Protection against indirect overflow attacks on pointers

Buffer overflow has accounted for a large fraction of Internet-based attacks since 1988. Many solutions have been proposed to protect against a direct stack-smashing attack that overwrites a return address. Here, we target indirect buffer overflow attacks, which overflow a buffer in memory to repoint a function pointer to the attacker's program. This type of attack can bypass most of the current stack protection mechanisms. Our proposed approach encrypts a function pointer before it is put into memory and decrypts it before it is taken from memory. Each function pointer is encrypted with a unique key that is randomized by the loader/linker for each program run. This leads to two desirable properties: (1) orthogonality of the key space, and (2) zero incremental knowledge gain for the adversary between two attacks on two different program runs. Key-space orthogonality does not allow the compromise of one key to propagate to other function pointers. The "zero knowledge gain" property forces the adversary to compromise all (or most) of the keys in the same run. This is difficult, since loader/linker-based key randomization leads to a 2^32-iteration brute-force attack on each key for a 32-bit architecture. This scheme was incorporated into GCC-3.0 on the RedHat 7.0 Linux distribution. The performance overhead of this scheme is below 4.5% on Apache Web server version 1.3.22 with WebStone 2.5 as the benchmark.
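The encrypt-on-store/decrypt-on-load idea from the abstract, as an added illustration in C that is not the paper's own code: a simple XOR mask stands in for the paper's per-pointer cipher, srand()/rand() stands in for the loader/linker's per-run key randomization, and all names (guarded_fptr, gp_store, gp_load, decoy, ...) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Guarded function-pointer slot: the pointer is never stored in the clear.
   Each slot carries its own key; the loader/linker randomizing keys per run
   is modelled with srand()/rand() (constructed stand-in), and XOR masking
   stands in for the paper's per-pointer encryption. */
typedef int (*handler_t)(int);
typedef struct { uintptr_t key, stored; } guarded_fptr; /* stored = encrypted */

static uintptr_t fresh_key(void) {
    uintptr_t k = 0;
    for (size_t i = 0; i < sizeof k; i++) k = (k << 8) | (uintptr_t)(rand() & 0xff);
    return k ? k : 1;                       /* never the identity mask */
}
/* Encrypt on the way into memory, decrypt on the way out. */
static void gp_store(guarded_fptr *g, handler_t f) { g->stored = (uintptr_t)f ^ g->key; }
static handler_t gp_load(const guarded_fptr *g) { return (handler_t)(g->stored ^ g->key); }
static void gp_init(guarded_fptr *g, handler_t f) { g->key = fresh_key(); gp_store(g, f); }

static int add_one(int x) { return x + 1; }  /* legitimate target */
static int decoy(int x)   { return -x; }     /* address an overflow would try to plant */

/* Normal use: the decrypted pointer is exactly the one stored. */
int guard_roundtrip(void) {
    guarded_fptr g; srand(12345); gp_init(&g, add_one);
    return gp_load(&g) == add_one && gp_load(&g)(41) == 42;
}
/* Two slots get independent keys: learning one reveals nothing about the other. */
int keys_are_independent(void) {
    guarded_fptr a, b; srand(12345); gp_init(&a, add_one); gp_init(&b, add_one);
    return a.key != b.key && a.stored != b.stored;
}
/* An overflow writes the raw address of decoy over the slot, bypassing gp_store.
   Decryption XORs it with a key the overflow never knew, so control does not
   land on decoy; the decoded value is unpredictable garbage instead. */
int raw_overwrite_misses_target(void) {
    guarded_fptr g; srand(12345); gp_init(&g, add_one);
    g.stored = (uintptr_t)decoy;            /* simulated overwrite of the slot */
    return gp_load(&g) != decoy && gp_load(&g) != add_one;
}

int main(void) {
    printf("roundtrip=%d independent=%d overwrite_misses=%d\n", guard_roundtrip(),
           keys_are_independent(), raw_overwrite_misses_target());
    return 0;
}
```

Because the overwritten slot decodes to an unpredictable address rather than the planted one, the scheme on its own turns a controlled hijack into a crash; it does not detect the corruption, which is why the abstract frames its guarantee in terms of per-key brute-force cost rather than detection.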
