http://dx.doi.org/10.3745/KIPSTC.2006.13C.4.397

Software Attack Detection Method by Validation of Flow Control Instruction’s Target Address  

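Choi Myeong-Ryeol (National Security Research Institute)
Park Sang-Seo (National Security Research Institute)
Park Jong-Wook (National Security Research Institute)
Lee Kyoon-Ha (School of Computer Engineering, Inha University)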
Abstract
Successful software attacks require both injecting malicious code into a program's address space and altering the program's flow control to reach the injected code. The code section cannot be changed at runtime, so malicious code must be injected into the data section. Flow control detoured into the data section is therefore a sign of a software attack. We propose a new software attack detection method that verifies the target address of the CALL, JMP, and RET instructions, which alter a program's flow control, and detects a software attack when that address is not in the code section. The proposed method can detect any change to flow-control-related data, not only the return address but also function pointers, the buffer of the longjmp() function, and the old base pointer, so it can detect more attacks.
Keywords
Software Attack Detection; Flow Control Instruction; Target Address Validation;
Citations & Related Records
Times Cited By KSCI: 2