||In this paper, we proposed a new defense mechanism solves the universal existence problems in the information system security — Stack-Based buffer Overflow Attacks, This type of Buffer Overflow Attacks exploit the loopholes result from that when the process write data to the buffer, not done Bound checking. It will modify some control-flow data structure(ex:return addresses and function pointers),and then force procedure to execute the injected code of attackers (Code Injection Attacks) or the attacker’s choice of code(Return into Libc Attacks).|
The traditional defense mechanisms are usually only focused on preventing the execution of shell code, but neglect the procedures be attacked may be abnormally terminated. Since, as the attacker launched the attack and unsuccessfully achieve the attack objective(obtain the root privilege),in such a situation, the attack is likely to corrupting the memory of the procedure which be attacked, and then result in the abnormal termination of the procedure which be attacked. It become more difficult that to debugging and keeping evidence.
We propose a novel defense mechanism based on operating system — Memory Protector(MP), to protect systems from Code Injection attacks of Stack-Based buffer overflow attacks and keep the integrity of memory.The mechanism can detect the malicious data before it be writed to memory block of the procedure which be attacked and the malicious data is blocked outside the procedure which be attacked, so the mechanism not only prevent the Buffer Overflow Attacks but also avoid the corruption of memory and then the procedure which be attacked can normally be terminated. Moreover, it only slightly reduce the effectiveness of the implementation of the program and has the low rate of false positive, this can be an effective mechanism for the detection of Code Injection types of Buffer Overflow Attacks, even if is zero day attack. Because the Linux popular rate fast promotion tendency and the source of operating system core, We chose the Linux operating system to implement this defense mechanism.
〔2〕 C. Cowan, C. Pu, D. Maier, H. Hinton, J. Wadpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang,“StackGuard: Automatic Detection and Prevention of Buffer-overrun Attacks,”In Proceedings of the 7th USENIX Security Symposium, January 1998.
〔3〕 Yves Younan, Davide Pozza, Frank Piessens and Wouter Joosen, “Extended protection against stack smashing attacks without performance loss” Proceedings of the Twenty-Second Annual Computer Security Applications Conference (ACSAC 2006), Miami Beach, Florida, U.S.A., IEEE, IEEE Press December 2006.
〔4〕 Bulba and Kil3r, “Bypassing StackGuard and StackShield”.
〔5〕 Fu-Hau Hsu, Fanglu Guo, and Tzi-cker Chiueh, “Scalable Network-based Buffer Overflow Attack Detection ,” in Proceedings of ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS 2006), San Jose, California, USA, December, 2006.
〔6〕 Ethereal: A Network Protocol Analyzer.
〔7〕 S. Bhatkar, D. DuVarney, and R. Sekar. “Address obfuscation: An efficient approach to combat a broad range of memory error exploits”. In V. Paxson, editor, Proc. 12th USENIX Sec. Symp, USENIX, Aug. 2003.
〔8〕 The PaX Address Space Layout Randomization project.
〔9〕 H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. “ On the effectiveness of address space randomization”, derandomization attack, page 2. In Proc. of the ACM Conf. on Computer and Communications Security, 2004.
〔10〕 Gaurav S. Kc, Angelos D. Keromytis, Vassilis Prevelakis, ” Countering code-injection attacks with instruction-set randomization” Proceedings of the 10th ACM conference on Computer and communications security, Washington D.C., USA,2003.
〔12〕 Richarte G. Four Different Tricks to Bypass StackShield and StackGuard Protection. http://www.coresecurity.com/files/files/11/StackguardPaper.pdf, 2002.
〔13〕 Ana Nora Sovarel, David Evans, Nathanael Paul，
“where’s the FEEB? The Effectiveness of Instruction Set Randomization”, Proceedings of the 14th conference on USENIX Security Symposium - Volume 14 SSYM'05 , July 2005.
〔14〕 Solar Designer , Non-Executable Stack,
〔15〕 Defeating Solar Designer's Non-executable Stack Patch
〔16〕 Crispin Cowan, Steve Beattie, John Johansen, and Perry Wagle.“Pointguard: Protecting pointers from buffer overflow vulnerabilities”. In Proceedings of the 12th USENIX Security Symposium, Washington, D.C., August 2003.
〔18〕 C.Cowan, C.Pu, D.Maier, J.Walpole, P.Bakke, S.Beattie, A.Grier, P.Wagle, Q.Zhang, and H.Hinton, “StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks,” in Proceedings of 7th USENIX Security Conference, San Antonio, Texas, Jan. 1998
〔19〕 Steve M.Bellovin, “Distributed Denial of Service Attacks,”
〔20〕 MARC http://marc.info/
〔21〕 Full-Disclosure https://lists.grok.org.uk/mailman/listinfo/full-disclosure
〔22〕 National Vulnerability Database http://nvd.nist.gov/
〔23〕 Derkeiler http://www.derkeiler.com/
〔24〕 SECUREROOT http://www.secureroot.com/
〔25〕 中國IT總部 http://www.ie100.cn/
〔26〕 iDefense Labs http://labs.idefense.com/
〔27〕 Security tracker http://www.securitytracker.com/
〔28〕 SECWATCH.ORG http://www.secwatch.org/
〔29〕 Tengu.be http://www.tengu.be/index.php
〔30〕 Thttpd http://www.acme.com/software/thttpd/
〔31〕 Cfengine http://www.cfengine.org/download.phtml
〔32〕 LScube http://live.polito.it/
〔33〕 Gopher http://gopher.quux.org:70/devel/gopher/Downloads/old
〔34〕 Micq http://linux.maruhn.com/sec/micq.html
〔35〕 Monkeyd http://monkeyd.sourceforge.net/
〔37〕 Pptpd http://www.poptop.org/