
Protecting against address space layout randomisation (ASLR) compromises and return-to-libc attacks using network intrusion detection systems

Published in: International Journal of Automation and Computing

Abstract

Writable XOR executable (W⊕X) and address space layout randomisation (ASLR) have raised the level of understanding needed to perpetrate buffer overflow exploits [1]. However, they have not proved to be a panacea [1–3], and so other mechanisms, such as stack guards and prelinking, have been introduced. In this paper, we show that host-based protection still does not offer a complete solution. To demonstrate the inadequacies of this protection, we perform an over-the-network brute force return-to-libc attack against a preforking concurrent server to gain remote access to a shell. The attack defeats host protection including W⊕X and ASLR. We then demonstrate that deploying a network intrusion detection system (NIDS) with appropriate signatures can detect this attack efficiently.
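The abstract does not reproduce the paper's signatures, so the following is an added illustration (not the authors' code) of the kind of network-side check a NIDS can apply to the scenario described: a brute force return-to-libc attack against a preforking server shows up on the wire as a burst of oversized payloads from one source, because each wrong guess only crashes a child and the attacker reconnects. The thresholds, service port and sample traffic are constructed assumptions.

```python
"""Toy rate-and-length detector for brute-force overflow attempts (added example)."""
from collections import defaultdict, deque

# Assumed thresholds (not taken from the paper): a client payload longer than
# BUF_LIMIT bytes to the service port counts as an overflow attempt, and
# MAX_ATTEMPTS such attempts from one source within WINDOW seconds is a brute force.
BUF_LIMIT = 512
MAX_ATTEMPTS = 5
WINDOW = 10.0
SERVICE_PORT = 8000  # hypothetical port of the preforking server


class BruteForceDetector:
    def __init__(self, buf_limit=BUF_LIMIT, max_attempts=MAX_ATTEMPTS, window=WINDOW):
        self.buf_limit = buf_limit
        self.max_attempts = max_attempts
        self.window = window
        self.attempts = defaultdict(deque)  # source -> timestamps of oversized payloads
        self.alerts = []  # (source, timestamp, attempts_in_window)

    def observe(self, ts, src, dst_port, payload):
        """Feed one reassembled client-to-server payload; return True when an alert fires."""
        if dst_port != SERVICE_PORT or len(payload) <= self.buf_limit:
            return False
        q = self.attempts[src]
        q.append(ts)
        # Drop attempts that fell out of the sliding window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            self.alerts.append((src, ts, len(q)))
            q.clear()  # one alert per burst, then start counting again
            return True
        return False


def run(records, **kw):
    """Run the detector over (ts, src, dst_port, payload) records and return its alerts."""
    det = BruteForceDetector(**kw)
    for rec in records:
        det.observe(*rec)
    return det.alerts


# Constructed sample traffic: 10.0.0.5 sends six oversized payloads in six seconds
# (a brute-force burst); 10.0.0.9 sends one normal request and one isolated oversized one.
SAMPLE = [(float(i), "10.0.0.5", SERVICE_PORT, b"A" * 600) for i in range(6)]
SAMPLE += [(2.5, "10.0.0.9", SERVICE_PORT, b"GET /index\n"),
           (4.0, "10.0.0.9", SERVICE_PORT, b"A" * 700)]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print("brute-force burst from %s at t=%.1f (%d attempts)" % alert)
```

A single oversized payload is not alerted on by itself; the signature is the repetition, which is what distinguishes a brute force against a forking server from a one-off malformed request.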



References

  1. C. Reis, A. Barth, C. Pizano. Browser security: Lessons from Google Chrome. Communications of the ACM, vol. 52, no. 8, pp. 45–49, 2009.

  2. H. Shacham, M. Page, B. Pfaff, E. J. Goh, N. Modadugu, D. Boneh. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security, ACM, New York, USA, pp. 298–307, 2004.

  3. A. Sotirov, M. Dowd. Bypassing Browser Memory Protections, [Online], Available: http://www.blackhat.com/presentations/bh-usa-08/SotirovDowd/bh08-sotirovdowd.pdf, March 8, 2011.

  4. Z. Liang, R. Sekar. Fast and automated generation of attack signatures: A basis for building self-protecting servers. In Proceedings of the 21st Annual Computer Security Applications Conference, Tucson, USA, pp. 215–224, 2005.

  5. J. C. Foster, V. Osipov, N. Bhalla, N. Heinen. Buffer Overflow Attacks, Burlington, USA: Syngress, 2005.

  6. SANS. The Top Cyber Security Risks, [Online], Available: http://www.sans.org/top-cyber-security-risks/#trends, March 9, 2011.

  7. TIOBE Software. TIOBE Programming Community Index for September 2008, [Online], Available: http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html, March 9, 2011.

  8. A. K. Ghosh, C. Howell, J. A. Whittaker. Building software securely from the ground up. IEEE Software, vol. 19, no. 1, pp. 14–16, 2002.

  9. C. Schmidt, T. Darby. The What, Why, and How of the 1988 Internet Worm, [Online], Available: http://www.snowplow.org/tom/worm/worm.html, March 9, 2011.

  10. C. Cowan. Buffer Overflow Attacks, [Online], Available: http://www.usenix.org/publications/library/proceedings/sec98/full_papers/cowan/cowan_html/node3.html, March 9, 2011.

  11. H. Etoh. Evaluation, [Online], Available: http://www.trl.ibm.com/projects/security/ssp/node5.html, March 9, 2011.

  12. C. Cowan, C. Pu, H. Hinton. Death, taxes and imperfect software: Surviving the inevitable. In Proceedings of the 1998 Workshop on New Security Paradigms, ACM, New York, USA, pp. 54–70, 1998.

  13. C. Cowan, P. Wagle, C. Pu, S. Beattie, J. Walpole. Buffer overflows: Attacks and defenses for the vulnerability of the decade. IEEE Computer Society, vol. 2, pp. 119–129, 2000.

  14. T. Bradley. Introduction to Intrusion Detection Systems, [Online], Available: http://netsecurity.about.com/cs/hackertools/a/aa030504.htm, March 9, 2011.

  15. S. S. S. Sindhu, S. Geetha, M. Marikannan, A. Kannan. A neuro-genetic based short-term forecasting framework for network intrusion prediction system. International Journal of Automation and Computing, vol. 6, no. 4, pp. 406–414, 2009.

  16. M. Polychronakis, K. G. Anagnostakis, E. P. Markatos. Network-level polymorphic shellcode detection using emulation. Journal in Computer Virology, vol. 2, no. 4, pp. 257–274, 2006.

  17. H. L. Huang, T. J. Liu, K. H. Chen, C. R. Dow, L. C. Wu. A polymorphic shellcode detection mechanism in the network. In Proceedings of the 2nd International Conference on Scalable Information Systems, ACM, Suzhou, PRC, 2007.

  18. R. Lippmann, S. Webster, D. Stetson. The effect of identifying vulnerabilities and patching software on the utility of network intrusion detection. In Proceedings of the 5th International Conference on Recent Advances in Intrusion Detection, ACM, pp. 307–326, 2002.

  19. Rule Performance Part One: Content Matches, [Online], Available: http://vrt-blog.snort.org/2009/07/ruleperformance-part-one-content.html, March 10, 2011.

  20. Aleph1. Smashing the Stack for Fun and Profit, [Online], Available: http://www.phrack.org/issues.html?issue=49&id=14#article, March 9, 2011.

  21. L. Haendel. The Function Pointer Tutorials, [Online], Available: http://www.newty.de/fpt/intro.html#what, March 9, 2011.

  22. H. Etoh. Stack Protection Systems: ProPolice, StackGuard, XP SP2, [Online], Available: http://pacsec.jp/psj04/psj04-hiroaki-e.ppt, March 10, 2011.

  23. H. Schildt. C++ A Beginner’s Guide, 2nd ed., Maidenhead, UK: McGraw-Hill, 2003.

  24. C. Sanders. Buffer Overflows, Data Execution Prevention, and You, [Online], Available: http://www.windowsecurity.com/articles/Buffer-Overflows-Data-Execution-Prevention-You.htm, March 9, 2011.

  25. A. van de Ven. New Security Enhancements in Red Hat Enterprise Linux v.3, update 3. Raleigh, North Carolina, USA: Red Hat, 2004, [Online], Available: http://www.redhat.com/f/pdf/rhel/WHP0006US Execshield.pdf, March 9, 2011.

  26. O. Whitehouse. An Analysis of Address Space Layout Randomization on Windows Vista. Cupertino: Symantec, 2007, [Online], Available: http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf, March 9, 2011.

  27. F. Losliweg. Bypassing Windows Vista’s Address Space Layout Randomization. Switzerland: skillTube.com, 2007.

  28. W. Hu, J. Hiser, D. Williams, A. Filipi, J. W. Davidson, D. Evans. Secure and practical defense against code-injection attacks using software dynamic translation. In Proceedings of the 2nd International Conference on Virtual Execution Environments, ACM, pp. 2–12, 2006.

  29. Linux Kernel Patch from the Openwall Project, [Online], Available: http://www.openwall.com/linux/, March 9, 2011.

  30. P. Lacroix, J. Desharnais. Buffer Overflow Vulnerabilities in C and C++. s.l., Unpublished Report, 2008.

  31. GCC Steering Committee, [Online], Available: http://gcc.gnu.org/releases.html, March 9, 2011.

  32. Skape. Preventing the Exploitation of SEH Overwrites, [Online], Available: http://www.uninformed.org/?v=5&a=2&t=pdf, March 9, 2011.

  33. Security Focus. Oracle 9i Application Server PL/SQL Apache Module Buffer Overflow Vulnerability, [Online], Available: http://www.securityfocus.com/bid/3726/discuss, March 9, 2011.

  34. W. R. Stevens, B. Fenner, A. M. Rudoff. Unix Network Programming, Boston, USA: Pearson Education, 2003.

  35. T. Durden. Defeating PaX ASLR protection. Phrack, vol. 12, 2002.

  36. Workstation 7, VMware, [Online], Available: http://www.vmware.com/workstation, March 9, 2011.

  37. Wireshark, [Online], Available: http://www.wireshark.org/, March 9, 2011.

  38. Sourcefire, [Online], Available: http://www.snort.org/, March 9, 2011.

  39. The Advanced Return-into-lib(c) Exploits, vol. 11, [Online], Available: http://www.phrack.org/issues.html?issue=58&id=4, March 9, 2011.

  40. Exploitation for Phun and Profit, [Online], Available: http://dl.packetstormsecurity.net/papers/attack/phun.pdf, March 9, 2011.

  41. R. van Riel, S. Feng. Documentation for /proc/sys/kernel, [Online], Available: http://www.kernel.org/doc/Documentation/sysctl/kernel.txt, March 9, 2011.

  42. Documentation for the PaX Project, [Online], Available: http://pax.grsecurity.net/docs/index.html, March 9, 2011.

  43. M. Rash. Intrusion Prevention and Active Response: Deploying Network and Host IPS, Rockland, USA: Syngress, 2005.

  44. The GNU Netcat Project, [Online], Available: http://netcat.sourceforge.net/, March 9, 2011.

  45. LinuxManPages, [Online], Available: http://linuxmanpages.com/, March 9, 2011.

  46. J. R. Moser. Prelink and Address Space Randomization, [Online], Available: http://lwn.net/Articles/190139/, March 9, 2011.

  47. C. Cowan, P. Wagle, C. Pu. Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade, [Online], Available: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.147.3917&rep=rep1&type=pdf, March 9, 2011.

  48. Mozilla wiki, [Online], Available: https://wiki.mozilla.org/Gecko:Home_Page, March 9, 2011.

  49. Stack Smash Protection, [Online], Available: http://dsbd._alioth.debian.org/www/?page=ssp, March 9, 2011.

  50. Sourcefire Vulnerability Research Team, [Online], Available: http://www.sourcefire.com/resources/sourcefire-vrtwhite-paper, March 9, 2011.

  51. Writing Detection Signatures, [Online], Available: http://www.usenix.org/publications/login/2005-12/pdfs/jordan.pdf, March 9, 2011.

  52. The Snort Project. Snort Users Manual. s.l.: Snort, 2009.

  53. IEEE Computer Society. Part 3: Carrier Sense Multiple Access with Collision Detection (CSMA/CD) Access Method and Physical Layer Specifications, [Online], Available: http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=01576509, March 9, 2011.

  54. PCRE — Perl Compatible Regular Expressions, [Online], Available: http://www.pcre.org/pcre.txt, March 9, 2011.

  55. S. Friedl. Mapping UNIX pipe descriptors to stdin and stdout in C, [Online], Available: http://unixwiz.net/techtips/remap-pipe-fds.html, March 9, 2011.

  56. S. J. Leffler. An Advanced 4.4BSD Interprocess Communication Tutorial, [Online], Available: http://docs.freebsd.org/44doc/psd/21.ipc/paper.pdf, March 9, 2011.

  57. J. Goyvaerts. Learn, Create, Understand, Test, Use and Save Regular Expressions with RegexBuddy, [Online], Available: http://www.regexbuddy.com/, March 9, 2011.

  58. Basic Analysis and Security Engine, [Online], Available: http://base.secureideas.net, March 9, 2011.

  59. The NTLM Authentication Protocol and Security Support Provider, [Online], Available: http://davenport.sourceforge.net/ntlm.html#ntlmhttpAuthentication, March 9, 2011.

  60. Vulnerability Note VU#878603, [Online], Available: http://www.kb.cert.org/vuls/id/878603, March 9, 2011.

  61. B. Caswell, J. Beale, A. Baker. Snort IDS and IPS Toolkit, Burlington, USA: Syngress, 2007.

  62. W. Wilson, P. Birkin, U. Aickelin. The motif tracking algorithm. International Journal of Automation and Computing, vol. 5, no. 1, pp. 32–44, 2008.


Author information

Corresponding author

Correspondence to Zheng-Xu Zhao.

Additional information

This work was supported by National Natural Science Foundation of China (No. 60873208).

David J. Day received the B. Sc. and M. Sc. degrees in computing systems and computer networks. He is a senior lecturer in computing and a teaching fellow for the Faculty of Business Computing and Law at the University of Derby. He is a Ph.D. candidate in networking systems.

His research interests include computing system intrusion detection and prevention, mobile device security, and computer network management.

Zheng-Xu Zhao received the B. Sc., M. Sc., and Ph. D. degrees in computing science and technology. He was a professor and chair in Applied Computing at the University of Derby from 1995 to 2008, and holds a D. Sc. from Derby for his research work in information technology and scientific visualization. He is currently a professor and Dean of the Faculty of Information Science and Technology at Shijiazhuang Tiedao University, PRC.

His research interests include virtual reality systems, scientific visualization, and information organization.


About this article

Cite this article

Day, D.J., Zhao, ZX. Protecting against address space layout randomisation (ASLR) compromises and return-to-libc attacks using network intrusion detection systems. Int. J. Autom. Comput. 8, 472–483 (2011). https://doi.org/10.1007/s11633-011-0606-0


  • DOI: https://doi.org/10.1007/s11633-011-0606-0
