security vulnerabilities. Historically, backward-edges such as return addresses have been an attractive target for control-flow hijacking attacks due to the severity and ease of exploitation. Although various backward-edge control-flow integrity schemes have been proposed over the years, most of them mainly focus on protecting desktop/server-class systems, leaving embedded systems unprotected. Even worse, bringing their defense mechanisms into resource-constrained embedded systems is undesirable because they were originally designed for high-end computing systems and thus are not directly applicable to embedded systems without compromising performance and real-time constraints. In this paper, we propose Shadow under the Mask (SuM), an efficient and robust backward-edge control flow protection that is applicable to ARM Cortex-M processors. Specifically, SuM realizes a non-bypassable shadow stack mechanism and safeguards its structural integrity in a novel combination of an MPU and FaultMask—an overlooked hardware feature in Cortex-M processors. To be more specific, SuM restricts all access to the shadow stack through MPU, ensuring its integrity; and temporarily disables its MPU protection through FaultMask during the execution of safe instructions, guaranteeing that only authorized instructions can modify the shadow stack. In our empirical evaluation, SuM incurs minimal runtime overhead of 2.77% and 2.63%, respectively, on the BEEBS and CoreMark benchmark suites. These results underscore the viability of our proposed approach as a practical and potent solution to address the highlighted cybersecurity challenge.

computer science, information systems

Yi Zhuang,Tao Zheng,Zhitian Lin

2014-01-01

Abstract:Fine-grained address space layout randomization has recently been proposed as a method of efficiently mitigating ROP attacks. In this paper, we introduce a design and implementation of a framework based on a runtime strategy that undermines the benefits of fine-grained ASLR. Specifically, we abuse a memory disclosure to map an application’s memory layout on-the-fly, dynamically discover gadgets and construct the desired exploit payload, and finish our goals by using virtual function call mechanism—all with a script environment at the time an exploit is launched. We demonstrate the effectiveness of our framework by using it in conjunction with a real-world exploit against Internet Explorer and other applications protected by fine-grained ASLR. Moreover, we provide evaluations that demonstrate the practicality of run-time code reuse attacks. Our work shows that such a framework is effective and fine-grained ASLR may not be as promising as first thought. Keywords-code reuse; security; dynamic; fine-grained ASLR

CHEN Linbo,JIANG Jianhui,ZHANG Danqing

DOI: https://doi.org/10.3969/j.issn.0253-374x.2012.03.021

2012-01-01

Abstract:An analysis is made of the classical buffer overflow prevention methods for Intel 80X86 architecture and C/C++.A new stack buffer overflow prevention method based on dual-stack is proposed due to the shortcomings of classical methods.Besides,an object file reconstructing tool for ELF format files is implemented with the dual-stack structure.Experiment results show that the proposed method and the tool are efficient for buffer overflow attack prevention with low overhead.

Zhilong Wang,Xuhua Ding,Chengbin Pang,Jian Guo,Jun Zhu,Bing Mao

DOI: https://doi.org/10.1109/DSN.2018.00035

2018-01-01

Abstract:Stack Smashing Protection (SSP) is a simple and highly efficient technique widely used in practice as the front line defense against stack buffer overflow attacks. Unfortunately, SSP is known to be vulnerable to the so-called byte-by-byte attack. Although several remedy schemes are proposed in the recent literature, their security is achieved at the price of practicality, because their complex logics ruin SSP's simplicity and high-efficiency. In this paper, we present an elegant solution named as Polymorphic SSP (P-SSP) that attains the same security without sacrificing SSP's strengths. We also propose three extensions of the basic scheme for better compatibility, stronger security, and local variable protection, respectively. We have implemented both a compiler plugin and a binary instrumentation tool for deploying P-SSP. Their respective runtime overheads are only 0.24% and 1.01%. We have also experimented with our extensions and compared their pros and cons with the basic scheme.

Ping Chen,Jun Xu,Jun Wang,Peng Liu

DOI: https://doi.org/10.48550/arXiv.1507.02786

2015-07-10

Abstract:Fine-grained Address Space Randomization has been considered as an effective protection against code reuse attacks such as ROP/JOP. However, it only employs a one-time randomization, and such a limitation has been exploited by recent just-in-time ROP and side channel ROP, which collect gadgets on-the-fly and dynamically compile them for malicious purposes. To defeat these advanced code reuse attacks, we propose a new defense principle: instantly obsoleting the address-code associations. We have initialized this principle with a novel technique called virtual space page table remapping and implemented the technique in a system CHAMELEON. CHAMELEON periodically re-randomizes the locations of code pages on-the-fly. A set of techniques are proposed to achieve our goal, including iterative instrumentation that instruments a to-be-protected binary program to generate a re-randomization compatible binary, runtime virtual page shuffling, and function reordering and instruction rearranging optimizations. We have tested CHAMELEON with over a hundred binary programs. Our experiments show that CHAMELEON can defeat all of our tested exploits by both preventing the exploit from gathering sufficient gadgets, and blocking the gadgets execution. Regarding the interval of our re-randomization, it is a parameter and can be set as short as 100ms, 10ms or 1ms. The experiment results show that CHAMELEON introduces on average 11.1%, 12.1% and 12.9% performance overhead for these parameters, respectively.

Cryptography and Security

CHEN Zhi-jian,MENG Jian-yi,GE Hai-tong,YAN Xiao-lang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2011.09.013

2011-01-01

Abstract:A new hardware stack of embedded processor was proposed to support seamless context switching and remove the performance loss during function call.The high-performance hardware stack is composed of data stack(DS)and returning stack(RS),and both of them are designed to be reconfigurable two-level buffer scheme to eliminate the overhead of process switching.DS utilizes two alternative general purpose register(GPR) to construct a new virtual GPR,which operates multiple data in/out stack in one cycle and performs switch automatically,hiding the performance cost of stack operations during program switching.RS preserves the function return address and corresponding instruction when function is called to eliminate the pipeline bubbles during the function returnes.Both DS and RS reuse partial memory space of scratchpad memory(SPM) as the second level buffers to provide support for user reconfiguration and sufficient buffer space for specified embedded software.Experiment results show that the performance is improved by over 10% while the power cost reduced by 2 % with the new hardware stack.

Quentin Michaud,Yohan Pipereau,Olivier Levillain,Dhouha Ayed

2024-10-23

Abstract:WebAssembly is an instruction set architecture and binary format standard, designed for secure execution by an interpreter. Previous work has shown that WebAssembly is vulnerable to buffer overflow due to the lack of effective protection mechanisms. In this paper, we evaluate the implementation of Stack Smashing Protection (SSP) in WebAssembly standalone runtimes, and uncover two weaknesses in their current implementation. The first one is the possibility to overwrite the SSP reference value because of the contiguous memory zones inside a WebAssembly process. The second comes from the reliance of WebAssembly on the runtime to provide randomness in order to initialize the SSP reference value, which impacts the robustness of the solution. We address these two flaws by hardening the SSP implementation in terms of storage and random generator failure, in a way that is generalizable to all of WebAssembly. We evaluate our new, more robust, solution to prove that the implemented improvements do not reduce the efficiency of SSP.

Cryptography and Security