Authors: Christopher Kruegel, Thomas Toth
DOI:
Keywords: Executable, Computer network, Code (cryptography), Network packet, Payload (computing), Computer science, Host (network), Exploit, Buffer overflow, Intrusion detection system
Abstract: Static buffer overflow exploits belong to the most feared and most frequently launched attacks on today's Internet. These attacks target vulnerabilities in daemon processes which provide important network services. Ever since the hacking technique reached a broader audience, due to the Morris Internet worm [21] in 1988 and the infamous paper by AlephOne in Phrack magazine [1], new weaknesses in many programs have been discovered and abused. Current intrusion detection systems (IDS) address this problem in different ways. Misuse-based IDS attempt to detect the signature of known payload packets. This can be easily evaded by a skilled intruder, as the attack code can be changed, reordered or even partially encrypted. Anomaly sensors neglect the packet payload and only analyze bursts of traffic, thus missing overflows altogether. Host anomaly detectors that monitor process behavior notice a successful exploit, but only a posteriori, when it has already succeeded. In addition, both variants suffer from high false positive rates. In this paper we present an approach that accurately detects buffer overflow attacks in requests by concentrating on the sledge of the attack. The sledge is used to increase the chances of a successful exploit by providing a long code segment that simply moves the program counter towards the immediately following attack code. Although the attacker has some freedom in shaping the sledge, it must remain executable by the processor. We perform abstract execution of the payload to identify such sequences with virtually no false positives. A prototype implementation of our sensor has been integrated into the Apache web server. We evaluated the effectiveness of the system against several well-known exploits as well as its performance impact.
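The detection idea in the abstract, as an added illustration that is not the paper's sensor: decode the request bytes from every offset, follow straight-line execution while the bytes form valid instructions, and flag a request whose longest executable chain exceeds a threshold. The opcode table is a constructed subset of one-byte 32-bit x86 opcodes with their lengths, the threshold is an assumed value, and the HTTP requests are constructed samples.

```python
# Simplified abstract-execution sled detector (illustration only, not the paper's code).
# Assumption: a small constructed table of 32-bit x86 opcodes and their encoded lengths.
ONE_BYTE = {0x90, 0x27, 0x2F, 0x37, 0x3F, 0x98, 0x99, 0x9E, 0x9F,
            0xF5, 0xF8, 0xF9, 0xFC, 0xFD} | set(range(0x40, 0x60))  # nop, daa, inc/dec/push/pop ...
TWO_BYTE = {0x04, 0x0C, 0x24, 0x2C, 0x34, 0x3C, 0x6A} | set(range(0xB0, 0xB8))  # op al,imm8; mov r8,imm8
FIVE_BYTE = {0x05, 0x68} | set(range(0xB8, 0xC0))  # add eax,imm32; push imm32; mov r32,imm32
TERMINATORS = {0xC3, 0xEB}  # ret / short jmp: control flow leaves the straight-line chain

def insn_length(op):
    """Encoded length of the instruction starting with opcode `op`, or None if not modelled."""
    if op in ONE_BYTE:
        return 1
    if op in TWO_BYTE:
        return 2
    if op in FIVE_BYTE:
        return 5
    return None  # outside the modelled subset: treated as undecodable

def chain_length(payload, start):
    """Count consecutive decodable instructions when execution starts at offset `start`."""
    pos, count = start, 0
    while pos < len(payload):
        op = payload[pos]
        if op in TERMINATORS:
            return count
        n = insn_length(op)
        if n is None or pos + n > len(payload):
            return count  # undecodable byte or truncated instruction ends the chain
        count += 1
        pos += n
    return count

def max_executable_length(payload):
    """Longest executable chain over all start offsets (every offset is a possible entry point)."""
    return max((chain_length(payload, i) for i in range(len(payload))), default=0)

def looks_like_sled(payload, threshold=30):
    """Assumed threshold: ordinary text rarely decodes to 30 instructions in a row."""
    return max_executable_length(payload) >= threshold

# Constructed samples: a plain request, and one carrying a 40-instruction sled of
# single-byte instructions (nop, inc ecx, daa, dec edi, cwde) followed by two bytes
# outside the modelled table.
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SLED = bytes([0x90, 0x41, 0x27, 0x4F, 0x98]) * 8 + b"\x31\xc0"
ATTACK_REQUEST = b"GET /" + SLED + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("sled", ATTACK_REQUEST)):
        print(name, max_executable_length(req), looks_like_sled(req))
```

The real sensor decodes the full instruction set and follows jumps; this subset only shows why ASCII protocol text yields short chains while a sled yields one long chain.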