Detection and Diagnosis of Control Interception

  • Chang-Hsien Tsai
  • Shih-Kun Huang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4861)


A crash implies that a piece of software is unstable and possibly vulnerable. Stack overflow is one of many causes of crashes. This kind of bug is often hard to debug because the stack is corrupted, so debuggers cannot trace the control flow of the program. A control-type crash caused by a stack overflow can readily be developed into a control interception attack. We develop a method to locate this attack and implement it as a plug-in for Valgrind [1]. The tool can be used in a honeypot to detect and diagnose zero-day exploits. We use it to detect several vulnerabilities and automatically locate the bugs.




References

  1. Nethercote, N., Seward, J.: Valgrind: A program supervision framework. In: Sokolsky, O., Viswanathan, M. (eds.) Electronic Notes in Theoretical Computer Science, vol. 89. Elsevier, Amsterdam (2003)
  2. IBM Internet Security Systems: IBM report: Software security vulnerabilities will continue to rise in 2007 (2007)
  3. Srinivasan, S.M., Kandula, S., Andrews, C.R., Zhou, Y.: Flashback: A lightweight extension for rollback and deterministic replay for software debugging. In: USENIX Annual Technical Conference, General Track, pp. 29–44 (2004)
  4. Metasploit Team: Metasploit project
  5. PaX Team: Documentation for the PaX project
  6. Linn, C.M., Rajagopalan, M., Baker, S., Collberg, C., Hartman, J.H.: Protecting against unexpected system calls. In: Proceedings of the 2005 USENIX Security Symposium, pp. 239–254 (2005)
  7. Barrantes, E.G., Ackley, D.H., Palmer, T.S., Stefanovic, D., Zovi, D.D.: Randomized instruction set emulation to disrupt binary code injection attacks. In: CCS 2003: Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 281–289. ACM Press, New York (2003)
  8. Sovarel, A.N., Evans, D., Paul, N.: Where’s the FEEB?: The effectiveness of instruction set randomization. In: Proceedings of the 14th USENIX Security Symposium (2005)
  9. Cowan, C., Beattie, S., Johansen, J., Wagle, P.: PointGuard: Protecting pointers from buffer overflow vulnerabilities. In: Proceedings of the 12th USENIX Security Symposium, pp. 91–104 (2003)
  10. Valgrind Team: 2nd official Valgrind survey (2005)
  11. Biswas, B., Mall, R.: Reverse execution of programs. ACM SIGPLAN Notices 34(4), 61–69 (1999)
  12. Manevich, R., Sridharan, M., Adams, S., Das, M., Yang, Z.: PSE: Explaining program failures via postmortem static analysis. In: SIGSOFT 2004/FSE-12: Proceedings of the 12th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 63–72. ACM Press, New York (2004)
  13. Baratloo, A., Tsai, T., Singh, N.: Libsafe: Protecting critical elements of stacks. White paper, Bell Labs, Lucent Technologies (1999)
  14. Robertson, W., Kruegel, C., Mutz, D., Valeur, F.: Run-time detection of heap-based overflows. In: Proceedings of the 17th USENIX Large Installation Systems Administration (LISA) Conference (2003)
  15. Haugh, E., Bishop, M.: Testing C programs for buffer overflow vulnerabilities. In: Proceedings of the 2003 Symposium on Networked and Distributed System Security (2003)
  16. Cowan, C., Pu, C., Maier, D., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q., Hinton, H.: StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of the 7th USENIX Security Conference, San Antonio, Texas, pp. 63–78 (1998)
  17. Etoh, H.: GCC extension for protecting applications from stack-smashing attacks
  18. Bray, B.: Compiler security checks in depth. Technical report, Microsoft Corporation (2002)
  19. Vendicator: Stack Shield: A "stack smashing" technique protection tool for Linux (2000)
  20. Prasad, M., Chiueh, T.: A binary rewriting defense against stack based overflow attacks. In: Proceedings of the USENIX Annual Technical Conference, pp. 211–224 (2003)
  21. Nebenzahl, D., Sagiv, M., Wool, A.: Install-time vaccination of Windows executables to defend against stack smashing attacks. IEEE Trans. Dependable Secur. Comput. 3(1), 78 (2006)
  22. Feng, H.H., Kolesnikov, O.M., Fogla, P., Lee, W., Gong, W.: Anomaly detection using call stack information. In: Proceedings of the 2003 IEEE Symposium on Security and Privacy, pp. 62–77. IEEE Computer Society Press, Los Alamitos (2003)
  23. Ruwase, O., Lam, M.S.: A practical dynamic buffer overflow detector. In: Proceedings of the 11th Annual Network and Distributed System Security Symposium (2004)
  24. Jones, R.W.M., Kelly, P.H.J.: Backwards-compatible bounds checking for arrays and pointers in C programs. In: AADEBUG, pp. 13–26 (1997)

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Chang-Hsien Tsai (1)
  • Shih-Kun Huang (1)
  1. Department of Computer Science, National Chiao Tung University, Taiwan
