Nothing Special   »   [go: up one dir, main page]

Skip to main content

Accurate Buffer Overflow Detection via Abstract Pay load Execution

  • Conference paper
  • First Online:
Recent Advances in Intrusion Detection (RAID 2002)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2516))

Included in the following conference series:

Abstract

Static buffer overflow exploits belong to the most feared and frequently launched attacks on todays Internet. These exploits target vulnerabilities in daemon processes which provide important network services. Ever since the buffer overflow hacking technique has reached a broader audience due to the Morris Internet worm [21] in 1988 and the infamous paper by AlephOne in the phrack magazine [1], new weaknesses in many programs have been discovered and abused.

Current intrusion detection systems (IDS) address this problem in different ways. Misuse based network IDS attempt to detect the signature of known exploits in the payload of the network packets. This can be easily evaded by a skilled intruder as the attack code can be changed, reordered or even partially encrypted. Anomaly based network sensors neglect the packet payload and only analyze bursts of traffic thus missing buffer overflows altogether. Host based anomaly detectors that monitor process behavior can notice a successful exploit but only a-posteriori when it has already been successful. In addition, both anomaly variants suffer from high false positive rates.

In this paper we present an approach that accurately detects buffer overflow code in the request’s payload by concentrating on the sledge of the attack. The sledge is used to increase the chances of a successful intrusion by providing a long code segment that simply moves the program counter towards the immediately following exploit code. Although the intruder has some freedom in shaping the sledge it has to be executable by the processor. We perform abstract execution of the payload to identify such sequences of executable code with virtually no false positives.

A prototype implementation of our sensor has been integrated into the Apache web server. We have evaluated the effectivity of our system on several exploits as well as the performance impact on services.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. AlephOne. Smashing the stack for fun and profit. Phrack Magazine, 49(14), 1996.

    Google Scholar 

  2. Debra Anderson, Thane Frivold, Ann Tamaru, and Alfonso Valdes. Next Generation Intrusion Detection Expert System (NIDES). SRI International, 1994.

    Google Scholar 

  3. The Apache Software Foundation. http://www.apache.org.

  4. M. Bykova, S. Ostermann, and B. Tjaden. Detecting network intrusions via a statistical analysis of network packet characteristics. In Proceedings of the 33rd Southeastern Symposium on System Theory, 2001.

    Google Scholar 

  5. Crispin Cowan, Calton Pu, David Maier, Heather Hinton, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. Automatic detection and prevention of buffer-overflow attacks. In 7th USENIX Security Symposium, January 1998.

    Google Scholar 

  6. Dorothy Denning. An intrusion-detection model. In IEEE Symposium on Security and Privacy, pages 118–131, Oakland, USA, 1986.

    Google Scholar 

  7. Laurent Eschenauer. Imsafe. http://imsafe.sourceforge.net, 2001.

  8. Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji, and Thomas A. Longstaff. A sense of self for Unix processes. In Proceedinges of the 1996 IEEE Symposium on Research in Security and Privacy, pages 120–128. IEEE Computer Society Press, 1996.

    Google Scholar 

  9. The GNU Compiler Collection. http://gcc.gnu.org.

  10. A. Ghosh and A. Schwartzbard. A study in using neural networks for anomaly and misuse detection. In USENIX Security Symposium, 1999.

    Google Scholar 

  11. Judith Hochberg, Kathleen Jackson, Cathy Stallins, J. F. McClary, David DuBois, and Josephine Ford. NADIR: An automated system for detecting network intrusion and misuse. Computer and Security, 12(3):235–248, May 1993.

    Google Scholar 

  12. Intel. IA-32 Intel Architecture Software Developer’s Manual Volume 1–3, 2002. http://developer.intel.com/design/Pentium4/manuals/.

  13. Home of K2. http://www.ktwo.ca.

  14. Christopher Kruegel, Thomas Toth, and Clemens Kerer. Service Specific Anomaly Detection for Network Intrusion Detection. In Symposium on Applied Computing (SAC). ACM Scientific Press, March 2002.

    Google Scholar 

  15. Mudge. Compromised: Buffer-Overflows, from Intel to SPARC Version 8. http://www.l0pht.com, 1996.

  16. Peter G. Neumann and Phillip A. Porras. Experience with EMERALD to date. In 1st USENIX Workshop on Intrusion Detection and Network Monitoring, pages 73–80, Santa Clara, California, USA, April 1999.

    Google Scholar 

  17. Phillip A. Porras and Peter G. Neumann. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In Proceedings of the 20th NIS Security Conference, October 1997.

    Google Scholar 

  18. Martin Roesch. Snort-Lightweight Intrusion Detection for Networks. In USENIX Lisa 99, 1999.

    Google Scholar 

  19. SecurityFocus Corporate Site. http://www.securityfocus.com.

  20. Jude Shavlik, Mark Shavlik, and Michael Fahland. Evaluating software sensors for actively profiling Windows 2000 computer users. In Recent Advances in Intrusion Detection (RAID), 2001.

    Google Scholar 

  21. E. Spafford. The Internet Worm Program: Analysis. Computer Communication Review, January 1989.

    Google Scholar 

  22. Stuart Staniford, James A. Hoagland, and Joseph M. McAlerney. Practical Automated Detection of Stealthy Portscans. In Proceedings of the IDS Workshop of the 7th Computer and Communications Security Conference, Athens, 2000.

    Google Scholar 

  23. Giovanni Vigna and Richard A. Kemmerer. NetSTAT: A Network-based Intrusion Detection System. In 14th Annual Computer Security Applications Conference, December 1998.

    Google Scholar 

  24. Giovanni Vigna and Richard A. Kemmerer. NetSTAT: A Network-based Intrusion Detection System. Journal of Computer Security, 7(1):37–71, 1999.

    Google Scholar 

  25. WebSTONE-Mindcraft Corporate Site. http://www.mindcraft.com.

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Toth, T., Kruegel, C. (2002). Accurate Buffer Overflow Detection via Abstract Pay load Execution. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_15

Download citation

  • DOI: https://doi.org/10.1007/3-540-36084-0_15

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00020-4

  • Online ISBN: 978-3-540-36084-1

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics