STRIDE: POLYMORPHIC SLED DETECTION THROUGH INSTRUCTION SEQUENCE
Despite considerable effort, buffer overflow attacks remain a major security threat today, especially when coupled with self-propagation mechanisms as in worms and viruses. This paper considers the problem of designing network-level mechanisms for detecting polymorphic instances of such attacks. The starting point for our work is the observation that many buffer overflow attacks require a "sled" component to transfer control of the system to the exploit code. While previous work has shown that it is possible to detect certain types of sleds, including obfuscated instances, this paper demonstrates that the proposed detection heuristics can be thwarted by more elaborate sled obfuscation techniques. To address this problem, we have designed a new sled detection heuristic, called STRIDE, that offers three main improvements over previous work: it detects several types of sleds that other techniques are blind to, has a lower rate of false positives, and is significantly more computationally efficient, and hence more suitable for use at the network level.