论文信息 - Buttercup: on network-based detection of polymorphic buffer overflow vulnerabilities

Buttercup: on network-based detection of polymorphic buffer overflow vulnerabilities

Attack polymorphism is a powerful tool for the attackers in the Internet to evade signature-based intrusion detection/prevention systems. In addition, new and faster Internet worms can be coded and launched easily by even high school students anytime against our critical infrastructures, such as DNS or update servers. We believe that polymorphic Internet worms will be developed in the future such that many of our current solutions might have a very small chance to survive. In this paper, we propose a simple solution called "Buttercup" to counter against attacks based on buffer-overflow exploits (such as CodeRed, Nimda, Slammer, and Blaster). We have implemented our idea in SNORT, and included 19 return address ranges of buffer-overflow exploits. With a suite of tests against 55 TCPdump traces, the false positive rate for our best algorithm is as low as 0.01%. This indicates that, potentially, Buttercup can drop 100% worm attack packets on the wire while only 0.01% of the good packets will be sacrificed.

[1] Ina Ruck,et al. USA , 1969, The Lancet.

[2] A. One,et al. Smashing The Stack For Fun And Profit , 1996 .

[3] Danilo Bruschi,et al. A Tool for Pro-active Defense Against the Buffer Overrun Attack , 1998, ESORICS.

[4] Crispan Cowan,et al. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[5] Martin Roesch,et al. Snort - Lightweight Intrusion Detection for Networks , 1999 .

[6] David A. Wagner,et al. A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[7] Tzi-cker Chiueh,et al. RAD: a compile-time solution to buffer overflow attacks , 2001, Proceedings 21st International Conference on Distributed Computing Systems.

[8] Eric Chien,et al. BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES , 2002 .

[9] Christopher Krügel,et al. Accurate Buffer Overflow Detection via Abstract Payload Execution , 2002, RAID.