Automatic Generation of Buffer Overflow Attack Signatures: An Approach Based on Program Behavior Models

Zhenkai Liang
Stony Brook University

R. Sekar
Stony Brook University

Buffer overflows have become the most common target for network-based
attacks, contributing to an overwhelming majority of the security
advisories issued in the last few years. They are also the primary
mechanism used by worms and other forms of automated attacks. Although
many techniques (e.g., StackGuard, CCured) have been developed to prevent
server compromises due to these attacks, these defenses still lead to
server crashes. When attacks occur repeatedly, as in the case of worms,
these protection mechanisms lead to repeated restarts of the victim
application, rendering its service unavailable. For instance, we have
found that at a relatively low rate of 10 attacks/second, a DNS server
becomes totally unavailable. To overcome this problem, we develop a novel
approach that can learn the characteristics of a particular attack, and
filter out future instances of the same attack or its variants. Since
attacks are delivered through inputs to servers, our approach is
implemented as a layer that filters these inputs. It is implemented
without changing the server, or even having access to its source code.
Since attack-bearing inputs are dropped before they corrupt the
victim process, there is no need to restart the victim; as a result,
recovery from attacks is very fast, thereby preserving the availability of
the service in the face of repeated attacks. In our experiments, the
approach was shown to be effective against most buffer overflow attacks
prevalent today, and didn't produce false positives.

Keywords: Signature, Buffer Overflow, Worm

Read Paper Read Paper (in PDF)