RAD: a compile-time solution to buffer overflow attacks
Tzi-Cker Chiueh; Fu-Hau Hsu
Distributed Computing Systems, 2001. 21st International Conference on.
Apr 2001, Page(s): 409-417
Digital Object Identifier 10.1109/ICDSC.2001.918971
Summary: Buffer overflow attacks can be inflicted upon almost arbitrary programs
and are one of the most common vulnerabilities that can seriously
compromise the security of a network-attached computer system. This
paper presents a compiler-based solution to the notorious buffer
overflow attack problem. Using this solution, users can prevent
attackers from compromising their systems by changing the return address
to execute injected code, which is the most common method used in buffer
overflow attacks. Return address defender (RAD) is a simple compiler
patch that automatically creates a safe area to store a copy of return
addresses and automatically adds protection code into applications that
it compiles to defend programs against buffer overflow attacks. Using it
to protect a program does not require modifying the source code of the
protected program. Moreover, RAD does not change the layout of stack
frames, so the binary code it generates is compatible with existing
libraries and other object files. Empirical performance measurements on
a fully operational RAD prototype show that programs protected by RAD
only experience a slow-down factor of between 1.01 and 1.31. In this
paper we present the principle of buffer overflow attacks, a taxonomy of
defense methods, the implementation details of RAD, and the performance
analysis of the RAD prototype.
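
A small C model of the mechanism the summary describes (a safe area holding copies of return addresses, plus inserted entry and exit checks), added here as an illustration and not code from the RAD paper or its compiler patch. The `frame` struct, the `rar` array, the function names and the address `0x401000` are constructed assumptions; the stack frame is modelled as a struct so the overwrite stays well defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAR_DEPTH 64                 /* capacity of the safe area (assumed) */

/* Safe area: copies of return addresses, stored apart from the stack frames. */
static uintptr_t rar[RAR_DEPTH];
static size_t rar_top;

/* Modelled stack frame: a local buffer directly below the return address. */
struct frame {
    char buf[16];
    uintptr_t ret;
};

/* Inserted at function entry: save a copy of the return address. */
static int rad_prologue(const struct frame *f) {
    if (rar_top == RAR_DEPTH) return -1;   /* safe area full */
    rar[rar_top++] = f->ret;
    return 0;
}

/* Inserted before return: 1 if the frame's address matches the saved copy. */
static int rad_epilogue(const struct frame *f) {
    if (rar_top == 0) return 0;
    return rar[--rar_top] == f->ret;
}

/* Models a callee that copies n input bytes into buf without checking n
 * against sizeof buf. The copy is clamped to the frame so the model itself
 * stays well defined. Returns 1 (intact), 0 (overwritten) or -1 (no room). */
int call_with_input(const void *input, size_t n) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.ret = (uintptr_t)0x401000;           /* constructed return address */
    if (rad_prologue(&f) != 0) return -1;
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, input, n);                  /* n > 16 spills into f.ret */
    return rad_epilogue(&f);
}

int main(void) {
    char in[sizeof(struct frame)];
    memset(in, 'A', sizeof in);            /* constructed input */
    printf("16 bytes: %d\n", call_with_input(in, 16));
    printf("%zu bytes: %d\n", sizeof in, call_with_input(in, sizeof in));
    return 0;
}
```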