SigFree: A signature-free buffer overflow attack blocker

15th USENIX Security Symposium

Volumn , Issue , 2006, Pages 225-240

  Wang, Xinran ^a   Pan, Chi Chun ^b   Liu, Peng ^b   Zhu, Sencun ^a,b  

^a The Pennsylvania State University   (United States)

^b PENNSYLVANIA STATE UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

BUFFER STORAGE; CODES (SYMBOLS);

APPLICATION LAYERS; BUFFER OVERFLOW ATTACKS; CODE ABSTRACTION; CODE INJECTION ATTACKS; CODE OBFUSCATION; INTERNET SERVICES; MAINTENANCE COST; THROUGHPUT DEGRADATION;

WEB SERVICES;

EID: 85027555608     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (55)

1. Buffer overrun in jpeg processing (gdi+) could allow code execution (833987). http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
2. Fnord snort preprocessor. http://www.cansecwest.com/spp fnord.c.
3. Intel ia-32 architecture software developer’s manual volume 1: Basic architecture.
4. Metasploit project. http://www.metasploit.com.
5. Security advisory: Acrobat and adobe reader plug-in buffer overflow. http://www.adobe.com/support/techdocs/321644.html.
6. Stunnel – universal ssl wrapper. http://www.stunnel.org.
7. Symantec security response: backdoor.hesive. http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hesive.html
8. Winamp3 buffer overflow. http://www.securityspace.com/ smysecure/catid.html?id=11530.
9. Pax documentation. http://pax.grsecurity.net/docs/pax.txt, November 2003.
10. BARATLOO, A., SINGH, N., AND TSAI, T. Transparent run-time defense against stack smashing attacks. In Proc. 2000 USENIX Technical Conference (June 2000).
11. BARRANTES, E., ACKLEY, D., PALMER, T., STEFANOVIC, D., AND ZOVI, D. Randomized instruction set emulation to disrupt binary code injection attacks. In Proceedings of the 10th ACM conference on Computer and communications security (October 2003).
12. BERNERS-LEE, T., MASINTER, L., AND MCCAHILL, M. Uniform Resource Locators (URL). RFC 1738 (Proposed Standard). Updated by RFCs 1808, 2368, 2396, 3986.
13. BHATKAR, S., SEKAR, R., AND DUVARNEY, D. C. Efficient techniques for comprehensive protection from memory error exploits. In USENIX Security (2005).
14. CHEN, H., DEAN, D., AND WAGNER, D. Model checking one million lines of c code. In NDSS (2004).
15. CHINCHANI, R., AND BERG, E. V. D. A fast static analysis approach to detect exploit code inside network flows. In RAID (2005).
16. CHRISTODORESCU, M., AND JHA, S. Static analysis of executables to detect malicious patterns. In Proceedings of 12th USENIX Security Symposium (August 2003).
17. CHRISTODORESCU, M., JHA, S., SESHIA, S. A., SONG, D., AND BRYANT, R. E. Semantics-aware malware detection. In IEEE Symposium on Security and Privacy, Oakland (May 2005).
18. CKER CHIUEH, T., AND HSU, F.-H. Rad: A compile-time solution to buffer overflow attacks. In ICDCS (2001).
19. COLLBERG, C., THOMBORSON, C., AND LOW, D. A taxonomy of obfuscating transformations. Tech. Rep. 148, Department of Computer Science,University of Auckland, July 1997.
20. CORMEN, T. H., LEISERSON, C. E., AND RIVEST, R. L. Introduction to Algorithms. MIT Press/McGraw-Hill, 1990.
21. COSTA, M., CROWCROFT, J., CASTRO, M., ROWSTRON, A., ZHOU, L., ZHANG, L., AND BARHAM, P. Vigilante: End-to-end containment of internet worms. In SOSP (2005).
22. COWAN, C., PU, C., MAIER, D., HINTON, H., WALPOLE, J., BAKKE, P., BEATTIE, S., GRIER, A., WAGLE, P., AND ZHANG, Q. Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of 7th USENIX Security Conference (January 1998).
23. DETRISTAN, T., ULENSPIEGEL, T., MALCOM, Y., AND UNDERDUK, M. S. V. Polymorphic shellcode engine using spectrum analysis. http://www.phrack.org/show.php?p=61&a=9.
24. EVANS, D., AND LAROCHELLE, D. Improving security using extensible lightweight static analysis. IEEE Software 19, 1 (2002).
25. FOSDICK, L. D., AND OSTERWEIL, L. Data flow analysis in software reliability. ACM Computing Surveys 8 (September 1976).
26. HUANG, J. Detection of data flow anomaly through program instrumentation. IEEE Transactions on Software Engineering 5, 3 (May 1979).
27. JUNG, J., PAXSON, V., BERGER, A., AND BALAKRISHNAN, H. Fast portscan detection using sequential hypothesis testing. In Proc. IEEE Symposium on Security and Privacy (2004).
28. KC, G., KEROMYTIS, A., AND PREVELAKIS, V. Countering code-injection attacks with instruction-set randomization. In Proceedings of the 10th ACM conference on Computer and communications security (October 2003).
29. KIM, H.-A., AND KARP, B. Autograph: Toward automated, distributed worm signature detection. In Proceedings of the 13th Usenix Security Symposium (August 2004).
30. KIRIANSKY, V., BRUENING, D., AND AMARASINGHE, S. Secure execution via program shepherding. In Proceedings of USENIX Security Symposium (2002).
31. KOLESNIKOV, O., AND LEE, W. Advanced polymorphic worms: Evading ids by blending in with normal traffic.
32. KRUEGEL, C., KIRDA, E., MUTZ, D., ROBERTSON, W., AND VIGNA, G. Polymorphic worm detection using structural information of executables. In RAID (2005).
33. KRUEGEL, C., ROBERTSON, W., VALEUR, F., AND VIGNA, G. Static disassembly of obfuscated binaries. In Proceedings of USENIX Security 2004 (August 2004).
34. KUPERMAN, B. A., BRODLEY, C. E., OZDOGANOGLU, H., VIJAYKUMAR, T. N., AND JALOTE, A. Detecting and prevention of stack buffer overflow attacks. Communications of the ACM 48, 11 (2005).
35. LAKHOTIA, A., AND ERIC, U. Stack shape analysis to detect obfuscated calls in binaries. In Proceedings of Fourth IEEE International Workshop on Source Code Analysis and Manipulation (September 2004).
36. LIANG, Z., AND SEKAR, R. Automatic generation of buffer overflow attack signatures: An approach based on program behavior models. In Proceedings of the Annual Computer Security Applications Conference(ACSAC) (2005).
37. LIANG, Z., AND SEKAR, R. Fast and automated generation of attack signatures: A basis for building self-protecting servers. In Proc. 12th ACM Conference on Computer and Communications Security (2005).
38. LINN, C., AND DEBRAY, S. Obfuscation of executable code to improve resistance to static disassembly. In 10th ACM Conference on Computer and Communications Security (CCS) (October 2003).
39. LOCASTO, M. E., WANG, K., KEROMYTIS, A. D., AND STOLFO, S. J. Flips: Hybrid adaptive intrusion prevention. In RAID (2005).
40. MACAULAY, S. Admmutate: Polymorphic shellcode engine. http://www.ktwo.ca/security.html.
41. MCGREGOR, J., KARIG, D., SHI, Z., AND LEE, R. A processor architecture defense against buffer overflow attacks. In Proceedings of International Conference on Information Technology: Research and Education (ITRE) (2003), pp. 243 – 250.
42. NEWSOME, J., KARP, B., AND SONG, D. Polygraph: Automatic signature generation for polymorphic worms. In IEEE Security and Privacy Symposium (May 2005).
43. NEWSOME, J., AND SONG, D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In NDSS (2005).
44. PANG, R., YEGNESWARAN, V., BARFORD, P., PAXSON, V., AND PETERSON, L. Characteristics of internet background radiation. In Proc. ACM IMC (2004).
45. RIX. Writing ia32 alphanumeric shellcodes. http://www.phrack.org/show.php?p=57&a=15, 2001.
46. SCHWARZ, B., DEBRAY, S. K., AND ANDREWS, G. R. Disassembly of executable code revisited. In Proc. IEEE 2002 Working Conference on Reverse Engineering (WCRE) (October 2002).
47. SINGH, S., ESTAN, C., VARGHESE, G., AND SAVAGE, S. The earlybird system for real-time detection of unknown worms. Tech. rep., University of California at San Diego, 2003.
48. S.KC, G., AND KEROMYTIS, A. D. e-nexsh: Achieving an effectively non-executable stack and heap via system-call policing. In Proceedings of the Annual Computer Security Applications Conference(ACSAC) (2005).
49. SMIRNOV, A., AND CKER CHIUEH, T. Dira: Automatic detection, identification, and repair of control-hijacking attacks. In NDSS (2005).
50. TOTH, T., AND KRUEGEL, C. Accurate buffer overflow detection via abstract payload execution. In RAID (2002).
51. WAGNER, D., FOSTER, J. S., BREWER, E. A., AND AIKEN, A. A first step towards automated detection of buffer overrun vulnerabilities. In Network and Distributed System Security Symposium (February 2000).
52. WANG, H. J., GUO, C., SIMON, D. R., AND ZUGENMAIER, A. Shield: Vulnerability-driven network filters for preventing known vulnerability exploits. In Proceedings of the ACM SIGCOMM Conference (August 2004).
53. WANG, K.,, CRETU, G., AND STOLFO, S. J. Anomalous payload-based worm detection and signature generation. In RAID (2005).
54. WANG, K., AND STOLFO, S. J. Anomalous payload-based network instrusion detection. In RAID (2004).
55. XU, J., NING, P., KIL, C., ZHAI, Y., AND BOOKHOLT, C. Automatic diagnosis and response to memory corruption vulnerabilities. In Proc. 12th ACM Conference on Computer and Communications Security (2005).