Check out the new USENIX Web site. next up previous
Next: Experimental Results Up: StackGuard: Making the Stack Previous: Preventing Return Address Changes

Adaptive Defense Strategies


StackGuard is a product of the Immunix project [11], whose focus is adaptive responses to security threats. Thus we provide an adaptive response to intrusions, switching between the more performant Canary version, and the more robust MemGuard versions of StackGuard.

The basic model of operation for StackGuard is that when a buffer overflow is detected, either by the Canary or by MemGuard, the process is terminated. The process must exit, because an unknown amount of state has already been corrupted at the time the attack is detected, and so it is impossible to safely recover the state of the process. Thus the process exits, using only static data and code, so as to avoid any possible corruption from the attacker.

Replacing the dead process is context-dependent. In many cases, it suffices to just let inetd re-start the daemon when a connection requests service. However, if the daemon is not managed by inetd, then it may be necessary for a watch-dog process to re-start the daemon, most especially in the case of inetd itself.

It is also possible for these re-start mechanisms to adaptively select which form of protection to use next. The Canary and MemGuard variants of StackGuard offer different points in the trade-off between security and performance. The Canary version is more performant, while the MemGuard version is more secure (see Section 4). More specifically, the important security vulnerability in the Canary variant is that it is potentially subject to guessing of the canary value. The Canary variant can defend itself against guessing by exiting, and replacing the attacked Canary-guarded daemon with a MemGuard-guarded daemon.

This adaptive response allows systems to run in a relatively high-performance state most of the time, and adaptively switch to a lower-performance, higher-security state when under attack. At worst, the attacker can carry out a degradation-of-service attack by periodically attacking daemons, forcing them to run in the lower-performance MemGuard mode most of the time. However, service is not totally denied, because the daemons continue to function, and the attacker no longer is able to obtain illegitimate privilege via buffer overflow attack.

next up previous
Next: Experimental Results Up: StackGuard: Making the Stack Previous: Preventing Return Address Changes

Crispin Cowan
Tue Dec 9 16:04:30 PST 1997