RADARBOR: Automatic Detection and Repair of Buffer Overflow Attacks

This work was done at SUNY Stony Brook.

Project Members
Alexey Smirnov
Introduction
Researchers have addressed the problem of protecting programs from computer worms in the past. Most of those proposals deal with detecting buffer overflows rather than with post-attack repair: when an attack is detected, the program is restarted. If, however, the same attack is mounted repeatedly, the result is denial of service for the given network daemon. DIRA aims at automatic program repair: it logs the memory updates that the program performs when it runs normally and uses the log to restore the memory state of the program when an attack is detected.
Existing projects have never tried to adapt the execution state of the program so that the program avoids the attacks naturally. The goal of this project, called RADARBOR, is to design and implement a compiler-based solution that transforms the source code of a program so that the program detects stack-based buffer overflow attacks and adjusts its environment, that is, its memory layout, to accommodate the effects of the attack. The application then continues execution in the updated memory layout.
RADARBOR uses RAD to detect attacks. The repair of memory layout leverages correlation techniques similar to those used in ARBOR and COVERS.
System Architecture
The detection mechanism generates a page fault whenever an out-of-bounds array access is performed. The program's registers are then saved on the stack and the page fault handler is invoked. The handler repairs the attacked program in two steps: (1) it reallocates the overflowed array; (2) it fixes all stack-based array references and registers of the program. After the page fault handler returns, the OS restores the registers and tries to re-execute the faulting instruction. The novel feature of this project is that it takes advantage of the OS's capability to automatically restart execution from the point where an anomaly was detected.
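The fault-and-restart cycle described above can be seen in a small user-space program. This is an added example, not RADARBOR's code: it assumes a simplified repair that grows the array in place into reserved address space, so it does not relocate the array or fix stack references and registers as RADARBOR does, and the names fill_with_repair and on_fault are hypothetical.

```c
#define _DEFAULT_SOURCE                /* MAP_ANONYMOUS under strict -std= modes */
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static char *guard;                    /* start of the still-protected region */
static size_t guard_len, page;         /* protected bytes left, page size */
static volatile sig_atomic_t repairs;  /* number of faults repaired */

/* Page fault handler: grow the array by one page, then return so the
   kernel restores the registers and re-executes the faulting store. */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    char *addr = (char *)si->si_addr;
    (void)sig; (void)ctx;
    if (addr < guard || addr >= guard + guard_len)
        _exit(2);                      /* fault outside our guard region */
    if (mprotect(guard, page, PROT_READ | PROT_WRITE) != 0)
        _exit(3);                      /* mprotect is a plain syscall on Linux */
    guard += page; guard_len -= page; repairs++;
}

/* Writes n constructed bytes into a one-page array with no bounds check.
   Returns the number of repairs, or -1 on setup or verification failure. */
int fill_with_repair(size_t n, size_t spare_pages) {
    struct sigaction sa, old_segv, old_bus;
    int ok;
    page = (size_t)sysconf(_SC_PAGESIZE);
    size_t total = (1 + spare_pages) * page;
    char *base = mmap(NULL, total, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    if (mprotect(base, page, PROT_READ | PROT_WRITE) != 0) return -1;
    guard = base + page; guard_len = spare_pages * page; repairs = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);  /* some systems report it as SIGBUS */
    volatile char *dst = base;
    for (size_t i = 0; i < n; i++)     /* unchecked write, like the overflow */
        dst[i] = (char)(i & 0x7f);
    ok = n == 0 || dst[n - 1] == (char)((n - 1) & 0x7f);
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(base, total);
    return ok ? (int)repairs : -1;
}
```

Each page boundary crossed by the unchecked loop costs exactly one fault; the store that faulted completes on re-execution without the loop being aware of the repair.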
Paper
RADARBOR: Automatic Detection and Repair of Buffer Overflow Attacks, Technical Report, 2006.
Related Work
  1. T.-C. Chiueh and F.-H. Hsu. RAD: A compile-time solution to buffer overflow attacks. In Proc. of ICDCS'2001.
  2. Z. Liang and R. Sekar. Automatic generation of buffer overflow attack signatures: an approach based on program behavior models. In Proc. of ACSAC'2005.
  3. Z. Liang and R. Sekar. Fast and automated generation of attack signatures: a basis for building self-protecting systems. In Proc. of ACM CCS'2005.