论文信息 - Enhancements to the Linux Kernel for Blocking Buffer Overflow Based Attacks

Enhancements to the Linux Kernel for Blocking Buffer Overflow Based Attacks

We present the design and implementation of a cost-effective mechanism which controls the invocation of critical, from the security viewpoint, system calls. The integration into existing UNIX operating systems is carried out by instrumenting the code of the system calls so that the system call itself once invoked checks to see whether the invoking process and the argument values passed comply with the rules held in an access control database. A working prototype able to detect and block buffer overflow attacks is available as a small set of "patches" to the Linux operating system kernel source.

[1] Douglas Comer,et al. Internetworking with TCP/IP: volume III: client-server programming and applications (Windows sockets version) , 1997 .

[2] A. One,et al. Smashing The Stack For Fun And Profit , 1996 .

[3] Daniel F. Sterne,et al. A Domain and Type Enforcement UNIX Prototype , 1995, Comput. Syst..

[4] Ian Goldberg,et al. A Secure Environment for Untrusted Helper Applications ( Confining the Wily Hacker ) , 1996 .

[5] R. Sekar,et al. On Preventing Intrusions by Process Behavior Monitoring , 1999, Workshop on Intrusion Detection and Network Monitoring.

[6] Calton Pu,et al. Buffer overflows: attacks and defenses for the vulnerability of the decade , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.