The Robert Morris Internet Worm
November 2, 1988
The Internet Worm Program: An Analysis
Spafford, Eugene H.
Technical Report, Department of Computer Science, Purdue University
Buffer Overflow In IIS Indexing Service DLL
A vulnerability exists in the Indexing Services used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. This vulnerability allows a remote intruder to run arbitrary code on the victim machine.
Discovered by eEye Digital Security on June 19, 2001
"Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL
The "Code Red" worm appears to merely deface web pages on affected systems and attack other systems. However, the IIS indexing vulnerability it exploits can be used to execute arbitrary code in the Local System security context, effectively giving an attacker complete control of the victim system.
Reported on July 19, 2001
"Code Red II": Another Worm Exploiting Buffer Overflow In IIS Indexing Service DLL
The Code Red II worm is self-propagating malicious code that exploits a known buffer overflow vulnerability in the IIS Indexing Service DLL of Microsoft IIS servers.
Reported on August 6, 2001
"W32/Nimda worm" or the "Concept Virus (CV) v.5"
This worm propagates through email, open network shares, active scanning for and exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities, and scanning for the back doors left behind by the "Code Red II" and "sadmind/IIS" worms. Denial of service as a result of network scanning and email propagation is also reported.
Reported on September 18, 2001
Microsoft SQL Server 2000 stack buffer overflow in SQL Server Resolution Service (SSRS)
The SSRS contains a stack buffer overflow that allows an attacker to execute arbitrary code by sending a crafted request to port 1434/udp. The code within such a request will be executed by the server host with the privileges of the SQL Server service account.
Discovered by David Litchfield of Next Generation Security Software Ltd. on July 24, 2002
MS-SQL Slammer Worm (a.k.a. W32.Slammer worm and Sapphire worm) [article on Sapphire Worm]
The worm targeting SQL Server computers is self-propagating malicious code that exploits the stack buffer overflow vulnerability in SQL Server Resolution Service. This vulnerability allows for the execution of arbitrary code on the SQL Server computer, which may allow remote attackers to compromise a host.
Reported on January 25, 2003
Remote Buffer Overflow in Sendmail
A vulnerability in sendmail that may allow remote attackers to gain the privileges of the sendmail daemon, typically root.
Discovered by Internet Security Systems on March 3, 2003
Microsoft Windows RPC vulnerable to buffer overflow
A buffer overflow vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation. A remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service. An exploit for this vulnerability is publicly available.
Discovered by The Last Stage of Delirium Research Group on July 16, 2003
W32/Blaster worm
This worm appears to exploit known vulnerabilities in the Microsoft Remote Procedure Call (RPC) Interface. A remote attacker could exploit these vulnerabilities to execute arbitrary code with Local System privileges or to cause a denial-of-service condition.
Reported on August 11, 2003
W32/Nachi-A worm
This worm spreads using the RPC DCOM vulnerability in a similar fashion to the W32/Blaster-A worm. The worm also attempts to spread using a buffer overflow exploit for the ntdll.dll library in several versions of Microsoft Windows. The exploit is attempted through a search request of the WebDAV protocol.
Reported on August 19, 2003
*Compiled from CERT Coordination Center and Sophos Advisory Bulletins.
- Informative Articles on Buffer Overflow Attacks -
x86 Architecture
Smashing the stack for fun and profit
Aleph One
Phrack Magazine 7(49), November 1996.
How to write buffer overflows
Mudge
Published on World-Wide Web, 1997.
w00w00 on Heap Overflows
Matt Conover
1999.
Bypassing stackguard and stackshield
Bulba and Kil3r
Phrack Magazine 5(56), May 2000.
JPEG COM Marker Processing Vulnerability in Netscape Browsers
Solar Designer
Bugtraq, July 2000.
Exploiting format string vulnerabilities
scut
March 2001.
Vudo - An object superstitiously believed to embody magical powers
Michel "MaXX" Kaempf
Phrack Magazine 8(57), August 2001
Once Upon a free...
Anonymous
Phrack 9(57), August 2001.
The advanced return-into-lib(c) exploits (PaX case study).
Nergal
Phrack 4(58), Dec 2001.
Advances in format string exploitation
Gera and Riq
Phrack Magazine 7(59), July 2002
Bypassing PaX ASLR protection
Tyler Durden
Phrack Magazine 9(59), July 2002
Advanced malloc exploits
Jp
Phrack Magazine 6(61), August 2003
Alpha Architecture
Buffer overflow exploit in the alpha linux
Taeho Oh
- Articles & Papers on Detection and Prevention of BoF Attacks -
Static Analysis of Source Code:
A first step towards automated detection of buffer overrun vulnerabilities.
David Wagner, Jeffrey S. Foster, Eric A. Brewer, and Alexander Aiken.
In Network and Distributed System Security Symposium, San Diego, CA, 2000.
Cleanness Checking of String Manipulations in C Programs via Integer Analysis
Nurit Dor, Michael Rodeh, and Mooly Sagiv.
In Static Analysis Symposium, volume 2126 of Lecture Notes in Computer Science, Springer Verlag, June 2001.
Statically detecting likely buffer overflow vulnerabilities.
David Larochelle and David Evans.
In Proceedings of the 10th USENIX Security Symposium,
August 2001, Washington, D.C.
Detecting heap smashing attacks through fault containment wrappers.
Christof Fetzer and Zhen Xiao.
In Proceedings of the 20th IEEE Symposium on Reliable Distributed Systems
October 2001.
Accurate Buffer Overflow Detection via Abstract Payload Execution.
Thomas Toth and Christopher Kruegel.
In 5th Symposium on Recent Advances in Intrusion Detection (RAID), Lecture Notes in Computer Science, Springer Verlag, Switzerland, October 2002.
A Comparison of Publicly Available Tools for Static Intrusion Prevention
John Wilander and Mariam Kamkar
Proceedings of the 7th Nordic Workshop on Secure IT Systems
November 2002, Karlstad, Sweden
Using Programmer-Written Compiler Extensions to Catch Security Holes
Ken Ashcraft and Dawson Engler.
Proceedings of IEEE Security and Privacy, 2002
CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C
Nurit Dor, Michael Rodeh, and Mooly Sagiv.
Proceedings of the ACM SIGPLAN 2003 conference on Programming Language Design and Implementation, June 2003, San Diego, California, USA.
Protecting C Programs from Attacks via Invalid Pointer Dereferences
Suan Hsi Yong and Susan Horwitz
Proceedings of the 9th European software engineering conference held jointly with 10th ACM SIGSOFT international symposium on Foundations of software engineering, Helsinki, Finland, 2003
Static Analysis of Executables:
A Binary Rewriting Defense Against Stack-based Buffer Overflow Attacks
Manish Prasad and Tzi-cker Chiueh.
Proceedings of USENIX Annual Technical Conference, San Antonio, TX, June 2003.
Static Analysis of Executables to Detect Malicious Patterns
Mihai Christodorescu, Somesh Jha
In 12th USENIX Security Symposium,
Washington, DC, August 2003
Address Obfuscation: An Approach to Combat Buffer Overflows, Format-String Attacks, and More.
Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar.
In 12th USENIX Security Symposium, Washington, DC, August 2003.
Compiler patches:
Adding run-time checking to the portable c compiler.
Joseph L. Steffen.
Software-Practice and Experience, April 1992.
Bounds Checking for C.
Richard Jones and Paul Kelly.
July 1995.
StackGuard: Automatic adaptive detection and prevention of buffer overflow attacks.
Crispan Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang, and Heather Hinton.
Proceedings of the 7th USENIX Security Conference, pages 63-78, San Antonio, Texas, Jan 1998.
Protecting from stack smashing attacks (Propolice).
Hiroaki Etoh and Kunikazu Yoda.
IBM Research, June 2000.
Stack Shield: A "stack smashing" technique protection tool for linux
Vendicator
January 2001
Rad: A compile-time solution to buffer overflow attacks.
Tzi-cker Chiueh and Fu-Hau Hsu.
21st International Conference on Distributed Computing, page 409, April 2001, Phoenix, Arizona.
ProPolice: GCC extension for protecting applications from stack-smashing attacks
H. Etoh
IBM, April 2003
Pointguard: Protecting pointers from buffer overflow vulnerabilities.
Crispin Cowan, Steve Beattie, John Johansen, and Perry Wagle.
In Proceedings of the 12th USENIX Security Symposium, Washington, D.C., August 2003.
A Practical Dynamic Buffer Overflow Detector.
Olatunji Ruwase, Monica S. Lam.
In Proceedings of the 11th Annual Network and Distributed System Security Symposium, pages 159-169, February 2004.
C Library Patches:
FreeBSD Stack Integrity Patch.
Alexander Snarskii
1997
Transparent run-time defense against stack smashing attacks (Libsafe - Libverify)
Arash Baratloo, Navjot Singh, and Timothy Tsai
Proceedings of 2000 USENIX Annual Technical Conference, San Diego, California, USA, June 18–23, 2000
FormatGuard: Automatic Protection From printf Format String Vulnerabilities
Crispin Cowan, Matt Barringer, Steve Beattie, and Greg Kroah-Hartman
WireX Communications, Inc.
2001 USENIX Security Symposium, August 2001.
Safe C String Library v1.0.0
Matt Messier and John Viega
September 2003
Run-time Detection of Heap-based Overflows
William Robertson, Christopher Kruegel, Darren Mutz, and Fredrik Valeur
Proceedings of the 17th Large Installation Systems Administration Conference (LISA '03), San Diego, California, Oct 29, 2003
Libparanoia
Alexandre Snarskii
Kernel / OS Patches:
Proof-carrying code.
Necula, G.
In Proceedings of the 24th ACM Symposium on Principles of Programming Languages, 106–119, Jan. 1997
Non-executable user stack
Solar Designer
Openwall Project, January 2001
StackGhost: Hardware Facilitated Stack Protection.
Mike Frantzen and Mike Shuey.
In USENIX Security Symposium, Washington, DC, August 2001.
PaX
PaX Team, 2001
Mitigating Buffer Overflows by Operating System Randomization
Monica Chew and Dawn Song
Tech Report CMU-CS-02-197, December 2002
Secure Execution via Program Shepherding
Vladimir Kiriansky, Derek Bruening and Saman P. Amarasinghe
Proceedings of the 11th USENIX Security Symposium, pages 191-206, 2002
Transparent runtime randomization for security.
Jun Xu, Zbigniew Kalbarczyk, and Ravishankar K. Iyer.
Technical Report UILU-ENG-03-2207, Center for Reliable and High-Performance Computing, University of Illinois at Urbana-Champaign, May 2003.
Hardware Solutions:
Architecture Support for Defending Against Buffer Overflow Attacks
Jun Xu, Zbigniew Kalbarczyk, Sanjay Patel, and Ravishankar K. Iyer
Invited talk at the Second Workshop on Evaluating and Architecting System dependabilitY (EASY), October 2002, San Jose, California, U.S.A.
SmashGuard: A Hardware Solution to Prevent Security Attacks on the Function Return Address
H. Ozdoganoglu, C. E. Brodley, T. N. Vijaykumar, B. A. Kuperman, and A. Jalote
Technical Report, Purdue University, December 2002
Enlisting Hardware Architecture to Thwart Malicious Code Injection
Ruby B. Lee, David K. Karig, John P. McGregor, and Zhijie Shi
Security in Pervasive Computing, March 2003, Boppard, Germany
Detection and prevention of stack buffer overflow attacks
Benjamin A. Kuperman, Carla E. Brodley, Hilmi Ozdoganoglu, T. N. Vijaykumar, and Ankit Jalote
Communications of the ACM, Volume 48, Issue 11, pages 50-56, November 2005.
- Source Code Auditing Tools -
Static Analysis:
Rough Auditing Tool for Security (RATS)
RATS, the Rough Auditing Tool for Security, is a security auditing utility for C and C++ code. RATS scans source code, finding potentially dangerous function calls. The goal of this tool is not to definitively find bugs but to provide a reasonable starting point for performing manual security audits.
Detecting Buffer Overflow Exploits in HTTP Requests via Abstract Payload Execution
This approach accurately detects buffer overflow code in the packet's payload by concentrating on the sledge of the attack.
Flawfinder
Flawfinder is a program that examines source code looking for security weaknesses.
ITS4
ITS4 scans source code, looking for function calls that are potentially dangerous.
LCLint
LCLint is a tool for statically checking C programs.
PScan
Scans C source files for problematic uses of printf style functions.
CodeWizard (commercial)
An advanced C/C++ source code analysis tool that uses coding guidelines to automatically identify dangerous coding constructs that compilers do not detect.
FlexeLint/PC-lint (commercial)
PC-lint and FlexeLint will check your C/C++ source code and find bugs, glitches, inconsistencies, non-portable constructs, redundant code, and much more.
On-the-fly Debuggers:
ElectricFence
A malloc() debugger for Linux and Unix that stops a program on the exact instruction that overruns or under-runs a malloc() buffer.
SCC: Safe C Compiler
Todd Austin, Scott Breach, and Guri Sohi of the Wisconsin Multiscalar Group
University of Wisconsin - Madison, June 1994.
Cyclone: A safe dialect of C.
Trevor Jim, Greg Morrisett, Dan Grossman, Michael Hicks, James Cheney, and Yanling Wang.
In USENIX Annual Technical Conference, Monterey, CA, June 2002.
CCured: Type-Safe Retrofitting of Legacy Code
George C. Necula, Scott McPeak, and Westley Weimer
In the proceedings of the ACM Symposium on Principles of Programming Languages, 2002
- Secure System Projects -
Adamantix Project
This project will use currently available security solutions for Linux (like kernel patches, compiler patches, security related programs and techniques) and knit these together into a usable, highly secure Linux platform.
GRSecurity
Originally a port of Openwall (now Owl) to Linux 2.4, GRSecurity aims at a configuration-free secure Linux platform with extensive auditing capabilities and various measures to stop the most common exploit methods.
Owl (Openwall GNU/*/Linux)
A security-enhanced operating system with Linux and GNU software as its core, compatible with other major distributions of GNU/*/Linux.
OpenBSD
The OpenBSD project produces a
free, multi-platform 4.4BSD-based UNIX-like operating system that emphasizes
portability, standardization, correctness, proactive security and integrated
cryptography.
Immunix
Immunix is a family of tools
designed to enhance system integrity by hardening system components and
platforms against security attacks.
Hardened Gentoo
Hardened Gentoo is an umbrella project which oversees the research, implementation, and maintenance of security-oriented projects for Gentoo Linux, led by a team of very competent individuals dedicated to bringing advanced security to Gentoo with a number of subprojects.
The Buffer Overflow Page. Last Update October 26, 2005.