Inscrypt 2006: Information Security and Cryptology pp 238-252
Return Address Randomization Scheme for Annuling Data-Injection Buffer Overflow Attacks
Abstract
Buffer overflow (BOF) has been the most common form of vulnerability in software systems today, and many methods exist to defend software systems against BOF attacks. Among them, the instruction set randomization scheme, which keeps the attacker from knowing the specific instruction set of the target machine, is the most promising defense because it defends against all typical code-injection BOF attacks. However, this scheme cannot cover data-injection BOF attacks such as return-into-libc attacks. In order to defend against data-injection BOF attacks as well as code-injection BOF attacks, we propose an enhanced defense scheme that randomizes not only the instruction set but also the return addresses. Implementation results show that the proposed scheme can defend software systems against data-injection BOF attacks as well as code-injection BOF attacks without significant extra overhead.
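A toy model of the return-address half of the scheme, added here as an illustration and not code from the paper: it assumes (the abstract does not state the mechanism) that a saved return address is masked with a secret per-process key when a call is emulated and unmasked at return, so an address written into the slot by an overflow, which the attacker could not mask, decodes to something other than the intended libc target.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated stack slot holding one saved return address. */
typedef struct {
    uint32_t saved_ret;   /* value physically stored on the (simulated) stack */
} frame_t;

/* Secret per-process key. A real deployment draws it from a CSPRNG at
   process start; it is a fixed constructed value here for determinism. */
static const uint32_t RET_KEY = 0x5a3c9e17u;

/* Emulated CALL: the return address is stored in randomized (keyed) form. */
static void emu_call(frame_t *f, uint32_t ret_addr) {
    f->saved_ret = ret_addr ^ RET_KEY;
}

/* Emulated RET: unmask the slot to recover the real return target. */
static uint32_t emu_ret(const frame_t *f) {
    return f->saved_ret ^ RET_KEY;
}

/* Simulated data-injection overflow: the slot is overwritten with raw,
   unmasked bytes, which is all an attacker without the key can supply. */
static void overflow_slot(frame_t *f, uint32_t injected) {
    f->saved_ret = injected;
}

/* 1 if a legitimate call/return round-trip lands back at ret_addr. */
static int legit_return_works(uint32_t ret_addr) {
    frame_t f;
    emu_call(&f, ret_addr);
    return emu_ret(&f) == ret_addr;
}

/* 1 if control would land exactly at the attacker-chosen libc address. */
static int hijack_succeeds(uint32_t libc_target) {
    frame_t f;
    emu_call(&f, 0x08048400u);      /* constructed legitimate caller address */
    overflow_slot(&f, libc_target); /* unmasked address written by overflow */
    return emu_ret(&f) == libc_target;
}

int main(void) {
    printf("legit return ok: %d\n", legit_return_works(0x08048400u));
    printf("libc hijack ok:  %d\n", hijack_succeeds(0x40123456u));
    return 0;
}
```

The protection is only as strong as the secrecy of RET_KEY, so a deployment must keep it out of any memory an attacker can read.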
Keywords
Security, Buffer Overflow, Randomization, Instruction Set, Return Address, return-into-libc Attack, Data Injection Buffer Overflow Attack