TY - JOUR
T1 - A robust kernel-based solution to control-hijacking buffer overflow attacks
AU - Chen, L. I.Han
AU - Hsu, F. U.Hau
AU - Huang, Cheng Hsien
AU - Ou, Chih Wen
AU - Lin, Chia Jun
AU - Liu, Szu Chi
PY - 2011/5
Y1 - 2011/5
N2 - In this paper, we propose a robust kernel-based solution, called AURORA, to a ubiquitous security problem: control-hijacking Buffer Overflow Attacks (BOAs). AURORA utilizes either the addresses of the buffers storing input strings or signatures to detect and block control-hijacking BOA strings in the kernel, including zero-day ones. Although AURORA detects some types of BOAs through signatures, AURORA does not need to create any new signature for new attack instances after its installation because AURORA's signatures are created based on the commonality of control-hijacking BOAs. Moreover, even when a process is under a BOA, AURORA allows it to continue its execution or to be terminated gracefully without the cost of process idleness or repeated process crashes. Thus, AURORA is robust to control-hijacking BOAs. AURORA does not need to modify the source code of any application programs. Furthermore, AURORA is compatible with existing operating systems and application programs; hence, AURORA could work with other protection mechanisms to provide an extra layer of protection. Our experimental results show that with less than 1% overhead and negligible false positives, AURORA can accurately block various control-hijacking BOAs.
KW - AURORA
KW - Buffer overflow attack
KW - Control-hijacking BOA
KW - Return-into-libc attack
KW - Stack smashing attack
UR - http://www.scopus.com/inward/record.url?scp=79958162477&partnerID=8YFLogxK
M3 - Journal article
AN - SCOPUS:79958162477
SN - 1016-2364
VL - 27
SP - 869
EP - 890
JO - Journal of Information Science and Engineering
JF - Journal of Information Science and Engineering
IS - 3
ER -