Stack Protection Mechanisms In Packet Processing Systems

As the functionality that current computer network can provide is becoming complicated, a traditional router with application-specific integrated circuit (ASIC) implementation can’t satisfy the flexibility requirements. Instead, a programmable packet forward system based on a general-purpose processor could provide the flexibility. While this system provides flexibility, a new potential security issue arises. Usually, software is involved as the packet forward system is programmable. The software’s potential vulnerability, especially as to the remote exploits, becomes an issue of network security. In this thesis work, we proposed a software stack overflow vulnerability on click modular router and show how a disastrous denial-of-service attack on click modular router could be triggered by a single packet. In our research work, click modular router runs on Linux operating system based on general-purpose hardware. We actually showed that even a software router run within a modern operating system’s protection is vulnerable by elaborate attack. And we checked the possible stack protection mechanisms on modern OS based on general-purpose hardware and proposed a possible stack protection mechanism for embedded OS.

[1]  William A. Arbaugh,et al.  Safety and security of programmable network infrastructures , 1998, IEEE Commun. Mag..

[2]  Tilman Wolf,et al.  Architecture of Network Systems , 2011 .

[3]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[4]  Yu Chen,et al.  A Survey on the Application of FPGAs for Network Infrastructure Security , 2011, IEEE Communications Surveys & Tutorials.

[5]  Tzi-cker Chiueh,et al.  Scalable network-based buffer overflow attack detection , 2006, 2006 Symposium on Architecture For Networking And Communications Systems.

[6]  Wouter Joosen,et al.  Extended Protection against Stack Smashing Attacks without Performance Loss , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[7]  Angus Wong,et al.  Network Infrastructure Security , 2009 .

[8]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[9]  Tilman Wolf,et al.  Attacks on Network Infrastructure , 2011, 2011 Proceedings of 20th International Conference on Computer Communications and Networks (ICCCN).

[10]  Dave Ahmad The Rising Threat of Vulnerabilities Due to Integer Errors , 2003, IEEE Secur. Priv..

[11]  EDDIE KOHLER,et al.  The click modular router , 2000, TOCS.

[12]  Srinivasan Seshan,et al.  An integrated congestion management architecture for Internet hosts , 1999, SIGCOMM '99.

[13]  Wouter Joosen,et al.  Efficient Protection Against Heap-Based Buffer Overflows Without Resorting to Magic , 2006, ICICS.

[14]  Eugene H. Spafford,et al.  Implicit Buffer Overflow Protection Using Memory Segregation , 2011, 2011 Sixth International Conference on Availability, Reliability and Security.