A Dynamic Mechanism for Recovering from Buffer Overflow Attacks

  • Stelios Sidiroglou
  • Giannis Giovanidis
  • Angelos D. Keromytis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3650)


We examine the problem of containing buffer overflow attacks in a safe and efficient manner. Briefly, we automatically augment source code to dynamically catch stack- and heap-based buffer overflow and underflow attacks, and recover from them by allowing the program to continue execution. Our hypothesis is that we can treat each code function as a transaction that can be aborted when an attack is detected, without affecting the application’s ability to correctly execute. Our approach allows us to selectively enable or disable components of this defensive mechanism in response to external events, allowing for a direct tradeoff between security and performance. We combine our defensive mechanism with a honeypot-like configuration to detect previously unknown attacks, automatically adapt an application’s defensive posture at a negligible performance cost, and help determine worm signatures.

Our scheme provides low impact on application performance, the ability to respond to attacks without human intervention, the capacity to handle previously unknown vulnerabilities, and the preservation of service availability. We implement a stand-alone tool, DYBOC, which we use to instrument a number of vulnerable applications. Our performance benchmarks indicate a slow-down of 20% for Apache in full-protection mode, and 1.2% with selective protection. We provide preliminary evidence towards the validity of our transactional hypothesis via two experiments: first, by applying our scheme to 17 vulnerable applications, successfully fixing 14 of them; second, by examining the behavior of Apache when each of 154 potentially vulnerable routines is made to fail, resulting in correct behavior in 139 cases (90%), with similar results for sshd (89%) and Bind (88%).
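The transactional recovery described in the abstract, as an added illustration written here and not the authors' DYBOC code: a buffer is placed between two inaccessible guard pages, a fault raised while the instrumented function runs is caught, and the function is aborted with an error return so that the program continues instead of crashing. The names `copy_request`, `guarded_alloc`, `on_segv` and `run_with_length` are assumed; the code relies on POSIX `mmap`/`mprotect` and `sigsetjmp`/`siglongjmp`, and the oversized input is constructed, not real attack data.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf tx_env;                    /* recovery point of the active transaction */
static volatile sig_atomic_t tx_active = 0;

static void on_segv(int sig) {               /* fault inside a transaction: unwind; else crash */
    if (tx_active) siglongjmp(tx_env, 1);
    signal(sig, SIG_DFL); raise(sig);
}

/* Usable page between two PROT_NONE guard pages: the upper one catches overflows, the lower one underflows. */
static char *guarded_alloc(size_t *usable) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *base = mmap(NULL, 3 * pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base, pg, PROT_NONE) || mprotect(base + 2 * pg, pg, PROT_NONE)) return NULL;
    *usable = pg;
    return base + pg;
}

/* Unchecked copy run as a transaction: hitting a guard page aborts it with -1 and the caller carries on. */
int copy_request(const char *input) {
    size_t cap;
    char *buf = guarded_alloc(&cap);
    if (!buf) return -1;
    signal(SIGSEGV, on_segv);
    volatile int rc = -1;                    /* stays -1 when the copy is aborted */
    if (sigsetjmp(tx_env, 1) == 0) {
        tx_active = 1;
        strcpy(buf, input);                  /* the unsafe copy being protected */
        rc = (int)strlen(buf);
    }
    tx_active = 0;
    munmap(buf - cap, 3 * cap);
    return rc;
}

/* Constructed input of n 'A' bytes (not real attack data) run through copy_request. */
int run_with_length(size_t n) {
    char *in = malloc(n + 1);
    if (!in) return -2;
    memset(in, 'A', n); in[n] = '\0';
    int rc = copy_request(in);
    free(in); return rc;
}
```

A 70000-byte input exceeds any common page size, so the copy reaches the upper guard page and the function returns -1 while the process keeps running.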







Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Stelios Sidiroglou (1)
  • Giannis Giovanidis (1)
  • Angelos D. Keromytis (1)

  1. Department of Computer Science, Columbia University, USA
