1,732 research outputs found
Buffer overflow attack mitigation via Trusted Platform Module (TPM)
As of the date of writing of this paper, we found no effort whatsoever in the employment of Trusted Computing (TC)'s Trusted Platform Module (TPM) security features in Buffer Overflow Attack (BOA) mitigation. Such is despite the extensive application of TPM in providing security based solutions, especially in key exchange protocols deemed to be an integral part of cryptographic solutions. In this paper we propose the use of TPM's Platform Configuration Register (PCR) in the detection and prevention of stack based buffer overflow attacks. Detection is achieved via the integrity validation (of SHA1 hashses) of both return address and call instruction opcodes. Prevention is achieved via encrypting the memory location addresses of both the return and call instruction above using RSA encryption. An exception is raised should integrity violations occur. Based on effectiveness tests conducted, our proposed solution has successfully detected 6 major variants of buffer overflow attacks attempted in conventional application codes, while incurring overheads that pose no major obstacles in the normal, continued operation of conventional application codes
Dynamic Information Flow Tracking on Multicores
Dynamic Information Flow Tracking (DIFT) is a promising technique for detecting software attacks. Due to the computationally intensive nature of the technique, prior efficient implementations [21, 6] rely on specialized hardware support whose only purpose is to enable DIFT. Alternatively, prior software implementations are either too slow [17, 15] resulting in execution time increases as much as four fold for SPEC integer programs or they are not transparent [31] requiring source code modifications. In this paper, we propose the use of chip multiprocessors (CMP) to perform DIFT transparently and efficiently. We spawn a helper thread that is scheduled on a separate core and is only responsible for performing information flow tracking operations. This entails the communication of registers and flags between the main and helper threads. We explore software (shared memory) and hardware (dedicated interconnect) approaches to enable this communication. Finally, we propose a novel application of the DIFT infrastructure where, in addition to the detection of the software attack, DIFT assists in the process of identifying the cause of the bug in the code that enabled the exploit in the first place. We conducted detailed simulations to evaluate the overhead for performing DIFT and found that to be 48 % for SPEC integer programs
ROPocop - Dynamic Mitigation of Code-Reuse Attacks
Control-flow attacks, usually achieved by exploiting a buffer-overflow
vulnerability, have been a serious threat to system security for over fifteen
years. Researchers have answered the threat with various mitigation techniques,
but nevertheless, new exploits that successfully bypass these technologies
still appear on a regular basis.
In this paper, we propose ROPocop, a novel approach for detecting and
preventing the execution of injected code and for mitigating code-reuse attacks
such as return-oriented programming (RoP). ROPocop uses dynamic binary
instrumentation, requiring neither access to source code nor debug symbols or
changes to the operating system. It mitigates attacks by both monitoring the
program counter at potentially dangerous points and by detecting suspicious
program flows.
We have implemented ROPocop for Windows x86 using PIN, a dynamic program
instrumentation framework from Intel. Benchmarks using the SPEC CPU2006 suite
show an average overhead of 2.4x, which is comparable to similar approaches,
which give weaker guarantees. Real-world applications show only an initially
noticeable input lag and no stutter. In our evaluation our tool successfully
detected all 11 of the latest real-world code-reuse exploits, with no false
alarms. Therefore, despite the overhead, it is a viable, temporary solution to
secure critical systems against exploits if a vendor patch is not yet
available
Protecting Against Address Space Layout Randomization (ASLR) Compromises and Return-to-Libc Attacks Using Network Intrusion Detection Systems
Writable XOR eXecutable (W XOR X) and
Address Space Layout Randomisation (ASLR), have
elevated the understanding necessary to perpetrate
buffer overflow exploits [1]. However, they have not
proved to be a panacea [1] [2] [3] and so other
mechanisms such as stack guards and prelinking have
been introduced. In this paper we show that host based
protection still does not offer a complete solution. To
demonstrate, we perform an over the network brute
force return-to-libc attack against a pre-forking
concurrent server to gain remote access to W XOR X and
ASLR. We then demonstrate that deploying a NIDS
with appropriate signatures can detect this attack
efficiently
Survey of Protections from Buffer-Overflow Attacks
Buffer-overflow attacks began two decades ago and persist today. Over that time, many solutions to provide protection from buffer-overflow attacks have been proposed by a number of researchers. They all aim to either prevent or protect against buffer-overflow attacks. As defenses improved, attacks adapted and became more sophisticated. Given the maturity of field and the fact that some solutions now exist that can prevent most buffer-overflow attacks, we believe it is time to survey these schemes and examine their critical issues. As part of this survey, we have grouped approaches into three board categories to provide a basis for understanding buffer-overflow protection schemes
- …