
SCADS

Separated Control- and Data-Stacks

Conference paper. International Conference on Security and Privacy in Communication Networks (SecureComm 2014)

Abstract

Despite the fact that protection mechanisms like StackGuard, ASLR and NX are widespread, the development of new defense strategies against stack-based buffer overflows has not yet come to an end. In this paper, we present a compiler-level protection called SCADS: Separated Control- and Data-Stacks. In our approach, we protect return addresses and saved frame pointers on a separate stack, called the Control-Stack (CS). In common computer programs, a single user mode stack is used to store control information next to data buffers. By separating control information from the Data-Stack (DS), we protect the sensitive pointers of a program's control flow from being overwritten by buffer overflows. As we make control flow information simply unreachable for buffer overflows, many exploits are stopped at an early stage of progression with only a small performance overhead. To substantiate the practicability of our approach, we provide SCADS as an open source patch for the LLVM compiler infrastructure for AMD64 hosts.
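As an added illustration of the separation the abstract describes (constructed model code written for this page, not the SCADS LLVM patch or the authors' code), the following C program lays out one frame under the conventional single-stack layout and under a separated Control-Stack/Data-Stack layout, applies the same unchecked copy into a 4-word buffer to each, and checks whether the saved frame pointer and return address survive. The stack sizes, word positions, fill pattern and sentinel addresses are assumptions of the model, not values from the paper.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy model of the two layouts the abstract contrasts. Each "stack" is a
 * small array of 64-bit words and a frame is laid out by hand; an unchecked
 * copy into a 4-word buffer plays the role of the buffer overflow.
 * All constants below are constructed for the illustration. */

#define STACK_WORDS 16
#define BUF_WORDS   4

#define RET_ADDR  0x4011d6ULL    /* constructed return address */
#define SAVED_FP  0x7ffd1000ULL  /* constructed saved frame pointer */
#define LOCAL_VAL 0x2aULL        /* constructed second local above the buffer */

/* Conventional layout: one stack. Frame grows upward in the array:
 * [0..3] char buffer, [4] another local, [5] saved fp, [6] return address. */
enum { S_LOCAL = BUF_WORDS, S_FP = BUF_WORDS + 1, S_RET = BUF_WORDS + 2 };

typedef struct { uint64_t mem[STACK_WORDS]; } single_stack_t;

/* SCADS layout: buffer and locals on the Data-Stack (DS); saved fp and
 * return address on the separate Control-Stack (CS). */
enum { D_LOCAL = BUF_WORDS, C_FP = 0, C_RET = 1 };

typedef struct {
    uint64_t ds[STACK_WORDS];
    uint64_t cs[STACK_WORDS];
} scads_stack_t;

static void single_enter(single_stack_t *s) {
    memset(s, 0, sizeof *s);
    s->mem[S_LOCAL] = LOCAL_VAL;
    s->mem[S_FP]    = SAVED_FP;
    s->mem[S_RET]   = RET_ADDR;
}

static void scads_enter(scads_stack_t *s) {
    memset(s, 0, sizeof *s);
    s->ds[D_LOCAL] = LOCAL_VAL;
    s->cs[C_FP]    = SAVED_FP;
    s->cs[C_RET]   = RET_ADDR;
}

/* An unchecked copy of n_words words into the 4-word buffer at the bottom of
 * the frame. The copy is clamped to the array so the model stays inside its
 * own memory; every word past index 3 is the "overflow". */
static void unchecked_copy(uint64_t *buf, size_t n_words) {
    uint64_t fill[STACK_WORDS];
    if (n_words > STACK_WORDS) n_words = STACK_WORDS;
    for (size_t i = 0; i < n_words; i++) fill[i] = 0x4141414141414141ULL;
    memcpy(buf, fill, n_words * sizeof *buf);
}

/* 1 if saved fp and return address survive a copy of n_words into the buffer. */
int single_ret_intact(size_t n_words) {
    single_stack_t s;
    single_enter(&s);
    unchecked_copy(s.mem, n_words);
    return s.mem[S_RET] == RET_ADDR && s.mem[S_FP] == SAVED_FP;
}

int scads_ret_intact(size_t n_words) {
    scads_stack_t s;
    scads_enter(&s);
    unchecked_copy(s.ds, n_words);   /* overflow lands on the DS only */
    return s.cs[C_RET] == RET_ADDR && s.cs[C_FP] == SAVED_FP;
}

/* The caveat: control data is out of reach, but other locals on the
 * Data-Stack are still corrupted by the same overflow. */
int scads_local_intact(size_t n_words) {
    scads_stack_t s;
    scads_enter(&s);
    unchecked_copy(s.ds, n_words);
    return s.ds[D_LOCAL] == LOCAL_VAL;
}

int main(void) {
    printf("single stack, 4 words: ret intact = %d\n", single_ret_intact(4));
    printf("single stack, 8 words: ret intact = %d\n", single_ret_intact(8));
    printf("SCADS,        8 words: ret intact = %d\n", scads_ret_intact(8));
    printf("SCADS,       16 words: ret intact = %d\n", scads_ret_intact(16));
    printf("SCADS,        8 words: local intact = %d\n", scads_local_intact(8));
    return 0;
}
```

With a copy of 8 words, `single_ret_intact` returns 0 because the saved frame pointer at word 5 and the return address at word 6 sit directly above the buffer, while `scads_ret_intact` returns 1 for any copy length, since nothing written to the Data-Stack array can reach the Control-Stack array. `scads_local_intact(8)` returning 0 is the limitation to keep in mind: the separation makes control-flow pointers unreachable, not the neighbouring data on the Data-Stack, which is why the abstract speaks of stopping many exploits rather than all of them.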




Author information

Corresponding author: Tilo Müller.


A Appendix

(Figure d of the appendix is not reproduced in this preview.)

Copyright information

© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

Cite this paper

Kugler, C., Müller, T. (2015). SCADS. In: Tian, J., Jing, J., Srivatsa, M. (eds) International Conference on Security and Privacy in Communication Networks. SecureComm 2014. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 152. Springer, Cham. https://doi.org/10.1007/978-3-319-23829-6_23

  • DOI: https://doi.org/10.1007/978-3-319-23829-6_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-23828-9

  • Online ISBN: 978-3-319-23829-6
