DOI QR코드

DOI QR Code

Efficient Stack Smashing Attack Detection Method Using DSLR

DSLR을 이용한 효율적인 스택스매싱 공격탐지 방법

  • 황도영 (홍익대학교 산업융합형동과정) ;
  • 유동영 (홍익대학교 소프트웨어융합과)
  • Received : 2023.05.30
  • Accepted : 2023.08.11
  • Published : 2023.09.30

Abstract

With the recent steady development of IoT technology, it is widely used in medical systems and smart TV watches. 66% of software development is developed through language C, which is vulnerable to memory attacks, and acts as a threat to IoT devices using language C. A stack-smashing overflow attack inserts a value larger than the user-defined buffer size, overwriting the area where the return address is stored, preventing the program from operating normally. IoT devices with low memory capacity are vulnerable to stack smashing overflow attacks. In addition, if the existing vaccine program is applied as it is, the IoT device will not operate normally. In order to defend against stack smashing overflow attacks on IoT devices, we used canaries among several detection methods to set conditions with random values, checksum, and DSLR (random storage locations), respectively. Two canaries were placed within the buffer, one in front of the return address, which is the end of the buffer, and the other was stored in a random location in-buffer. This makes it difficult for an attacker to guess the location of a canary stored in a fixed location by storing the canary in a random location because it is easy for an attacker to predict its location. After executing the detection program, after a stack smashing overflow attack occurs, if each condition is satisfied, the program is terminated. The set conditions were combined to create a number of eight cases and tested. Through this, it was found that it is more efficient to use a detection method using DSLR than a detection method using multiple conditions for IoT devices.

최근 IoT 기술이 꾸준하게 발전되면서 의료 시스템, 스마트 TV 시계 등에서 많이 활용되고 있다. 소프트웨어 개발의 66%가 메모리 공격에 취약한 C 언어를 통해 개발되고 C 언어를 사용하는 IoT 기기에 위협적으로 작용한다. 스택스매싱 오버플로 공격은 사용자가 정의한 버퍼 크기보다 큰 값을 삽입하여 반환 주소가 저장된 영역을 덮어쓰게 하여 프로그램이 정상적으로 동작하지 못하게 한다. 메모리 가용량이 적은 IoT 기기는 스택스매싱 오버플로 공격에 취약하다. 또한, 기존의 백신 프로그램을 그대로 적용하게 되면 IoT 기기가 정상적으로 동작하지 못한다. 연구에서는 IoT 기기에 대한 스택스매싱 오버플로 공격을 방어하기 위해 여러 탐지 방법 중 카나리아를 사용하여 각각 무작위 값, 체크썸, DSLR(무작위 저장 위치)로 조건을 설정했다. 2개의 카나리아를 버퍼 내에 배치하여 하나는 버퍼의 끝인 반환 주소 앞에 배치하고 나머지 하나는 버퍼 내 무작위 위치에 저장했다. 이는 고정된 위치에 저장된 카나리아 값은 공격자가 위치를 예측하기 쉬우므로 무작위한 위치에 카나리아를 저장하여 공격자가 카나리아의 위치를 예측하기 어렵게 했다. 탐지 프로그램 실행 후 스택스매싱 오버플로 공격이 발생 후 각 조건을 만족하게 되면 프로그램이 종료된다. 설정한 조건을 각각 조합하여 8가지 경우의 수를 만들었고 이를 테스트했다. 이를 통해 IoT 기기에는 다중 조건을 사용한 탐지 방법보다 DSLR을 이용한 탐지 방법을 사용하는 것이 더 효율적이라는 결과를 얻었다.

Keywords

References

  1. C. Bradley, S. El-Tawab, and M. H. Heydari, "Security analysis of an IoT system used for indoor localization in healthcare facilities," In 2018 Systems and Information Engineering Design Symposium, pp.147-152, 2018.
  2. P. Black, M. Badger, B. Guttman, and E. Fong, "Dramatically reducing software vulnerabilities: Report to the white house office of science and technology policy," No. NIST Internal or Interagency Report (NISTIR) 8151 (Draft), National Institute of Standards and Technology, 2016.
  3. K. V. English, I. Obaidat, and M. Sridhar, "Exploiting memory corruption vulnerabilities in connman for iot devices," In 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp.247- 255, 2019.
  4. C. M. Chen, S. M. Chen, W. C. Ting, C. Y. Kao, and H. M. Sun, "An enhancement of return address stack for security," Computer Standards & Interfaces, Vol.38, pp.17- 24, 2015. https://doi.org/10.1016/j.csi.2014.08.008
  5. H. Etoh and K. Yoda, "ProPolice: Protecting from stack-smashing attacks," Technical Report, IBM Research Division, Tokyo Research Laboratory, 2000.
  6. R. S. Ferreira and F. Vargas, "ShadowStack: A new approach for secure program execution," Microelectronics Reliability, Vol.55, pp.2077-2081, 2015.
  7. D. Jiang and J. Mai, "A new approach against stack overrun: Separates the stack to two parts," In 2011 First International Conference on Instrumentation, Measurement, Computer, Communication and Control, pp.441-444, 2011.
  8. N. R. Kisore, "A qualitative framework for evaluating buffer overflow protection mechanisms," International Journal of Information and Computer Security, Vol.8, No.3, pp.272-307, 2016. https://doi.org/10.1504/IJICS.2016.079187
  9. P. Wu and T. Wolf, "Stack protection in packet processing systems," In 2014 International Conference on Computing, Networking and Communications (ICNC), pp.53-57, 2014.
  10. H. M., Gisbert and I. Ripoll, "On the effectiveness of nx, ssp, renewssp, and aslr against stack buffer overflows," In 2014 IEEE 13th International Symposium on Network Computing and Applications, pp.145-152, 2014.
  11. Z. Lin, R. D. Riley, and D. Xu, "Polymorphing software by randomizing data structure layout," In Detection of Intrusions and Malware, and Vulnerability Assessment: 6th International Conference, DIMVA 2009, Como, Italy, Vol.6, pp.107-126, 2009.
  12. Q. Zhou, H. Dai, L. Liu, K. Shi, J. Chen, and H. Jiang, "The final security problem in IOT: Don't count on the canary!," In 2022 7th IEEE International Conference on Data Science in Cyberspace (DSC), pp.599-604, 2022.
  13. N. Huang, S. Huang, and Z. Deng, "Automatic detection of stack overflow attack in canary," In 2018 Eighth International Conference on Instrumentation & Measurement, Computer, Communication and Control (IMCCC), pp.1418- 1423, 2018.
  14. K. Lehniger and P. Langendorfer, "Window Canaries: Rethinking stack canaries for architectures with register windows," IEEE Transactions on Dependable and Secure Computing, 2022.
  15. J. Sun, X. Zhou, W. Shen, Y. Zhou, and K. Ren, "PESC: A per system-call stack canary design for Linux kernel," In Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy, pp.365-375, 2020.
  16. D. A. H. Shehab and O. A. Batarfi, "RCR for preventing stack smashing attacks bypass stack canaries," In 2017 Computing Conference, pp.795-800, 2017.
  17. J. Zhu, W. Zhou, Z. Wang, D. Mu, and B. Mao, "Diffguard: Obscuring sensitive information in canary based protections," In Security and Privacy in Communication Networks: 13th International Conference, SecureComm 2017, Vol.13, pp.738-751, 2018.
  18. H. Marco-Gisbert and I. Ripoll-Ripoll, "SSPFA: Effective stack smashing protection for Android OS," International Journal of Information Security, Vol.18, No.4, pp.519-532, 2019. https://doi.org/10.1007/s10207-018-00425-8
  19. S. Zhou and J. Chen, "Experimental evaluation of the defense capability of arm-based systems against buffer overflow attacks in wireless networks," In 2020 IEEE 10th International Conference on Electronics Information and Emergency Communication (ICEIEC), pp.375-378, 2020.