8,897 research outputs found

    Survey of Protections from Buffer-Overflow Attacks

    Buffer-overflow attacks began two decades ago and persist today. Over that time, many solutions to provide protection from buffer-overflow attacks have been proposed by a number of researchers. They all aim to either prevent or protect against buffer-overflow attacks. As defenses improved, attacks adapted and became more sophisticated. Given the maturity of the field and the fact that some solutions now exist that can prevent most buffer-overflow attacks, we believe it is time to survey these schemes and examine their critical issues. As part of this survey, we have grouped approaches into three broad categories to provide a basis for understanding buffer-overflow protection schemes

    StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks

    This paper presents a systematic solution to the persistent problem of buffer overflow attacks. Buffer overflow attacks gained notoriety in 1988 as part of the Morris Worm incident on the Internet. While it is fairly simple to fix individual buffer overflow vulnerabilities, buffer overflow attacks continue to this day. Hundreds of attacks have been discovered, and while most of the obvious vulnerabilities have now been patched, more sophisticated buffer overflow attacks continue to emerge. We describe StackGuard: a simple compiler technique that virtually eliminates buffer overflow vulnerabilities with only modest performance penalties. Privileged programs that are recompiled with the StackGuard compiler extension no longer yield control to the attacker, but rather enter a fail-safe state. These programs require no source code changes at all, and are binary-compatible with existing operating systems and libraries. We describe the compiler technique (a simple patch to gcc), as well as a set of variations on the technique that trade off between penetration resistance and performance. We present experimental results of both the penetration resistance and the performance impact of this technique

    Buffer overflow attacks & countermeasures

    Often security websites' headlines read: "Buffer overflow in vendor's product allows intruders to take over computer!" What can software engineering education do about this situation? In this document we have tried to point out how dangerous buffer overflow attacks can be and the amount of damage they are capable of incurring. We have shown several vulnerable applications both past as well as recent. The objective of this study is to take one inside the buffer overflow attack and bridge the gap between the "descriptive account" and the "technically intensive account". The intent is to provide a logical, detailed, and technical explanation of the buffer overflow problem and the exploit that can be well understood by all. We have successfully coded several exploits and developed programs to demonstrate the effectiveness of such attacks

    Analisa Pendeteksian dan Pencegahan Serangan Buffer Overflow terhadap Achat

    Computer network security is very vulnerable to attack from many quarters. There are a variety of reasons or motives for the attacks, such as revenge, politics, or just to show ability. Behind the easy access to information available on the internet there is also a great danger that can lurk at any time, namely a variety of attacks that try to find the weaknesses of the computer network security system being used. An attack could cause data loss or even damage to computer hardware. This study analyzes how a buffer overflow attack works on the Achat Protocol software, and then carries out detection of the attacks using Snort IDS. Detection and prevention are done by setting up an active firewall to monitor any data coming into the server and determine whether the data is a buffer overflow attack or not. The result of this experiment is a system built for network security that can detect and prevent buffer overflow attacks against the Achat software. The system that was built has been tested successfully by simulation: Snort IDS detects the attacks, and the firewall configuration prevents an attack that has entered the system. Keywords: Computer Network Security, Buffer Overflow, IDS Snort, Achat, Metasploit Framework, Firewal

    Sans Signature Buffer Overflow Blocker

    The objective of the Sans Signature buffer overflow blocker is mainly to intercept communications between a server and client, analyse the contents for the presence of executable code and prevent the code from reaching the server. In this project, Sans Signature is a signature-free approach, which can identify and block new and unknown buffer overflow attacks. The system can intercept the data coming via various channels before the server receives the packets. Typically, the data exchanged with a standard application is the data related to the transaction. Therefore, the presence of executable code along with data is something unwarranted. This system will analyze the incoming data and check whether it contains any executable code. If executable code is found, the packet is dropped. If the data packet is found to be safe, it is allowed to pass through. The payload or data is analyzed at the application layer, called Proxy based Sans Signature. The system has been designed to identify certain executable patterns that are considered harmful. It also has a threshold limit beyond which the packet will be considered to be discarded. Given the intelligence of the algorithm, it prevents most of the buffer overflow attacks. The system can handle the packet analysis in a transparent manner, thus making it suitable for deployment at Firewall/Application Gateway level. Hence, it is quite powerful and efficient with very low deployment and maintenance cost. Keywords: buffer overflow attacks, code-injection attacks, Defense-side obfuscatio

    Protection against overflow attacks

    Buffer overflow happens when the runtime process loads more data into the buffer than its design capacity. Bad programming style and lack of security concern cause overflow vulnerabilities in almost all applications on all the platforms. Buffer overflow attack can target any data in stack or heap. The current solutions ignore the overflowed targets other than return address. Function pointer, for example, is a possible target of overflow attack. By overflowing the function pointer in stack or heap, the attacker could redirect the program control flow when the function pointer is dereferenced to make a function call. To address this problem we implemented protection against overflow attacks targeting function pointers. During compiling phase, our patch collects the set of the variables that might change the value of function pointers at runtime. During running phase, the set is protected by encryption before the value is saved in memory and decryption before the value is used. The function pointer protection will cover all the overflow attacks targeting function pointers. To further extend the protection to cover all possible overflowing targets, we implemented an anomaly detection which checks the program runtime behavior against control flow checking automata. The control flow checking automata are derived from the source codes of the application. A trust value is introduced to indicate how well the runtime program matches the automata. The attacks modifying the program behavior within the source codes could be detected. Both function pointer protection and control flow checking are compiler patches which require the access to source codes. To cover buffer overflow attack and enforce security policies regardless of source codes, we implemented a runtime monitor with stream automata. Stream automata extend the concept of security automata and edit automata. The monitor works on the interactions between two virtual entities: system and program. The security policies are expressed in stream automata which perform Truncation, Suppression, Insertion, Metamorphosis, Forcing, and Two-Way Forcing on the interactions. We implement a program/operating system monitor to detect overflow attack and a local network/Internet monitor to enforce honeywall policies

    Metamorphic Viruses with Built-In Buffer Overflow

    Metamorphic computer viruses change their structure—and thereby their signature—each time they infect a system. Metamorphic viruses are potentially one of the most dangerous types of computer viruses because they are difficult to detect using signature-based methods. Most anti-virus software today is based on signature detection techniques. In this project, we create and analyze a metamorphic virus toolkit which creates viruses with a built-in buffer overflow. The buffer overflow serves to obfuscate the entry point of the actual virus, thereby making detection more challenging. We show that the resulting viruses successfully evade detection by commercial virus scanners. Several modern operating systems (e.g., Windows Vista and Windows 7) employ address space layout randomization (ASLR), which is designed to prevent most buffer overflow attacks. We show that our proposed buffer overflow technique succeeds, even in the presence of ASLR. Finally, we consider possible defenses against our proposed technique

    Buffer overflow attack mitigation via Trusted Platform Module (TPM)

    As of the date of writing of this paper, we found no effort whatsoever in the employment of Trusted Computing (TC)'s Trusted Platform Module (TPM) security features in Buffer Overflow Attack (BOA) mitigation. Such is despite the extensive application of TPM in providing security based solutions, especially in key exchange protocols deemed to be an integral part of cryptographic solutions. In this paper we propose the use of TPM's Platform Configuration Register (PCR) in the detection and prevention of stack based buffer overflow attacks. Detection is achieved via the integrity validation (of SHA1 hashes) of both return address and call instruction opcodes. Prevention is achieved via encrypting the memory location addresses of both the return and call instruction above using RSA encryption. An exception is raised should integrity violations occur. Based on effectiveness tests conducted, our proposed solution has successfully detected 6 major variants of buffer overflow attacks attempted in conventional application codes, while incurring overheads that pose no major obstacles in the normal, continued operation of conventional application codes

    Preventing Buffer Overflows with Binary Rewriting

    Buffer overflows are the single largest cause of security attacks in recent times. Attacks based on this vulnerability have been the subject of extensive research and a significant number of defenses have been proposed for dealing with attacks of this nature. However, despite this extensive research, buffer overflows continue to be exploited due to the fact that many defenses proposed in prior research provide only partial coverage and attackers have adapted to exploit problems that are not well defended. The fact that many legacy binaries are still deployed in production environments also contributes to the success of buffer overflow attacks since most, if not all, buffer overflow defenses are source level defenses which require an application to be re-compiled. For many legacy applications, this may not be possible since the source code may no longer be available. In this thesis, we present an implementation of a defense mechanism for defending against various attack forms due to buffer overflows using binary rewriting. We study various attacks that happen in the real world and present techniques that can be employed within a binary rewriter to protect a binary from these attacks. Binary rewriting is a nascent field and little research has been done regarding the applications of binary rewriting. In particular, there is great potential for applications of binary rewriting in software security. With a binary rewriter, a vulnerable application can be immediately secured without the need for access to its source code, which allows legacy binaries to be secured. Also, numerous attacks on application software assume that application binaries are laid out in certain ways or have certain characteristics. Our defense scheme implemented using binary rewriting technology can prevent many of these attacks. We demonstrate the effectiveness of our scheme in preventing many different attack forms based on buffer overflows on both synthetic benchmarks and real-world attacks