Title: A Method for Fast Detection and Recovery of Software Overflow Errors
An Efficient Method for Buffer Overflow Detection and Recovery
Author: Yi-Liang Lai (賴怡良)
I-Chen Wu (吳毅成)
Institute of Computer Science and Engineering
Keywords: Buffer Overflow; Overflow Detection; Overflow Recovery; Out-of-Bounds Access; Boundless Memory Blocks; Denial of Service Attacks
Issue Date: 2005
Abstract (translated from the Chinese): Buffer overflow is a common software vulnerability. It has been found in many of today's applications and has caused serious security problems. To address buffer overflows effectively, researchers have proposed various detection and recovery mechanisms, and the runtime overhead these mechanisms impose decides whether they are practical. In addition, our experiments show that when a program protected by a detection mechanism without recovery capability is attacked, its capacity to provide service drops sharply. Our research therefore focuses on efficient buffer overflow detection and recovery.

CRED (C Range Error Detector), currently regarded as the detection technique with the widest coverage, and the CRED-based BMB (Boundless Memory Blocks) recovery technique can in some cases slow execution to roughly 30 times that of the original program. This thesis proposes a method named BODAR (Buffer Overflow Detection And Recovery), which uses the operating system's page protection mechanism at run time to detect buffer overflows correctly and efficiently in an event-driven manner. In addition, BODAR places buffers sparsely, so that an unallocated region follows each buffer and can absorb the overflowing data; recovery then only requires extending the buffer into that unallocated region. This gives detection and recovery capability nearly identical to CRED's, together with considerably better performance. Our experiments show that BODAR-protected programs run only 10% to 80% slower than the original programs.
English abstract: Buffer overflow is a common kind of software vulnerability. Today it exists in many applications and therefore causes serious security problems. To solve such problems, many researchers have proposed mechanisms for buffer overflow detection and recovery. On one hand, the practicality of these mechanisms is decided primarily by their runtime overhead. On the other hand, our experiments showed that when a server with detection capability but no recovery capability is attacked, its service availability degrades significantly. Based on these two observations, our research focuses on an efficient buffer overflow detection and recovery mechanism.

Two earlier solutions, CRED (C Range Error Detector) and BMB (Boundless Memory Blocks), have been recognized as the best overflow-detection method and the most practical CRED-based recovery method, respectively. However, in certain situations both can slow a program down by a factor of about 30. In this thesis we propose a method named BODAR for the buffer overflow problem. BODAR uses the operating system's page protection mechanism, which is event-driven, to detect buffer overruns correctly and efficiently. BODAR also lays buffers out sparsely, leaving an unallocated region behind each buffer; when recovering, that region is allocated to hold the out-of-bounds data. Our experiments showed that the execution time of BODAR-enabled programs was only 10% to 80% longer than that of unprotected ones.
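The page-protection scheme the abstract describes, as an added example: this is my own illustration of the approach, not BODAR's code (the thesis sources are not on this page). Each buffer is placed so that it ends at a page boundary, a PROT_NONE reserve of unmapped-in-effect pages follows it, the first out-of-bounds access raises SIGSEGV, and the handler recovers by making the faulting reserve page writable (the buffer grows into the unallocated region) before returning, so the faulting instruction re-executes and the program continues. The names (guarded_buf, gb_alloc, on_segv, run_demo), the four-page reserve and the 16-byte alignment are choices of this example, and the 1200-byte payload is constructed. One caveat the example makes visible: page granularity plus alignment padding means up to 15 bytes past the end of a buffer are not caught, so detection is close to, but not byte-exact like, CRED's bounds checking.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define MAX_BUFS      16   /* table size chosen for this example only */
#define RESERVE_PAGES 4    /* PROT_NONE slack kept behind every buffer */

/* One protected buffer: the usable bytes end exactly at a page boundary and
 * RESERVE_PAGES of PROT_NONE memory follow, so an out-of-bounds byte faults. */
typedef struct {
    char  *map, *data, *reserve; /* whole mapping, user pointer, start of guard */
    size_t map_len, size;        /* mapping length; size originally requested   */
    size_t reserve_len, grown;   /* guard length; guard bytes made writable     */
} guarded_buf;

static guarded_buf g_bufs[MAX_BUFS];
static int g_nbufs;
static volatile sig_atomic_t g_overflows; /* overflows detected and recovered */
static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Allocate `size` bytes ending flush against a PROT_NONE reserve; NULL on failure. */
static guarded_buf *gb_alloc(size_t size)
{
    if (size == 0 || g_nbufs >= MAX_BUFS) return NULL;
    size_t ps = page_size();
    size_t aligned = (size + 15) & ~(size_t)15;     /* keep data 16-byte aligned */
    size_t usable = (aligned + ps - 1) / ps * ps;   /* whole pages for the data */
    size_t reserve_len = RESERVE_PAGES * ps;
    char *map = mmap(NULL, usable + reserve_len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED) return NULL;
    if (mprotect(map + usable, reserve_len, PROT_NONE) != 0) {  /* arm the guard */
        munmap(map, usable + reserve_len);
        return NULL;
    }
    guarded_buf *gb = &g_bufs[g_nbufs++];
    *gb = (guarded_buf){ map, map + usable - aligned, map + usable,
                         usable + reserve_len, size, reserve_len, 0 };
    return gb;
}

static void gb_free(guarded_buf *gb)
{
    munmap(gb->map, gb->map_len);
    memset(gb, 0, sizeof *gb);   /* reserve == NULL marks the slot unused */
}

/* SIGSEGV handler. A fault inside some buffer's reserve means that buffer
 * overflowed: recover by making the faulting reserve page writable (the buffer
 * grows into the unallocated region) and return so the access is retried. */
static void on_segv(int sig, siginfo_t *si, void *ctx)
{
    (void)ctx;
    char *addr = (char *)si->si_addr;
    size_t ps = page_size();
    for (int i = 0; i < g_nbufs; i++) {
        guarded_buf *gb = &g_bufs[i];
        if (gb->reserve && addr >= gb->reserve && addr < gb->reserve + gb->reserve_len) {
            char *page = (char *)((uintptr_t)addr & ~(uintptr_t)(ps - 1));
            if (mprotect(page, ps, PROT_READ | PROT_WRITE) != 0) break;
            gb->grown += ps; g_overflows++;
            static const char msg[] = "overflow detected; buffer grown by one page\n";
            write(STDERR_FILENO, msg, sizeof msg - 1);  /* async-signal-safe logging */
            return;
        }
    }
    signal(sig, SIG_DFL);   /* not ours: the retried access terminates the process */
}

/* Demo: overflow a 1000-byte buffer with a constructed 1200-byte payload and
 * check that it was detected once, the data (excess included) survived, and a
 * neighbour was untouched. Returns the recovered-overflow count, or -1 on failure. */
static int run_demo(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv; sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    g_overflows = 0;
    guarded_buf *a = gb_alloc(1000), *b = gb_alloc(64);
    if (!a || !b) return -1;
    memset(b->data, 'B', b->size);
    enum { PAYLOAD = 1200 };            /* constructed input, 200 bytes too long */
    char payload[PAYLOAD];
    for (int i = 0; i < PAYLOAD; i++) payload[i] = (char)('a' + i % 26);
    memcpy(a->data, payload, PAYLOAD);  /* the overflow: faults, recovers, completes */
    int ok = memcmp(a->data, payload, PAYLOAD) == 0 && a->grown == page_size()
          && b->data[0] == 'B' && b->data[b->size - 1] == 'B';
    int result = ok ? (int)g_overflows : -1;
    gb_free(a), gb_free(b);
    return result;
}
```

run_demo() returns 1: the 192 bytes that spill past the alignment padding land in the first reserve page, which faults exactly once, is made writable, and then holds the excess, so the copy completes and the neighbouring buffer is never touched. A fault outside any reserve is handed back to the default action, so genuine wild writes still crash rather than being silently "recovered".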
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT009317554
http://hdl.handle.net/11536/78764
Appears in Collections: Thesis


Files in This Item:

  1. 755401.pdf