DIRA: Automatic Detection, Identification, and Repair of Control-Hijacking Attacks

Presented at DEF CON 13 (2005), July 31, 2005, 11 a.m. (50 minutes)

Buffer overflow attacks are known to be the most common type of attacks that allow attackers to hijack a remote system by sending a specially crafted packet to a vulnerable network application running on it. A comprehensive defense strategy against such attacks should include (1) an attack detection component that determines the fact that a program is compromised and prevents the attack from further propagation, (2) an attack identification component that identifies attack packets and generates attack signatures so that one can block such packets in the future, and (3) an attack repair component that restores the compromised application's state to that before the attack and allows it to continue running normally. Over the last decade, a significant amount of research has been vested in the systems that can detect buffer overflow attacks either statically at compile time or dynamically at run time. However, not much effort is spent on automated attack packet identification or attack repair. We present a unified solution to the three problems mentioned above. We implemented this solution as a GCC compiler extension called DIRA that transforms a program's source code so that the resulting program can automatically detect any buffer overflow attack against it, repair the memory damage left by the attack, and generate the attack signature. We used DIRA to compile several network applications with known vulnerabilities and tested DIRA's effectiveness by attacking the transformed programs with publicly available exploit code. The DIRA-compiled programs were always able to detect the attacks, produce attack signatures, and most often repair themselves to continue normal execution. The automatically produced signatures are context-aware as they describe all attack packets and accurate because each of the packets is described as a regular expressions. To the best of our knowledge DIRA is the first system capable of producing accurate attack signatures from a single attack instance and performing post-attack repair. Related tools: GCC, http://gcc.gnu.org Project home page: http://www.ecsl.cs.sunysb.edu/dira


  • Tzi-cker Chiueh - Professor, SUNY, Stony Brook
    Dr. Tzi-cker Chiueh is a Professor in the Computer Science Department of Stony Brook University, and the Chief Scientist of Rether Networks Inc. He received his B.S. in EE from National Taiwan University, M.S. in CS from Stanford University, and Ph.D. in CS from University of California at Berkeley in 1984, 1988, and 1992, respectively. He received an NSF CAREER award in 1995, and has published over 130 technical papers in refereed conferences and journals in the areas of operating systems, networking, and computer security. He has developed several innovative security systems/products in the past several years, including SEES (Secure Mobile Code Execution Service), PAID (Program Semantics-Aware Intrusion Detection), DOFS (Display-Only File Server), and CASH.
  • Alexey Smirnov - Student, SUNY Stony Brook
    Alexey Smirnov is a PhD student in the department of Computer Science at Stony Brook University. His is broadly interested in computer security, operating systems, and networks. He has been working on various systems research projects in the past such as Repairable Database Systems and DIRA. Alexey expects to complete his PhD within the next two or three years.


Similar Presentations: