Abstract
We examine the problem of containing buffer overflow attacks in a safe and efficient manner. Briefly, we automatically augment source code to dynamically catch stack- and heap-based buffer overflow and underflow attacks, and recover from them by allowing the program to continue execution. Our hypothesis is that we can treat each code function as a transaction that can be aborted when an attack is detected, without affecting the application's ability to execute correctly. Our approach allows us to selectively enable or disable components of this defensive mechanism in response to external events, allowing for a direct tradeoff between security and performance. We combine our defensive mechanism with a honeypot-like configuration to detect previously unknown attacks, automatically adapt an application's defensive posture at a negligible performance cost, and help determine worm signatures.
Our scheme has a low impact on application performance, the ability to respond to attacks without human intervention, the capacity to handle previously unknown vulnerabilities, and the preservation of service availability. We implement a stand-alone tool, DYBOC, which we use to instrument a number of vulnerable applications. Our performance benchmarks indicate a slowdown of 20% for Apache in full-protection mode, and 1.2% with selective protection. We provide preliminary evidence towards the validity of our transactional hypothesis via two experiments: first, by applying our scheme to 17 vulnerable applications, successfully fixing 14 of them; second, by examining the behavior of Apache when each of 154 potentially vulnerable routines is made to fail, resulting in correct behavior in 139 cases (90%), with similar results for sshd (89%) and Bind (88%).
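The transactional hypothesis in the abstract (a function whose buffer overflows is aborted as a unit and the program carries on) can be illustrated with a small C program. The following is an added example written for this page, not DYBOC's instrumentation or any code from the paper: it places a guard region after a stack buffer, treats a corrupted guard as the detection event, and uses setjmp/longjmp as a stand-in for the paper's abort-and-recover mechanism. The canary value, the `handle_request`/`run_guarded`/`serve_batch` names and the request strings are all constructed for the demo, and the copy is clamped to the size of the guarded object so the program stays within defined behaviour while still overrunning the buffer into the guard bytes.

```c
#include <setjmp.h>
#include <stdio.h>
#include <string.h>

#define DATA_LEN   16
#define CANARY_LEN 8

/* Constructed canary value; a real deployment would randomise it per process. */
static const unsigned char CANARY[CANARY_LEN] = {0xC0, 0xFF, 0xEE, 0x01, 0x5A, 0xA5, 0x3C, 0xC3};

/* A fixed-size buffer followed by a guard region that the instrumentation checks. */
typedef struct {
    char data[DATA_LEN];
    unsigned char guard[CANARY_LEN];
} guarded_buf;

static jmp_buf txn_boundary;   /* where an aborted function "returns" to */

/* Instrumented routine: copies a request into a fixed buffer without a bounds
 * check (the bug being contained), then verifies the guard bytes. A corrupted
 * guard aborts the whole routine instead of letting it keep running on
 * overwritten state. */
static size_t handle_request(const char *req, size_t n)
{
    guarded_buf b;
    /* Clamp to the object so the demo stays in defined memory; an input longer
     * than DATA_LEN still spills past data[] into guard[]. */
    size_t ncopy = n < sizeof b ? n : sizeof b;

    memcpy(b.guard, CANARY, CANARY_LEN);
    memcpy(&b, req, ncopy);                  /* missing check against DATA_LEN */

    if (memcmp(b.guard, CANARY, CANARY_LEN) != 0)
        longjmp(txn_boundary, 1);            /* detection: abort the "transaction" */

    return ncopy;
}

/* Transaction wrapper: 0 if the callee completed, -1 if it was aborted.
 * Either way control comes back here and the caller decides what to do next. */
static int run_guarded(const char *req, size_t n, size_t *consumed)
{
    if (setjmp(txn_boundary) != 0)
        return -1;
    *consumed = handle_request(req, n);
    return 0;
}

typedef struct { int completed; int aborted; } batch_result;

/* Drives a constructed batch of requests through the wrapper: one benign,
 * one oversized, one benign. The loop itself never stops, which is the
 * availability property the abstract is after. */
static batch_result serve_batch(void)
{
    static const char *reqs[] = {
        "GET /index",
        "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
        "GET /about",
    };
    batch_result r = {0, 0};
    size_t i;

    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        size_t used = 0;
        if (run_guarded(reqs[i], strlen(reqs[i]), &used) == 0)
            r.completed++;
        else
            r.aborted++;
    }
    return r;
}

int main(void)
{
    batch_result r = serve_batch();
    printf("completed=%d aborted=%d\n", r.completed, r.aborted);
    return 0;
}
```

The wrapper is the point of the example: because `run_guarded` always regains control, the second request is dropped with an error code while the first and third are served normally, which is the behaviour the paper's transactional hypothesis predicts for most routines. Real instrumentation would also need to release resources the aborted function acquired, which this sketch does not attempt.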
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Sidiroglou, S., Giovanidis, G., Keromytis, A.D. (2005). A Dynamic Mechanism for Recovering from Buffer Overflow Attacks. In: Zhou, J., Lopez, J., Deng, R.H., Bao, F. (eds) Information Security. ISC 2005. Lecture Notes in Computer Science, vol 3650. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11556992_1
DOI: https://doi.org/10.1007/11556992_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-29001-8
Online ISBN: 978-3-540-31930-6