Heap and stack buffer overflows are still among the most common attack vectors
in intrusion attempts. We asked a simple question that is surprisingly
difficult to answer: which bytes contributed to the overflow? By careful
observation of all scenarios that may occur in overflows, we identified the
information that needs to be tracked to pinpoint the offending bytes. There
are many reasons why this is a hard problem. For instance, by the time an
overflow is detected some of the bytes may already have been overwritten in
memory, creating gaps. Additionally, it is hard to tell the offending bytes
apart from unrelated network data. In our solution, we tag data from the
network with an age stamp whenever it is written to a buffer. Doing so allows
us to distinguish bytes that were written at different times, ignore gaps, and
analyse the offending bytes precisely. By tracing these bytes to protocol
fields, we obtain accurate signatures that remain effective against polymorphic
attacks.
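To make the mechanism concrete, the following C program is an added example (written for this page, not the speaker's own instrumentation) that models the approach in the abstract with a shadow-memory array: every copy from the network stream into program memory stamps the bytes it writes with a fresh age value and their offset in the stream; when the saved return address turns out to be tainted, the bytes carrying the same age stamp are gathered across gaps and mapped back to a field of a toy protocol. The memory layout, the toy protocol, the request and the gap tolerance MAX_GAP are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 64
#define MAX_GAP  4      /* assumption: tolerate up to 4 overwritten bytes inside one copy */

/* Per-byte shadow tag: where the byte came from in the network stream and the
 * age stamp of the copy operation that stored it. */
typedef struct {
    int      tainted;   /* 1 if the byte originates from the network */
    size_t   net_off;   /* offset of the byte in the network stream */
    unsigned age;       /* age stamp: one fresh value per copy into memory */
} tag_t;

static uint8_t  mem[MEM_SIZE];
static tag_t    shadow[MEM_SIZE];
static unsigned age_clock;

/* Instrumented copy of n bytes from the network stream into memory at dst.
 * Every copy operation receives a fresh age stamp shared by all bytes it writes. */
void net_copy(size_t dst, const uint8_t *net, size_t net_off, size_t n) {
    unsigned age = ++age_clock;
    for (size_t i = 0; i < n && dst + i < MEM_SIZE; i++) {
        mem[dst + i]    = net[net_off + i];
        shadow[dst + i] = (tag_t){ 1, net_off + i, age };
    }
}

/* Ordinary store of program data: drops the tag, which is how gaps arise. */
void clean_write(size_t dst, uint8_t v) {
    mem[dst]    = v;
    shadow[dst] = (tag_t){ 0, 0, 0 };
}

typedef struct { int found; unsigned age; size_t lo, hi; } origin_t;

/* Starting at the address where the overflow was caught, collect every byte that
 * carries the same age stamp, walking in both directions and stepping over gaps of
 * at most MAX_GAP bytes. Returns the range of network offsets those bytes came from. */
origin_t pinpoint(size_t fault_addr) {
    origin_t r = { 0, 0, 0, 0 };
    if (fault_addr >= MEM_SIZE || !shadow[fault_addr].tainted) return r;
    r.found = 1;
    r.age   = shadow[fault_addr].age;
    r.lo = r.hi = shadow[fault_addr].net_off;
    for (int dir = -1; dir <= 1; dir += 2) {            /* walk down, then up */
        size_t gap = 0;
        for (long a = (long)fault_addr + dir; a >= 0 && a < MEM_SIZE && gap <= MAX_GAP; a += dir) {
            if (shadow[a].tainted && shadow[a].age == r.age) {
                gap = 0;
                if (shadow[a].net_off < r.lo) r.lo = shadow[a].net_off;
                if (shadow[a].net_off > r.hi) r.hi = shadow[a].net_off;
            } else {
                gap++;                                   /* overwritten or unrelated byte */
            }
        }
    }
    return r;
}

typedef struct { const char *name; size_t off, len; } field_t;

/* Constructed layout of the toy request: 4-byte command, 2-byte length, 34-byte payload. */
static const field_t fields[] = { { "cmd", 0, 4 }, { "len", 4, 2 }, { "payload", 6, 34 } };

const field_t *field_of(size_t net_off) {
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
        if (net_off >= fields[i].off && net_off < fields[i].off + fields[i].len)
            return &fields[i];
    return NULL;
}

typedef struct { const char *field; size_t min_len; } sig_t;

/* Signature: the protocol field whose byte landed on the corrupted address and the
 * smallest field length that reaches it. The content of the field plays no role. */
sig_t signature(size_t fault_addr) {
    sig_t s = { NULL, 0 };
    if (fault_addr >= MEM_SIZE || !shadow[fault_addr].tainted) return s;
    const field_t *f = field_of(shadow[fault_addr].net_off);
    if (!f) return s;
    s.field   = f->name;
    s.min_len = shadow[fault_addr].net_off - f->off + 1;
    return s;
}

/* Constructed scenario: a 16-byte stack buffer at mem[16..31] with the saved return
 * address at mem[32..35]; the payload is copied in without a bound check.
 * Returns the first tainted byte of the return address, or (size_t)-1 if none. */
size_t run_scenario(void) {
    uint8_t net[40];
    memcpy(net, "GET ", 4); net[4] = 0; net[5] = 34; memset(net + 6, 'A', 34);
    memset(mem, 0, sizeof mem); memset(shadow, 0, sizeof shadow); age_clock = 0;
    const uint8_t ret[4] = { 0xef, 0xbe, 0xad, 0xde };
    for (size_t i = 0; i < 4; i++) clean_write(32 + i, ret[i]);
    net_copy(0, net, 0, 4);        /* command parsed into a separate buffer: age 1 */
    net_copy(16, net, 6, 34);      /* unbounded copy of the payload: age 2, spills to mem[49] */
    clean_write(24, 0);            /* program later stores a local on top of two */
    clean_write(25, 0);            /* of the spilled bytes, leaving a gap */
    for (size_t a = 32; a < 36; a++)   /* function epilogue: is the return address tainted? */
        if (shadow[a].tainted) return a;
    return (size_t)-1;
}

int main(void) {
    size_t fault = run_scenario();
    if (fault == (size_t)-1) { puts("no overflow"); return 0; }
    origin_t o = pinpoint(fault);
    sig_t    s = signature(fault);
    printf("overflow at mem[%zu]: age %u, network bytes %zu..%zu\n", fault, o.age, o.lo, o.hi);
    printf("signature: field %s with length >= %zu\n", s.field, s.min_len);
    return 0;
}
```

The signature that comes out is a field length rather than byte content, which is what makes it hold for polymorphic payloads: any request whose payload field reaches 17 bytes corrupts the return address regardless of what those bytes are. The gap-skipping heuristic and the single-hop copy are simplifications of this example; real instrumentation also has to follow bytes that pass through several intermediate buffers before they reach the overflowed one.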
Asia Slowinska is a second-year Ph.D. student in the Computer System Group at
the Vrije Universiteit in Amsterdam. Her research concerns network intrusion
detection, signature generation, and honeypots. She is involved in the EU FP6
NoAH project.
She graduated from the Warsaw University in Poland, where she obtained an M.Sc. in Mathematics and an M.Sc. in Computer Science. During her studies she also took part in a one-year exchange Master's program at the Vrije Universiteit in Amsterdam.
Last modified: Wed, 28 Feb 2007 16:14:06 +0100