An overview of buffer overflow attacks, their methods, and the techniques used to prevent them. Topics include stack smashing attacks, function pointers, longjmp buffers, finding buffer overflows, and preventing them through type-safe languages, marking the stack as non-execute, run-time checking, and more. Also covered are viruses and worms, mobile code security, and java security.
Typology: Slides
Hackers find buffer overflows as follows:
1. Run the web server on a local machine.
2. Issue requests with long tags; every long tag ends with "$$$$$".
3. If the web server crashes, search the core dump for "$$$$$" to find the overflow location.
Some automated tools exist. (eEye Retina, ISIC).
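The probe-and-core-dump search above, as an added example that is not from the slides. The "server", its frame layout and the crash criterion are all constructed here (a real run would send the tags over the network and read the dump with a debugger); the probe builder and the marker search are the parts you would point at a real dump.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define MARKER "$$$$$"

/* Constructed stand-in for the server's stack frame (not a real dump):
 * a 32-byte tag buffer, then the saved frame pointer, then the return
 * address.  The return-address bytes are an arbitrary known pattern. */
enum { TAG_SIZE = 32, SFP_OFF = 32, RET_OFF = 36, FRAME_SIZE = 64 };
static const unsigned char ORIG_RET[4] = { 0x08, 0x04, 0x12, 0x34 };

/* n filler bytes followed by the marker: "AAAA...AAAA$$$$$".  Caller frees. */
char *build_probe(size_t n) {
    size_t mlen = strlen(MARKER);
    char *p = malloc(n + mlen + 1);
    if (p == NULL) return NULL;
    memset(p, 'A', n);
    memcpy(p + n, MARKER, mlen + 1);            /* marker plus its NUL */
    return p;
}

/* Scan a memory image for the marker; byte offset of the first hit, or -1. */
long find_marker(const unsigned char *img, size_t len) {
    size_t mlen = strlen(MARKER);
    for (size_t i = 0; i + mlen <= len; i++)
        if (memcmp(img + i, MARKER, mlen) == 0) return (long)i;
    return -1;
}

/* The vulnerable handler: strcpy(tag, request) with no length check.  The
 * copy is clipped at the end of the model frame only so that the model
 * itself stays inside its own storage.  Returns 1 if the return-address
 * slot was disturbed, which is what shows up as the crash. */
int simulate_request(const char *request, unsigned char frame[FRAME_SIZE]) {
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + RET_OFF, ORIG_RET, sizeof ORIG_RET);
    size_t n = strlen(request) + 1;             /* strcpy copies the NUL too */
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame, request, n);
    return memcmp(frame + RET_OFF, ORIG_RET, sizeof ORIG_RET) != 0;
}

/* Send ever-longer tags until one crashes the handler.  Returns that tag
 * length (0 if none up to max did) and stores where the marker landed in
 * the dump, i.e. its distance from the start of the overflowed buffer. */
size_t fuzz_tag_length(size_t start, size_t max, size_t step, long *marker_off) {
    unsigned char frame[FRAME_SIZE];
    for (size_t n = start; n <= max; n += step) {
        char *req = build_probe(n);
        if (req == NULL) return 0;
        int crashed = simulate_request(req, frame);
        free(req);
        if (crashed) {
            *marker_off = find_marker(frame, FRAME_SIZE);
            return n;
        }
    }
    return 0;
}

int main(void) {
    long off = -1;
    size_t n = fuzz_tag_length(8, 64, 4, &off);
    printf("first crash at tag length %zu, marker at dump offset %ld\n", n, off);
    return 0;
}
```

With the model frame, the first crash comes at a 32-byte tag and the marker is found at offset 32 of the dump, which tells you the overflowed buffer is 32 bytes long and the saved frame pointer sits right after it. Note that shorter tags already corrupt the saved frame pointer without crashing the handler; stepping in small increments and checking the dump each time is what turns a crash into an exact offset.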
Main problem: strcpy(), strcat(), sprintf() have no range checking.
The "safe" versions strncpy(), strncat() are misleading: strncpy() may leave the buffer unterminated, and the n passed to strncat() bounds the bytes appended, not the size of the destination.
Defenses:
- Type-safe languages (Java, ML). Legacy code?
- Mark the stack as non-executable.
- Static source code analysis.
- Run-time checking: StackGuard, Libsafe, SafeC, (Purify).
- Black-box testing (e.g. eEye Retina, ISIC).
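The two strncpy()/strncat() pitfalls above, as an added example that is not from the slides, next to bounded replacements that always terminate and report truncation. Function names are mine; the contract (return the length the caller would have needed, like snprintf) is a common convention, not something the slides prescribe.

```c
#include <string.h>
#include <stddef.h>
#include <stdio.h>

/* strncpy(dst, src, n) writes exactly n bytes: NUL-padded only when src is
 * shorter than n, and with NO terminator when strlen(src) >= n.
 * Returns 1 if dst ended up NUL-terminated within n bytes, 0 otherwise. */
int strncpy_leaves_terminator(char *dst, size_t n, const char *src) {
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* strncat(dst, src, n): n bounds the bytes appended, NOT the size of dst,
 * so strncat(dst, src, sizeof dst) still overflows once dst holds anything.
 * Returns how many bytes this call would write past dst_size (0 = fits),
 * so the caller can see the overflow before making it. */
size_t strncat_overrun(size_t dst_size, size_t dst_len, const char *src, size_t n) {
    size_t add  = strlen(src) < n ? strlen(src) : n;
    size_t need = dst_len + add + 1;            /* appended bytes plus terminator */
    return need > dst_size ? need - dst_size : 0;
}

/* Bounded copy: at most n bytes written, always NUL-terminated when n > 0,
 * returns strlen(src) so that a result >= n means the input was truncated
 * and should be rejected rather than silently used. */
size_t bounded_copy(char *dst, size_t n, const char *src) {
    size_t len = strlen(src);
    if (n == 0) return len;
    size_t take = len < n - 1 ? len : n - 1;
    memcpy(dst, src, take);
    dst[take] = '\0';
    return len;
}

/* Bounded append with the same contract; here n is the TOTAL size of dst. */
size_t bounded_cat(char *dst, size_t n, const char *src) {
    const char *end = memchr(dst, '\0', n);
    if (end == NULL) return n + strlen(src);    /* dst itself unterminated: refuse */
    size_t have = (size_t)(end - dst);
    return have + bounded_copy(dst + have, n - have, src);
}

int main(void) {
    char buf[8];
    printf("strncpy terminated: %d\n", strncpy_leaves_terminator(buf, sizeof buf, "ABCDEFGHIJ"));
    size_t need = bounded_copy(buf, sizeof buf, "ABCDEFGHIJ");
    printf("bounded_copy -> \"%s\", needed %zu (truncated: %d)\n", buf, need, need >= sizeof buf);
    return 0;
}
```

The truncation signal matters as much as the terminator: a parser that silently clips a path or a hostname can be pushed into accepting something different from what was sent.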
Many many run-time checking techniques …
Solutions 1: StackGuard (WireX) Run time tests for stack integrity. Embed “canaries” in stack frames and verify their integrity prior to function return.
[Stack diagram: Frame 2 and Frame 1, top of stack first. Without StackGuard a frame is local | sfp | ret | str; with StackGuard it is local | canary | sfp | ret | str, so an overflow of the local buffer must pass through the canary before it reaches ret.]
Random canary: Choose random string at program startup. Insert canary string into every stack frame. Verify canary before returning from function. To corrupt random canary, attacker must learn current random string.
Terminator canary: Canary = NUL (0x00), CR (0x0d), LF (0x0a), 0xff (EOF). The C string functions stop at one of these bytes (strcpy() at NUL, gets() at LF, and so on), so they cannot copy past the canary without altering it. Hence an attacker cannot use string functions to corrupt the stack and still pass the check.
Solutions 2: Libsafe (Avaya Labs) Dynamically loaded library. Intercepts calls to strcpy (dest, src) Validates sufficient space in current stack frame: |frame-pointer – dest| > strlen(src) If so, does strcpy. Otherwise, terminates application.
Address obfuscation. (Stony Brook ’03) Encrypt return address on stack by XORing with random string. Decrypt just before returning from function. Attacker needs decryption key to set return address to desired value.
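The random and terminator canaries and the XOR-encoded return address, as an added example that is not from the slides or from StackGuard's source. The frame is modelled as a struct so the prologue/epilogue checks can run in isolation; a real implementation lays the frame out in compiled code. The attacker payloads are constructed inline by writing the raw canary/frame-pointer/return-address bytes, so the model does not depend on endianness.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Modelled frame, top of stack first, as on the StackGuard slide:
 *   local buffer | canary | saved frame pointer | return address
 * (constructed for the demo; sizeof is 28 bytes with no padding). */
#define BUF_SIZE 16
typedef struct {
    char     buf[BUF_SIZE];
    uint32_t canary;
    uint32_t saved_fp;
    uint32_t ret;
} frame_t;

/* Terminator canary: NUL, CR, LF, 0xff.  On little-endian x86 the bytes in
 * memory are 00 0d 0a ff.  strcpy() stops at the NUL, so it cannot write
 * through this canary and leave it unchanged. */
#define TERMINATOR_CANARY 0xff0a0d00u

/* Prologue: stamp the canary and record the real return address. */
void frame_enter(frame_t *f, uint32_t canary, uint32_t ret) {
    memset(f->buf, 0, BUF_SIZE);
    f->canary   = canary;
    f->saved_fp = 0xbffff000u;      /* arbitrary stand-in for the caller's frame */
    f->ret      = ret;
}

/* Epilogue check: 1 if the canary is intact, 0 if the frame was smashed. */
int frame_check(const frame_t *f, uint32_t canary) {
    return f->canary == canary;
}

/* The bug under attack: strcpy(buf, input) with no bound.  Like strcpy it
 * copies up to and including the first NUL; the clip to sizeof *f only
 * keeps the model inside its own storage. */
void unchecked_strcpy(frame_t *f, const char *input) {
    size_t n = strlen(input) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, input, n);
}

/* Does the epilogue catch the overflow?  1 = check fires before return. */
int overflow_detected(const char *input, uint32_t canary) {
    frame_t f;
    frame_enter(&f, canary, 0x08048abcu);
    unchecked_strcpy(&f, input);
    return !frame_check(&f, canary);
}

/* Attacker's view: does the payload put want_ret in the return slot AND
 * leave the canary intact, so the function returns to the chosen address? */
int attack_succeeds(const char *payload, uint32_t canary, uint32_t want_ret) {
    frame_t f;
    frame_enter(&f, canary, 0x08048abcu);
    unchecked_strcpy(&f, payload);
    return frame_check(&f, canary) && f.ret == want_ret;
}

/* Address obfuscation (the Stony Brook scheme on the slide): the stored
 * return address is XORed with a per-process key and decrypted on return. */
void frame_enter_xor(frame_t *f, uint32_t key, uint32_t ret) {
    frame_enter(f, 0, ret ^ key);
}
uint32_t frame_return_xor(const frame_t *f, uint32_t key) {
    return f->ret ^ key;
}
/* Where does control go if the attacker overwrites the slot with want_ret? */
uint32_t xor_attack_lands_at(const char *payload, uint32_t key) {
    frame_t f;
    frame_enter_xor(&f, key, 0x08048abcu);
    unchecked_strcpy(&f, payload);
    return frame_return_xor(&f, key);
}

int main(void) {
    char input[32];
    memset(input, 'A', 24);             /* 24 bytes into a 16-byte buffer */
    input[24] = '\0';
    printf("24-byte overflow, terminator canary: detected=%d\n",
           overflow_detected(input, TERMINATOR_CANARY));
    return 0;
}
```

The interesting cases are the ones the slide argues in prose: a payload that embeds the correct random canary passes the check, which is why the random value must stay secret; a payload that embeds the terminator canary is cut off by strcpy() at the NUL and never reaches the return slot; and with the XOR scheme an overwritten return slot decrypts to want_ret XOR key, not to the address the attacker chose.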
Randomize location of functions in libc. Attacker cannot jump directly to exec function.
Viruses:
- Written in assembly language.
- Inserted into another program.
- Dormant until the program is executed.
[Figure: an executable program (a) with a virus at the front, (b) with the virus at the end, (c) with the virus spread over free space within the program.]
Antivirus and Anti-Antivirus Techniques
Antivirus techniques: signature based; integrity checkers; behavioral checkers.
Virus avoidance: good OS; install only shrink-wrapped software; use antivirus software; do not click on attachments to email; frequent backups.
Recovery from a virus attack: halt the computer, reboot from a safe disk, run antivirus.
(a) Memory divided into 1-MB sandboxes (b) One way of checking an instruction for validity
A type-safe language compiler rejects attempts to misuse a variable.
Checks include …