Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle.
Buffer Overflow Defenses
Author: Jedidiah R. Crandall
This document was funded by the National Science Foundation Federal Cyber Service Scholarship For Service Program: Grant No.
Distributed July 2002
Embry-Riddle Aeronautical University, Prescott, Arizona, USA

Buffer Overflow Defenses
This section presents some defenses against buffer overflows and their pros and cons in a not-too-technical manner.
Caveats:
1. This is not intended to be a complete list of products that defend against buffer overflows.
2. There is no silver bullet that will stamp out buffer overflows, but some of these tools may help.

Kinds of Defenses
Better software engineering practices
Find-and-patch methods
Language tools
Analysis tools
Compiler tools
Operating system tools

Better software engineering practices
Examples: Testing, code inspection, documentation of reused code
Pros: Apply to every kind of buffer overflow, and catch the defect before the software is released rather than after it has been exploited
Cons: Time consuming, and time is money

Find-and-patch methods
Examples: Software patches, anti-virus software
Pros: Very effective at preventing known attacks. A patch removes the known vulnerability itself, so it also stops attacks on it that have not been seen yet. Usually does not require that the software be recompiled by the user.
Cons: Not effective at preventing attacks on unknown vulnerabilities. Anti-virus software that matches known attack patterns can also miss a new attack on a known but unpatched vulnerability.

Language tools
Examples: Java, Perl, Ada, Cyclone, or any language that is not as susceptible to buffer overflows as C/C++; or components and libraries for C/C++ that are less susceptible to buffer overflows (for example, string functions that take the destination size)
Pros: Use of better languages or libraries greatly reduces the buffer overflow problem, because the bounds check is done for the programmer instead of by the programmer
Cons: The programmer still has to decide how to handle long input strings. Should the input be truncated? Rejected? Should the buffer be resized? Should the program halt? A bounds-checked language turns a silent overflow into one of these outcomes; it does not choose the outcome for you.
C/C++ are popular languages and there are valid reasons for using them
Reused C code must be heavily modified to use new libraries
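The "what do we do with a long string" question above is the one a safer library still leaves to the programmer. The following C program is an added example, not code from the original slides; it shows the three answers (truncate, reject, resize) as bounded copies into a fixed-size buffer, next to the unbounded strcpy pattern they replace. The function names and the NAME_MAX size are this example's own choices, not any library's API.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the original slides): three explicit policies for
 * input that is longer than the destination buffer. truncate_copy,
 * reject_copy and grow_copy are names chosen for this example only. */

#define NAME_MAX 16   /* capacity of the fixed-size buffer, including the NUL */

/* Policy 1: truncate. Keep the first NAME_MAX-1 bytes and always NUL-terminate.
 * Returns 1 if the input had to be cut, 0 if it fit. */
int truncate_copy(char dst[NAME_MAX], const char *src) {
    size_t n = strlen(src);
    size_t keep = n < NAME_MAX ? n : NAME_MAX - 1;
    memcpy(dst, src, keep);
    dst[keep] = '\0';
    return n >= NAME_MAX;
}

/* Policy 2: reject. Refuse over-long input and leave dst empty.
 * Returns 0 on success, -1 if the input was rejected. */
int reject_copy(char dst[NAME_MAX], const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_MAX) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Policy 3: resize. Allocate exactly what is needed; the caller frees.
 * Returns NULL on allocation failure. */
char *grow_copy(const char *src) {
    size_t n = strlen(src);
    char *dst = malloc(n + 1);
    if (dst == NULL) return NULL;
    memcpy(dst, src, n + 1);
    return dst;
}

/* The pattern the policies replace: strcpy takes no length, so a source of
 * NAME_MAX or more characters writes past the end of dst. Kept only for
 * contrast; it is never called in this example. */
void unsafe_copy(char dst[NAME_MAX], const char *src) {
    strcpy(dst, src);   /* overflow if strlen(src) >= NAME_MAX */
}

int main(void) {
    /* Constructed input: 25 characters, longer than NAME_MAX. */
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAAA";
    char fixed[NAME_MAX];

    int cut = truncate_copy(fixed, input);
    printf("truncate: \"%s\" (cut=%d)\n", fixed, cut);

    int rc = reject_copy(fixed, input);
    printf("reject:   rc=%d, dst=\"%s\"\n", rc, fixed);

    char *heap = grow_copy(input);
    if (heap != NULL) {
        printf("resize:   %zu bytes copied\n", strlen(heap));
        free(heap);
    }
    return 0;
}
```

Which policy is right depends on the program: truncation is acceptable for a display name, rejection is usually right for a protocol field with a defined maximum, and resizing is right when the input legitimately has no fixed upper bound. The point of the slide is that one of them has to be chosen consciously; a safer language only guarantees that the answer is never "write past the end of the buffer".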

Analysis tools
Examples: Static analysis tools that search the source code for possible buffer overflows; dynamic analysis tools that help identify buffer overflows while the program executes during testing
Pros: Static analysis tools can be very useful for code inspection
Dynamic analysis tools can help you catch errors during testing that you might not have caught otherwise
Cons: Static analysis tools produce many false positives and only look for certain kinds of buffer overflows, such as calls to unsafe library functions
Dynamic analysis tools only see the overflows that the test inputs actually trigger
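The simplest static analysis tool of the kind the slide describes just looks for calls to length-unaware C library functions. The program below is an added example, not from the slides and not any shipped tool: a toy checker of that kind, run over a constructed C source snippet embedded in the program. The sample is written so that it shows both what such a tool finds and the two weaknesses the slide names, a false positive (a strcpy that cannot overflow) and a miss (an overflow through a function that is not on the list). The function list and names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not from the original slides and not any real tool:
 * a toy static checker of the "grep for unsafe calls" kind. */

static const char *UNSAFE[] = { "gets", "strcpy", "strcat", "sprintf", "scanf" };
#define N_UNSAFE (sizeof UNSAFE / sizeof UNSAFE[0])

/* Returns 1 if the text at p is the identifier `name` followed by '('.
 * The preceding-character test keeps fgets() from matching "gets" and
 * my_strcpy_count from matching "strcpy". */
static int is_call(const char *line, const char *p, const char *name) {
    size_t n = strlen(name);
    if (strncmp(p, name, n) != 0) return 0;
    if (p > line && (isalnum((unsigned char)p[-1]) || p[-1] == '_')) return 0;
    const char *q = p + n;
    while (*q == ' ' || *q == '\t') q++;
    return *q == '(';
}

/* Scans one source line; returns the unsafe function name found, or NULL. */
const char *scan_line(const char *line) {
    for (size_t i = 0; i < N_UNSAFE; i++) {
        for (const char *p = line; (p = strstr(p, UNSAFE[i])) != NULL; p++) {
            if (is_call(line, p, UNSAFE[i])) return UNSAFE[i];
        }
    }
    return NULL;
}

/* Scans a whole source text line by line; prints each hit when verbose is
 * set and returns the number of lines flagged. */
int scan_source(const char *src, int verbose) {
    char line[256];
    int lineno = 0, hits = 0;
    while (*src) {
        size_t full = strcspn(src, "\n");     /* length of this line */
        size_t n = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, src, n);
        line[n] = '\0';
        lineno++;
        const char *fn = scan_line(line);
        if (fn) {
            hits++;
            if (verbose) printf("line %d: call to %s(): %s\n", lineno, fn, line);
        }
        src += full;
        if (*src == '\n') src++;
    }
    return hits;
}

/* Constructed sample source: two real problems, one false positive, one miss,
 * and one identifier that merely contains an unsafe function's name. */
static const char SAMPLE[] =
    "char name[32];\n"
    "gets(name);                      /* real: unbounded read */\n"
    "strcpy(name, argv[1]);           /* real: unbounded copy */\n"
    "strcpy(name, \"fixed literal\");   /* false positive: 14 bytes into 32 */\n"
    "memcpy(name, argv[1], strlen(argv[1])); /* missed: not on the list */\n"
    "int my_strcpy_count = 0;          /* not a call */\n";

int main(void) {
    int hits = scan_source(SAMPLE, 1);
    printf("%d line(s) flagged\n", hits);
    return 0;
}
```

Three of the six sample lines are flagged: the two genuine overflows and the strcpy of a literal that fits. The memcpy with an attacker-controlled length is not flagged at all. That is the trade-off the slide describes: a lexical scanner is cheap to run and good at pointing a code inspection at the right places, but its hits still need a human to judge, and its silence proves nothing.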

Compiler tools
Examples: Add automatic bounds checking to a C compiler, or protect the return pointer (see the StackGuard applet)
Pros: Adding automatic bounds checking to a C compiler can prevent many buffer overflows
Protecting the return pointer virtually eliminates stack smashing, which is currently the most prevalent and disastrous kind of buffer overflow attack
Cons: There is a performance overhead, especially for adding bounds checking to C compilers
Protecting the return pointer does not prevent heap-based attacks, denial-of-service attacks, or data corruption: the overflow still happens, it is only the use of the clobbered return address that is stopped
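The return-pointer protection the slide refers to places a "canary" word between a function's local buffers and its saved return address and checks it before the function returns; a stack smash that reaches the return address has to overwrite the canary on the way. The program below is an added example, not StackGuard's code: it simulates that layout with a struct so that the check can run portably without corrupting the real stack. The canary constant copies the terminator-canary idea (a word containing NUL, LF and CR bytes that string-copy functions cannot write through), but the value, the struct and the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original slides and not StackGuard's code:
 * a user-space simulation of a stack canary. */

/* Terminator-style canary: contains NUL, LF, 0xFF and CR bytes. A strcpy or
 * gets style copy stops at the NUL, so it cannot rewrite the word intact. */
#define CANARY_VALUE 0x000AFF0Du

struct frame {
    char     buf[16];      /* local buffer, the overflow target */
    uint32_t canary;       /* sentinel placed where StackGuard puts it */
    uint32_t saved_ret;    /* stands in for the saved return address */
};

/* Simulates a function that copies attacker-controlled input into its local
 * buffer without a bounds check, then runs the epilogue check. The copy is
 * clamped to sizeof(struct frame) so the simulation itself stays inside its
 * own object. Returns 1 if the canary survived (return allowed), 0 if it was
 * clobbered (the real mechanism would abort instead of returning). */
int copy_then_check(const unsigned char *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;
    f.saved_ret = 0x08048000u;   /* arbitrary placeholder address */

    if (len > sizeof f) len = sizeof f;          /* keep the simulation in bounds */
    memcpy((unsigned char *)&f, input, len);     /* the unchecked copy */

    return f.canary == CANARY_VALUE;             /* the epilogue check */
}

int main(void) {
    /* Constructed inputs: one that fits the buffer, one that overruns it. */
    unsigned char fits[10];
    unsigned char smash[sizeof(struct frame)];
    memset(fits, 'A', sizeof fits);
    memset(smash, 'A', sizeof smash);

    printf("%zu-byte input: canary %s\n", sizeof fits,
           copy_then_check(fits, sizeof fits) ? "intact" : "smashed");
    printf("%zu-byte input: canary %s\n", sizeof smash,
           copy_then_check(smash, sizeof smash) ? "intact" : "smashed");
    return 0;
}
```

Note what the check does and does not tell you. A 16-byte input fills the buffer exactly and the canary is untouched; a 17-byte input corrupts it and is detected before the fake return address can be used. But the detection happens only at return time, after the bytes have already been written: anything else sitting between the buffer and the canary, and anything on the heap, is already overwritten. That is the "does not prevent data corruption" con above.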

Operating system tools
Examples: Intrusion detection; disabling execution of code where there shouldn't be code (a non-executable stack or heap)
Pros: Disabling the execution of code where there shouldn't be code usually has a negligible performance cost
Intrusion detection systems can detect unknown attacks by monitoring user behavior for anomalies or likely attack patterns
Cons: Neither of these will prevent every kind of buffer overflow attack; a non-executable stack stops injected code from running but not an overflow that redirects execution into code that is already present
Intrusion detection is a developing technology and is not perfect

About this Project
This presentation is part of a larger package of materials on buffer overflow vulnerabilities, defenses, and software practices. For more information, go to:
Also available are:
Demonstrations of how buffer overflows occur (Java applets)
PowerPoint lecture-style presentations on an introduction to buffer overflows, preventing buffer overflows (for C programmers), and a case study of Code Red
Checklists and Points to Remember for C Programmers
An interactive module and quiz set with alternative paths for journalists/analysts and IT managers as well as programmers and testers
A scavenger hunt on implications of the buffer overflow vulnerability
Please complete a feedback form at to tell us how you used this material and to offer suggestions for improvements.