Research And Practice In Buffer Overflow Attack Technology Based On Multi-stage Network Attack Model

Buffer overflow is the most common kind of vulnerability in recent ten years. According to the CERT vulnerabilities advisories, it is inferred that buffer overflow vulnerabilities take up more than 50 percent of vulnerabilities total number. To carry out National Information Security Strategy, the State Council Informationization office has managed to launch the National E-Government Information Security Trial Work. Chongqing city is one of the four experimental cities. After analyzed the vulnerabilities summary of the experimental unit, we drew a conclusion that remote program execution result from buffer overflow occupy the 53 percent of vulnerabilities total number.Network attack is evolving with the co-operative and multi-stage tendency. A Network invasion constitutes a series of actions which are communicated with each other. The increasing complexity of network attack requires the formal modeling methodology for it. We made use of first-order predicate calculus to formally model the threats and vulnerabilities in the network system and proposed the MB-MSNAM, Mealy machine-Based Multi-stage Network Attack Model. And then we set up the buffer overflow attack model with in the trial. In order to obtain the accurate success probability of every buffer overflow attack, we have applied the Analytic Hierarchy Process to modeling the factors of buffer overflow attack success. we calculated the weight of every factor based on the established Analytic Hierarchy Model. The MB-MSNAM model production concludes the most effective attack path and trusted reference for the trial work security solution. we have developed the buffer overflow attack system to reflect the feature of MB-MSNAM and verify the attack path. This system achieves extremely good scalability. We have set up the network simulation for the buffer overflow attack experiment and tested the performance of the buffer overflow attack system.This paper is one of achievements of the National E-Government Information Security Trial Work launched by the State Council Informationization office.