A Binary Rewriting Defense Against Stack based Buffer Overflow Attacks
نویسندگان
چکیده
Buffer overflow attack is the most common and arguably the most dangerous attack method used in Internet security breach incidents reported in the public literature. Various solutions have been developed to address the buffer overflow vulnerability problem in both research and commercial communities. Almost all the solutions that provide adequate protection against buffer overflow attacks are implemented as compiler extensions and hence require the source code of the programs being protected to be available so that they can be re-compiled. While this requirement is reasonable in many cases, there are scenarios in which it is not feasible, e.g., legacy applications that are purchased from an outside vendor. The work reported in this paper explores application of static binary translation to protect Internet software from buffer overflow attacks. Specifically, we use a binary rewriting approach to augment existing Win32/Intel Portable Executable (PE) binary programs with a return address defense (RAD) mechanism [1], which protects the integrity of the return address on the stack with a redundant copy. This paper presents the disassembly and instrumentation issues involved in static binary translation, how our tool achieves satisfactory disassembly precision in the presence of indirect branches, position-independent code sequences, hand crafted assembly code and arbitrary code/data mixing, and how it ensures safe binary instrumentation in most practical cases. The paper reports our experiences with this approach, based on results of applying the resulting prototype to rewriting several commercial grade Windows applications (Ftp server, Telnet Server, DNS server, DHCP server, Outlook Express, MS FrontPage, MS Publisher, Telnet, Ftp, Winhlp, Notepad, CL compiler, MS NetMeeting, MS PowerPoint, MS Access, etc.), as well as experimentation with published buffer overflow exploits. Buffer Growth Stack Growth Low Address High Address (direction of copy) Other Local Variables Local Buffer target of unbounded copy ( ) (pushed by callee) Previous Frame Pointer (pushed by CALL inst) Local Variables Function Parameters (pushed by caller) Return Address *
منابع مشابه
RAD: A Compile-Time Solution to Buffer Overflow Attacks
This paper presents a solution to the notorious buffer overflow attack problem. Using this solution, users can prevent attackers from compromising their systems by changing the return address to execute injected code, which is the most common method used in buffer overflow attacks. Buffer overflow attacks can occur in almost any kind of programs and is one of the most common vulnerabilities tha...
متن کاملA Processor Architecture Defense against Buffer Overflow Attacks
Buffer overflow vulnerabilities in the memory stack continue to pose serious threats to network and computer security. By exploiting these vulnerabilities, a malicious party can strategically overwrite the return address of a procedure call, obtain control of a system, and subsequently launch more virulent attacks. Software countermeasures for such intrusions entail modifications to application...
متن کاملDefending Embedded Systems Against Buffer Overflow via Hardware/Software
Buffer overflow attacks have been causing serious security problems for decades. With more embedded systems networked, it becomes an important research problem to defend embedded systems against buffer overflow attacks. In this paper, we propose the Hardware/Software Address Protection (HSAP) technique to solve this problem. We first classify buffer overflow attacks into two categories (stack s...
متن کاملArchitecture Support for Defending Against Buffer Overflow Attacks
Buffer overflow attacks are the predominant threat to the secure operation of network and in particular, Internetbased applications. Stack smashing is a common mode of buffer overflow attack for hijacking system control. This paper evaluates two architecture-based techniques to defend systems against such attacks: (1) the split control and data stack, and (2) secure return address stack (SRAS)....
متن کاملStack-Based Buffer Overflows in Harvard Class Embedded Systems
Many embedded devices used to control critical infrastructure assets are based on the Harvard architecture. This architecture separates data and program memory into independent address spaces, unlike the von Neumann architecture, which uses a single address space for data and program code. Buffer overflow attacks in desktop and server platforms based on the von Neumann model have been studied e...
متن کامل