Abstract
Stack smashing is still one of the most popular techniques for computer system attack. In this paper we present an anti-stack-smashing defense technique for Microsoft Windows systems. Our approach works at install-time and does not rely on having access to the source code: the user decides when and which executables to vaccinate. Our technique consists of instrumenting a given executable with a mechanism to detect stack smashing attacks. We developed a prototype implementing our technique and verified that it successfully defends against actual exploit code. We then extended our prototype to vaccinate DLLs, multithreaded applications, and DLLs used by multithreaded applications, which present significant additional complications. We present promising performance results measured on SPEC2000 benchmarks: vaccinated executables were no more than 8% slower than their un-vaccinated originals.
Copyright information
© 2004 IFIP International Federation for Information Processing
Cite this paper
Nebenzahl, D., Wool, A. (2004). Install-Time Vaccination of Windows Executables to Defend Against Stack Smashing Attacks. In: Deswarte, Y., Cuppens, F., Jajodia, S., Wang, L. (eds) Security and Protection in Information Processing Systems. SEC 2004. IFIP — The International Federation for Information Processing, vol 147. Springer, Boston, MA. https://doi.org/10.1007/1-4020-8143-X_15
DOI: https://doi.org/10.1007/1-4020-8143-X_15
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-8016-1
Online ISBN: 978-1-4020-8143-9