Check out the new USENIX Web site. next up previous
Next: Related Work Up: Discussion Previous: Performance Optimizations

Future Work


StackGuard defends against stack smashing buffer overflow attacks that over-write the return address and inject attack code. While this is the most common form of buffer overflow attack, it is not the only form, as illustrated by SuperProbe in Section 4.1.

In the general case, buffer overflow attacks can write arbitrary data to arbitrary pieces of process state, with arbitrary results limited only by the opportunities offered by buggy programs. However, some data structures are far easier to exploit than others. Notably, function pointers are highly susceptible to buffer overflow attack. An attacker could conceivably use a buffer overflow to over-write a function pointer that is on the heap, pointing it to attack code injected into some other buffer on the heap. The attack code need not even overflow its buffer.

We propose to treat this problem by extending StackGuard to protect other data sensitive structures in addition to function return addresses. ``Sensitive data structures'' would include function pointers, as well as other structures as indicated by the programmer, or clues in the source code itself.

This extension highlights a property of StackGuard, which is that it is ``destination oriented.'' Rather than trying to prevent buffer overflow attacks at the source, StackGuard strives to defend that which the attacker wants to alter. Following the notion that a TCB should be small to be verifiable (and thus secure) we conjecture that the set of data structures needing defending is smaller than the set of data structures exposed to attackers. Thus it should be easier to defend critical data structures than to find all poorly defended interfaces.

Crispin Cowan
Tue Dec 9 16:04:30 PST 1997