Buffer Overflow


The Experts below are selected from a list of 9309 Experts worldwide ranked by ideXlab platform

Xinran Wang - One of the best experts on this subject based on the ideXlab platform.

  • SigFree: A Signature-Free Buffer Overflow Attack Blocker
    IEEE Transactions on Dependable and Secure Computing, 2010
    Co-Authors: Xinran Wang
    Abstract:

    We propose SigFree, an online signature-free out-of-the-box application-layer method for blocking code-injection buffer overflow attack messages targeting various Internet services such as Web services. Motivated by the observation that buffer overflow attacks typically contain executables whereas legitimate client requests never contain executables in most Internet services, SigFree blocks attacks by detecting the presence of code. Unlike previous code detection algorithms, SigFree uses a new data-flow analysis technique called code abstraction that is generic, fast, and hard for exploit code to evade. SigFree is signature-free, thus it can block new and unknown buffer overflow attacks; SigFree is also immunized from most attack-side code obfuscation methods. Since SigFree is a transparent deployment to the servers being protected, it is good for economical Internet-wide deployment with very low deployment and maintenance cost. We implemented and tested SigFree; our experimental study shows that the dependency-degree-based SigFree could block all types of code-injection attack packets (above 750) tested in our experiments with very few false positives. Moreover, SigFree causes very small extra latency to normal client requests when some requests contain exploit code.

  • SigFree: A Signature-Free Buffer Overflow Attack Blocker
    USENIX Security Symposium, 2006
    Co-Authors: Xinran Wang
    Abstract:

    We propose SigFree, a real-time, signature-free, out-of-the-box, application-layer blocker for preventing buffer overflow attacks, one of the most serious cyber security threats. SigFree can filter out code-injection buffer overflow attack messages targeting various Internet services such as web services. Motivated by the observation that buffer overflow attacks typically contain executables whereas legitimate client requests never contain executables in most Internet services, SigFree blocks attacks by detecting the presence of code. SigFree first blindly disassembles and extracts instruction sequences from a request. It then applies a novel technique called code abstraction, which uses data flow anomaly to prune useless instructions in an instruction sequence. Finally it compares the number of useful instructions to a threshold to determine if this instruction sequence contains code. SigFree is signature-free, thus it can block new and unknown buffer overflow attacks; SigFree is also immunized from most attack-side code obfuscation methods. Since SigFree is transparent to the servers being protected, it is good for economical Internet-wide deployment with very low deployment and maintenance cost. We implemented and tested SigFree; our experimental study showed that SigFree could block all types of code-injection attack packets (above 250) tested in our experiments. Moreover, SigFree causes negligible throughput degradation to normal client requests.

Tzicker Chiueh - One of the best experts on this subject based on the ideXlab platform.

  • Scalable network-based Buffer Overflow attack detection
    Architectures for Networking and Communications Systems, 2006
    Co-Authors: Tzicker Chiueh
    Abstract:

    Buffer overflow attack is the main attack method that most, if not all, existing malicious worms use to propagate themselves from machine to machine. Although a great deal of research has been invested in defense mechanisms against buffer overflow attacks, most of them require modifications to the network applications and/or the platforms that host them. Being an extension of CTCP, this paper presents a network-based, low-performance-overhead buffer overflow attack detection system called Nebula (NEtwork-based Buffer Overflow Attack detection), which can detect both known and zero-day buffer overflow attacks based solely on the packets observed, without requiring any modifications to the end hosts. Moreover, instead of deriving a specific signature for each individual buffer overflow attack instance, Nebula uses a generalized signature that can capture all known variants of buffer overflow attacks while reducing the number of false positives to a negligible level. In addition, Nebula is built on a centralized TCP/IP architecture that effectively defeats all existing NIDS evasion techniques. Finally, Nebula incorporates a payload type identification mechanism that further reduces the false positive rate and scales the proposed buffer overflow attack detection scheme to gigabit network links.

  • A binary rewriting defense against stack-based Buffer Overflow attacks
    USENIX Annual Technical Conference, 2003
    Co-Authors: Manish Prasad, Tzicker Chiueh
    Abstract:

    Buffer overflow attack is the most common and arguably the most dangerous attack method used in Internet security breach incidents reported in the public literature. Various solutions have been developed to address the buffer overflow vulnerability problem in both the research and commercial communities. Almost all the solutions that provide adequate protection against buffer overflow attacks are implemented as compiler extensions and hence require the source code of the programs being protected to be available so that they can be re-compiled. While this requirement is reasonable in many cases, there are scenarios in which it is not feasible, e.g., legacy applications that are purchased from an outside vendor. The work reported in this paper explores the application of static binary translation to protect Internet software from buffer overflow attacks. Specifically, we use a binary rewriting approach to augment existing Win32/Intel Portable Executable (PE) binary programs with a return address defense (RAD) mechanism [1], which protects the integrity of the return address on the stack with a redundant copy. This paper presents the disassembly and instrumentation issues involved in static binary translation, how our tool achieves satisfactory disassembly precision in the presence of indirect branches, position-independent code sequences, hand-crafted assembly code and arbitrary code/data mixing, and how it ensures safe binary instrumentation in most practical cases. The paper reports our experiences with this approach, based on results of applying the resulting prototype to rewriting several commercial-grade Windows applications (Ftp server, Telnet Server, DNS server, DHCP server, Outlook Express, MS FrontPage, MS Publisher, Telnet, Ftp, Winhlp, Notepad, CL compiler, MS NetMeeting, MS PowerPoint, MS Access, etc.), as well as experimentation with published buffer overflow exploits.

  • RAD: a compile-time solution to Buffer Overflow attacks
    Proceedings 21st International Conference on Distributed Computing Systems, 2001
    Co-Authors: Tzicker Chiueh
    Abstract:

    Buffer overflow attack can be inflicted upon almost arbitrary programs and is one of the most common vulnerabilities that can seriously compromise the security of a network-attached computer system. This paper presents a compiler-based solution to the notorious buffer overflow attack problem. Using this solution, users can prevent attackers from compromising their systems by changing the return address to execute injected code, which is the most common method used in buffer overflow attacks. Return address defender (RAD) is a simple compiler patch that automatically creates a safe area to store a copy of return addresses and automatically adds protection code into applications that it compiles to defend programs against buffer overflow attacks. Using it to protect a program does not require modifying the source code of the protected programs. Moreover, RAD does not change the layout of stack frames, so the binary code it generates is compatible with existing libraries and other object files. Empirical performance measurements on a fully operational RAD prototype show that programs protected by RAD only experience a slow-down factor of between 1.01 and 1.31. In this paper we present the principle of buffer overflow attacks, a taxonomy of defense methods, the implementation details of RAD, and the performance analysis of the RAD prototype.

Sung Won Sohn - One of the best experts on this subject based on the ideXlab platform.

  • A new stack Buffer Overflow hacking defense technique with memory address confirmation
    International Conference on Information Security and Cryptology, 2001
    Co-Authors: Yangseo Choi, Sung Won Sohn
    Abstract:

    Stack buffer overflow hacking became generally known due to the Morris Internet Worm in 1988. Since then, buffer overflow hacking has been used very frequently by hackers to attack systems and servers. Recently, much research has tried to prevent it, and several solutions were developed, such as Libsafe and StackGuard; however, these solutions have a few problems. In this paper we present a new stack buffer overflow attack prevention technique that uses the system call monitoring mechanism and the memory address where the system call is made. Because of its detection mechanism, this system can be used for unknown attack detection, too.

Y He - One of the best experts on this subject based on the ideXlab platform.

  • Defending embedded systems against Buffer Overflow via hardware/software
    Annual Computer Security Applications Conference, 2003
    Co-Authors: Zili Shao, Qingfeng Zhuge, Y He
    Abstract:

    Buffer overflow attacks have been causing serious security problems for decades. With more embedded systems networked, it becomes an important research problem to defend embedded systems against buffer overflow attacks. We propose the hardware/software address protection (HSAP) technique to solve this problem. We first classify buffer overflow attacks into two categories (stack smashing attacks and function pointer attacks) and then provide two corresponding defense strategies. In our technique, a hardware boundary-check method and a function-pointer XOR method are used to protect a system against stack smashing attacks and function pointer attacks, respectively. Although the focus of the HSAP technique is on embedded systems because of the availability of hardware support, we show that the HSAP technique can be applied to any type of processor to defend against buffer overflow attacks. We use four classes of processors to illustrate that the applicability of our technique is independent of architecture. We experiment with our HSAP technique in the ARM Evaluator-7T simulation development environment. The results show that our HSAP technique defends a system against more types of buffer overflow attacks with little overhead.

Zili Shao - One of the best experts on this subject based on the ideXlab platform.

  • Efficient array & pointer bound checking against Buffer Overflow attacks via hardware/software
    International Conference on Information Technology: Coding and Computing (ITCC'05) - Volume II, 2005
    Co-Authors: Zili Shao, Qingfeng Zhuge, Bin Xiao
    Abstract:

    Buffer overflow attacks cause serious security problems. Array & pointer bound checking is one of the most effective approaches for defending against buffer overflow attacks when source code is available. However, original array & pointer bound checking causes too much overhead, since it is designed to catch memory errors and inserts too many checks. In this paper, we propose an efficient array & pointer bound checking strategy to defend against buffer overflow attacks. In our strategy, only the bounds of write operations are checked. We discuss the optimization strategy via hardware/software and conduct experiments. The experimental results show that our strategy can greatly reduce the overhead of array & pointer bound checking. Our conclusion is that, based on our strategy, array & pointer bound checking can be a practical solution for defending systems against buffer overflow attacks with tolerable overhead.

  • Defending embedded systems against Buffer Overflow via hardware/software
    Annual Computer Security Applications Conference, 2003
    Co-Authors: Zili Shao, Qingfeng Zhuge, Y He
    Abstract:

    Buffer overflow attacks have been causing serious security problems for decades. With more embedded systems networked, it becomes an important research problem to defend embedded systems against buffer overflow attacks. We propose the hardware/software address protection (HSAP) technique to solve this problem. We first classify buffer overflow attacks into two categories (stack smashing attacks and function pointer attacks) and then provide two corresponding defense strategies. In our technique, a hardware boundary-check method and a function-pointer XOR method are used to protect a system against stack smashing attacks and function pointer attacks, respectively. Although the focus of the HSAP technique is on embedded systems because of the availability of hardware support, we show that the HSAP technique can be applied to any type of processor to defend against buffer overflow attacks. We use four classes of processors to illustrate that the applicability of our technique is independent of architecture. We experiment with our HSAP technique in the ARM Evaluator-7T simulation development environment. The results show that our HSAP technique defends a system against more types of buffer overflow attacks with little overhead.
