Qiang Zeng,Mingyi Zhao,Peng Liu

DOI: https://doi.org/10.1109/dsn.2015.54

2015-06-01

Abstract:For decades buffer overflows have been one of the most prevalent and dangerous software vulnerabilities. Although many techniques have been proposed to address the problem, they mostly introduce a very high overhead while others assume the availability of a separate system to pinpoint attacks or provide detailed traces for defense generation, which is very slow in itself and requires considerable extra resources. We propose an efficient solution against heap buffer overflows that integrates exploit detection, defense generation, and overflow prevention in a single system, named HeapTherapy. During program execution it conducts on-the-fly lightweight trace collection and exploit detection, and initiates automated diagnosis upon detection to generate defenses in realtime. It can handle both over-write and over-read attacks, such as the recent Heartbleed attack. The system has no false positives, and keeps effective under polymorphic exploits. It is compliant with mainstream hardware and operating systems, and does not rely on specific allocation algorithms. We evaluated HeapTherapy on a variety of services (database, web, and ftp) and benchmarks (SPEC CPU2006); it incurs a very low average overhead in terms of both speed (6.2%) and memory (7.7%).

Wenbing XIE,Xiaodong MA,Zhongsheng LI,Xiamu NIU

DOI: https://doi.org/10.3778/j.issn.1002-8331.1407-0160

2016-01-01

Abstract:Due to the lack of boundary checking mechanism, buffer overflow is one of the most serious attacks against C/C++programs. This paper presents a runtime countermeasure for buffer overflow attack. Through duplicating the control flow information with array which declared in the dynamic link libraries, including the return address and the frame pointer of each function, illegal overwriting can be detected dynamically. This method can both detect direct and indirect attack in the buffer overflow attack. Experiments based on the RIPE testbed and two practical tests as well as theoretical analysis show the effectiveness of this method.

YA Tan,JY Zheng,YD Cao

DOI: https://doi.org/10.1109/pdcat.2005.47

2005-01-01

Abstract:Buffer overflows remain the leading cause of software vulnerabilities in the world of information security. The proposed segment-based non-executable stack approach aims to prevent the injection and execution of arbitrary code in an existing process's stack space under Windows NT/2000 and Intel 32-bit CPUs. The application's user-mode stack is relocated to the higher address and the effective limit of the code segment excludes the relocated stack from the code segment. The segmentation logic of IA-32 processors monitors the accesses to the memory ranges and a page fault is generated if instruction fetches are initiated in the stack memory pages. It is highly effective in preventing both known and yet unknown stack smashing attacks.

Gang Chen,Hai Jin,Deqing Zou,Bing Bing Zhou,Zhenkai Liang,Weide Zheng,Xuanhua Shi

DOI: https://doi.org/10.1109/TDSC.2013.25

2013-01-01

Abstract:AbstractBuffer overflow attacks still pose a significant threat to the security and availability of today's computer systems. Although there are a number of solutions proposed to provide adequate protection against buffer overflow attacks, most of existing solutions terminate the vulnerable program when the buffer overflow occurs, effectively rendering the program unavailable. The impact on availability is a serious problem on service-oriented platforms. This paper presents SafeStack, a system that can automatically diagnose and patch stack-based buffer overflow vulnerabilities. The key technique of our solution is to virtualize memory accesses and move the vulnerable buffer into protected memory regions, which provides a fundamental and effective protection against recurrence of the same attack without stopping normal system execution. We developed a prototype on a Linux system, and conducted extensive experiments to evaluate the effectiveness and performance of the system using a range of applications. Our experimental results showed that SafeStack can quickly generate runtime patches to successfully handle the attack's recurrence. Furthermore, SafeStack only incurs acceptable overhead for the patched applications.

Yuan Tan,JiYan Zheng,Yuanda Cao,XueLan Zhang

DOI: https://doi.org/10.1109/ISCIT.2005.1567023

2005-01-01

Abstract:Stack smashing is a common mode of buffer overflow attack for hijacking system control. A segment-based non-executable stack approach is proposed and evaluated to defend against stack-based buffer overflow attacks under Windows operating system and Intel 32-bit CPUs. A kernel device driver is designed to relocate the application's user-mode stack to the higher address and to modify the effective limit in the code segment descriptor, in order to exclude the relocated stack from the code segment. Once any code that attempts to execute the malicious code residing in the stack, a general-protection exception of exceeding the segment limit is triggered so the malicious code is terminated. It is highly effective in preventing both known and yet unknown stack smashing attacks, and its performance overhead is lower than the page-based non-executable stack approach.

Dongfang Li,Zhenglin Liu,Yizhi Zhao

DOI: https://doi.org/10.1109/uic-atc.2012.115

2012-01-01

Abstract:Buffer overflow attacks have been causing serious security problems for decades. While numerous approaches have been proposed to prevent stack overflows, heap overflows remain a security threat and a frequent source of bugs. Embedded systems can be easily attacked by the heap overflow attacks. In this paper, based on analyzing the security of an embedded processor at instruction level, we propose a hardware defense mechanism, HeapDefender, which aims to detect heap buffer overflow attacks. HeapDefender, a module of hardware located the inside of the embedded processor, neither modifies the program nor destroys the pipeline integrity. The instructions parsed in parallel within the HeapDefender are synchronized with the CPU pipeline which makes the HeapDefender have little performance overhead. As demonstrated in an FPGA (Field Programmable Gate Array) prototyping, the experimental results show that HeapDefender can effectively detect heap buffer overflow attacks with around 15% hardware cost overhead and only 0.1% performance penalty.

WeiZhi Yang,Yuan Tan

DOI: https://doi.org/10.1109/ICCIAS.2006.295323

2006-01-01

Abstract:A segment-based non-executable stack approach is proposed and evaluated to defend against stack-based buffer overflow attacks under Windows NT/2000 /2003/XP and Intel 32-bit CPUs. A kernel device driver is designed to relocate the application's user-mode stack to the higher address and to modify the effective limit in the code segment descriptor, in order to exclude the relocated stack from the code segment. Once any code that attempts to execute the malicious code residing in the stack, a general-protection exception of exceeding the segment limit is triggered so the malicious code will be terminated. It is highly effective in preventing both known and yet unknown stack smashing attacks and its performance overhead is lower than the page-based non-executable stack approach.

Zhigang CUI,Yuan TIAN,Yuanda CAO,Xuelan ZHANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.10.051

2006-01-01

Abstract:A non-executable stack approach is proposed and evaluated to defense against stack-based buffer overflow attacks under Windows and Intel 32-bit CPUs. A kernel device driver is designed to relocate the application's user-mode stack to the higher address and to modify the effective limit in the code segment descriptor, so the relocated stack is excluded from the code segment. Once any malicious code that attempts to execute in the stack, a general-protection exception is triggered, then the malicious code will be terminated. It is highly effective in preventing both known and yet unknown stack smashing attacks, and its performance overhead is lower than the page-based non-executable stack approach.

Zhiqiang Lin,Bing Mao,Li Xie,I. I NTRODUCTION

DOI: https://doi.org/10.1109/IAW.2006.1652114

2006-01-01

Abstract:This paper presents a practical tool, LibsafeXP, to protect the software against the most common and severe attack, buffer overflows. As a dynamic shared library and an extension to Libsafe and LibsafePlus, LibsafeXP contains wrapper functions for all the buffer related functions in C standard library. These wrapper functions are enforced to check the source and target buffer's size using the following information: global buffer knowledge extracted from the program symbol information, heap buffer knowledge by intercepting memory allocation family functions, and stack buffer bound information by dynamically determined from the frame pointer. Compared with other approaches, LibsafeXP is more transparent to programs: it works on binary mode, and neither requires the source code nor any debugging information. The performance and effectiveness evaluation indicates LibsafeXP could be used to defend against buffer overflow attacks and impose about 10 percent overhead on the protected software

Donghai Tian,Xiaoqi Jia,Junhua Chen,Changzhen Hu,Jingfeng Xue

DOI: https://doi.org/10.1109/cc.2016.7781725

2016-01-01

China Communications

Abstract:Heap overflow attack is one of the major memory corruption attacks that have become prevalent for decades. To defeat this attack,many protection methods are proposed in recent years. However,most of these existing methods focus on user-level heap overflow detection. Only a few methods are proposed for kernel heap protection. Moreover,all these kernel protection methods need modifying the existing OS kernel so that they may not be adopted in practice. To address this problem,we propose a lightweight virtualization-based solution that can protect the kernel heap buffers allocated for the target kernel modules. The key idea of our approach is to combine the static binary analysis and virtualization technology to trap a memory allocation operation of the target kernel module,and then add one secure canary word to the end of the allocated buffer. After that,a monitor process is launched to check the integrity of the canaries. The evaluations show that our system can detect kernel heap overflow attacks effectively with minimal performance cost.

Chenghua Tang,Can Peng,Meng Liu,Junyan Qian

DOI: https://doi.org/10.3969/j.issn.1001-3695.2017.12.054

2017-01-01

Abstract:Buffer overflow is common network vulnerability,and the most important one is the stack overflow attack.By analyzing the methods and characteristics of buffer overflow attacks,this paper proposed an improved RetProtect algorithm based on StackShield.This algorithm used IDA Pro for the disassembly analysis of the source program,and then established a new library function.It detected the occurrence of buffer overflow attacks by modifying the GCC source code to realize the backup of the function return address when the program executed.Compared with other stack overflow attack detection methods,the RetProtect algorithm can effectively prevent the stack overflow attacks on the return address overlay,which is transparent to theuser and good compatibility.

SHI Sheng-li,REN Ping-an

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.10.037

2011-01-01

Abstract:According to the features that the attacker usual depends on modifying function return address or function entry address to change the program execution sequence and the structural characteristics of ELF file,while calling function and returning after function calling,certain specific information is dealed with in order to detect attack action.This paper presents a new approach of detecting buffer overflow attacks at runtime depending on the pin that is a tool for the dynamic program monitoring and provides numbers of API functions to design a tool which executives runtime program.Case analysis shows that the method does not need alter the software and hardware system.

Lei Wang,Ping Wang

DOI: https://doi.org/10.12720/IJOEE.1.3.127-131

2013-01-01

Abstract:Buffer overflow has been one of the most outstanding attacks in the last ten years. This kind of vulnerability may compromise the system security by various means. Existing solutions to this problem have focused on the execution environment of the malicious program rather than the hypostasis of buffer overflow and most of them try to detect buffer overflows dynamically. This paper presents the effort of applying a static analysis approach against the programs exploiting buffer overflow and the method adopted is named Proof-Carrying Code (PCC). This paper shows that: (1) it is possible to defend against most of the buffer overflow vulnerabilities with proper use of PCC; and (2) the method is well prepared to handle the coming-up variants of the buffer overflow problems. 

Computer Science

Zhilong Wang,Xuhua Ding,Chengbin Pang,Jian Guo,Jun Zhu,Bing Mao

DOI: https://doi.org/10.1109/DSN.2018.00035

2018-01-01

Abstract:Stack Smashing Protection (SSP) is a simple and highly efficient technique widely used in practice as the front line defense against stack buffer overflow attacks. Unfortunately, SSP is known to be vulnerable to the so-called byte-by-byte attack. Although several remedy schemes are proposed in the recent literature, their security is achieved at the price of practicality, because their complex logics ruin SSP's simplicity and high-efficiency. In this paper, we present an elegant solution named as Polymorphic SSP (P-SSP) that attains the same security without sacrificing SSP's strengths. We also propose three extensions of the basic scheme for better compatibility, stronger security, and local variable protection, respectively. We have implemented both a compiler plugin and a binary instrumentation tool for deploying P-SSP. Their respective runtime overheads are only 0.24% and 1.01%. We have also experimented with our extensions and compared their pros and cons with the basic scheme.

Xiaoguang Wang,Yong Qi,Chi Zhang,Saiyu Qi,Peijian Wang

DOI: https://doi.org/10.1109/COMPSAC.2017.206

2017-01-01

Abstract:Software memory disclosure attacks, such as buffer over-read, often work quietly and would cause secret data leakage. The well-known OpenSSL Heartbleed vulnerability leaked out millions of servers' private keys, which caused most of the Internet services insecure at that time. Existing solutions are either hard to apply to large code bases (e.g., through formal verification [20] or symbolic execution [8] on program code), or too heavyweight (e.g., by involving a hypervisor software [23], [24] or a modified operating system kernel [17]). In this paper, we propose SecretSafe, a lightweight and easy-to-use system which leverages the traditional x86 segmentation mechanism to isolate the application secrets from the remaining data. Software developers could prevent the secrets from being leaked out by simply declaring the secret variables with SECURE keyword. Our customized compiler will automatically separate the secrets from the remaining non-secret data with an isolated memory segment. Any legal instructions that have to access the secrets will be automatically instrumented to enable accesses to the isolated segment. We have implemented a SecretSafe prototype with the open source LLVM compiler framework. The evaluation shows that SecretSafe is both secure and efficient.

谭毓安,曹元大

2005-01-01

Journal of Beijing Institute of Technology

Abstract:The way of intercepting Windows DLL functions against buffer overflow attacks is evaluated. It's produced at the expense of hooking vulnerable DLL functions by addition of check code. If the return address in the stack belongs to a heap or stack page, the call is from illicit code and the program is terminated. The signature of malicious code is recorded, so it is possible for the next attack to be filtered out. The return-into-libc attacks are detected by comparing the entry address of DLL functions with the overwritten return address in the stack. The presented method interrupts the execution of malicious code and prevents the system from being hijacked when these intercepted DLL functions are invoked in the context of buffer overflow.

Zili Shao,Chun Xue,Qingfeng Zhuge,Edwin H. -M. Sha,Bin Xiao

DOI: https://doi.org/10.1109/ITCC.2005.140

2005-01-01

Abstract:Buffer overflow attacks cause serious security problems. Array & pointer bound checking is one of the most effective approaches for defending against buffer overflow attacks when source code is available. However, original array & pointer bound checking causes too much overhead since it is designed to catch memory errors and it puts too many checks. In this paper, we propose an efficient array & pointer bound checking strategy to defend against buffer overflow attacks. In our strategy, only the bounds of write operations are checked. We discuss the optimization strategy via hardware/software and conduct experiments. The experimental results show that our strategy can greatly reduce the overhead of array & pointer bound checking. Our conclusion is that based on our strategy, array & pointer bound checking can be a practical solution for defending systems against buffer overflow attacks with tolerable overhead.

ZHANG Lantu,WANG Ying

DOI: https://doi.org/10.3778/j.issn.1002-8331.2012.15.014

2012-01-01

Computer Engineering and Applications Journal

Abstract:The basic attack patterns of stack buffer overflow are introduced based on the principles of stack buffer overflow. A new dynamic stack buffer overflow prevention method based on protection of control-flow related data is proposed due to the weakness of the existing dynamic buffer overflow prevention methods. At the same time, two encryption algorithms are introduced to protect the control-flow related data. The new method is proved to be able to defend multiple patterns of attacks with an acceptable performance tradeoff. At the same time, an object file reconstructing tool for binary is implemented using this new method. Experimental results of both the penetration resistance and the performance impact of the proposed method are presented.

Minglei SHANG,Hao HUANG

DOI: https://doi.org/10.3969/j.issn.1000-3428.2005.12.014

2005-01-01

Abstract:The principle of buffer overflow and overflow string are analyzed.Then several typical real-time buffer overflow attacks detectionmethods are analyzed.At last, a real-time buffer overflow attack detection approach based on system calls is presented.This approach adds mandatoryaccess control to original system call function by the means of hijacking system calls.In the way of monitoring illegal system calls,it can detect andprevent various buffer overflow attacks of improving priviledge.

Zili Shao,Chun Jason Xue,Qingfeng Zhuge,Edwin H.‐M. Sha,Bin Xiao

DOI: https://doi.org/10.1109/itcc.2004.1286489

2004-01-01

Abstract:With more embedded systems networked, it becomes an important research problem to effectively defend embedded systems against buffer overflow attacks and efficiently check if systems have been protected. In this paper, we propose the HSDefender (hardware/software Defender) technique that considers the protection and checking together to solve this problem. Our basic idea is to design a secure instruction set and require third-party software developers to use secure instructions to call functions. Then the security checking can be easily performed by system integrators even without the knowledge of the source code. We first classify buffer overflow attacks into two categories, stack smashing attacks and function pointer attacks, and then provide two corresponding defending strategies. We analyze the HSDefender technique in respect of hardware cost, security, and performance, and experiment with it on the SimpleScalar/ARM simulator using benchmarks from MiBench. The results show that HSDefender can defend a system against more types of buffer overflow attacks with less overhead compared with the previous work.