Comparison of Dynamic Buffer Overflow Protection Tools

Viking, Pontus

January 2006

<p>As intrusion attacks on systems become more and more complex, the tools trying to stop these attacks must follow. This thesis has developed a testbed to test and evaluated three freely available protection tools for the GNU/Linux platform to see how they fare against attacks.</p>

Buffer overflow

Computer science

Datalogi

Comparison of Dynamic Buffer Overflow Protection Tools

Viking, Pontus

January 2006

As intrusion attacks on systems become more and more complex, the tools trying to stop these attacks must follow. This thesis has developed a testbed to test and evaluated three freely available protection tools for the GNU/Linux platform to see how they fare against attacks.

Buffer overflow

Computer Sciences

Datavetenskap (datalogi)

Buffer Overflow Attack and Prevention for Embedded Systems

Sikiligiri, Amjad Basha M.

26 September 2011

No description available.

Computer Engineering

Buffer overflow

Embedded systems

Association rules for exploit code analysis to prevent Buffer Overflow

Li, Chang-Yu

01 August 2007

As the development of software applications and Internet, the security issues that come with get more serious. Buffer Overflow is an unavoidable problem while software programming. According to the advisories of each year, they show that many security vulnerabilities are from Buffer Overflow. Buffer Overflow is also the cause of intrusion made by hackers. The users of software applications usually depend on the software updates released by software venders to prevent the attacks caused by Buffer Overflow. So before applying software updates, that how to avoid attacks to software and prolong the save period of software is an important issue to prevent Buffer Overflow. By collecting and analyzing the exploit codes used by hackers, we can build the overall pattern of Buffer Overflow attacks, and we can take this pattern as the basis for preventing future Buffer Overflow attacks. Association rules can find the relations of unknown things, so it can help to build the common pattern between Buffer Overflow attacks. So this work applies association rules to build the pattern of Buffer Overflow attacks, and to find out the relations of system calls inside the exploit codes. We experiment and build a group of system call rules that can differentiate the attack behavior and the normal behavior. These rules can detect the Buffer Overflow attacks exactly and perform well in false positives. And then they can help to do further defenses after detecting attacks and alleviate the seriousness of Buffer Overflow attacks to computer systems.

system call

association rules

Buffer Overflow

exploit code

Stack Protection Mechanisms In Packet Processing Systems

Wu, Peng

01 January 2013

As the functionality that current computer network can provide is becoming complicated, a traditional router with application-specific integrated circuit (ASIC) implementation can't satisfy the flexibility requirements. Instead, a programmable packet forward system based on a general-purpose processor could provide the flexibility. While this system provides flexibility, a new potential security issue arises. Usually, software is involved as the packet forward system is programmable. The software's potential vulnerability, especially as to the remote exploits, becomes an issue of network security. In this thesis work, we proposed a software stack overflow vulnerability on click modular router and show how a disastrous denial-of-service attack on click modular router could be triggered by a single packet. In our research work, click modular router runs on Linux operating system based on general-purpose hardware. We actually showed that even a software router run within a modern operating system's protection is vulnerable by elaborate attack. And we checked the possible stack protection mechanisms on modern OS based on general-purpose hardware and proposed a possible stack protection mechanism for embedded OS.

Stack Protection

Buffer Overflow

Packet Processing Systems

Digital Communications and Networking

Metriky pro detekci útoků v síťovém provozu / Metrics for Intrusion Detection in Network Traffic

Homoliak, Ivan

January 2012

Publication aims to propose and apply new metrics for intrusion detection in network traffic according to analysis of existing metrics, analysis of network traffic and behavioral characteristics of known attacks. The main goal of the thesis is to propose and implement new collection of metrics which will be capable to detect zero day attacks.

Evaluating error when estimating the loss probability in a packet buffer

Wahid, Amna Abdul

January 2016

In this thesis we explore precision in measurement of buffer overflow and loss probability. We see how buffer overflow probability compares with queuing delay measurements covered in the literature. More specifically, we measure the overflow probability of a packet buffer for various sampling rates to see the effect of sampling rate on the estimation. There are various reasons for measurement in networks; one key context assumed here is Measurement Based Admission Control. We conduct simulation experiments with analytically derived VoIP and bursty traffic parameters, in Matlab, while treating the buffer under consideration as a two-state Markov Chain. We note that estimation error decreases with increase in sampling gap (or in other words precision improves/variance decreases with decrease in sampling rate). We then perform experiments for VoIP and bursty data using NS-2 simulator and record the buffer states generated therein. We see a similar trend of increase in precision with increase in sampling gap. In our simulations, we have mainly considered static traffic passing through the buffer, and we use elastic traffic (TCP) for comparison. We see from our results that the sampling error becomes constant beyond certain asymptotic level. We thus look into asymptotic error in estimation,for the lowest sampling gap, to establish a lower bound on estimation error for buffer loss probability measurement. We use formulae given in recent literature for computing the experimental and theoretic asymptotic variance of the buffer state traces in our scenarios. We find that the theoretical and experimental asymptotic variance of overflow probability match when sampling a trace of buffer states modelled as a two-state Markov Chain in Matlab. We claim that this is a new approach to computing the lower bound on the measurement of buffer overflow probability, when the buffer states are modelled as a Markov process. Using Markov Chain modelling for buffer overflow we further explore the relationship between sampling rate and accuracy. We find that there is no relationship between sampling gap and bias of estimation. Crucially we go on to show that a more realistic simulation of a packet buffer reveals that the distribution of buffer overflow periods is not always such as to allow simple Markov modelling of the buffer states; while the sojourn periods are exponential for the smaller burst periods, the tail of the distribution does not fit to the same exponential fitting. While our work validates the use of a two-state Markov model for a useful approximation modelling the overflow of a buffer, we have established that earlier work which relies on simple Markovian assumptions will thereby underestimate the error in the measured overflow probabilities.

Uma ferramenta multiplataforma para prevenção de buffer overflow / A Multiplatform tool to prevent buffer overflows

Mello, Paulo Estima

January 2009

Este trabalho apresenta um método para prevenir as vulnerabilidades causadas por erros de programação insegura que, normalmente, é resultado da solução de um problema proposto ou do desenvolvimento de funcionalidade sem levar em consideração a segurança do sistema como um todo. Os erros de programação (no contexto da segurança de um sistema e não apenas da sua funcionalidade) são normalmente frutos da ignorância do programador sobre as vulnerabilidades apresentadas pelas suas ferramentas para construção de programas. O estado da arte é brevemente apresentado demonstrando as soluções atuais em termos de proteção contra ataques de buffer overflow baseado em pilha. Soluções em tempo de compilação e pós-compilação por parte do sistema operacional são as mais comuns. Neste escopo é demonstrada a solução proposta por um protótipo funcional que valida o modelo para uma série de aplicações em duas plataformas diferentes (Windows e Linux). A solução converge a instrumentação de aplicações com o uso de um repositório de endereços de retorno para prevenir o retorno de funções a endereços não legalmente especificados. Testes do protótipo foram realizados em ambas as plataformas e mostraram a eficácia do protótipo prevenindo falhas em casos reais de buffer overflow baseado em pilha. / This paper presents a method to prevent the vulnerabilities caused by insecure programming which, usually, is an outcome of taking into account only the solution of a proposed problem or the development of new functionalities disregarding security on development of the system as a whole. The programming mistakes (in the context of the system security despite the system's functionality) are usually a result of the unawareness of the programmed about the vulnerabilities contained on the tools they use to develop software. The state of the art is briefly presented showing the current solutions related to preventing buffer overflows based on stack. Both compile time and post-compilation solutions (usually as part of the operating system) are the most widely used. In this work the proposed solution is demonstrated by a functional prototype which validates the model for a set of applications in two different platforms (Windows and Linux). The solution converges process instrumentation with a return address repository to prevent a function from returning to an address not legally specified. Testes of the prototype were performed in both platforms previously mentioned and have proved the correctness of the prototype by actually preventing exploitation on real case scenarios of real world applications.

Seguranca : Computadores

Tolerancia : Falhas : Software

Security

Instrumentation

Buffer overflow

Programming error

Failure-Oblivious Computing and Boundless Memory Blocks

Rinard, Martin C.

01 1900

Memory errors are a common cause of incorrect software execution and security vulnerabilities. We have developed two new techniques that help software continue to execute successfully through memory errors: failure-oblivious computing and boundless memory blocks. The foundation of both techniques is a compiler that generates code that checks accesses via pointers to detect out of bounds accesses. Instead of terminating or throwing an exception, the generated code takes another action that keeps the program executing without memory corruption. Failure-oblivious code simply discards invalid writes and manufactures values to return for invalid reads, enabling the program to continue its normal execution path. Code that implements boundless memory blocks stores invalid writes away in a hash table to return as the values for corresponding out of bounds reads. he net effect is to (conceptually) give each allocated memory block unbounded size and to eliminate out of bounds accesses as a programming error. We have implemented both techniques and acquired several widely used open source servers (Apache, Sendmail, Pine, Mutt, and Midnight Commander).With standard compilers, all of these servers are vulnerable to buffer overflow attacks as documented at security tracking web sites. Both failure-oblivious computing and boundless memory blocks eliminate these security vulnerabilities (as well as other memory errors). Our results show that our compiler enables the servers to execute successfully through buffer overflow attacks to continue to correctly service user requests without security vulnerabilities. / Singapore-MIT Alliance (SMA)

Memory Errors

Buffer Overflow Attacks

Failure-Oblivious Computing

Acceptability-Oriented Computing

Mutation-based testing of buffer overflows, SQL injections, and format string bugs

Shahriar, Hossain

20 August 2008

Testing is an indispensable mechanism for assuring software quality. One of the key issues in testing is to obtain a test data set that is able to effectively test an implementation. An adequate test data set consists of test cases that can expose faults in a software implementation. Mutation-based testing can be employed to obtain adequate test data sets, and numerous mutation operators have been proposed to date to measure the adequacy of test data sets that reveal functional faults. However, implementations that pass functionality tests are still vulnerable to malicious attacks. Despite the rigorous use of various existing testing techniques, many vulnerabilities are discovered after the deployment of software implementations, such as buffer overflows (BOF), SQL injections, and format string bugs (FSB). Successful exploitations of these vulnerabilities may result in severe consequences such as denial of services, application state corruptions, and information leakage. Many approaches have been proposed to detect these vulnerabilities. Unfortunately, very few approaches address the issue of testing implementations against vulnerabilities. Moreover, these approaches do not provide an indication whether a test data set is adequate for vulnerability testing or not. We believe that bringing the idea of traditional functional test adequacy to vulnerability testing can help address the issue of test adequacy. In this thesis, we apply the idea of mutation-based adequate testing to perform vulnerability testing of buffer overflows, SQL injections, and format string bugs. We propose mutation operators to force the generation of adequate test data sets for these vulnerabilities. The operators mutate source code to inject the vulnerabilities in the library function calls and unsafe implementation language elements. The mutants generated by the operators are killed by test cases that expose these vulnerabilities. We propose distinguishing or killing criteria for mutants that consider varying symptoms of exploitations. Three prototype tools are developed to automatically generate mutants and perform mutation analysis with input test cases and the effectiveness of the proposed operators is evaluated on several open source programs containing known vulnerabilities. The results indicate that the proposed operators are effective for testing the vulnerabilities, and the mutation-based vulnerability testing process ensures the quality of the applications against these vulnerabilities. / Thesis (Master, Computing) -- Queen's University, 2008-08-18 13:53:04.036

Vulnerability testing

Buffer overflow

SQL injection

Format string bug

Test adequacy