Install-time vaccination of windows executables to defend against stack smashing attacks

IEEE Transactions on Dependable and Secure Computing

Volumn 3, Issue 1, 2006, Pages 78-90

  Nebenzahl, Danny ^a   Sagiv, Mooly ^a,b  

^a TEL AVIV UNIVERSITY   (Israel)

^b UNIVERSITY OF CHICAGO   (United States)

Author keywords

Buffer overflow; Computer security; Instrumentation

Indexed keywords

BENCHMARKING; SECURITY OF DATA; SOFTWARE PROTOTYPING;

BUTTER OVERFLOW; SOURCE-CODE; STACK SMASHING;

COMPUTER OPERATING SYSTEMS;

EID: 32844464153     PISSN: 15455971     EISSN: None     Source Type: Journal    
DOI: 10.1109/TDSC.2006.14     Document Type: Article

References (50)

1. E.G. Barrantes, D.H. Ackley, S. Forrest, T.S. Palmer, D. Stefanovic, and D.D. Zovi, "Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks," Proc. 10th ACM Conf. Computer and Comm. Security (CCS), 2003.
2. A. Baratloo, N. Singh, and T. Tsai, "Transparent Runtime Defense against Stack Smashing Attacks," Proc. USENIX Ann. Technical Conf., 2000.
3. "Hotfoon Dialer Buffer Overflow Vulnerability,"Bugtraq id 6156, Nov. 2002, http://www.securityfocus.com/bid/6156.
4. "Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability/,"Bugtraq id 8205, July 2003, http://www.securityfocus.com/ bid/8205.
5. "Microsoft Windows RegEdit.exe Registry Key Value Buffer Overflow Vulnerability/,"Bugtraq id 7411, Apr. 2003, http://www.securityfocus.com/ bid/7411.
6. "Adding Sections to PE Files: Enhancing Functionality of Programs by Adding Extra Code," 1999, http://bib.universitas-virtualis.org/go.php?id= bibuv-gdl-grey-2004-c0v3rt-119.
7. C. Cowan, S. Beattie, J. Johansen, and P. Wagle, "PointGuard: Protecting Pointers from Buffer Overflow Vulnerabilities," Proc. 12th USENIX Security Symp., 2003.
8. C. Cifuentes and M. Van Emmerik, "Recovery of Jump Table Case Statements from Binary Code," Science of Computer Programming, vol. 40, nos. 2-3, pp. 171-188, 2001.
9. CERT/cc Statistics 1988-2001, 2002, http://www.cert.org/stats/.
10. "CERT Advisory CA-2003-16: Buffer Overflow in Microsoft RFC," July 2003, http://www.cert.org/advisories/CA-2003-16.html.
11. "CERT Advisory CA-2003-20: W32/Blaster Worm," Aug. 2003, http://www.cert.org/advisories/CA-2003-20.html.
12. "CERT Vulnerability Note VU#579324: Cisco IOS HTTP Server Vulnerable to Buffer Overflow When Processing Overly Large Malformed HTTP GET Request," 31 July 2003, http://www.kb.cert.org/vuls/id/579324.
13. S. Cho, "Windows Disassembler, v0.22," 2000, http://cyber.chongju.ac.kr/~sangcho/index.html.
14. C. Cifuentes, "Partial Automation of an Integrated Reverse Engineering Environment of Binary Code," Proc. Working Conf. Reverse Eng., pp. 50-56, 1996.
15. C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton, "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks," Proc. Seventh USENIX Security Symp., pp. 63-78, Jan. 1998.
16. N. Dor, M. Rodeh, and M. Sagiv, "Cleanness Checking of String Manipulations in C Programs via Integer Analysis," Proc. Eighth Int'l Static Analysis Symp. (SAS), 2001.
17. N. Dor, M. Rodeh, and M. Sagiv, "CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C," Proc. ACM SIGPLAN 2003 Conf. Programming Language Design and Implementation, pp. 155-167, 2003.
18. D.C. DuVarney, V.N. Venkatakrishnan, and S. Bhatkar, "SELF: A Transparent Security Extension for ELF Binaries," Proc. 2003 Workshop New Security Paradigms, pp. 29-38, 2003.
19. D. Evans and D. Larochelle, "Improving Security Using Extensible Lightweight Static Analysi," IEEE Software, vol. 19, no. 1, pp. 42-51, 2002.
20. M.W. Eichin and J.A.A. Rochlis, "With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988," Proc. IEEE Symp. Security and Privacy, 1989.
21. A.K. Ghosh and T. O'Connor, "Analyzing Programs for Vulner-ability to Buffer Overrun Attacks," Proc. 21st NIST-NCSC Nat'l Information Systems Security Conf., pp. 274-382, 1998.
22. G. Hunt and D. Brubacher, "Detours: Binary Interception of Win32 Functions," Proc. Third USENIX NT Symp., pp. 135-144, 1999.
23. M. Howard and D. LeBlanc, Writing Secure Code, second ed. Microsoft Press, 2002.
24. "The IDA Pro Disassembler and Debugger,"v4.51, 2003, http://www.datarescue.com/idabase/.
25. Immunix Secured Solutions, 2003, http://www.immunix.com.
26. T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney, and Y. Wang, "Cyclone: A Safe Dialect of C," Proc. USENIX Ann. Technical Conf., June 2002.
27. G.S. Kc, A.D. Keromytis, and V. Prevelakis, "Countering Code-Injection Attacks with Instruction-Set Randomization," Proc. 10th ACM Conf. Computer and Comm. Security (CCS), 2003.
28. S. Kuo, "Execute Disable Bit Functionality Blocks Malware Code Execution," White paper, Intel, 2005, http://www.intel.com/cd/ids/ developer/asmo-na/eng/dc/pentium4/optimization/149308.htm.
29. J.R. Larus and T. Ball, "Rewriting Executable Files to Measure Program Behavior," Technical Report CS-TR-92-1083, Univ. of Wisconsin, Madison, 25 Mar. 1992.
30. K.-s. Lhee and S.J. Chapin, "Type-Assisted Dynamic Buffer Overflow Detection," Proc. 11th USENIX Security Symp., 2002.
31. C. Linn and S. Debray, "Obfuscation of Executable Code to Improve Resistance to Static Disassembly," Proc. 10th ACM Conf. Computer and Comm. Security (CCS), 2003.
32. R.B. Lee, D.K. Karig, J.P. McGregor, and Z. Shi, "Enlisting Hardware Architecture to Thwart Malicious Code Injection," Proc. Int'l Conf. Security in Pervasive Computing (SPC-2003), Mar. 2003.
33. Microsoft Portable Executable and Common Object File Format Specification, rev. 6.0, 1999, http://www.microsoft.com/whdc/hwdev/hardware/ pecoff.mspx.
34. "Microsoft Visual C++ Compiler Options: /gs (Control Stack Checking Calls),"Online documentation, 2001, http://msdn.microsoft.com/library/ default.asp?url=/library/en-us/vccore/html/_core_.2f.gs.asp.
35. G.C. Necula, S. McPeak, and W. Weimer, "CCured: Type-Safe Retrofitting of Legacy Code," Proc. Symp. Principles of Programming Languages, pp. 128-139, 2002.
36. D. Nebenzahl and A. Wool, "Install-Time Vaccination of Windows Executables to Defend against Stack Smashing Attacks," Technical Report EES2003-9, School of Electrical Eng., Tel Aviv Univ., 2003.
37. D. Nebenzahl and A. Wool, "Install-Time Vaccination of Windows Executables to Defend against Stack Smashing Attacks," Proc. 19th IFIP Int'l Information Security Conf., pp. 225-240, Aug. 2004.
38. M. Prasad and T.-c. Chiueh, "A Binary Rewriting Defense against Stack Based Overflow Attacks," Proc. USENIX 2003 Ann. Technical Conf., 2003.
39. "PEDasm: A Symbolic Disassembler for Win32," 2003, http://www.geocities.com/SiliconValley/Lab/6307/.
40. G. Richarte, Four Different Tricks to Bypass StackShield and StackGuard Protection, Core Security Technologies, 2002, http://downloads.securityfocus. com/library/StackGuard.pdf.
41. O. Ruwase and M. Lam, "A Practical Dynamic Buffer Overflow Detector," Proc. Network and Distributed System Security (NDSS) Symp., pp. 159-169, Feb. 2004.
42. "SecureStack v1.0: Buffer Overflow Protection for Windows NT/2000," 2001, no longer available, a similar design can be found at http://datasecuritysoftware.com/index.html.
43. Solar Designer, "Nonexecutable User Stack," http://www.false.com/security/linux-stack/, 2006.
44. E.H. Spafford, "The Internet Worm Program: An Analysis," Technical Report CSD-TR-823, Purdue Univ., West Lafayette, IN 47907-2004, 1988.
45. SPEC CPU2000 V1.2. Standard Performance Evaluation Corporation, 2000, http://www.specbench.org/osg/cpu2000/.
46. C. Small and M. Seltzer, "MISFIT: A Tool for Constructing Safe Extensible Systems," IEEE Concurrency, pp. pp. 33-41, 1998.
47. Stackshield, 2000, http://www.angelfire.com/sk/stackshield.
48. Z. Shao, Q. Zhuge, Y. He, and E.H.-M. Sha, "Defending Embedded Systems against Buffer Overflow via Hardware/Software," Proc. Ann. Computer Security Applications Conf., 2003.
49. D. Wagner, J.S. Foster, E.A. Brewer, and A. Aiken, "A First Step towards Automated Detection of Buffer Overrun Vulnerabilities," Proc. Network and Distributed System Security Symp. (NDSS), pp. 3-17, Feb. 2000.
50. J. Wilander and M. Kamkar, "A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention," Proc. 10th Network and Distributed System Security Symp. (NDSS), pp. 149-162, Feb. 2003.