Transparent Run-Time Defense Against Stack Smashing Attacks
The exploitation of buffer overflow vulnerabilities in process stacks constitutes a significant portion of security attacks. This paper presents new methods to detect and handle such attacks. In contrast to previous methods, these new methods require no source code and can be implemented transparently, even on a system-wide basis. The first method intercepts all calls to library functions that are known to be vulnerable. A substitute version of the corresponding function implements the original functionality, but in a manner that ensures that any buffer overflows are contained within the current stack frame. The second method implements a form of canary verification via binary modification of the process memory image. We have implemented both methods on Linux systems and shown that both methods detect several known attacks. The performance overhead of these methods typically ranges from negligible to 15%.
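As an added illustration of the first method (not the paper's own library code), the following C substitute for strcpy() bounds the copy by the calling function's stack frame. It assumes the frame boundary is located with GCC/Clang's __builtin_frame_address(0), and it refuses and reports a copy that would cross that boundary rather than terminating the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Substitute for strcpy(): copies src into dst only if the copy cannot
 * reach frame_top, the address where the caller's saved frame pointer
 * and return address begin. An overflow of dst is thus contained within
 * the current frame. Returns 1 on success, 0 if the copy was refused. */
int guarded_strcpy(char *dst, const char *src, const void *frame_top)
{
    uintptr_t d = (uintptr_t)dst;
    uintptr_t top = (uintptr_t)frame_top;
    size_t need;

    if (d >= top)            /* dst is not below the frame boundary */
        return 0;
    need = strlen(src) + 1;  /* bytes strcpy would write, incl. NUL */
    if (need > top - d)      /* would overwrite saved FP / return addr */
        return 0;
    memcpy(dst, src, need);
    return 1;
}

/* Hypothetical caller with a small local buffer. __builtin_frame_address(0)
 * yields this function's own frame pointer (GCC/Clang keep one when it is
 * used), which lies above every local variable of the function.
 * Returns the copied length, or -1 if the copy was refused. */
__attribute__((noinline))
int copy_into_local(const char *input)
{
    char buf[16];
    int ok = guarded_strcpy(buf, input, __builtin_frame_address(0));
    return ok ? (int)strlen(buf) : -1;
}

/* Test helper: constructs an input of n 'A' characters and tries to copy
 * it into the 16-byte local buffer above. */
int try_length(size_t n)
{
    char *s = malloc(n + 1);
    int r;
    if (s == NULL)
        return -2;
    memset(s, 'A', n);
    s[n] = '\0';
    r = copy_into_local(s);
    free(s);
    return r;
}
```

A 5-byte input fits and is copied; a 200-byte input would run past the saved frame pointer and return address, so the wrapper refuses it before a single byte is written.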