DocumentCode :
3243970
Title :
Secure Bit Enhanced Canary: Hardware Enhanced Buffer-Overflow Protection
Author :
Piromsopa, Krerk ; Chiamwongpaet, Sirisara
Author_Institution :
Dept. of Comput. Eng., Chulalongkorn Univ., Bangkok
fYear :
2008
fDate :
18-21 Oct. 2008
Firstpage :
125
Lastpage :
131
Abstract :
Piromsopa and Enbody (2006) proposed Secure Bit, an architectural approach to protect against buffer-overflow attacks on control data (return-addresses and function pointers). This paper explores the possibility of extending Secure Bit to protect non-control data (variables, pointers and arrays). A hardware bit, provided by Secure Bit, helps preserve the integrity of an associated address. We propose putting a Canary Word adjacent to variables and using Secure Bit to protect the integrity of this word. In this extension, we introduce a new hardware instruction that is used to validate the Secure Bit of an adjacent word. An important differentiating aspect of Secure Bit is that once a Canary Word (data) has been marked as insecure there is no instruction to re-mark it as secure. Thus, it is theoretically not possible to bypass the mechanism by overflowing the Canary Word with a valid value. Our preliminary study has shown a promising solution to buffer overflow on arbitrary data. Robustness and performance are demonstrated by emulating the hardware, booting Linux on the emulator, running application software on that Linux, and performing known attacks.
Keywords :
Linux; buffer storage; firmware; microprogramming; security of data; Canary word; Linux; buffer-overflow attack; hardware bit; hardware enhanced buffer-overflow protection; hardware instruction; secure bit enhanced Canary; Application software; Buffer overflow; Computer worms; Data engineering; Hardware; Linux; Parallel processing; Protection; Protocols; Robustness; Buffer overflow; Protection; Security; invasive software; security kernels;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Network and Parallel Computing, 2008. NPC 2008. IFIP International Conference on
Conference_Location :
Shanghai
Print_ISBN :
978-0-7695-3354-4
Type :
conf
DOI :
10.1109/NPC.2008.49
Filename :
4663314