
Buffer Overflow Attack Analysis And Real-time Detection Methods

Posted on: 2012-05-02
Degree: Master
Type: Thesis
Country: China
Candidate: S L Shi
Full Text: PDF
GTID: 2208330335971961
Subject: Computer software and theory

Abstract/Summary:
As computers become important in every aspect of society, computer network and information security attract close attention. Exploiting buffer overflows to cause damage accounts for a large share of computer security incidents. Many research results already target buffer overflows, for example writing secure code during programming, applying detection software to find buffer overflow vulnerabilities, and repairing the program before it is released. There are also defensive measures that prevent an attack from occurring, yet incidents in which a buffer overflow vulnerability is exploited, the defense is bypassed and the system is compromised still occur often. New defense methods that stop buffer overflow attacks are therefore still needed.

Attack code usually exploits a buffer overflow vulnerability to modify a function return address or a function entry address. When the program then executes the function return instruction or the function call instruction, control flow changes and jumps to the attack code. If, during program execution, the data that can change control flow are protected whenever they are used to decide the execution path, and it is detected whether these data have been modified or an error occurs, then attack behaviour can be discovered. Based on a study of the structural features of ELF files and the characteristics of program code execution, this thesis presents an approach for real-time detection of buffer overflow attacks. The approach uses PIN, a dynamic binary instrumentation tool that provides a number of API functions, to design a tool that processes the program at run time. During execution, when instructions such as function calls and function returns are executed, it checks the correctness of data such as the function return address and the function entry address and so determines whether attack code is present.

The main advantage of the method is that it requires no change to the software or hardware system and no access to the program's source code: it works directly on binary code. The thesis expounds the background and current state of research on the subject and analyses the principles of buffer overflow attacks, the attack methods and the defensive measures. It describes the dynamic linking procedure of ELF files and the memory layout of the loaded image. Summarising the characteristics of current buffer overflow attacks, it presents the real-time detection approach against several kinds of buffer overflow attack and analyses examples.
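The check described above, recording the expected return address at every call and verifying it at every return while also confirming that each call lands on a known function entry, is the core of the approach. The following C program is an added example, not code from the thesis or from PIN: it simulates the check over a constructed call/return event trace instead of running inside a real Pintool, and the addresses, the function-entry table and the trace events are all constructed sample values. A real instrumentation tool would obtain the same events from the instrumented binary and the entry table from the ELF symbol table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One CALL or RET event as an instrumentation tool would observe it (constructed). */
typedef enum { EV_CALL, EV_RET } ev_kind;

typedef struct {
    ev_kind   kind;
    uintptr_t pc;     /* address of the CALL or RET instruction */
    size_t    len;    /* CALL only: instruction length, so expected return = pc + len */
    uintptr_t target; /* CALL: callee entry used; RET: address actually popped */
} ev;

enum { SHADOW_MAX = 64 };

typedef struct {
    uintptr_t ret[SHADOW_MAX]; /* expected return addresses, innermost call on top */
    size_t    depth;
} shadow_stack;

typedef enum {
    VERDICT_CLEAN = 0,
    VERDICT_BAD_ENTRY,  /* CALL to an address that is not a known function entry */
    VERDICT_BAD_RETURN, /* RET to an address that differs from the recorded one */
    VERDICT_UNBALANCED  /* RET with nothing recorded, or call depth beyond SHADOW_MAX */
} verdict;

static int is_known_entry(uintptr_t a, const uintptr_t *entries, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (entries[i] == a) return 1;
    return 0;
}

/* Walk the trace. On detection, *at receives the index of the offending event;
 * on a clean trace it receives n. */
verdict check_trace(const ev *trace, size_t n,
                    const uintptr_t *entries, size_t n_entries, size_t *at) {
    shadow_stack ss = { {0}, 0 };
    for (size_t i = 0; i < n; i++) {
        const ev *e = &trace[i];
        if (e->kind == EV_CALL) {
            /* A corrupted function pointer shows up as a call outside the entry table. */
            if (!is_known_entry(e->target, entries, n_entries)) { *at = i; return VERDICT_BAD_ENTRY; }
            if (ss.depth == SHADOW_MAX) { *at = i; return VERDICT_UNBALANCED; }
            ss.ret[ss.depth++] = e->pc + e->len; /* record the legitimate return address */
        } else {
            if (ss.depth == 0) { *at = i; return VERDICT_UNBALANCED; }
            uintptr_t expected = ss.ret[--ss.depth];
            /* An overwritten saved return address shows up here as a mismatch. */
            if (e->target != expected) { *at = i; return VERDICT_BAD_RETURN; }
        }
    }
    *at = n;
    return VERDICT_CLEAN;
}

/* Constructed function-entry table: main, parse_input, helper (hypothetical addresses). */
static const uintptr_t ENTRIES[] = { 0x401000u, 0x401100u, 0x401200u };
#define N_ENTRIES (sizeof ENTRIES / sizeof ENTRIES[0])

/* Benign nesting: main -> parse_input -> helper, both returns go to the right place. */
verdict demo_benign(size_t *at) {
    const ev t[] = {
        { EV_CALL, 0x401010u, 5, 0x401100u },
        { EV_CALL, 0x401120u, 5, 0x401200u },
        { EV_RET,  0x401230u, 0, 0x401125u },
        { EV_RET,  0x401140u, 0, 0x401015u },
    };
    return check_trace(t, 4, ENTRIES, N_ENTRIES, at);
}

/* helper's saved return address was overwritten with a stack address (constructed). */
verdict demo_ret_overwrite(size_t *at) {
    const ev t[] = {
        { EV_CALL, 0x401010u, 5, 0x401100u },
        { EV_CALL, 0x401120u, 5, 0x401200u },
        { EV_RET,  0x401230u, 0, 0x7ffc1234u },
        { EV_RET,  0x401140u, 0, 0x401015u },
    };
    return check_trace(t, 4, ENTRIES, N_ENTRIES, at);
}

/* An indirect call through an overwritten function pointer (constructed). */
verdict demo_fptr_overwrite(size_t *at) {
    const ev t[] = {
        { EV_CALL, 0x401010u, 5, 0x401100u },
        { EV_CALL, 0x401130u, 2, 0x7ffc2000u },
    };
    return check_trace(t, 2, ENTRIES, N_ENTRIES, at);
}

int main(void) {
    size_t at;
    printf("benign:          verdict %d at event %zu\n", demo_benign(&at), at);
    printf("ret overwrite:   verdict %d at event %zu\n", demo_ret_overwrite(&at), at);
    printf("fptr overwrite:  verdict %d at event %zu\n", demo_fptr_overwrite(&at), at);
    return 0;
}
```

The shadow stack is kept outside the instrumented program's own stack, which is what makes the comparison meaningful: an overflow that rewrites the saved return address cannot reach the recorded copy. The entry-table check covers the second case the abstract names, a modified function entry address, but only as far as the table is complete; functions reached through the PLT or loaded later by the dynamic linker must be added to the table as they are resolved, which is why the thesis pairs this check with a study of ELF dynamic linking.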
Keywords/Search Tags: buffer overflow, dynamic link, code instrumentation, function pointer