ASCII Text
Krerk Piromsopa, Richard J. Enbody, "Secure Bit: Transparent, Hardware Buffer-Overflow Protection," IEEE Transactions on Dependable and Secure Computing, vol. 3, no. 4, pp. 365-376, October-December, 2006.

BibTeX
@article{10.1109/TDSC.2006.56,
  author = {Krerk Piromsopa and Richard J. Enbody},
  title = {Secure Bit: Transparent, Hardware Buffer-Overflow Protection},
  journal = {IEEE Transactions on Dependable and Secure Computing},
  volume = {3},
  number = {4},
  issn = {1545-5971},
  year = {2006},
  pages = {365-376},
  doi = {http://doi.ieeecomputersociety.org/10.1109/TDSC.2006.56},
  publisher = {IEEE Computer Society},
  address = {Los Alamitos, CA, USA},
}

RefWorks Procite/RefMan/Endnote
TY - JOUR
JO - IEEE Transactions on Dependable and Secure Computing
TI - Secure Bit: Transparent, Hardware Buffer-Overflow Protection
IS - 4
SN - 1545-5971
SP - 365
EP - 376
EPD - 365-376
A1 - Krerk Piromsopa
A1 - Richard J. Enbody
PY - 2006
KW - Buffer overflow
KW - invasive software
KW - security kernels
KW - security and protection.
VL - 3
JA - IEEE Transactions on Dependable and Secure Computing
ER -

