
Detecting and preventing control-flow hijacking attacks in commodity software

Posted on: 2009-08-27
Degree: Ph.D
Type: Dissertation
University: Carnegie Mellon University
Candidate: Newsome, James
Full Text: PDF
GTID: 1448390002996927
Subject: Computer Science
Abstract/Summary:
Control-flow hijacking attacks allow an attacker to subvert a value that is loaded into the program counter of a running program, typically redirecting execution to his own injected code. Such attacks can be used to completely subvert a remote system, and can rapidly infect all vulnerable machines when used by a fast-spreading worm.

Currently, users of commodity software must rely on the vendor to develop and release a patch for a new vulnerability. Even when a patch is available, the end user must verify that it fixes the vulnerability without breaking functionality before installing it. In the time between the vulnerability becoming known to attackers and the time that a patch is released and tested, the user is at the mercy of remote attackers if he continues to run the vulnerable program.

In this work, we address the problem of how end users or third parties can automatically (1) detect and diagnose attacks against previously unknown vulnerabilities, and (2) prevent attacks against diagnosed vulnerabilities with minimal impact on performance and functionality. A workable solution must do this quickly, automatically, and without source code of the vulnerable program.

Specifically, we detect attacks against unknown control-flow hijacking vulnerabilities by using dynamic taint analysis to detect when a value loaded into the program counter has been influenced by data from the network. When an attack is detected, we weed out false positives and confirm true positives by using the logged program execution to quantify how much influence the network data gained over the value loaded into the program counter. For true positives, we rewrite the vulnerable binary to detect subsequent attacks against the same vulnerability with very little performance overhead. These techniques have been used as the basis for Sting and Sweeper, which provide efficient and effective end-to-end defense against control-flow hijacking attacks in commodity software, even when used by a fast-spreading zero-day worm.
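The detection step the abstract describes, reduced to a toy taint-tracking monitor (an illustration added here, not code from the thesis or from Sting/Sweeper). It assumes a constructed flat byte memory with one taint bit per byte, 4-byte little-endian words, and a stack frame whose 8-byte buffer is directly followed by the saved return address; the tainted-byte count stands in, crudely, for the thesis's influence quantification.

```python
# Toy dynamic-taint monitor for the detection step above: added illustration,
# not code from the thesis or from Sting/Sweeper. Constructed assumptions: flat
# byte memory, one taint bit per byte, 4-byte little-endian words, and a frame
# with an 8-byte buffer directly followed by the saved return address.
WORD = 4

class ControlFlowHijack(Exception):
    """The value about to be loaded into the PC carries network taint."""
    def __init__(self, target, tainted_bytes):
        super().__init__(f"PC <- {target:#x}: {tainted_bytes}/{WORD} bytes network-influenced")
        self.target, self.tainted_bytes = target, tainted_bytes

class TaintMemory:
    def __init__(self, size):
        self.data = bytearray(size)
        self.taint = [False] * size  # True = byte derived from network input

    def recv(self, dst, payload):
        """Network data lands tainted. Deliberately unchecked copy: this models
        the vulnerable handler's missing bounds check."""
        for i, b in enumerate(payload):
            self.data[dst + i] = b
            self.taint[dst + i] = True

    def load_word(self, addr):
        """Word at addr plus the taint bits of its source bytes."""
        val = int.from_bytes(self.data[addr:addr + WORD], "little")
        return val, self.taint[addr:addr + WORD]

def ret_instruction(mem, ret_slot):
    """Model 'ret': refuse the PC load if any source byte is tainted; the count is a crude influence measure."""
    target, bits = mem.load_word(ret_slot)
    if any(bits):
        raise ControlFlowHijack(target, sum(bits))
    return target

def run_handler(payload, buf_size=8):
    """Handler with an 8-byte stack buffer and the saved return address after it."""
    mem = TaintMemory(64)
    buf, ret_slot = 16, 16 + buf_size
    mem.data[ret_slot:ret_slot + WORD] = (0x401000).to_bytes(WORD, "little")  # legitimate return
    mem.recv(buf, payload)
    return ret_instruction(mem, ret_slot)

def diagnose(payload):
    """Run the handler under the monitor: (hijack_detected, tainted_bytes, pc_value)."""
    try:
        return False, 0, run_handler(payload)
    except ControlFlowHijack as e:
        return True, e.tainted_bytes, e.target
```

A well-formed request leaves the return address untainted, while an oversized message that spills into the return slot is caught at the moment of the PC load, with the tainted-byte count telling a partial overwrite apart from a full one.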
Keywords/Search Tags: Attacks, Control-flow hijacking, Loaded into the program counter, Commodity, Detect, Used