Secure Patrol: Patrolling Against Buffer Overflow Exploits

Abstract

ABSTRACTBuffer overflow attacks are caused due to exploitation of stack or heap in computer memory. One of the targets behind buffer overflow attacks is the return address of a function. Another potential actor in buffer overflow attacks is Global Offset Table (GOT); exploiting it can also lead to disastrous results, such as a call to printf(), which can be transformed to a system() call. This paper focuses on mitigation of stack-based buffer overflow attacks and securing GOT. The proposed approach is a compiler-level protection aimed at preventing such exploits using shadow stacks, a linked list behaving as a stack, that stores the return addresses and frame pointers. The return address and frame pointer are pushed into these stacks during the prologue of every function, and in the epilogue it is compared with the one residing inside actual stack. If they match, the program continues; otherwise, it is terminated and this event is recorded into the system log. To make these shadow stacks invisible from the attacker, the address of the top of shadow stack is stored inside Thread Local Storage (TLS) for the process to refer it later. In order to forestall GOT manipulation, the proposed approach uses a global array which contains the backup of GOT; when a call to GOT entry is made, the value inside that entry and the respective value inside the backup table are compared. If they match, the program continues; otherwise, it terminates the process instantaneously. The proposed approach, Secure Patrol, is efficient, secure against stack-based buffer overflow and resistant to GOT manipulation.