Low-Level Software Security: Attacks and Defenses

  • Conference paper
Foundations of Security Analysis and Design IV (FOSAD 2007, FOSAD 2006)

Abstract

This tutorial paper considers the issues of low-level software security from a language-based perspective, with the help of concrete examples. Four examples of low-level software attacks are covered in full detail; these examples are representative of the major types of attacks on C and C++ software that is compiled into machine code. Six examples of practical defenses against those attacks are also covered in detail; these defenses are selected because of their effectiveness, wide applicability, and low enforcement overhead.
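The abstract does not name the four attacks or the six defenses. As an added illustration, not code from the paper, the following C program models the classic stack-based buffer overflow on C code, the kind of low-level attack the abstract refers to, together with two defenses: a bounds check on the copy and a canary placed between the local buffer and the saved return address. The frame layout, buffer size, canary value, return addresses and attacker payload are all constructed for the example; the frame is a plain byte array so that every write stays inside one C object and the demonstration is well-defined rather than real memory corruption.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the paper): a deterministic model of a stack-based
 * buffer overflow and of two defenses against it, a bounds check on the copy
 * and a stack canary between the local buffer and the saved return address.
 * The "frame" is a byte array laid out like a minimal frame:
 *   [ 16-byte local buffer | 8-byte canary | 8-byte saved return address ]
 * Sizes, canary and addresses are constructed for the example. */

#define BUF_SIZE      16
#define CANARY_OFFSET BUF_SIZE
#define RET_OFFSET    (CANARY_OFFSET + 8)
#define FRAME_SIZE    (RET_OFFSET + 8)

typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

static void put_u64(unsigned char *p, uint64_t v) { memcpy(p, &v, sizeof v); }
static uint64_t get_u64(const unsigned char *p) { uint64_t v; memcpy(&v, p, sizeof v); return v; }

/* Lay out a fresh frame: zeroed buffer, then the canary, then the return address. */
static void frame_init(frame_t *f, uint64_t canary, uint64_t ret)
{
    memset(f->bytes, 0, sizeof f->bytes);
    put_u64(f->bytes + CANARY_OFFSET, canary);
    put_u64(f->bytes + RET_OFFSET, ret);
}

static uint64_t frame_ret(const frame_t *f) { return get_u64(f->bytes + RET_OFFSET); }

/* The epilogue check a canary-protected function performs before returning:
 * 1 if the canary is intact, 0 if the buffer overflowed through it. */
static int frame_canary_intact(const frame_t *f, uint64_t canary)
{
    return get_u64(f->bytes + CANARY_OFFSET) == canary;
}

/* Vulnerable copy: no bound check, like strcpy into a fixed-size stack array.
 * The clamp only keeps the model inside the array; a real stack has no such stop. */
static size_t copy_unchecked(frame_t *f, const unsigned char *in, size_t len)
{
    if (len > FRAME_SIZE) len = FRAME_SIZE;
    memcpy(f->bytes, in, len);
    return len;
}

/* Hardened copy: refuses input that does not fit and writes nothing. */
static int copy_checked(frame_t *f, const unsigned char *in, size_t len)
{
    if (len > BUF_SIZE) return -1;
    memcpy(f->bytes, in, len);
    return (int)len;
}

/* Constructed attacker input: filler for the buffer, bytes that land on the
 * canary slot, then the forged return address. Returns the payload length. */
static size_t build_payload(unsigned char *out, uint64_t forged_ret)
{
    memset(out, 'A', BUF_SIZE);
    memset(out + CANARY_OFFSET, 'B', 8);
    put_u64(out + RET_OFFSET, forged_ret);
    return FRAME_SIZE;
}

int main(void)
{
    const uint64_t canary = 0x5a3c9e17f2b40d66ULL, ret = 0x401136ULL, forged = 0xdeadbeefULL;
    unsigned char payload[FRAME_SIZE];
    size_t n = build_payload(payload, forged);
    frame_t f;

    /* Unchecked copy: the saved return address is replaced and the canary is clobbered. */
    frame_init(&f, canary, ret);
    copy_unchecked(&f, payload, n);
    printf("unchecked: ret=0x%" PRIx64 " canary_intact=%d\n",
           frame_ret(&f), frame_canary_intact(&f, canary));

    /* Checked copy: the oversized input is rejected and the frame is untouched. */
    frame_init(&f, canary, ret);
    int rc = copy_checked(&f, payload, n);
    printf("checked:   rc=%d ret=0x%" PRIx64 " canary_intact=%d\n",
           rc, frame_ret(&f), frame_canary_intact(&f, canary));
    return 0;
}
```

The two defenses act at different points. The bounds check prevents the write, so nothing in the frame changes. The canary does not prevent the write; it lets the function detect, in its epilogue, that the bytes between the buffer and the return address were overwritten, and abort before the corrupted return address is used. An attacker who can read the canary, or who corrupts a target without passing through it, is not stopped by the canary alone.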

Author information

Úlfar Erlingsson

Editor information

Alessandro Aldini Roberto Gorrieri

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Erlingsson, Ú. (2007). Low-Level Software Security: Attacks and Defenses. In: Aldini, A., Gorrieri, R. (eds) Foundations of Security Analysis and Design IV. FOSAD 2006/2007 Tutorial Lectures. Lecture Notes in Computer Science, vol 4677. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74810-6_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-74810-6_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-74809-0

  • Online ISBN: 978-3-540-74810-6

  • eBook Packages: Computer Science (R0)
