Article

A framework for testing security mechanisms for program-based attacks

Authors:

Lori PollockAuthors Info & Claims

SESS '05: Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications

Pages 1 - 7

https://doi.org/10.1145/1083200.1083208

Published: 15 May 2005 Publication History

Abstract

Program vulnerabilities leave organizations open to malicious attacks that can result in severe damage to company finances, resources, consumer privacy, and data. Engineering applications and systems so that vulnerabilities do not exist would be the best solution, but this strategy may be impractical due to fiscal constraints or inadequate knowledge. Therefore, a variety of program and system-based solutions have been proposed to deal with vulnerabilities in a manageable way. Unfortunately, proposed strategies are often poorly tested, because current testing techniques focus on the common case whereas vulnerabilities are often exploited by uncommon inputs.In this paper, we present the design of a testing framework that enables the efficient, automatic and systematic testing of security mechanisms designed to prevent program-based attacks. The key insight of the framework is that dynamic compilation technology allows us to insert and simulate attacks during program execution. Thus, a security mechanism can be tested using any program, not only those with known vulnerabilities.

References

[1]

AlephOne. Smashing the stack for fun and profit. http://www.insecure.org/stf/smashstack.txt.

[2]

A. Baratloo, N. Singh, and T. Tsai. Transparent run-time defense against stack smashing attacks. USENIX Annual Technical Conference, 2000.

Digital Library

[3]

R. Bodík, R. Gupta, and V. Sarkar. ABCD: Eliminating array bounds checks on demand. Programming Language Design and Implementation, 2000.

Digital Library

[4]

B. Breech, A. Danalis, S. Shindo, and L. Pollock. Online impact analysis via dynamic compilation technology. International Conference on Software Maintanence, 2004.

Digital Library

[5]

B. Breech, M. Tegtmeyer, and L. Pollock. A comparison of online and dynamic impact analysis algorithms. European Conference on Software Maintenance and Reengineering, 2005.

Digital Library

[6]

D. Bruening, T. Garnett, and S. Amarasinghe. An infrastructure for adaptive dynamic optimization. In International Symposium on Code Generation and Optimization, 2003.

Digital Library

[7]

D. L. Bruening. Efficient, Transparent, and Comprehensive Runtime Code Manipulation. PhD thesis, M.I.T., 2004.

Digital Library

[8]

B. Buck and J. K. Hollingsworth. An API fro runtime code patching. Journal of Supercomputing Applications and High Performance Computing, 2000.

Digital Library

[9]

T. Chiueh and F. Hsu. RAD: A compile-time solution to buffer overflow attacks. International Conference on Distributed Computing Systems, 2001.

Digital Library

[10]

M. Conover. w00w00 on heap overflows. http://www.w00w00.org/files/articles/heaptut.txt.

[11]

C. Cowan. Re: Buffer overflow and the OS/390. http://cert.uni-stuttgart.de/archive/bugtraq/1999/02/msg00081.html, 1999.

[12]

C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: Protecting pointers from buffer overflow vulnerabilities. USENIX Security Symposium, 2003.

Digital Library

[13]

C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, and H. Hinton. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. USENIX Security Symposium, 1998.

Digital Library

[14]

S. Designer. NonExecutable user stack. http://www.openwall.com/linux.

[15]

DilDog. The tao of windows buffer overflow. http://www.cultdeadcow.com/c{D}c_files/c{D}c-351.

[16]

H. Etoh and K. Yoda. GCC extension for protecting applications from stack-smashing attacks. http://www.research.ibm.com/trl/projects/security/ssp/, 2000.

[17]

R. W. M. Jones and P. H. J. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. Automatic and Algorithm Debugging, 1997.

[18]

Klog. Frame pointer overwrite. http://www.phrack.org/show.php?p=55&a=8.

[19]

Mudge. How to write buffer overflows. http://www.insecure.org/stf/mudge_buffer_overflow_tutorial.html, 1995.

[20]

T. Newsham. Format string attacks. http://www.lava.net/~newsham/format-string-attacks.pdf.

[21]

R. Sekar, C. R. Ramakrishnan, I. V. Ramakrishnan, and S. A. Smolka. Model-carrying code (MCC): A new paradigm for mobile-code security. New Security Paradigms Workshop, 2001.

Digital Library

[22]

E. H. Spafford. The Internet worm program: An analysis. Computer Communication Review, 1988.

Digital Library

[23]

G. Zhu and A. Tyagi. Protection against indirect overflow attacks on pointers. International Information Assurance Workshop, 2004.

Digital Library

Cited By

Shahriar HZulkernine M(2012)Mitigating program security vulnerabilitiesACM Computing Surveys (CSUR)10.1145/2187671.218767344:3(1-46)Online publication date: 14-Jun-2012
https://dl.acm.org/doi/10.1145/2187671.2187673
Shahriar HZulkernine M(2011)Taxonomy and classification of automatic monitoring of program security vulnerability exploitationsJournal of Systems and Software10.1016/j.jss.2010.09.02084:2(250-269)Online publication date: 1-Feb-2011
https://dl.acm.org/doi/10.1016/j.jss.2010.09.020
Breech BTegtmeyer MPollock L(2006)An Attack Simulator for Systematically Testing Program-based Security MechanismsProceedings of the 17th International Symposium on Software Reliability Engineering10.1109/ISSRE.2006.12(136-145)Online publication date: 7-Nov-2006
https://dl.acm.org/doi/10.1109/ISSRE.2006.12
Show More Cited By

Index Terms

A framework for testing security mechanisms for program-based attacks
1. Security and privacy
  1. Systems security
    1. Operating systems security
2. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging
  2. Software notations and tools
    1. General programming languages
      1. Language features
        Frameworks

Recommendations

A framework for testing security mechanisms for program-based attacks

Program vulnerabilities leave organizations open to malicious attacks that can result in severe damage to company finances, resources, consumer privacy, and data. Engineering applications and systems so that vulnerabilities do not exist would be the ...
DDoS attacks and defense mechanisms: classification and state-of-the-art

Denial of Service (DoS) attacks constitute one of the major threats and among the hardest security problems in today's Internet. Of particular concern are Distributed Denial of Service (DDoS) attacks, whose impact can be proportionally severe. With ...
An Attack Simulator for Systematically Testing Program-based Security Mechanisms
ISSRE '06: Proceedings of the 17th International Symposium on Software Reliability Engineering

The use of insecure programming practices has led to a large number of vulnerable programs that can be exploited for malicious purposes. These vulnerabilities are often difficult to find during traditional software testing. In response to these ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

SESS '05: Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications

May 2005

112 pages

ISBN:1595931147

DOI:10.1145/1083200

ACM SIGSOFT Software Engineering Notes Volume 30, Issue 4
July 2005
1514 pages
ISSN:0163-5948
DOI:10.1145/1082983
Issue’s Table of Contents

Copyright © 2005 Authors.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 May 2005

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Article

Acceptance Rates

Overall Acceptance Rate 8 of 11 submissions, 73%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
642
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 22 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Shahriar HZulkernine M(2012)Mitigating program security vulnerabilitiesACM Computing Surveys (CSUR)10.1145/2187671.218767344:3(1-46)Online publication date: 14-Jun-2012
https://dl.acm.org/doi/10.1145/2187671.2187673
Shahriar HZulkernine M(2011)Taxonomy and classification of automatic monitoring of program security vulnerability exploitationsJournal of Systems and Software10.1016/j.jss.2010.09.02084:2(250-269)Online publication date: 1-Feb-2011
https://dl.acm.org/doi/10.1016/j.jss.2010.09.020
Breech BTegtmeyer MPollock L(2006)An Attack Simulator for Systematically Testing Program-based Security MechanismsProceedings of the 17th International Symposium on Software Reliability Engineering10.1109/ISSRE.2006.12(136-145)Online publication date: 7-Nov-2006
https://dl.acm.org/doi/10.1109/ISSRE.2006.12
Sakai AHori YSakurai K(2010)Behavior Control Based on Dynamic Code TranslationProceedings of the 2010 10th IEEE/IPSJ International Symposium on Applications and the Internet10.1109/SAINT.2010.103(375-378)Online publication date: 19-Jul-2010
https://dl.acm.org/doi/10.1109/SAINT.2010.103

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents