CS38, Security and Privacy, Spring 2005
A number of "hackish" methods have been suggested to raise the difficulty
bar for exploiting memory overwriting vulnerabilities. Here is a short
list of papers on the topic. While these measures do not solve the
fundamental problem, they alleviate it by discouraging simple exploits.
Stack protection schemes (require recompiling binaries with a patched compiler).
The Wikipedia entry provides a good short summary: http://en.wikipedia.org/wiki/Stack-smashing_protection
- StackGuard,
Crispin Cowan
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
The StackGuard project pioneered the use of stack canaries. See the USENIX Security paper and other resources on the project page. At a minimum, read the paper http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/usenixsc98_html/ .
- GCC extension for protecting applications from stack-smashing attacks,
Hiroaki Etoh
http://www.research.ibm.com/trl/projects/security/ssp/
A comprehensive patch to GCC, based on StackGuard, but also uses frame layout transformation (at the simplest, placing an array buffer closest to the beginning of the frame will prevent any other locals from being affected by the overflow -- which is useful, since an attacker might be able to affect the execution logic of a program by overwriting a local variable rather than smashing the return address). See also http://wiki.linuxfromscratch.org/index.php?pagename=ProPolice%20Smashing%20Stack%20Protector.
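The frame-layout point above, as an added illustration (not code from this page, StackGuard or ProPolice): a byte-array model of one stack frame in which the char buffer either sits below an integer local (naive layout) or is moved up next to the canary (ProPolice layout), so the difference between "a local gets silently overwritten" and "the canary check fires" can be observed deterministically. The 20-byte layout, the flag named is_admin, the fixed canary value and the 12-byte input are all constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define FRAME_SIZE   20          /* buf[8] + is_admin(4) + canary(4) + ret(4) */
#define CANARY_VALUE 0xDEADBEEFu /* fixed for the model; real canaries are random */
#define OFF_CANARY   12
#define OFF_RET      16

enum layout { NAIVE, PROPOLICE };

/* NAIVE: the char buffer sits below an integer local, so an overflow reaches
 * is_admin before it reaches the canary. PROPOLICE: arrays are moved next to
 * the canary, so the overflow hits the canary before any other local. */
static size_t off_buf(enum layout l)   { return l == NAIVE ? 0 : 4; }
static size_t off_admin(enum layout l) { return l == NAIVE ? 8 : 0; }

struct outcome { int admin_flipped; int canary_tripped; };

/* Build the frame, perform the unchecked copy, then run the epilogue check. */
static struct outcome run_frame(enum layout l, const unsigned char *input, size_t n)
{
    unsigned char frame[FRAME_SIZE];
    uint32_t canary = CANARY_VALUE, admin = 0, ret = 0x08048000u; /* constructed */
    struct outcome o;
    size_t room = FRAME_SIZE - off_buf(l);

    memset(frame, 0, sizeof frame);
    memcpy(frame + off_admin(l), &admin, 4);
    memcpy(frame + OFF_CANARY, &canary, 4);
    memcpy(frame + OFF_RET, &ret, 4);
    /* The bug: an unchecked copy into the 8-byte buffer. Clamped to the frame
     * only so the model itself stays well-defined C. */
    memcpy(frame + off_buf(l), input, n < room ? n : room);

    memcpy(&admin, frame + off_admin(l), 4);
    memcpy(&canary, frame + OFF_CANARY, 4);
    o.admin_flipped = admin != 0;               /* logic changed, nothing crashed */
    o.canary_tripped = canary != CANARY_VALUE;  /* StackGuard-style epilogue check */
    return o;
}

/* Constructed input: 12 bytes, four more than the buffer holds. */
static struct outcome demo(enum layout l)
{
    unsigned char input[12];
    memset(input, 'A', sizeof input);
    return run_frame(l, input, sizeof input);
}
```

With the naive layout the same overflow flips is_admin while the canary stays intact, which is exactly the case a canary alone cannot catch; with the reordered layout the flag is untouched and the canary check reports the corruption.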
Randomization techniques
As far as I know, the first popular OS to include randomization of
library and executable loading addresses in "production quality" was OpenBSD.
Several Linux kernel patches implement this as well, most notably the
PaX project and OpenWall.
Survey papers:
- Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits,
Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar
http://www.seclab.cs.sunysb.edu/seclab/pubs/papers/ao.pdf
[local papers/ao.pdf]
- A Multi-Faceted Defence Mechanism Against Code Injection Attacks,
C. M. Linn, M. Rajagopalan, S. Baker, C. Collberg, S. K. Debray, J. H. Hartman, P. Moseley
http://www.cs.arizona.edu/~linnc/research/CCS2004.pdf
[local papers/CCS2004.pdf]
Sergey Bratus