A Dynamic Mechanism for Recovering from Buffer Overflow Attacks

Stelios Sidiroglou; Giannis Giovanidis; Angelos D. Keromytis

Type: Articles
Department: Computer Science
Part Number: 3650
Book/Journal Title: Information Security: 8th International Conference, ISC 2005, Singapore, September 20-23, 2005: Proceedings
Book Author: Zhou, Jianying
Publisher: Springer
Publisher Location: New York
Abstract:
We examine the problem of containing buffer overflow attacks in a safe and efficient manner. Briefly, we automatically augment source code to dynamically catch stack- and heap-based buffer overflow and underflow attacks, and recover from them by allowing the program to continue execution. Our hypothesis is that we can treat each code function as a transaction that can be aborted when an attack is detected, without affecting the application's ability to execute correctly. Our approach allows us to selectively enable or disable components of this defensive mechanism in response to external events, allowing for a direct tradeoff between security and performance. We combine our defensive mechanism with a honeypot-like configuration to detect previously unknown attacks, automatically adapt an application's defensive posture at a negligible performance cost, and help determine worm signatures. Our scheme imposes a low overhead on application performance, responds to attacks without human intervention, handles previously unknown vulnerabilities, and preserves service availability. We implement a stand-alone tool, DYBOC, which we use to instrument a number of vulnerable applications. Our performance benchmarks indicate a slow-down of 20% for Apache in full-protection mode, and 1.2% with selective protection. We provide preliminary evidence towards the validity of our transactional hypothesis via two experiments: first, by applying our scheme to 17 vulnerable applications, successfully fixing 14 of them; second, by examining the behavior of Apache when each of 154 potentially vulnerable routines is made to fail, resulting in correct behavior in 139 cases (90%), with similar results for sshd (89%) and Bind (88%).
Subject(s): Computer science
Publisher DOI: http://dx.doi.org/10.1007/11556992_1

In Partnership with the Center for Digital Research and Scholarship at Columbia University Libraries/Information Services