RIPE: Runtime Intrusion Prevention Evaluator
Linköping University, Department of Computer and Information Science, PELAB - Programming Environment Laboratory. Linköping University, The Institute of Technology.
Katholieke Universiteit, Leuven, Belgium.
Katholieke Universiteit, Leuven, Belgium.
Linköping University, Department of Computer and Information Science, PELAB - Programming Environment Laboratory. Linköping University, The Institute of Technology.
2011 (English). In: Proceedings of the 27th Annual Computer Security Applications Conference, 2011, 41-50 p. Conference paper, Published paper (Other academic)
Abstract [en]

Despite the plethora of research done in code injection countermeasures, buffer overflows still plague modern software. In 2003, Wilander and Kamkar published a comparative evaluation on runtime buffer overflow prevention technologies using a testbed of 20 attack forms and demonstrated that the best prevention tool missed 50% of the attack forms. Since then, many new prevention tools have been presented using that testbed to show that they performed better, not missing any of the attack forms. At the same time though, there have been major developments in the ways of buffer overflow exploitation.

In this paper we present RIPE, an extension of Wilander's and Kamkar's testbed which covers 850 attack forms. The main purpose of RIPE is to provide a standard way of testing the coverage of a defense mechanism against buffer overflows. In order to test RIPE we use it to empirically evaluate some of the newer prevention techniques. Our results show that the most popular, publicly available countermeasures cannot prevent all of RIPE's buffer overflow attack forms. ProPolice misses 60%, LibsafePlus+TIED misses 23%, CRED misses 21%, and Ubuntu 9.10 with nonexecutable memory and stack protection misses 11%.

Place, publisher, year, edition, pages
2011. 41-50 p.
Keyword [en]
Security intrusion; buffer overflow; intrusion prevention; dynamic analysis
National Category
Computer Science
Identifiers
URN: urn:nbn:se:liu:diva-90030
DOI: 10.1145/2076732.2076739
ISBN: 978-1-4503-0672-0 (print)
OAI: oai:DiVA.org:liu-90030
DiVA: diva2:611279
Conference
27th Annual Computer Security Applications Conference (ACSAC 2011), December 5-9, Orlando, Florida, USA
Available from: 2013-03-15. Created: 2013-03-15. Last updated: 2013-03-25. Bibliographically approved
In thesis
1. Contributions to Specification, Implementation, and Execution of Secure Software
2013 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

This thesis contributes to three research areas in software security, namely security requirements and intrusion prevention via static analysis and runtime detection.

We have investigated current practice in security requirements by doing a field study of eleven requirement specifications on IT systems. The conclusion is that security requirements are poorly specified due to three things: inconsistency in the selection of requirements, inconsistency in level of detail, and almost no requirements on standard security solutions. A follow-up interview study addressed the reasons for the inconsistencies and the impact of poor security requirements. It shows that the projects had relied heavily on in-house security competence and that mature producers of software compensate for poor requirements in general but not in the case of security and privacy requirements specific to the customer domain.

Further, we have investigated the effectiveness of five publicly available static analysis tools for security. The test results show high rates of false positives for the tools building on lexical analysis and low rates of true positives for the tools building on syntactical and semantical analysis. As a first step toward a more effective and generic solution we propose decorated dependence graphs as a way of modeling and pattern matching security properties of code. The models can be used to characterize both good and bad programming practice as well as visually explain code properties to programmers. We have implemented a prototype tool that demonstrates how such models can be used to detect integer input validation flaws.

Finally, we investigated the effectiveness of publicly available tools for runtime prevention of buffer overflow attacks. Our initial comparison showed that the best tool as of 2003 was effective against only 50 % of the attacks and there were six attack forms which none of the tools could handle. A follow-up study includes the release of a buffer overflow testbed which covers 850 attack forms. Our evaluation results show that the most popular, publicly available countermeasures cannot prevent all of these buffer overflow attack forms.

Place, publisher, year, edition, pages
Linköping: Linköping University Electronic Press, 2013. 249 p.
Series
Linköping Studies in Science and Technology. Dissertations, ISSN 0345-7524 ; 1503
National Category
Engineering and Technology
Identifiers
URN: urn:nbn:se:liu:diva-88330
ISBN: 978-91-7519-681-7
Public defence
2013-04-22, Visionen, hus B, Campus Valla, Linköpings universitet, Linköping, 13:15 (English)
Available from: 2013-03-15. Created: 2013-02-01. Last updated: 2017-03-28. Bibliographically approved

Authority records

Wilander, John; Kamkar, Mariam