RADARBOR: Automatic Detection and Repair of Buffer Overflow Attacks
This work has been done at SUNY Stony Brook
Project Members
Introduction
Researchers have previously addressed the problem of protecting
programs from computer worms. Most of those proposals deal with
detection of buffer overflows rather than post-attack repair: when an
attack is detected, the program is restarted. If, however, the same
attack is mounted repeatedly, the result is denial of service
for the network daemon under attack. DIRA aims at automatic
program repair: it logs the memory updates that the program
performs when it runs normally and uses the log to restore the memory
state of the program when an attack is detected.
Existing projects have never tried to adapt the execution state of the program so that the program avoids the attacks naturally. The goal of this project, called RADARBOR, is to design and implement a compiler-based solution that transforms the source code of a program so that the program detects stack-based buffer overflow attacks and adjusts its environment, that is, its memory layout, to accommodate the effects of the attack. The application then continues execution in the updated memory layout.
RADARBOR uses RAD to detect attacks. The repair of memory layout leverages correlation techniques similar to those used in ARBOR and COVERS.
System Architecture
The detection mechanism generates a page fault whenever an
out-of-bounds array access is performed. The program's registers are
then saved on the stack and the page fault handler is invoked. It
repairs the attacked program in two steps: (1) it reallocates the
overflown array; (2) it fixes all stack-based array references and
registers of the program. After the page fault handler returns, the OS
tries to re-execute the faulting instruction after restoring the
registers. The novel feature of this project is that it takes
advantage of the OS's capability to automatically restart the
execution from the point where an anomaly was detected.
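The fault-and-restart mechanism described above can be seen in a small user-space program; this is an added example, not RADARBOR's code. It is simplified: the array lives in an mmap'd region rather than on the stack, and the repair grows the array in place by unprotecting the next reserved page instead of reallocating it and fixing references and registers. All names are hypothetical and Linux is assumed.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical names; a sketch of detect-by-page-fault, repair, restart. */
static unsigned char *region;          /* array pages, then PROT_NONE reserve */
static size_t page, data_pages, total_pages;
static volatile sig_atomic_t repairs;  /* faults repaired so far */

/* Runs when an out-of-bounds store hits the inaccessible reserve. */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    unsigned char *addr = si->si_addr;
    unsigned char *guard = region + data_pages * page;
    if (addr >= guard && addr < region + total_pages * page &&
        mprotect(guard, page, PROT_READ | PROT_WRITE) == 0) {
        data_pages++;                  /* the array is now one page larger */
        repairs++;
        return;                        /* kernel re-executes the faulting store */
    }
    signal(SIGSEGV, SIG_DFL);          /* not repairable: the retry terminates */
}

/* Map the array plus a reserve and install the handler; 0 on success. */
int guarded_setup(size_t npages, size_t reserve) {
    struct sigaction sa;
    page = (size_t)sysconf(_SC_PAGESIZE);
    data_pages = npages;
    total_pages = npages + reserve;
    region = mmap(NULL, total_pages * page, PROT_NONE,
                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    if (mprotect(region, data_pages * page, PROT_READ | PROT_WRITE)) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Unchecked byte-by-byte copy of len bytes; returns total repairs so far. */
int overflow_and_count(size_t len) {
    volatile unsigned char *buf = region;
    for (size_t i = 0; i < len; i++) buf[i] = 'A';
    return (int)repairs;
}

int main(void) {
    return (guarded_setup(1, 3) == 0 && overflow_and_count(page + 100) == 1) ? 0 : 1;
}
```

The copy loop contains no bounds check and no retry logic: the store that faults is simply executed again once the handler returns, which is the OS capability the paragraph above relies on.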
Paper
RADARBOR:
Automatic Detection and Repair of Buffer Overflow Attacks,
Technical Report, 2006.
Related Work
- T.-C. Chiueh and F.-H. Hsu. RAD: A compile-time solution to buffer overflow attacks, In Proc. of ICDCS'2001.
- Z. Liang and R. Sekar. Automatic generation of buffer overflow attack signatures: an approach based on program behavior models. In Proc. of ACSAC'2005.
- Z. Liang and R. Sekar. Fast and automated generation of attack signatures: a basis for building self-protecting systems. In Proc. of ACM CCS'2005.