
Secure Patrol: Patrolling Against Buffer Overflow Exploits

Bibliographic Details
Published in: Information security journal. 2014-05, Vol.23 (3), p.107-117
Main Authors: Solanki, Jaydeep; Shah, Aenik; Das, Manik Lal
Format: Article
Language: English
Description
Summary: Buffer overflow attacks are caused by exploitation of the stack or heap in computer memory. One of the targets behind buffer overflow attacks is the return address of a function. Another potential actor in buffer overflow attacks is the Global Offset Table (GOT); exploiting it can also lead to disastrous results, such as a call to printf(), which can be transformed to a system() call. This paper focuses on mitigation of stack-based buffer overflow attacks and securing the GOT. The proposed approach is a compiler-level protection aimed at preventing such exploits using shadow stacks, a linked list behaving as a stack, that store the return addresses and frame pointers. The return address and frame pointer are pushed onto these stacks during the prologue of every function, and in the epilogue they are compared with the ones residing inside the actual stack. If they match, the program continues; otherwise, it is terminated and this event is recorded in the system log. To make these shadow stacks invisible to the attacker, the address of the top of the shadow stack is stored inside Thread Local Storage (TLS) for the process to refer to it later. In order to forestall GOT manipulation, the proposed approach uses a global array which contains a backup of the GOT; when a call to a GOT entry is made, the value inside that entry and the respective value inside the backup table are compared. If they match, the program continues; otherwise, it terminates the process instantaneously. The proposed approach, Secure Patrol, is efficient, secure against stack-based buffer overflow and resistant to GOT manipulation.
ISSN: 1939-3555, 1939-3547
DOI: 10.1080/19393555.2014.972597