This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
SafeStack: Automatically Patching Stack-Based Buffer Overflow Vulnerabilities
Nov.-Dec. 2013 (vol. 10 no. 6)
pp. 368-379
Gang Chen, Cluster & Grid Comput. Lab., Huazhong Univ. of Sci. & Technol., Wuhan, China
Hai Jin, Cluster & Grid Comput. Lab., Huazhong Univ. of Sci. & Technol., Wuhan, China
Deqing Zou, Cluster & Grid Comput. Lab., Huazhong Univ. of Sci. & Technol., Wuhan, China
Bing Bing Zhou, Centre for Distrib. & High Performance Comput., Univ. of Sydney, Sydney, NSW, Australia
Zhenkai Liang, Dept. of Comput. Sci., Nat. Univ. of Singapore, Singapore, Singapore
Weide Zheng, Cluster & Grid Comput. Lab., Huazhong Univ. of Sci. & Technol., Wuhan, China
Xuanhua Shi, Cluster & Grid Comput. Lab., Huazhong Univ. of Sci. & Technol., Wuhan, China
Buffer overflow attacks still pose a significant threat to the security and availability of today's computer systems. Although there are a number of solutions proposed to provide adequate protection against buffer overflow attacks, most of existing solutions terminate the vulnerable program when the buffer overflow occurs, effectively rendering the program unavailable. The impact on availability is a serious problem on service-oriented platforms. This paper presents SafeStack, a system that can automatically diagnose and patch stack-based buffer overflow vulnerabilities. The key technique of our solution is to virtualize memory accesses and move the vulnerable buffer into protected memory regions, which provides a fundamental and effective protection against recurrence of the same attack without stopping normal system execution. We developed a prototype on a Linux system, and conducted extensive experiments to evaluate the effectiveness and performance of the system using a range of applications. Our experimental results showed that SafeStack can quickly generate runtime patches to successfully handle the attack's recurrence. Furthermore, SafeStack only incurs acceptable overhead for the patched applications.
Index Terms:
software reliability,buffer storage,Linux,program diagnostics,security of data,service-oriented architecture,Linux system,automatic stack-based buffer overflow vulnerability patching,SafeStack,computer systems,buffer overflow attacks,vulnerable program,service-oriented platforms,stack-based buffer overflow vulnerability diagnosis,memory access virtualization,protected memory regions,Software reliability,Computer security,Computer viruses,Fault diagnosis,attack prevention,Software reliability,buffer overflow vulnerability diagnosis
Citation:
Gang Chen, Hai Jin, Deqing Zou, Bing Bing Zhou, Zhenkai Liang, Weide Zheng, Xuanhua Shi, "SafeStack: Automatically Patching Stack-Based Buffer Overflow Vulnerabilities," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 6, pp. 368-379, Nov.-Dec. 2013, doi:10.1109/TDSC.2013.25
Usage of this product signifies your acceptance of the Terms of Use.