TY - JOUR
T1 - SigFree
T2 - A signature-free buffer overflow attack blocker
AU - Wang, Xinran
AU - Pan, Chi Chun
AU - Liu, Peng
AU - Zhu, Sencun
N1 - Funding Information:
The authors would like to thank the anonymous reviewers for their valuable comments and suggestions. The authors would also like to thank Yoon-Chan Jhi for helpful suggestions and the members of the Penn State Cyber Security Laboratory for collecting real traces. The work of Xinran Wang and Sencun Zhu was supported in part by the Army Research Office (W911NF-05-1-0270) and the US National Science Foundation (CNS-0524156). The work of Chi-Chun Pan and Peng Liu was supported in part by US NSF grant number CT-3352241.
PY - 2010
Y1 - 2010
N2 - We propose SigFree, an online, signature-free, out-of-the-box, application-layer method for blocking code-injection buffer overflow attack messages targeting various Internet services such as web services. Motivated by the observation that buffer overflow attacks typically contain executables whereas legitimate client requests never contain executables in most Internet services, SigFree blocks attacks by detecting the presence of code. Unlike previous code detection algorithms, SigFree uses a new data-flow analysis technique called code abstraction that is generic, fast, and hard for exploit code to evade. Because SigFree is signature free, it can block new and unknown buffer overflow attacks; SigFree is also immune to most attack-side code obfuscation methods. Since SigFree is deployed transparently in front of the servers it protects, it is well suited to economical Internet-wide deployment with very low deployment and maintenance cost. We implemented and tested SigFree; our experimental study shows that the dependency-degree-based SigFree could block all types of code-injection attack packets (above 750) tested in our experiments with very few false positives. Moreover, SigFree adds very little extra latency to normal client requests when some requests contain exploit code.
AB - We propose SigFree, an online, signature-free, out-of-the-box, application-layer method for blocking code-injection buffer overflow attack messages targeting various Internet services such as web services. Motivated by the observation that buffer overflow attacks typically contain executables whereas legitimate client requests never contain executables in most Internet services, SigFree blocks attacks by detecting the presence of code. Unlike previous code detection algorithms, SigFree uses a new data-flow analysis technique called code abstraction that is generic, fast, and hard for exploit code to evade. Because SigFree is signature free, it can block new and unknown buffer overflow attacks; SigFree is also immune to most attack-side code obfuscation methods. Since SigFree is deployed transparently in front of the servers it protects, it is well suited to economical Internet-wide deployment with very low deployment and maintenance cost. We implemented and tested SigFree; our experimental study shows that the dependency-degree-based SigFree could block all types of code-injection attack packets (above 750) tested in our experiments with very few false positives. Moreover, SigFree adds very little extra latency to normal client requests when some requests contain exploit code.
UR - http://www.scopus.com/inward/record.url?scp=76949091526&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=76949091526&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2008.30
DO - 10.1109/TDSC.2008.30
M3 - Article
AN - SCOPUS:76949091526
SN - 1545-5971
VL - 7
SP - 65
EP - 79
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 1
M1 - 4522563
ER -