A methodology for designing countermeasures against current and future code injection attacks

Proceedings - 3rd IEEE International Workshop on Information Assurance, IWIA 2005

Volumn , Issue , 2005, Pages 3-20

  Younan, Yves ^a   Joosen, Wouter ^a   Piessens, Frank ^a  

^a KU Leuven   (Belgium)

Author keywords

Advanced exploitation techniques; Buffer overflows; C; C++; Code injection; Countermeasures

Indexed keywords

CODES (SYMBOLS); COMPUTER SOFTWARE; NETWORK SECURITY;

'CURRENT; ADVANCED EXPLOITATION TECHNIQUE; BUFFER OVERFLOWS; C; C++; CODE INJECTION; CODE INJECTION ATTACKS; COUNTERMEASURE; EXPLOITATION TECHNIQUES; MEMORY LOCATIONS;

C++ (PROGRAMMING LANGUAGE);

EID: 84908340657     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (52)

1. Linux Programmer's Manual, section 3, printf().
2. anonymous. Once upon a free(). Phrack, 57, 2001.
3. T. M. Austin, S. E. Breach, and G. S. Sohi. Efficient detection of all pointer and array access errors. In Proceedings of the ACM SIGPLAN'94 Conference on Programming Language Design and Implementation, pages 290-301, Orlando, Florida, U.S.A., June 1994. ACM.
4. A. Baratloo, N. Singh, and T. Tsai. Transparent run-time defense against stack smashing attacks. In USENIX 2000 Annual Technical Conference Proceedings, pages 251-262, San Diego, California, U.S.A., June 2000. USENIX Association.
5. E. G. Barrantes, D. H. Ackley, S. Forrest, T. S. Palmer, D. Stefanović, and D. D. Zovi. Randomized instruction set emulation to disrupt binary code injection attacks. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS2003), pages 281-289, Washington, District of Columbia, U.S.A., Oct. 2003. ACM.
6. BBP. BSD heap smashing. http://www.security-protocols.com/modules.php? name=News&file=article&si%d=1586, May 2003.
7. blexim. Basic integer overflows. Phrack, 60, Dec. 2002.
8. P. Bouchareine. atexit in memory bugs. Posted on the vuln-dev mailinglist http://www.securityfocus.com/archive/82/151343, Dec. 2000.
9. B. Bray. Compiler security checks in depth. http://msdn.microsoft.com/library/en-us/dv\_vstechart/html/vctchCompile% rSecurityChecksInDepth.asp, Feb. 2002.
10. Bulba and Kil3r. Bypassing Stackguard and stackshield. Phrack, 56, 2000.
11. T. Chiueh and F.-H. Hsu. RAD: A compile-time solution to buffer overflow attacks. In Proceedings of the 21st International Conference on Distributed Computing Systems, pages 409-420, Phoenix, Arizona, USA, Apr. 2001. IEEE Computer Society, IEEE Press.
12. C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: protecting pointers from buffer overflow vulnerabilities. In Proceedings of the 12th USENIX Security Symposium, pages 91-104, Washington, District of Columbia, U.S.A., Aug. 2003. USENIX Association.
13. C. Cowan, C. Pu, D. Maier, H. Hinton, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th USENIX Security Symposium, pages 63-78, San Antonio, Texas, U.S.A., Jan. 1998. USENIX Association.
14. I. Dobrovitski. Exploit for CVS double free() for linux pserver. http://seclists.org/lists/bugtraq/2003/Feb/0042.html, Feb. 2003.
15. H. Etoh and K. Yoda. Protecting from stack-smashing attacks. Technical report, IBM Research Divison, Tokyo Research Laboratory, June 2000.
16. M. Frantzen and M. Shuey. StackGhost: Hardware facilitated stack protection. In Proceedings of the 10th USENIX Security Symposium, pages 55-66, Washington, District of Columbia, U.S.A., Aug. 2001. USENIX Association.
17. Free Software Foundation. The gnu compiler collection. http://gcc.gnu.org/.
18. Intel Corporation. IA-32 Intel Architecture Software Developer's Manual Volume 1: Basic Architecture, 2001. Order Nr 245470.
19. T. Jim, G. Morrisett, D. Grossman, M. Hicks, J. Cheney, and Y. Wang. Cyclone: A safe dialect of C. In USENIX Annual Technical Conference, pages 275-288, Monterey, California, U.S.A., June 2002. USENIX Association.
20. R. W. M. Jones and P. H. J. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Proceedings of the 3rd International Workshop on Automatic Debugging, number 009-02 in Linköping Electronic Articles in Computer and Information Science, pages 13-26, Linköping, Sweden, 1997. Linköping University Electronic Press.
21. JTC 1/SC 22/WG 14. ISO/IEC 9899:1999: Programming languages - C. Technical report, International Organization for Standards, 1999.
22. M. Kaempf. Vudo - an object superstitiously believed to embody magical powers. Phrack, 57, 2001.
23. P. A. Karger and R. R. Schell. Multics security evaluation: Vulnerability analysis. Technical Report ESD-TR-74-193, HQ Electronic Systems Division, Hanscom Air Force Base, Massachusetts, U.S.A., June 1974.
24. G. S. Kc, A. D. Keromytis, and V. Prevelakis. Countering code-injection attacks with instruction-set randomization. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS2003), pages 272-280, Washington, District of Columbia, U.S.A., Oct. 2003. ACM.
25. S. C. Kendall. Bcc: Runtime checking for C programs. In Proceedings of the USENIX Summer 1983 Conference, pages 5-16, Toronto, Ontario, Canada, July 1983. USENIX Association.
26. klog. The frame pointer overwrite. Phrack, 55, 1999.
27. A. Krennmair. ContraPolice: a libc extension for protecting applications from heap-smashing attacks. http://www.synflood.at/contrapolice/, Nov. 2003.
28. J. R. Larus, T. Ball, M. Das, R. DeLine, M. Fähndrich, J. Pincus, S. K. Rajamani, and R. Venkatapathy. Righting software. IEEE Software, 21(3):92-100, May/June 2004.
29. D. Lea and W. Gloger. glibc-2.2.3/malloc/malloc.c. Comments in source code.
30. J. R. Levine. Linkers and Loaders. Morgan-Kauffman, Oct. 1999.
31. K.-S. Lhee and S. J. Chapin. Type-assisted dynamic buffer overflow detection. In Proceedings of the 11th USENIX Security Symposium, pages 81-90, San Francisco, California, U.S.A., Aug. 2002. USENIX Association.
32. D. Litchfield. Defeating the stack based buffer overflow prevention mechanism of microsoft windows 2003 server. http://www.nextgenss.com/papers/defeating-w2k3-stack-protection.pdf, Sept. 2003.
33. Microsoft. Vault: a programming language for reliable systems. http://research.microsoft.com/vault/.
34. G. Necula, S. McPeak, and W. Weimer. CCured: Type-safe retrofitting of legacy code. In Conference Record of POPL 2002: The 29th SIGPLANSIGACT Symposium on Principles of Programming Languages, pages 128-139, Portland, Oregon, U.S.A., Jan. 2002. ACM.
35. Y. Oiwa, T. Sekiguchi, E. Sumii, and A. Yonezawa. Fail-safe ANSI-C compiler: An approach to making C programs secure: Progress report. In Proceedings of International Symposium on Software Security 2002, pages 133-153, Tokyo, Japan, Nov. 2002.
36. J. M. B. Rivas. Overwriting the.dtors section. Posted on the Bugtraq mailinglist http://www.securityfocus.com/archive/1/150396, Dec. 2000.
37. rix. Smashing C++ VPTRs. Phrack, 56, 2000.
38. W. Robertson, C. Kruegel, D. Mutz, and F. Valeur. Run-time detection of heap-based overflows. In Proceedings of the 17th Large Installation Systems Administrators Conference, pages 51-60, San Diego, California, U.S.A., Oct. 2003. USENIX Association.
39. O. Ruwase and M. S. Lam. A practical dynamic buffer overflow detector. In Proceedings of the 11th Annual Network and Distributed System Security Symposium, San Diego, California, U.S.A., Feb. 2004. Internet Society.
40. J. H. Saltzer. Repaired security bugs in multics. In Ancillary Reports: Kernel Design Project, number MIT/LCS/TM-87, pages 1-4, Cambridge, Massachusetts, U.S.A., June 1977. Massachusetts Institute of Technology.
41. scut. Exploiting format string vulnerabilities. http://www.team-teso.net/articles/formatstring/, 2001.
42. Solar Designer. Non-executable stack patch. http://www.openwall.com.
43. Solar Designer. Getting around non-executable stack (and fix). Posted on the Bugtraq mailinglist http://www.securityfocus.com/archive/1/7480, Aug. 1997.
44. Solar Designer. JPEG COM marker processing vulnerability in netscape browsers. http://www.openwall.com/advisories/OW-002-netscape-jpeg.txt, July 2000.
45. J. L. Steffen. Adding run-time checking to the portable C compiler. Software: Practice and Experience, 22(4):305-316, Apr. 1992. ISSN: 0038-0644.
46. The PaX Team. Documentation for the PaX project. http://pageexec.virtualave.net/docs/.
47. Vendicator. Documentation for stackshield. http://www.angelfire.com/sk/stackshield.
48. R. Wojtczuk. Defeating solar designer non-executable stack patch. Posted on the Bugtraq mailinglist http://www.securityfocus.com/archive/1/8470, Jan. 1998.
49. J. Xu, Z. Kalbarczyk, and R. K. Iyer. Transparent runtime randomization for security. In 22nd International Symposium on Reliable Distributed Systems (SRDS'03), pages 260-269, Florence, Italy, Oct. 2003. IEEE Computer Society, IEEE Press.
50. S. H. Yong and S. Horwitz. Protecting C programs from attacks via invalid pointer dereferences. In Proceedings of the 9th European software engineering conference held jointly with 10th ACM SIGSOFT international symposium on Foundations of software engineering, pages 307-316. ACM, ACM Press, Sept. 2003.
51. Y. Younan. An overview of common programming security vulnerabilities and possible solutions. Master's thesis, Vrije Universiteit Brussel, 2003.
52. Y. Younan, W. Joosen, and F. Piessens. Code injection in C and C++: A survey of vulnerabilities and countermeasures. Technical Report CW386, Departement Computerwetenschappen, Katholieke Universiteit Leuven, July 2004.