ValueGuard: Protection of Native Applications against Data-Only Buffer Overflows

  • Steven Van Acker
  • Nick Nikiforakis
  • Pieter Philippaerts
  • Yves Younan
  • Frank Piessens
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6503)

Abstract

Code injection attacks that target the control-data of an application have been prevalent amongst exploit writers for over 20 years. Today, however, these attacks are getting increasingly harder for attackers to exploit successfully due to the numerous countermeasures deployed by modern operating systems. We believe that this fact will drive exploit writers away from classic control-data attacks and towards data-only attacks. In data-only attacks, the attacker changes key data structures that are used by the program’s logic and thus forces the control flow into existing parts of the program that would otherwise be unreachable, e.g. overflowing into a boolean variable that states whether the current user is an administrator or not and setting it to “true”, thereby gaining access to the administrative functions of the program.

In this paper we present ValueGuard, a canary-based defense mechanism to protect applications against data-only buffer overflow attacks. ValueGuard inserts canary values in front of all variables and verifies their integrity whenever these variables are used. In this way, if a buffer overflow has occurred that changed the contents of a variable, ValueGuard will detect it, since the variable’s canary will also have been changed. The countermeasure itself can be used either as a testing tool for applications before their final deployment, or it can be applied selectively to legacy or high-risk parts of programs that we want to protect at run-time, without incurring extra time penalties on the rest of the application.
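As an added illustration of the mechanism the abstract describes (not code from the paper or the ValueGuard tool itself), the C program below places a canary directly in front of an is_admin flag and shows that an unchecked copy which flips the flag also destroys the canary, so an instrumented read detects the corruption before the program logic can act on it. The struct layout, the fixed canary constant and the 0x01-filled input are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed canary; a real deployment would use a random value per run. */
#define CANARY 0xC0FFEE42u

/* Constructed layout: the canary sits directly in front of the guarded variable,
 * so any overflow from name[] that reaches is_admin must first trample the canary. */
struct session {
    char     name[8];
    uint32_t canary;
    int      is_admin;   /* data-only target: no pointer or return address involved */
};

/* Stand-in for the vulnerable code path: copies len bytes with no bounds check. */
static void set_name_unchecked(struct session *s, const unsigned char *input, size_t len) {
    memcpy((unsigned char *)s + offsetof(struct session, name), input, len);
}

/* Instrumented read, as ValueGuard would emit at each use of the variable:
 * returns -1 when the canary no longer matches, otherwise the stored value. */
static int guarded_is_admin(const struct session *s) {
    return (s->canary == CANARY) ? s->is_admin : -1;
}

struct outcome { int unguarded; int guarded; };

/* Runs one constructed overflow of len bytes (0x01 fill) and reports both reads. */
struct outcome run_scenario(size_t len) {
    struct session s;
    unsigned char input[sizeof s];
    memset(&s, 0, sizeof s);
    s.canary = CANARY;                         /* is_admin starts out as 0 (false) */
    memset(input, 0x01, sizeof input);
    if (len > sizeof input) len = sizeof input; /* keep the demo inside the struct */
    set_name_unchecked(&s, input, len);
    struct outcome o;
    o.unguarded = (s.is_admin != 0);           /* what unprotected program logic sees */
    o.guarded = guarded_is_admin(&s);          /* what the instrumented read sees */
    return o;
}

int main(void) {
    struct outcome o = run_scenario(16);       /* 8 bytes past the end of name[] */
    printf("unguarded=%d guarded=%d\n", o.unguarded, o.guarded);
    return 0;
}
```

With 8 bytes the copy stays in bounds and both reads agree; with 12 bytes only the canary is hit and the guarded read already reports corruption; with 16 bytes the unguarded read would grant administrator access while the guarded read still refuses.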

Keywords

buffer overflows, non-control-data attacks, canary



Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Steven Van Acker (1)
  • Nick Nikiforakis (1)
  • Pieter Philippaerts (1)
  • Yves Younan (1)
  • Frank Piessens (1)

  1. IBBT-DistriNet, Katholieke Universiteit Leuven, Leuven, Belgium
