Detection of Buffer Overflow Attacks via Dynamic Binary Translation
Issue Date
2009
Author(s)
Chen, Chun-Chung
Abstract
Modern computer and network technologies improve some aspects of the human life, but also compel us to face numerous security problems. Buffer overflow attacks are currently the most serious threats to computer systems. A buffer overflow vulnerability is caused when a program gets an input string without cautious bound-checking. Hence, attackers could exploit this type of vulnerability by sending an input which is longer than the fixed-sized input buffer. Once the adjacent control data is corrupted by the overflowed data, the program control flow will be redirected to malicious codes.

Traditional defense mechanisms against buffer overflow attacks are constrained with certain restrictions, such as waiting for the patch to fix vulnerabilities, acquiring source codes to recompile programs, modifying the operating system or hardware architecture, etc. Thus, the efficiency or practicability of those mechanisms is restricted.

This thesis proposes a mechanism to dynamically detect buffer overflow attacks. With the dynamic binary translation techniques, our mechanism does not need source codes and directly provides protection for binaries that may comprise buffer overflow vulnerabilities. Our mechanism ensures the correctness of the return address and stack frame pointer. If these control data are detected to be corrupted, the detection tool will alarm the system administrator. Furthermore, corrupted control data could be recovered so that the attacked programs could preserve normal control flows.

In order to verify our proposed protection mechanism, we implement two suites of tools against buffer overflow attacks based on Pin and QEMU. The Pin and QEMU are dynamic binary translation software on Linux. Besides, we evaluate the performance and safety of both tools. The experimental results showed that both tools accurately detected the occurrence of attacks in the safety experiments. And in the performance experiments, the QEMU-based tool executed the tested programs with degradation between 11.2% and 41%, which is 11.1x faster than previous work, e.g. Read-Only RAR, and should be acceptable for common users. Although the Pin-based tool imposed higher overhead, it may work for both Windows and Linux applications because of the portability and availability of Pin on those platforms.
Author Keyword(s)
buffer overflow attacks
stack smashing
software security
dynamic binary translation
File(s)
Name
ntu-98-R96944030-1.pdf
Size
23.32 KB
Format
Adobe PDF
Checksum
(MD5):e38d55100aceef79cf4080647fd46979