Efficient Techniques for Comprehensive Protection from Memory Error Exploits

Despite the wide publicity received by buffer overflow attacks, the vast majority of today's security vulnerabilities continue to be caused by memory errors, with a significant shift away from stacks-mashing exploits to newer attacks such as heap overflows, integer overflows, and format-string attacks. While comprehensive solutions have been developed to handle memory errors, these solutions suffer from one or more of the following problems: high overheads (often exceeding 100%), incompatibility with legacy C code, and changes to the memory model to use garbage collection. Address space randomization (ASR) is a technique that avoids these drawbacks, but existing techniques for ASR do not offer a level of protection comparable to the above techniques. In particular, attacks that exploit relative distances between memory objects aren't tackled by existing techniques. Moreover, these techniques are susceptible to information leakage and brute-force attacks. To overcome these limitations, we develop a new approach in this paper that supports comprehensive randomization, whereby the absolute locations of all (code and data) objects, as well as their relative distances are randomized. We argue that this approach provides probabilistic protection against all memory error exploits, whether they be known or novel. Our approach is implemented as a fully automatic source-to-source transformation which is compatible with legacy C code. The address-space randomizations take place at load-time or runtime, so the same copy of the binaries can be distributed to everyone -- this ensures compatibility with today's software distribution model. Experimental results demonstrate an average runtime overhead of about 11%

Improving Attack Detection in Host-Based IDS by Learning Properties of System Call Arguments

Beginning with the work of Forrest et al, several researchers have developed intrusion detection techniques based on modeling program behaviors in terms of system calls. A weakness of these techniques is that they focus primarily on system call names, and not the arguments. This weakness makes them susceptible to several classes of attacks, including mimicry attacks, attacks on securitycritical data, and race-condition attacks. To address this weakness, we present an approach for capturing data-flow behaviors of programs. We provide a formal definition of data-flow behaviors on system call traces, and describe efficient algorithms for building such models. Our algorithm can be layered on top of most existing control-flow models. This layering increases the precision of models by exploting control-flow context to refine data-flow properties. We present a detailed experimental evaluation to establish the effectiveness of the approach, paying particular attention to detection of sophisticated attacks. A unique benefit of our approach is that the models contain sufficient information regarding resources (such as files) accessed by a program to make it feasible to formally reason about the security assurances provided by the model.

Abstract Efficient Techniques for Comprehensive Protection from Memory Error Exploits

Despite the wide publicity received by buffer overflow attacks, the vast majority of today’s security vulnerabilities continue to be caused by memory errors, with a significant shift away from stacksmashing exploits to newer attacks such as heap overflows, integer overflows, and format-string attacks. While comprehensive solutions have been developed to handle memory errors, these solutions suffer from one or more of the following problems: high overheads (often exceeding 100%), incompatibility with legacy C code, and changes to the memory model to use garbage collection. Address space randomization (ASR) is a technique that avoids these drawbacks, but existing techniques for ASR do not offer a level of protection comparable to the above techniques. In particular, attacks that exploit relative distances between memory objects aren’t tackled by existing techniques. Moreover, these techniques are susceptible to information leakage and brute-force attacks. To overcome these limitations, we develop a new approach in this paper that supports comprehensive randomization, whereby the absolute locations of all (code and data) objects, as well as their relative distances are randomized. We argue that this approach provides probabilistic protection against all memory error exploits, whether they be known or novel. Our approach is implemented as a fully automatic sourceto-source transformation which is compatible with legacy C code. The address-space randomizations take place at load-time or runtime, so the same copy of the binaries can be distributed to everyone — this ensures compatibility with today’s software distribution model. Experimental results demonstrate an average runtime overhead of about 11%.

Abstract Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits

sbhatkar,dand,sekar¡ Attacks which exploit memory programming errors (such as buffer overflows) are one of today’s most serious security threats. These attacks require an attacker to have an in-depth understanding of the internal details of a victim program, including the locations of critical data and/or code. Program obfuscation is a general technique for securing programs by making it difficult for attackers to acquire such a detailed understanding. This paper develops a systematic study of a particular kind of obfuscation called address obfuscation that randomizes the location of victim program data and code. We discuss different implementation strategies to randomize the absolute locations of data and code, as well as relative distances between data locations. We then present our implementation that transforms object files and executables at linktime and load-time. It requires no changes to the OS kernel or compilers, and can be applied to individual applications without affecting the rest of the system. It can be implemented with low runtime overheads. Address obfuscation can reduce the probability of successful attacks to be as low as a small fraction of a percent for most memory-error related attacks. Moreover, the randomization ensures that an attack that succeeds against one victim will likely not succeed against another victim, or even for a second time against the same victim. Each failed attempt will typically crash the victim program, thereby making it easy to detect attack attempts. These aspects make it particularly effective against large-scale attacks such as Code Red, since each infection attempt requires significantly more resources, thereby slowing down the propagation rate of such attacks.

Efficient techniques for comprehensive protection from memory error exploits

Abstract Despite the wide publicity received by buffer over-flow attacks, the vast majority of today's securit