15th USENIX Security Symposium Abstract
Pp. 225240 of the Proceedings
SigFree: A Signature-free Buffer Overflow Attack Blocker
Xinran Wang, Chi-Chun Pan, Peng Liu, and Sencun Zhu, The Pennsylvania State University
We propose SigFree, a realtime, signature-free, out-of-the-box, application layer blocker for preventing buffer
overflow attacks, one of the most serious cyber security
threats. SigFree can filter out code-injection buffer overflow attack messages targeting at various Internet services
such as web service. Motivated by the observation
that buffer overflow attacks typically contain executables
whereas legitimate client requests never contain executables
in most Internet services, SigFree blocks attacks by
detecting the presence of code. SigFree first blindly dissembles
and extracts instruction sequences from a request.
It then applies a novel technique called code abstraction,
which uses data flow anomaly to prune useless
instructions in an instruction sequence. Finally it compares
the number of useful instructions to a threshold
to determine if this instruction sequence contains code.
SigFree is signature free, thus it can block new and unknown
buffer overflow attacks; SigFree is also immunized
from most attack-side code obfuscation methods.
Since SigFree is transparent to the servers being protected,
it is good for economical Internet wide deployment
with very low deployment and maintenance cost.
We implemented and tested SigFree; our experimental
study showed that SigFree could block all types of codeinjection
attack packets (above 250) tested in our experiments.
Moreover, SigFree causes negligible throughput
degradation to normal client requests.
- View the full text of this paper in HTML and PDF. Listen to the presentation and Q & A in MP3 format.
Until August 2007, you will need your USENIX membership identification in order to access the full papers.
The Proceedings are published as a collective work, © 2006 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.