2005
The recent announcement by Michael Lynn at Black Hat 2005 of a software flaw in Cisco routers has grabbed the attention of many technology news sources. The flaw is an instance of a buffer overflow, a type of security vulnerability that has been discussed since the 1960s, yet remains one of the most frequently reported types of remote attack against computer
2005
The July 2005 announcement by computer security researcher Michael Lynn at the Black Hat security conference of a software flaw in Cisco Systems routers grabbed media attention worldwide. The flaw was an instance of a buffer overflow, a security vulnerability that has been discussed for 40 years yet remains one of the most frequently reported types of remote attack against computer systems.
2003
Buffer overflows have been the most common form of security vulnerability for the last ten years. Moreover, buffer overflow vulnerabilities dominate the area of remote network penetration vulnerabilities, where an anonymous Internet user seeks to gain partial or total control of a host. If buffer overflow vulnerabilities could be effectively eliminated, a very large portion of the most serious security threats would also be eliminated. In this paper, we survey the various types of buffer overflow vulnerabilities and attacks, and survey the various defensive measures that mitigate buffer overflow vulnerabilities, including our own StackGuard method. We then consider which combinations of techniques can eliminate the problem of buffer overflow vulnerabilities, while preserving the functionality and performance of existing systems.
2005
Software coding practices, in the interest of efficiency, often neglect to enforce strict bounds checking on buffers, arrays and pointers. This results in software code that is more vulnerable to security intrusions exploiting buffer overflow vulnerabilities. Unfortunately, such attacks form the most common type of security threat to computer and information systems, making it imperative to find efficient solutions for buffer overflow vulnerabilities. Typically, an attacker is able to effect a successful intrusion by causing a buffer overflow in the stack frame of a function call, thereby causing the valid return address to be overwritten by a malicious value. This allows the attacker to redirect the return from a function call to a malicious piece of code introduced by the attacker. Depending on the nature of the malicious code, the attacker is able to compromise the availability, integrity, or confidentiality of a system. Researchers have suggested transforming the return address or even using an entirely separate stack for managing the return addresses. This paper describes a simple technique that ensures the integrity of the return address by pushing two copies of the return address onto the stack: a transformed (or encrypted) return address value along with the original one. Before popping the return address, the two return address values are compared to detect any malicious activity, thus preventing the exploitation of stack-based buffer overflow vulnerabilities. The proposed modification may be implemented at the CPU architecture level or by a simple modification to the compiler's prologue and epilogue code.
1998
This paper presents a systematic solution to the persistent problem of buffer overflow attacks. Buffer overflow attacks gained notoriety in 1988 as part of the Morris Worm incident on the Internet. While it is fairly simple to fix individual buffer overflow vulnerabilities, buffer overflow attacks continue to this day. Hundreds of attacks have been discovered, and while most of the obvious vulnerabilities have now been patched, more sophisticated buffer overflow attacks continue to emerge.
For the past several years Buffer Overflow attacks have been the main method of compromising a computing system's security. Many of these attacks have been devastatingly effective, allowing the attacker to attain administrator privileges on the attacked system. We review the anatomy of these attacks and the reasons why conventional methods of defense have been ineffective, and likely to remain so in the foreseeable future. Recently, however, several promising methods of defense have been proposed. We compare the strengths and weaknesses of these defense methods.
Workshop on Evaluating and …, 2002
Buffer overflow attacks are the predominant threat to the secure operation of network and in particular, Internet-based applications. Stack smashing is a common mode of buffer overflow attack for hijacking system control. This paper evaluates two architecture-based techniques to defend systems against such attacks: (1) the split control and data stack, and (2) secure return address stack (SRAS). The split stack approach separates control and data stack
This paper presents an automated detection method based on classification of network traffic using a predefined set of network metrics. We proposed the set of metrics with a focus on the behavior of buffer overflow attacks and their sufficient description without the need for deep packet inspection. In this paper we describe two laboratory experiments in automated detection of buffer overflow attacks on vulnerable network services and their description by the proposed set of network metrics. We present the principles of several chosen network metrics and their application to experimental attacks according to their nature, in comparison to valid communication.
2004 IEEE/IFIP Network Operations and Management Symposium (IEEE Cat. No.04CH37507), 2004
Attack polymorphism is a powerful tool for the attackers in the Internet to evade signature-based intrusion detection/prevention systems. In addition, new and faster Internet worms can be coded and launched easily by even high school students anytime against our critical infrastructures, such as DNS or update servers. We believe that polymorphic Internet worms will be developed in the future such that many of our current solutions might have a very small chance to survive. In this paper, we propose a simple solution called "Buttercup" to counter against attacks based on buffer-overflow exploits (such as CodeRed, Nimda, Slammer, and Blaster). We have implemented our idea in SNORT, and included 19 return address ranges of buffer-overflow exploits. With a suite of tests against 55 TCPdump traces, the false positive rate for our best algorithm is as low as 0.01%. This indicates that, potentially, Buttercup can drop 100% worm attack packets on the wire while only 0.01% of the good packets will be sacrificed.
2005
Buffer overflows constitute by far the most frequently encountered class of attacks against computer systems. In this paper we introduce a tool, termed bufSTAT that achieves a low probability of false alarm and issues early attack warnings. BufSTAT relies on Finite State Machines (FSM) for attack modeling and can detect every stage of an ongoing attack and can thus prevent its execution by issuing early warning in a progressive manner. It can also detect sophisticated multi-stage attacks that are executed over long periods of time. A significant attribute of our approach is that it is amenable to detecting unknown attacks as well after appropriate modification of bufSTAT.
2011
This article describes StackFences, a run-time technique for detecting overflows in local variables in C programs. This technique is different from all others developed so far because it tries to detect explicit overflow occurrences, instead of detecting if a particular stack value, namely a return address, was corrupted because of a stack overflow. Thus, StackFences is useful not only for detecting intrusion attempts but also for checking the run-time robustness of applications. We also conceived different policies for deploying StackFences, allowing a proper balancing between detection accuracy and performance. For testing StackFences we developed a prototype for Linux systems using TCC (Tiny C Compiler). C modules compiled with StackFences are fully compatible with C modules compiled differently and standard libraries. Effectiveness tests confirmed that all overflows in local variables are detected before causing any severe damage. Performance tests run with several tools and parameters showed an acceptable performance degradation.
Keywords: Buffer overflows, run-time detection, run-time correctness assessment, damage containment, dependability
This article is an extended version of another one published in the 1st International Conference on E-business and Telecommunication Networks (ICETE 2004).
2013
Buffer overflow vulnerability is a fundamental cause for most of the cyber attacks such as server breaking-in, worms, zombies, and botnets, since the attacker gets a capital control over a victim host. Many solutions to the buffer overflow attacks have been proposed in the last decade. However, on a routine basis new buffer overflow vulnerabilities are still discovered and reported. Almost all existing solutions to the buffer overflow attack problem require significant modification to the computing infrastructure in which network applications are developed or executed, and thus have met considerable resistance in actual deployment. This paper aims to provide a categorized survey of the existing countermeasures to buffer overflow attack. A categorized survey is necessary in this field because researchers have proposed many software-based and hardware-based countermeasures for buffer overflow exploits. These methods differ from one another in the strength of protection prov...
IRJET, 2020
Buffer overflows are one of the most common forms of security vulnerability. They may allow an anonymous Internet user to gain control (partial or total) of a server. By mitigating buffer overflow vulnerabilities we can reduce most of the serious security threats. In this paper, we survey the various types of buffer overflow vulnerabilities and attacks, and survey the various defensive measures that mitigate buffer overflow vulnerabilities.
In the computer world there are many types of input validation attacks, of which "Buffer Overflow Attacks" are one of the most important types. Buffer overflow attacks are more dangerous to handle. A buffer overflow is an anomaly where a programmer writes data in a buffer that overruns the boundary of the buffer and overwrites the adjacent memory. This results in erratic program behavior, such as memory access errors, wrong results, a crash or a breach of computer security. In this paper, we discuss the classification of buffer overflows according to their generation, and prevention techniques for buffer overflow vulnerabilities.
Procedia Computer Science, 2016
We address the particular cyber attack technique known as stack buffer overflow in GNU/Linux operating systems, which are widely used in HPC environments. The buffer overflow problem has been around for quite some time and continues to be an ever present issue. We develop a mechanism to successfully detect and react whenever a stack buffer overflow occurs. Our solution requires no compile-time support and so can be applied to any program, including legacy or closed source software for which the source code is not available. This makes it especially useful in HPC environments where given their complexity and scope of the computing system, incidents like overflows might be difficult to detect and react to accordingly.
The buffer overflow attack has been considered one of the important security breaches in modern software systems and has proven difficult to mitigate. This attack allows the attacker to get administrative control with root privilege by using buffer overflow techniques: overwriting the return address of a function, overwriting a function pointer stored in memory, and overflowing a buffer on the heap. In this paper, we present the different buffer overflow techniques used by exploiters and the methodologies applied to mitigate buffer overflows.
IJARIIT, 2018
The invention of Computers, Information Technology and thence the Internet has led humanity to a new era of revolution. We, as humans, have stored more data in the last 20 years than in the whole of human history. In May 2018 Forbes announced that we have created 90% of all data in the past two years. That describes the way information storage and usage is picking up the pace. But are our basic pillars of storing and processing data foolproof and completely secure? Buffer Overflow is currently the most hostile vulnerability in the basics of information storage and processing of our computing technology. The paper discusses this vulnerability in thorough detail, the ways systems are coping with it, and the methods used to overcome this vulnerability present in the basics of our most important invention.
JISR management and social sciences & economics, 2003
The focus of this Study is on providing an understanding of buffer overflows, the ways they are exploited, and ways to prevent attackers from abusing them. Although this problem has been around for decades, the devastating effects have been downplayed by the commercial organizations due to the fact that they require a lot of effort to trace and to fix. This has led to a flood of software on the market which claims to be secure, yet can be exploited by wily hackers. As our reliance on closed-source and proprietary systems increases, we have to face the facts that there could be a myriad of security vulnerabilities in the very tools we use to protect critical data. To be informed is to be better armed.
Buffer overflow vulnerabilities in the memory stack continue to pose serious threats to network and computer security. By exploiting these vulnerabilities, a malicious party can strategically overwrite the return address of a procedure call, obtain control of a system, and subsequently launch more virulent attacks. Software countermeasures for such intrusions entail modifications to applications, compilers, and operating systems. Despite the availability of these defenses, many systems remain vulnerable to buffer overflow attacks.