Method of preventing buffer overflow attacks by intercepting DLL functions

Yu An Tan; Yuan Da Cao

Method of preventing buffer overflow attacks by intercepting DLL functions

Yu An Tan^*, Yuan Da Cao

^*Corresponding author for this work

School of Cyberspace Science and Technology

Beijing Institute of Technology

Research output: Contribution to journal › Article › peer-review

1 Citation (Scopus)

Abstract

The way of intercepting Windows DLL functions against buffer overflow attacks is evaluated. It's produced at the expense of hooking vulnerable DLL functions by addition of check code. If the return address in the stack belongs to a heap or stack page, the call is from illicit code and the program is terminated. The signature of malicious code is recorded, so it is possible for the next attack to be filtered out. The return-into-libc attacks are detected by comparing the entry address of DLL functions with the overwritten return address in the stack. The presented method interrupts the execution of malicious code and prevents the system from being hijacked when these intercepted DLL functions are invoked in the context of buffer overflow.

Original language	English
Pages (from-to)	255-259
Number of pages	5
Journal	Journal of Beijing Institute of Technology (English Edition)
Volume	14
Issue number	3
Publication status	Published - Sept 2005

Keywords

Buffer overflow
Network security
Vulnerability defenses

Cite this

@article{5248d97d713249489512195bee6fce40,

title = "Method of preventing buffer overflow attacks by intercepting DLL functions",

abstract = "The way of intercepting Windows DLL functions against buffer overflow attacks is evaluated. It's produced at the expense of hooking vulnerable DLL functions by addition of check code. If the return address in the stack belongs to a heap or stack page, the call is from illicit code and the program is terminated. The signature of malicious code is recorded, so it is possible for the next attack to be filtered out. The return-into-libc attacks are detected by comparing the entry address of DLL functions with the overwritten return address in the stack. The presented method interrupts the execution of malicious code and prevents the system from being hijacked when these intercepted DLL functions are invoked in the context of buffer overflow.",

keywords = "Buffer overflow, Network security, Vulnerability defenses",

author = "Tan, {Yu An} and Cao, {Yuan Da}",

year = "2005",

month = sep,

language = "English",

volume = "14",

pages = "255--259",

journal = "Journal of Beijing Institute of Technology (English Edition)",

issn = "1004-0579",

publisher = "Beijing Institute of Technology",

number = "3",

}

TY - JOUR

T1 - Method of preventing buffer overflow attacks by intercepting DLL functions

AU - Tan, Yu An

AU - Cao, Yuan Da

PY - 2005/9

Y1 - 2005/9

N2 - The way of intercepting Windows DLL functions against buffer overflow attacks is evaluated. It's produced at the expense of hooking vulnerable DLL functions by addition of check code. If the return address in the stack belongs to a heap or stack page, the call is from illicit code and the program is terminated. The signature of malicious code is recorded, so it is possible for the next attack to be filtered out. The return-into-libc attacks are detected by comparing the entry address of DLL functions with the overwritten return address in the stack. The presented method interrupts the execution of malicious code and prevents the system from being hijacked when these intercepted DLL functions are invoked in the context of buffer overflow.

AB - The way of intercepting Windows DLL functions against buffer overflow attacks is evaluated. It's produced at the expense of hooking vulnerable DLL functions by addition of check code. If the return address in the stack belongs to a heap or stack page, the call is from illicit code and the program is terminated. The signature of malicious code is recorded, so it is possible for the next attack to be filtered out. The return-into-libc attacks are detected by comparing the entry address of DLL functions with the overwritten return address in the stack. The presented method interrupts the execution of malicious code and prevents the system from being hijacked when these intercepted DLL functions are invoked in the context of buffer overflow.

KW - Buffer overflow

KW - Network security

KW - Vulnerability defenses

UR - http://www.scopus.com/inward/record.url?scp=27244449605&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:27244449605

SN - 1004-0579

VL - 14

SP - 255

EP - 259

JO - Journal of Beijing Institute of Technology (English Edition)

JF - Journal of Beijing Institute of Technology (English Edition)

IS - 3

ER -

Method of preventing buffer overflow attacks by intercepting DLL functions

Abstract

Keywords

Other files and links

Fingerprint

Cite this