Buffer Overflow Attacks Research Articles

Machine Learning Approach to Intrusion Detection: Performance Evaluation

Software-Defined Networking (SDN) simplifies network administration as well as reduces the need for manual configuration on individual devices. SDN is expected to remain a crucial technology in shaping the future of network infrastructure. However due to key vulnerabilities like Open Flow Protocol Weaknesses, Flow Table Poisoning, Weak authentication and authorization mechanisms, it is prone to intrusion attacks. In this paper, authors aim to build framework based on various machine learning models (ML) to capture anomaly packets. Four models Decision tree, Support Vector Classifier, Naïve Bayes Classifier and artificial neural networks are designed and trained to capture anomaly packets. While SVC achieved an impressive accuracy of 99%, Artificial Neural Networks (ANN) demonstrated satisfactory speed and efficiency, despite their accuracy being slightly lower than SVM’s. ANN is then deployed in SDN simulated using Mininet. The model is able to detect all DOS traffic. Other types of attacks SQL Injection, U2R Attack, Buffer Overflow Attack, Probe Attack, Brute Force Attack could not be tested as there is provision to simulated these using Mininet.

Detection of Buffer Overflow Attacks with Memoization-based Rule Set

Different abnormalities are commonly encountered in computer network systems. These types of abnormalities can lead to critical data losses or unauthorized access in the systems. Buffer overflow anomaly is a prominent issue among these abnormalities, posing a serious threat to network security. The primary objective of this study is to identify the potential risks of buffer overflow that can be caused by functions frequently used in the PHP programming language and to provide solutions to minimize these risks. Static code analyzers are used to detect security vulnerabilities, among which SonarQube stands out with its extensive library, flexible customization options, and reliability in the industry. In this context, a customized rule set aimed at automatically detecting buffer overflows has been developed on the SonarQube platform. The memoization optimization technique used while creating the customized rule set enhances the speed and efficiency of the code analysis process. As a result, the code analysis process is not repeatedly run for code snippets that have been analyzed before, significantly reducing processing time and resource utilization. In this study, a memoization-based rule set was utilized to detect critical security vulnerabilities that could lead to buffer overflow in source codes written in the PHP programming language. Thus, the analysis process is not repeatedly run for code snippets that have been analyzed before, leading to a significant reduction in processing time and resource utilization. In a case study conducted to assess the effectiveness of this method, a significant decrease in the source code analysis time was observed.

A buffer overflow detection and defense method based on RISC-V instruction set extension

Buffer overflow poses a serious threat to the memory security of modern operating systems. It overwrites the contents of other memory areas by breaking through the buffer capacity limit, destroys the system execution environment, and provides implementation space for various system attacks such as program control flow hijacking. That makes it a wide range of harms. A variety of security technologies have been proposed to deal with system security problems including buffer overflow. For example, No eXecute (NX for short) is a memory management technology commonly used in Harvard architecture. It can refuse the execution of code which residing in a specific memory, and can effectively suppress the abnormal impact of buffer overflow on control flow. Therefore, in recent years, it has also been used in the field of system security, deriving a series of solutions based on NX technology, such as ExecShield, DEP, StackGuard, etc. However, these security solutions often rely too much on the processor architecture so that the protection coverage is insufficient and the accuracy is limited. Especially in the emerging system architecture field represented by RISC-V, there is still a lack of effective solutions for buffer overflow vulnerabilities. With the continuous rapid development of the system architecture, it is urgent to develop defense methods that are applicable to different system application environments and oriented to all executable memory spaces to meet the needs of system security development. Therefore, we propose BOP, A new system memory security design method based on RISC-V extended instructions, to build a RISC-V buffer overflow detection and defense system and deal with the buffer overflow threat in RISC-V. According to this method, NX technology can be combined with program control flow analysis, and NX bit mechanism can be used to manage the executability of memory space, so as to achieve a more granular detection and defense of buffer overflow attacks that may occur in RISC-V system environment. In addition, The memory management and control function of BOP is not only very suitable for solving the security problems in the existing single architecture system, but also widely applicable to the combination of multiple heterogeneous systems.Graphical abstract

FPGA design and implementation for adaptive digital chaotic key generator

BackgroundInformation security is very important in today’s digital world, especially cybersecurity. The most common requirement in securing data in all services: confidentiality, digital signature, authentication, and data integrity is generating random keys. These random keys should be tested for randomness. Hardware security is more recommended than software. Hardware security has more speed and less exposure to many attacks than software security. Software security is vulnerable to attacks like buffer overflow attacks, side-channel attacks, and Meltdown–Spectre attacks.ResultsIn this paper, we propose an FPGA Implementation for the adaptive digital chaotic generator. This algorithm is proposed and tested before. We introduce its implementation as hardware. This algorithm needs a random number seed as input. We propose two designs. The first one has an input random number. The second one has PRNG inside. The target FPGA is Xilinx Spartan 6 xc6slx9-2-cpg196. We used MATLAB HDL Coder for the design. We propose a configurable Key block’s length. For 32 bit the maximum frequency is 15.711 MHz versus 11.635 MHz for the first and second designs respectively. The area utilization of the Number of Slice Registers is 1% versus 2%. The number of Slice Look Up Tables is 40% versus 59%. number of bonded input output blocks is 64% versus 66%. otherwise are the same for the two designs.ConclusionsIn this paper, we propose an efficient and configurable FPGA Design for adaptive digital chaotic key generator. Our design has another advantage of storing the output keys internally and reading them later.

An In-Depth Survey of Bypassing Buffer Overflow Mitigation Techniques

Buffer Overflow (BOF) has been a ubiquitous security vulnerability for more than three decades, potentially compromising any software application or system. This vulnerability occurs primarily when someone attempts to write more bytes of data (shellcode) than a buffer can handle. To date, this primitive attack has been used to attack many different software systems, resulting in numerous buffer overflows. The most common type of buffer overflow is the stack overflow vulnerability, through which an adversary can gain admin privileges remotely, which can then be used to execute shellcode. Numerous mitigation techniques have been developed and deployed to reduce the likelihood of BOF attacks, but attackers still manage to bypass these techniques. A variety of mitigation techniques have been proposed and implemented on the hardware, operating system, and compiler levels. These techniques include No-EXecute (NX) and Address Space Layout Randomization (ASLR). The NX bit prevents the execution of malicious code by making various portions of the address space of a process inoperable. The ASLR algorithm randomly assigns addresses to various parts of the logical address space of a process as it is loaded in memory for execution. Position Independent Executable (PIE) and ASLR provide more robust protection by randomly generating binary segments. Read-only relocation (RELRO) protects the Global Offset Table (GOT) from overwriting attacks. StackGuard protects the stack by placing the canary before the return address in order to prevent stack smashing attacks. Despite all the mitigation techniques in place, hackers continue to be successful in bypassing them, making buffer overflow a persistent vulnerability. The current work aims to describe the stack-based buffer overflow vulnerability and review in detail the mitigation techniques reported in the literature as well as how hackers attempt to bypass them.

Buffer Overflow Vulnerabilities and Prevention

Either in terms of software error or being an attack itself, buffer overflow attacks have been one of the most important security problems accountable for a common vulnerability of software security and cyber risks. Buffer overflow vulnerabilities influence the zone of remote network penetration vulnerabilities, where an anonymous user tries to gain partial or complete control of the host. Buffer overflow attacks liable for some of the biggest data breaches in recent years. One of the notable data breach examples include Morris worm or internet worm of November 2, 1988. Morris worm is an ancient computer worm distributed via the internet, was noted for infecting around 6000 major Unix machines. This paper mainly focuses on buffer overflow attack vulnerabilities and the preventive measures to safeguard once system from being attacked. Keywords – Buffer overflow attack, susceptibility, impediment

On Security of TrustZone-M-Based IoT Systems

Internet of Things (IoT) devices have been increasingly integrated into our daily life. However, such smart devices suffer a broad attack surface. Particularly, attacks targeting the device software at runtime are challenging to defend against if IoT devices use resource-constrained microcontrollers (MCUs). TrustZone-M, a TrustZone extension designed specifically for MCUs, is an emerging hardware security technique fortifying software security of MCU-based IoT devices. This article introduces a comprehensive security framework for IoT devices using TrustZone-M-enabled MCUs, in which device security is protected in five dimensions, i.e., hardware, boot-time software, runtime software, network, and over-the-air (OTA) update. Along developing the framework, we also present the first security analysis of potential runtime software security issues in TrustZone-M-enabled MCUs. In particular, we explore the feasibility of launching stack-based buffer overflow (BOF) attack for code injection, return-oriented programming (ROP) attack, heap-based BOF attack, format string attack, and attacks against nonsecure callable (NSC) functions in the context of TrustZone-M. We validate these attacks using SAM L11, a microchip MCU with TrustZone-M and provide defense mechanisms in the runtime software dimension of the proposed framework. The security framework is implemented with a full-fledged secure and trustworthy air quality monitoring device using SAM L11 as its MCU.

Semi-Synchronized Non-Blocking Concurrent Kernel Cruising

Kernel heap buffer overflow vulnerabilities have been exposed for decades, but there are few practical countermeasure that can be applied to OS kernels. Previous solutions either suffer from high performance overhead or compatibility problems with mainstream kernels and hardware. In this paper, we present KRUISER, a concurrent kernel heap buffer overflow monitor. Unlike conventional methods, the security enforcement of which is usually inlined into the kernel execution, Kruiser migrates security enforcement from the kernel's normal execution to a concurrent monitor process, leveraging the increasingly popular multi-core architectures. To reduce the synchronization overhead between the monitor process and the running kernel, we design a novel semi-synchronized non-blocking monitoring algorithm, which enables efficient runtime detection on live memory without incurring false positives. To prevent the monitor process from being tampered and provide guaranteed performance isolation, we utilize the virtualization technology to run the monitor process out of the monitored VM, while heap memory allocation information is collected inside the monitored VM in a secure and efficient way. We have implemented a prototype of KRUISER based on Linux and the Xen/KVM hypervisor. The evaluation shows that Kruiser can detect realistic kernel heap buffer overflow attacks in cloud environment effectively with minimal cost.

FFRR: a software diversity technique for defending against buffer overflow attacks

FFRR: a software diversity technique for defending against buffer overflow attacks

FFRR: a software diversity technique for defending against buffer overflow attacks

FFRR: a software diversity technique for defending against buffer overflow attacks

CYBER ATTACKS ON SCADA BASED TRAFFIC LIGHT CONTROL SYSTEMS IN THE SMART CITIES

Abstract. There are regular developments and changes in cities. Developments in cities have affected transportation, and traffic control tools have changed. Traffic signs and traffic lights have been used to direct pedestrians and vehicles correctly. Traffic light control systems are used to ensure the safety of vehicles and pedestrians, increase the fluency in traffic, guide them in transportation, warn pedestrians and drivers, and regulate and control transportation disruptions. In order to facilitate people's lives, it is desired to control the traffic components autonomously with the developments in autonomous systems. Cyber threats arise due to the active use of the internet and signals or frequencies in the use of modules that will provide communication with traffic lights, traffic signs, and vehicles, which are traffic components at the inter-sections of many roads in the control of central systems. The study is limited to smart traffic lights, which are traffic components. If we examine the cyber-attacks, we can see that Malware Attacks, Buffer Overflow Attacks, DoS attacks, and Jamming Attacks can be made. Network-Based Intrusion Detection Systems and Host-Based Intrusion Detection Systems can be used to detect and stop Malware Attacks, Buffer Overflow Attacks, DoS attacks, and Jamming Attacks. Intrusion detection systems tell us whether the data poses a threat or does not pose after the data passing through the system is examined. In this way, system protection is ensured by controlling the data traffic in the system.

Anomaly Detection Based on Temporal Behavior Monitoring in Programmable Logic Controllers

As Programmable Logic Controllers (PLCs) are increasingly connected and integrated into the industrial Internet of things, cybersecurity threats to PLCs are also increasing. Adversaries can perform a denial of service (DoS) attack based on the transmission of a large number of network packets, and a control-logic injection attack through sophisticated packet transmission. We propose an approach to detecting and defending against attacks that exploit security vulnerabilities in a PLC system. In order to protect against indiscriminate packet transmission attacks that exploit uncontrolled resource consumption vulnerabilities, an abnormal temporal behavior detection method is proposed that monitors the CPU usage of tasks. If a temporal anomaly is detected, the proposed approach tries to detect control-flow anomalies by examining the sequences of function calls, then detects stack-based buffer overflow attacks. The proposed method is implemented in a water tank control system for evaluation purposes. The experimental results show that the proposed method can improve the security of the system by detecting anomalies in temporal behavior with little system overhead.

Real-time Attack-Scheme Visualization for Complex Exploit Technique Comprehension

Recent exploit techniques are highly complex, and it is not easy for cybersecurity learners to understand the attack strategies quickly and clearly. For efficient and comprehensive learning, this paper proposes an attack-scheme visualization system that fulfills three requirements: attack progress visualization in real-time, memory and register-level description, and concise description of the attack schemes. This paper exemplifies two cases: stack buffer overflow and ROP attacks, and demonstrates how the system operates and how users can learn that existing defense technologies are effective or ineffective depending on the execution environments.

Boundary Bit: Architectural Bound Checking for Buffer-Overflow Protection

We propose Boundary Bit, a new architectural bound-checking approach that detects and prevents buffer-overflow attacks. Boundary Bit extends an architecture by associating a bit to each memory entry. Software can set a (boundary) bit to delimit an object. On each memory access, the hardware will dynamically validate the object's bound using the boundary bit. With minimal hints from the compiler, our architectural design eliminates most (if not all) types of buffer-overflow attacks. These include attacks on non-control data (variables and arguments) and array-indexing errors. We evaluate the performance of Boundary Bit using simulation, and the results show that the majority of performance overheads lies in bit scanning operations. To mitigate performance overheads, we introduce a hardware bitmap to act as a cache. The results from our simulation shows that the hardware bitmap can absorb most overhead from bit scanning, which in the best-case scenario translated to 30 times speed up compared to the version that does not utilize bitmap cache.

Buffer Overflow Attack –Vulnerability in Heap

We advise a paper which indicates a heap attack due to buffer over .Buffer overflow attack is the oldest and maximum pervasive attack technique. A buffer overflow takes place while a method or program attempts to put in writing more statistics to a set buffer, or duration block of reminiscence than the buffer is allotted to hold. Since buffers are layout to incorporate a defined quantity of records, the extra information can revoke statistics values in memory deal with which is adjacent to the destination buffer till and unless this system include enough bounds checking to flag or discard information while an excessive amount of is despatched to a reminiscence buffer. Buffer overflow attacks are classify into two categories: Heap and stack based attack .The time period heap outline pool of memory utilized in dynamic allocation for run time environment and the heap based totally attack define the flooded reminiscence space reserved for a software, but the problem arrives when appearing such an assault it make the situation critical

Leakage is prohibited: memory protection extensions protected address space randomization

Code reuse attacks pose a severe threat to modern applications. These attacks reuse existing code segments of vulnerable applications as attack payloads and hijack the control flow of a victim application. With high code entropy and a relatively low performance overhead, Address Space Layout Randomization (ASLR) has become the most widely explored defense against code reuse attacks. However, a single memory disclosure vulnerability is able to compromise this defense. In this paper, we present Memory Protection Extensions (MPX)- assisted Address Space Layout Randomization (M-ASLR), a novel code-space randomization scheme. M-ASLR uses several characteristics of Intel MPX to restrict code pointers in memory. We have developed a fully functioning prototype of M-ALSR, and our evaluation results show that M-ASLR: (1) offers no interference with normal operation; (2) protects against buffer overflow attacks, code reuse attacks, and other sophisticated modern attacks; and (3) adds a very low performance overhead (3.3%) to C/C++ applications.

SSPFA: effective stack smashing protection for Android OS

In this paper, we detail why the stack smashing protector (SSP), one of the most effective techniques to mitigate stack buffer overflow attacks, fails to protect the Android operating system and thus causes a false sense of security that affects all Android devices. We detail weaknesses of existing SSP implementations, revealing that current SSP is not secure. We propose SSPFA, the first effective and practical SSP for Android devices. SSPFA provides security against stack buffer overflows without changing the underlying architecture. SSPFA has been implemented and tested on several real devices showing that it is not intrusive, and it is binary-compatible with Android applications. Extensive empirical validation has been carried out over the proposed solution.

SAFETY: Early Detection and Mitigation of TCP SYN Flood Utilizing Entropy in SDN

Software defined networking (SDN) is an emerging network paradigm which emphasizes the separation of the control plane from the data plane. This decoupling provides several advantages such as flexibility, programmability, and centralized control. However, SDN also introduces new vulnerabilities due to the required communication between data plane and control plane. Examples of threats that leverage such vulnerabilities are the control plane saturation and switch buffer overflow attacks. These attacks can be launched by flooding the TCP SYN packets from data plane (i.e., switches) to the control plane. This paper presents SAFETY, a novel solution for the early detection and mitigation of TCP SYN flooding. SAFETY harnesses the programming and wide visibility approach of SDN with entropy method to determine the randomness of the flow data. The entropy information includes destination IP and few attributes of TCP flags. To show the feasibility and effectiveness of SAFETY, we implement it as an extension module in Floodlight controller and evaluate it under different conditional scenarios. We run a thorough evaluation of our implementation through extensive emulation via Mininet . The experimental results show that when compared to the state-of-the-art, SAFETY brings a significant improvement (13%) regarding processing delay experienced by a legitimate node. Other parameters such as CPU utilization at the controller and attack detection time are also examined and shows improvement in various scenarios.

A Security Design for the Detecting of Buffer Overflow Attacks in IoT Device

At present, the IoT devices face many kinds of software and hardware attacks, especially buffer overflow attacks. This paper presents an architectural-enhanced security hardware design to detect buffer overflow attacks. One part of the design is instructions monitoring and verification used to trace the execution behavior of programs. Another one is secure tag validation used to monitor the attributes of every memory segment. The automated extraction tools extract the monitoring model and secure tag of each memory segment at the compile time. At run-time, the designed hardware observes its dynamic execution trace and checks whether the trace conforms to the permissible behavior, if not the appropriate response mechanisms will be triggered. The proposed schemes don’t change the compiler or the existing instruction set and imposes no restriction to the software developer. The architectural design is implemented on an actual OR1200-FPGA platform. The experimental analysis shows that the proposed techniques can detect a wide range of buffer overflow attacks. And it takes low performance penalties and minimal overheads.

Nile: A Programmable Monitoring Coprocessor

Researchers widely employ hardware performance counters (HPCs) as well as debugging and profiling tools in processors for monitoring different events such as cache hits, cache misses, and branch prediction statistics during the execution of programs. The collected information can be used for power, performance, and thermal management of the system as well as detecting anomalies or malicious behavior in the software. However, monitoring new or complex events using HPCs and existing tools is a challenging task because HPCs only provide a fixed pool of raw events to monitor. To address this challenge, we propose the implementation of a programmable hardware monitor in a complete system framework including the hardware monitor architecture and its interface with an in-order single-issue RISC-V processor as well as an operating system. As a proof of concept, we demonstrate how to programmatically implement a shadow stack using our hardware monitor and how the programmed shadow stack detects stack buffer overflow attacks. Our hardware monitor design incurs a 26 percent power overhead and a 15 percent area overhead over an unmodified RISC-V processor. Our programmed shadow stack has less than 3 percent performance overhead in the worst case.