Results 1 - 10 of 12
Defending embedded systems against buffer overflow via hardware/software
- In Proceedings of the 19th Annual Computer Security Applications Conference, 2003
Cited by 16 (2 self)
Buffer overflow attacks have been causing serious security problems for decades. With more embedded systems networked, it becomes an important research problem to defend embedded systems against buffer overflow attacks. In this paper, we propose the Hardware/Software Address Protection (HSAP) technique to solve this problem. We first classify buffer overflow attacks into two categories (stack smashing attacks and function pointer attacks) and then provide two corresponding defending strategies. In our technique, hardware boundary check method and function pointer XOR method are used to protect a system against stack smashing attacks and function pointer attacks, respectively. Although the focus of the HSAP technique is on embedded systems because of the availability of hardware support, we show that the HSAP technique can be applied to any type of processors to defend against buffer overflow attacks. We use four classes of processors to illustrate that the applicability of our technique is independent of architectures. We experiment with our HSAP technique in ARM Evaluator-7T simulation development environments. The results show that our HSAP technique can defend a system against more types of buffer overflow attacks with little overhead than the previous work.
Code injection in C and C++ : A survey of vulnerabilities and countermeasures
- DEPARTEMENT COMPUTERWETENSCHAPPEN, KATHOLIEKE UNIVERSITEIT LEUVEN, 2004
Cited by 9 (6 self)
Implementation errors relating to memory-safety are the most common vulnerabilities used by attackers to gain control over the execution-flow of an application. By carefully crafting an exploit for these vulnerabilities, attackers can make an application transfer execution-flow to code that they have injected. Such code injection attacks are among the most powerful and common attacks against software applications. This report documents possible vulnerabilities in C and C++ applications that could lead to situations that allow for code injection and describes the techniques generally used by attackers to exploit them. A fairly large number of defense techniques have been described in literature. An important goal of this report is to give a comprehensive survey of all available preventive and defensive countermeasures that either attempt to eliminate specific vulnerabilities entirely or attempt to combat their exploitation. Finally, the report presents a synthesis of this survey that allows the reader to weigh the advantages and disadvantages of using a specific countermeasure as opposed to using another more easily.
Analyzing Programs for Vulnerability to Buffer Overrun Attacks
- 1998
Cited by 5 (0 self)
This paper presents an approach for analyzing security-critical software for vulnerability to buffer overrun attacks. In practice, buffer overruns are a commonly exploited attack against security-critical software systems. Buffer overrun attacks are made possible by flaws in designing and implementing software. This paper describes a software analysis tool that dynamically analyzes software source code to determine the potential to successfully overrun program buffers in order to execute arbitrary system commands. The methodology employs software fault injection to insert malicious strings into potentially vulnerable buffers during execution. If the buffer overrun attack is successful, arbitrary code can be executed at the whim of the attacker on the host system. Programs that are found to be vulnerable can be fortified to prevent buffer overrun attacks from being successful in the field. Three new algorithms for buffer overrun analysis are presented.
Security Protection and Checking in Embedded System Integration against Buffer Overflow Attacks via hardware/Software
- IN PROCEEDINGS OF INFORMATION ASSURANCE AND SECURITY SPECIAL TRACK IN CONJUNCTION WITH THE INTERNATIONAL CONFERENCE ON INFORMATION TECHNOLOGY: CODING AND COMPUTING (ITCC 2004), VOLUME I, 2004
Cited by 5 (0 self)
With more embedded systems networked, it becomes an important problem to effectively defend embedded systems against buffer overflow attacks. Due to the increasing complexity and strict requirements, off-the-shelf software components are widely used in embedded systems especially for military and other critical applications. Therefore, in addition to effective protection, we also need to provide an approach for system integrators to efficiently check whether software components have been protected. This paper proposes the HSDefender (Hardware/Software Defender) technique to perform protection and checking together. Our basic idea is to design secure call instructions so systems can be secured and checking can be easily performed. In the paper, we classify buffer overflow attacks into two categories and provide two corresponding defending strategies. We show that the HSDefender technique can be applied to any type of processors to defend against buffer overflow attacks. We analyze the HSDefender technique with respect to hardware cost, security, and performance. We experiment with our HSDefender technique on the SimpleScalar/ARM simulator with benchmarks from MiBench, an embedded benchmark suite. The results show that our HSDefender technique can defend a system against more types of buffer overflow attacks with less overhead compared with the previous work.
An approach for certifying security in software components
- 21st National Information Systems Security Conference, National Institute of Standards and Technology (NIST), 1998
Cited by 4 (0 self)
The growth of Internet-based electronic commerce, with its potential to create new business markets and streamline corporate operations, has been hindered over the past three years by concerns over the security of the system. While several secure transaction protocols have emerged to allay concerns, most security violations in practice are made possible by flaws in e-commerce client/server software. The approach outlined in this paper develops a certification process for testing software components for security properties. The anticipated results from this research is a process and set of core white-box and black-box testing technologies to certify the security of software components. The manifestation of the product is a stamp of approval in the form of a digital signature.
Position: the user is the enemy
- in Proceedings of the 2007 Workshop on New Security Paradigms. 2008, ACM: New Hampshire
Cited by 2 (0 self)
The Human Factor has long been recognized as the weakest link in computer systems security, yet, nothing technically significant has been done to address this problem in an attack agnostic manner. In this paper, we introduce the mantra of “The User is the Enemy” for security designers and developers alike as an underlying current towards addressing the weak human factor. We present different notions of the user and the system and argue from parallel tracks that user actions, both ignorant and non-compliant, are detrimental to the organization. We further show how the paradigm has been applied in a rather unconscious manner and contend that security mechanisms borne out of a conscious application will be more effective towards addressing this systemic problem. Our position is not meant to be a cynical attitude towards users; rather, it is meant to be the focal point of security design attitude, similar to the mantra “All user input is evil” for addressing buffer overflow attacks.
Modeling the trust boundaries created by securable objects
Cited by 1 (0 self)
One of the most critical steps of any security review involves identifying the trust boundaries that an application is exposed to. While methodologies such as threat modeling can be used to help obtain this understanding from an application’s design, it can be difficult to accurately map this understanding to an application’s implementation. This difficulty suggests that there is a need for techniques that can be used to gain a better understanding of the trust boundaries that exist within an application’s implementation. To help address this problem, this paper describes a technique that can be used to model the trust boundaries that are created by securable objects on Windows. Dynamic instrumentation is used to generate object trace logs which describe the contexts in which securable objects are defined, used, and have their security descriptor updated. This information is used to identify the data flows that are permitted by the access rights granted to securable objects. It is then shown how these data flows can be analyzed to gain an understanding of the trust boundaries, threats, and potential elevation paths that exist within a given system.
State of the Art Survey
Machine) formalism has been used for describing the structure and abstract behaviour of a specific architecture (i.e., the one of a compiler) in [Inverardi & Wolf 1995]. The Z language has been used to characterise architectural styles and has later led to define a framework for such characterisations so as to enable comparing styles sharing a common semantic model [Abowd et al. 1995]. Logic has been used in [Moriconi et al. 1995] for supporting correct stepwise refinement of configurations. Graph grammars are exploited in [Le Metayer 1996] for enabling constrained architecture evolution. The advantages of introducing ADLs over the above works are obvious with respect to leveraging the elaboration of software architectures. An overview of existing ADLs is provided hereafter, and is followed by a discussion about the relation of such notations with the UML standard software modelling language that is becoming a major player in industry. We conclude this section by sketching some ongoing...

