Install-Time Vaccination of Windows Executables to Defend against Stack Smashing Attacks
January-March 2006 (vol. 3 no. 1)
pp. 78-90
Stack smashing is still one of the most popular techniques for computer system attack. In this work, we present an anti-stack-smashing defense technique for Microsoft Windows systems. Our approach works at install time and does not rely on having access to the source code: the user decides when and which executables to vaccinate. Our technique consists of instrumenting a given executable with a mechanism to detect stack smashing attacks. We developed a prototype implementing our technique and verified that it successfully defends against actual exploit code. We then extended our prototype to vaccinate DLLs, multithreaded applications, and DLLs used by multithreaded applications, which present significant additional complications. We present promising performance results measured on SPEC2000 benchmarks: vaccinated executables were no more than 8 percent slower than their unvaccinated originals.
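The abstract describes instrumenting an executable with a prologue/epilogue check that detects a smashed stack before the function returns. The C program below is an added illustration of that general idea and is not code from the paper or its prototype; it does not reproduce the paper's actual instrumentation. The stack frame is modelled as a plain struct (layout, the guard constant, the return-address value and all function names are assumptions) so that the check is deterministic and runs on any platform: the "prologue" records a guard word and a private copy of the return address, a buggy unbounded write overruns the local buffer, and the "epilogue" refuses the return when either the guard or the saved return address no longer matches.

```c
/* Added example: a model of a per-frame integrity check inserted around a
 * function body.  Layout, names and constants are assumptions made for the
 * illustration; this is not the paper's instrumentation. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_LEN 16
/* Constructed guard value; a real scheme would choose it unpredictably. */
#define CANARY_VALUE 0xA5C3E7F1u

/* Modelled stack frame: the local buffer is followed by the control data that
 * an overrun of the buffer reaches first. */
struct frame {
    char     buf[BUF_LEN];
    uint32_t canary;     /* guard word between locals and control data */
    uint32_t ret_addr;   /* return address the epilogue would jump to */
};

/* Private copy kept outside the frame; in a real instrumentation this lives in
 * a region that a buffer overrun on the stack cannot reach. */
struct guard {
    uint32_t canary;
    uint32_t ret_addr;
};

/* Instrumented prologue: plant the guard and record the return address. */
static void prologue(struct frame *f, struct guard *g, uint32_t ret_addr) {
    f->canary   = CANARY_VALUE;
    f->ret_addr = ret_addr;
    g->canary   = CANARY_VALUE;
    g->ret_addr = ret_addr;
}

/* Instrumented epilogue: 1 if the frame is intact, 0 if the guard or the saved
 * return address was modified and the return must be refused. */
static int epilogue_check(const struct frame *f, const struct guard *g) {
    return f->canary == g->canary && f->ret_addr == g->ret_addr;
}

/* The defect being modelled: `len` bytes are written into `buf` with no bound
 * check.  `buf` is the first member, so writing from the start of the frame is
 * the same as running off the end of `buf`; writes are clamped to the struct
 * so the model itself stays within defined behaviour. */
static void unchecked_write(struct frame *f, const char *src, size_t len) {
    unsigned char *p = (unsigned char *)f;
    size_t i;
    if (len > sizeof *f) len = sizeof *f;
    for (i = 0; i < len; i++) p[i] = (unsigned char)src[i];
}

/* Run one input through the modelled instrumented function.
 * Returns 1 if the epilogue allows the return, 0 if it detects a smash. */
int run_instrumented(const char *input, size_t len) {
    struct frame f;
    struct guard g;
    memset(&f, 0, sizeof f);
    prologue(&f, &g, 0x00401000u);   /* constructed return address */
    unchecked_write(&f, input, len);
    return epilogue_check(&f, &g);
}

/* Constructed cases. */
int demo_benign(void) {              /* input fits: return allowed */
    return run_instrumented("hello", 5);
}

int demo_off_by_one(void) {          /* one byte past buf clobbers the guard */
    char in[BUF_LEN + 1];
    memset(in, 'A', sizeof in);
    return run_instrumented(in, sizeof in);
}

int demo_overrun(void) {             /* whole frame overwritten */
    char in[sizeof(struct frame)];
    memset(in, 'A', sizeof in);
    return run_instrumented(in, sizeof in);
}
```

The point the model makes is the one the abstract relies on: the check needs no source code, only the ability to wrap a function's entry and exit, and it catches a corrupted frame before control transfers to whatever the overrun wrote. A single byte past the buffer is enough to trip it, because the guard sits directly above the locals.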


Index Terms:
Computer security, buffer overflow, instrumentation.
Citation:
Danny Nebenzahl, Mooly Sagiv, Avishai Wool, "Install-Time Vaccination of Windows Executables to Defend against Stack Smashing Attacks," IEEE Transactions on Dependable and Secure Computing, vol. 3, no. 1, pp. 78-90, Jan.-March 2006, doi:10.1109/TDSC.2006.14