Researchers have addressed the problem of protecting programs from computer worms in the past. Most of those proposals deal with detection of buffer overflows rather than post-attack repair. When an attack is detected, the program is restarted. If, however, the same attack is mounted repeatedly, the result is denial of service for the given network daemon. DIRA aims at automatic program repair: it logs the memory updates that the program performs when it runs normally and uses the log to restore the memory state of the program when an attack is detected.
Existing projects have never tried to adapt the execution state of the program so that the program avoids the attacks naturally. The goal of this project, called RADARBOR, is to design and implement a compiler-based solution that transforms the source code of a program so that the program detects stack-based buffer overflow attacks and adjusts its environment, that is, its memory layout, to accommodate the effects of the attack. The application then continues execution in the updated memory layout.
RADARBOR uses RAD to detect attacks. The repair of memory layout leverages correlation techniques similar to those used in ARBOR and COVERS.
The detection mechanism generates a page fault whenever an out-of-bounds array access is performed. The program's registers are then saved on the stack and the page fault handler is invoked. It repairs the attacked program in two steps: (1) it reallocates the overflowed array; (2) it fixes all stack-based array references and registers of the program. After the page fault handler returns, the OS tries to re-execute the faulting instruction after restoring the registers. The novel feature of this project is that it takes advantage of the OS's capability to automatically restart the execution from the point where an anomaly was detected.
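The fault-and-restart cycle described above can be reproduced in user space; the following is an added example, not RADARBOR's code. It assumes Linux/POSIX, all names are hypothetical, and it simplifies the repair step: instead of reallocating the array and fixing references and registers, the handler grows the array in place by unprotecting the guard page behind it.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static char *region;                  /* [array page][guard page] from one mmap */
static size_t page;
static volatile sig_atomic_t repairs; /* overflows detected and repaired */

/* Fault handler: a fault inside the guard page is an out-of-bounds write.
 * Repair by making the guard page part of the array, then return so the
 * kernel re-executes the faulting store. (mprotect in a handler is common
 * practice but not on the POSIX async-signal-safe list.) */
static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    (void)ctx;
    char *addr = (char *)si->si_addr;
    if (addr >= region + page && addr < region + 2 * page &&
        mprotect(region + page, page, PROT_READ | PROT_WRITE) == 0) {
        repairs++;
        return;
    }
    signal(sig, SIG_DFL);             /* unrelated fault: crash as usual */
}

/* Copies len bytes into a one-page array followed by a guard page.
 * Returns the number of repairs, or -1 on setup failure or data mismatch. */
int copy_with_repair(const char *src, size_t len)
{
    struct sigaction sa;
    page = (size_t)sysconf(_SC_PAGESIZE);
    if (len > 2 * page) return -1;
    region = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    if (mprotect(region + page, page, PROT_NONE) != 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    if (sigaction(SIGBUS, &sa, NULL) != 0) return -1;  /* some systems report SIGBUS */
    repairs = 0;
    volatile char *dst = region;      /* byte-by-byte unchecked copy */
    for (size_t i = 0; i < len; i++) dst[i] = src[i];
    int ok = memcmp(region, src, len) == 0;
    munmap(region, 2 * page);
    return ok ? (int)repairs : -1;
}
```

The copy loop never checks a bound: the store that crosses the page boundary faults once, the handler extends the array, and the same instruction then completes.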
RADARBOR: Automatic Detection and Repair of Buffer Overflow Attacks, Technical Report, 2006.
- T.-C. Chiueh and F.-H. Hsu. RAD: A compile-time solution to buffer overflow attacks, In Proc. of ICDCS'2001.
- Z. Liang and R. Sekar. Automatic generation of buffer overflow attack signatures: an approach based on program behavior models. In Proc. of ACSAC'2005.
- Z. Liang and R. Sekar. Fast and automated generation of attack signatures: a basis for building self-protecting systems. In Proc. of ACM CCS'2005.