Issue No.01 - January-March (2010 vol.7)
pp: 65-79
Xinran Wang , Pennsylvania State University, State College
Chi-Chun Pan , The Pennsylvania State University, State College
Peng Liu , The Pennsylvania State University, State College
Sencun Zhu , The Pennsylvania State University, University Park
ABSTRACT
We propose SigFree, an online, signature-free, out-of-the-box application-layer method for blocking code-injection buffer overflow attack messages targeting various Internet services such as web services. Motivated by the observation that buffer overflow attacks typically contain executable code whereas, in most Internet services, legitimate client requests never do, SigFree blocks attacks by detecting the presence of code. Unlike previous code detection algorithms, SigFree uses a new data-flow analysis technique called code abstraction that is generic, fast, and hard for exploit code to evade. Because SigFree is signature free, it can block new and unknown buffer overflow attacks; it is also immune to most attack-side code obfuscation methods. Since SigFree is deployed transparently in front of the servers being protected, it is suited to economical Internet-wide deployment with very low deployment and maintenance cost. We implemented and tested SigFree; our experimental study shows that the dependency-degree-based SigFree could block all types of code-injection attack packets (above 750) tested in our experiments with very few false positives. Moreover, SigFree adds very little extra latency to normal client requests when some requests contain exploit code.
INDEX TERMS
Intrusion detection, buffer overflow attacks, code-injection attacks.
CITATION
Xinran Wang, Chi-Chun Pan, Peng Liu, Sencun Zhu, "SigFree: A Signature-Free Buffer Overflow Attack Blocker", IEEE Transactions on Dependable and Secure Computing, vol.7, no. 1, pp. 65-79, January-March 2010, doi:10.1109/TDSC.2008.30