STACKFENCES: A RUN-TIME APPROACH FOR DETECTING STACK OVERFLOWS

André Zúquete

2004

Abstract

This paper describes StackFences, a run-time technique for detecting overflows in local variables in C programs. This technique differs from all others developed so far because it tries to detect explicit overflow occurrences, instead of detecting whether a particular stack value, namely a return address, was corrupted because of a stack overflow. Thus, StackFences is useful not only for detecting intrusion attempts but also for checking the run-time robustness of applications. We also conceived different policies for deploying StackFences, allowing a proper balance between detection accuracy and performance. Effectiveness tests confirmed that all overflows in local variables are detected before causing any severe damage. Performance tests run with several tools and parameters showed an acceptable performance degradation.



Paper Citation


in Harvard Style

Zúquete A. (2004). STACKFENCES: A RUN-TIME APPROACH FOR DETECTING STACK OVERFLOWS. In Proceedings of the First International Conference on E-Business and Telecommunication Networks - Volume 2: ICETE, ISBN 972-8865-15-5, pages 76-84. DOI: 10.5220/0001398000760084


in Bibtex Style

@conference{icete04,
author={André Zúquete},
title={STACKFENCES: A RUN-TIME APPROACH FOR DETECTING STACK OVERFLOWS},
booktitle={Proceedings of the First International Conference on E-Business and Telecommunication Networks - Volume 2: ICETE,},
year={2004},
pages={76-84},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001398000760084},
isbn={972-8865-15-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the First International Conference on E-Business and Telecommunication Networks - Volume 2: ICETE,
TI - STACKFENCES: A RUN-TIME APPROACH FOR DETECTING STACK OVERFLOWS
SN - 972-8865-15-5
AU - Zúquete A.
PY - 2004
SP - 76
EP - 84
DO - 10.5220/0001398000760084