Abstract
Memory vulnerabilities have severely affect system security and availability. Although there are a number of solutions proposed to defense against memory vulnerabilities, most of existing solutions protect the entire life cycle of the application or survive attacks after detecting attacks. This paper presents OPSafe, a system that make applications safely survive memory vulnerabilities for a period of time from the starting or in runtime with users’ demand. OPSafe can provide a hot-portable Green Zone of any size with users’ demand, where all the subsequent allocated memory objects including stack objects and heap objects are reallocated and safely managed in a protected memory area. When users open the green zone, OPSafe uses a comprehensive memory management in the protected memory area to adaptively allocate buffers with multiple times of their defined sizes and randomly place them. Combined with objects free masking techniques, OPSafe can avoid overrunning each other and dangling pointer errors as well as double free or invalid free errors. Once closing the green zone, OPSafe clears away all objects in the protected area and then frees the protected area. We have developed a Linux prototype and evaluated it using four applications which contains a wide range of vulnerabilities. The experimental results show that OPSafe can conveniently create and destruct a hot-portable green zone where the vulnerable application can survive crashes and eliminate erroneous execution.
Chapter PDF
Similar content being viewed by others
References
Berger, E., Zorn, B.: DieHard: Probabilistic Memory Safety for Unsafe Languages. In: Proceedings of the 2006 ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 158–168. ACM (2006)
Bhatkar, S., Sekar, R., DuVarney, D.: Efficient Techniques for Comprehensive Protection from Memory Error Exploits. In: Proceedings of the 14th Conference on USENIX Security Symposium, pp. 271–286. USENIX (2005)
Chen, G., Jin, H., Zou, D., Zhou, B., Qiang, W., Hu, G.: SHelp: Automatic Self-healing for Multiple Application Instances in a Virtual Machine Environment. In: Proceedings of the 2010 IEEE International Conference on Cluster Computing, pp. 97–106. IEEE (2010)
Cowan, C., Pu, C., Maier, D., Hintony, H., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q.: StackGuard: Automatic Adaptive Detection and Prevention of Buffer-overflow Attacks. In: Proceedings of the 7th Conference on USENIX Security Symposium, pp. 63–78. USENIX (1998)
Gao, Q., Zhang, W., Tang, Y., Qin, F.: First-Aid: Surviving and Preventing Memory Management Bugs During Production Runs. In: Proceedings of the 4th ACM European Conference on Computer Systems, pp. 159–172. ACM (2009)
Prasad, M., Chiueh, T.: A Binary Rewriting Defense Against Stack Based Buffer Overflow Attacks. In: Proceedings of the 2003 USENIX Annual Technical Conference, pp. 211–224. USENIX (2003)
Qin, F., Tucek, J., Sundaresan, J., Zhou, Y.: Rx: Treating Bugs as Allergies—A Safe Method to Survive Software Failures. In: Proceedings of the 20th ACM Symposium on Operating System Principles, pp. 235–248. ACM (2005)
Rinard, M., Cadar, C., Dumitran, D., Roy, D., Leu, T., Beebee Jr., W.: Enhancing Server Availability and Security Through Failure-Oblivious Computing. In: Proceedings of the 6th Conference on Symposium on Operating Systems Design and Implementation, pp. 303–316. USENIX (2004)
Sidiroglou, S., Laadan, O., Perez, C., Viennot, N., Nieh, J., Keromytis, A.: ASSURE: Automatic Software Self-healing Using REscue points. In: Proceedings of the 14th International Conference on Architectural Support for Programming Languages and Operating Systems, pp. 37–48. ACM (2009)
Vision Solutions Staff, Assessing the Financial Impact of Downtime. Vision Solutions, Inc. (2010)
Chen, G., Jin, H., Zou, D., Zhou, B., Liang, Z., Zheng, W., Shi, X.: SafeStack: Automatically Patching Stack-based Buffer Overflow Bugs. To be appeared in IEEE Transactions on Dependable and Secure Computing. IEEE (2013)
Zou, D., Zheng, W., Jiang, W., Jin, H., Chen, G.: Memshepherd: Comprehensive Memory Bug Fault-Tolerance System. To be appeared in Security and Communication Networks. John Wiley & Sons, Ltd. (2013)
Avijit, K., Gupta, P., Gupta, D.: TIED, LibsafePlus: Tools for Runtime Buffer Overflow Protection. In: Proceedings of the 13th USENIX Security Symposium, pp. 45–56. USENIX (2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Chen, G., Jin, H., Zou, D., Dai, W. (2013). On-Demand Proactive Defense against Memory Vulnerabilities. In: Hsu, CH., Li, X., Shi, X., Zheng, R. (eds) Network and Parallel Computing. NPC 2013. Lecture Notes in Computer Science, vol 8147. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40820-5_31
Download citation
DOI: https://doi.org/10.1007/978-3-642-40820-5_31
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40819-9
Online ISBN: 978-3-642-40820-5
eBook Packages: Computer ScienceComputer Science (R0)