Abstract
Static buffer overflow exploits belong to the most feared and frequently launched attacks on todays Internet. These exploits target vulnerabilities in daemon processes which provide important network services. Ever since the buffer overflow hacking technique has reached a broader audience due to the Morris Internet worm [21] in 1988 and the infamous paper by AlephOne in the phrack magazine [1], new weaknesses in many programs have been discovered and abused.
Current intrusion detection systems (IDS) address this problem in different ways. Misuse based network IDS attempt to detect the signature of known exploits in the payload of the network packets. This can be easily evaded by a skilled intruder as the attack code can be changed, reordered or even partially encrypted. Anomaly based network sensors neglect the packet payload and only analyze bursts of traffic thus missing buffer overflows altogether. Host based anomaly detectors that monitor process behavior can notice a successful exploit but only a-posteriori when it has already been successful. In addition, both anomaly variants suffer from high false positive rates.
In this paper we present an approach that accurately detects buffer overflow code in the request’s payload by concentrating on the sledge of the attack. The sledge is used to increase the chances of a successful intrusion by providing a long code segment that simply moves the program counter towards the immediately following exploit code. Although the intruder has some freedom in shaping the sledge it has to be executable by the processor. We perform abstract execution of the payload to identify such sequences of executable code with virtually no false positives.
A prototype implementation of our sensor has been integrated into the Apache web server. We have evaluated the effectivity of our system on several exploits as well as the performance impact on services.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
AlephOne. Smashing the stack for fun and profit. Phrack Magazine, 49(14), 1996.
Debra Anderson, Thane Frivold, Ann Tamaru, and Alfonso Valdes. Next Generation Intrusion Detection Expert System (NIDES). SRI International, 1994.
The Apache Software Foundation. http://www.apache.org.
M. Bykova, S. Ostermann, and B. Tjaden. Detecting network intrusions via a statistical analysis of network packet characteristics. In Proceedings of the 33rd Southeastern Symposium on System Theory, 2001.
Crispin Cowan, Calton Pu, David Maier, Heather Hinton, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. Automatic detection and prevention of buffer-overflow attacks. In 7th USENIX Security Symposium, January 1998.
Dorothy Denning. An intrusion-detection model. In IEEE Symposium on Security and Privacy, pages 118–131, Oakland, USA, 1986.
Laurent Eschenauer. Imsafe. http://imsafe.sourceforge.net, 2001.
Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji, and Thomas A. Longstaff. A sense of self for Unix processes. In Proceedinges of the 1996 IEEE Symposium on Research in Security and Privacy, pages 120–128. IEEE Computer Society Press, 1996.
The GNU Compiler Collection. http://gcc.gnu.org.
A. Ghosh and A. Schwartzbard. A study in using neural networks for anomaly and misuse detection. In USENIX Security Symposium, 1999.
Judith Hochberg, Kathleen Jackson, Cathy Stallins, J. F. McClary, David DuBois, and Josephine Ford. NADIR: An automated system for detecting network intrusion and misuse. Computer and Security, 12(3):235–248, May 1993.
Intel. IA-32 Intel Architecture Software Developer’s Manual Volume 1–3, 2002. http://developer.intel.com/design/Pentium4/manuals/.
Home of K2. http://www.ktwo.ca.
Christopher Kruegel, Thomas Toth, and Clemens Kerer. Service Specific Anomaly Detection for Network Intrusion Detection. In Symposium on Applied Computing (SAC). ACM Scientific Press, March 2002.
Mudge. Compromised: Buffer-Overflows, from Intel to SPARC Version 8. http://www.l0pht.com, 1996.
Peter G. Neumann and Phillip A. Porras. Experience with EMERALD to date. In 1st USENIX Workshop on Intrusion Detection and Network Monitoring, pages 73–80, Santa Clara, California, USA, April 1999.
Phillip A. Porras and Peter G. Neumann. EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In Proceedings of the 20th NIS Security Conference, October 1997.
Martin Roesch. Snort-Lightweight Intrusion Detection for Networks. In USENIX Lisa 99, 1999.
SecurityFocus Corporate Site. http://www.securityfocus.com.
Jude Shavlik, Mark Shavlik, and Michael Fahland. Evaluating software sensors for actively profiling Windows 2000 computer users. In Recent Advances in Intrusion Detection (RAID), 2001.
E. Spafford. The Internet Worm Program: Analysis. Computer Communication Review, January 1989.
Stuart Staniford, James A. Hoagland, and Joseph M. McAlerney. Practical Automated Detection of Stealthy Portscans. In Proceedings of the IDS Workshop of the 7th Computer and Communications Security Conference, Athens, 2000.
Giovanni Vigna and Richard A. Kemmerer. NetSTAT: A Network-based Intrusion Detection System. In 14th Annual Computer Security Applications Conference, December 1998.
Giovanni Vigna and Richard A. Kemmerer. NetSTAT: A Network-based Intrusion Detection System. Journal of Computer Security, 7(1):37–71, 1999.
WebSTONE-Mindcraft Corporate Site. http://www.mindcraft.com.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2002 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Toth, T., Kruegel, C. (2002). Accurate Buffer Overflow Detection via Abstract Pay load Execution. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_15
Download citation
DOI: https://doi.org/10.1007/3-540-36084-0_15
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00020-4
Online ISBN: 978-3-540-36084-1
eBook Packages: Springer Book Archive