ABSTRACT
Despite the plethora of research done on code injection countermeasures, buffer overflows still plague modern software. In 2003, Wilander and Kamkar published a comparative evaluation of runtime buffer overflow prevention technologies using a testbed of 20 attack forms and demonstrated that the best prevention tool missed 50% of the attack forms. Since then, many new prevention tools have been presented using that testbed to show that they perform better, missing none of the attack forms. At the same time, however, there have been major developments in the ways buffer overflows are exploited.
In this paper we present RIPE, an extension of Wilander and Kamkar's testbed which covers 850 attack forms. The main purpose of RIPE is to provide a standard way of testing the coverage of a defense mechanism against buffer overflows. To test RIPE, we use it to empirically evaluate some of the newer prevention techniques. Our results show that the most popular, publicly available countermeasures cannot prevent all of RIPE's buffer overflow attack forms: ProPolice misses 60%, LibsafePlus+TIED misses 23%, CRED misses 21%, and Ubuntu 9.10 with non-executable memory and stack protection misses 11%.
Index Terms
- RIPE: runtime intrusion prevention evaluator