Preventing stack buffer overflow attacks

Detailed bibliography
Title: Preventing stack buffer overflow attacks
Patent Number: 7,086,088
Issue Date: August 01, 2006
Appl. No: 10/144792
Application Filed: May 15, 2002
Abstract: A method and system for preventing stack buffer overflow attacks in a computer system are disclosed. A computer system can prevent stack buffer overflow attacks by encrypting return addresses prior to pushing them onto the runtime stack. When an encrypted return address is popped off the runtime stack, the computer system decrypts the encrypted return address to determine the actual return address. A random encryption key can be used, which can be generated from the CPU's clock cycle counter. Multitasking environments can add a seed register to the task state so that each task can use a unique seed to encrypt the return addresses.
Inventors: Narayanan, Ram Gopal Lakshmi (Woburn, MA, US)
Assignees: Nokia, Inc. (Irving, TX, US)
Claim: 1. A method for preventing stack buffer overflow in a computer system, comprising steps of: (a) prior to their execution, scanning opcodes for a trigger opcode; (b) for each trigger opcode found, encrypting an operand associated with the trigger opcode; (c) at execution of the trigger opcode, using the operand's corresponding encrypted value instead of the operand's actual value.
Claim: 2. The method of claim 1, further comprising a step of, prior to execution, storing the operands and their corresponding encrypted values in a lookup table.
Claim: 3. The method of claim 1, wherein the trigger opcode comprises a function call opcode, and the operand comprises a return address.
Claim: 4. The method of claim 3, further comprising a step of, when the function call returns, decrypting a value off the runtime stack to determine the actual return address of the function call.
Claim: 5. The method of claim 1, wherein the trigger opcode comprises an opcode that causes the computer system to place a return address on the runtime stack.
Claim: 6. The method of claim 5, wherein the computer system comprises an X86-type CPU and the set of trigger opcodes comprises a ‘call’ opcode.
Claim: 7. The method of claim 1, wherein step (b) comprises encrypting the return address using a key stored in a seed register.
Claim: 8. The method of claim 7, wherein the seed register is unique to a current task.
Claim: 9. The method of claim 1, wherein step (b) comprises using an encryption key based on a clock value.
Claim: 10. The method of claim 9, wherein the computer system comprises an X86-type CPU and step (b) comprises using an encryption key generated from a read time stamp counter (RDTSC).
Claim: 11. The method of claim 1, wherein the opcodes comprise a fixed size instruction set.
Claim: 12. The method of claim 1, wherein the opcodes comprise a variable-sized instruction set.
Claim: 13. A computer system, comprising: a CPU that controls operation of the computer system based on an operating system stored in a memory, wherein the CPU scans each operation code (opcode), prior to their execution, for a trigger opcode; an encryption module that encrypts a trigger opcode's operand before the operand is stored in a runtime memory during execution of a program; and a decryption module that decrypts the trigger opcode's operand when the decrypted operand is read from the runtime memory during execution of the program.
Claim: 14. The computer system of claim 13, wherein, prior to executing the trigger opcode, the CPU stores the trigger opcode's operand and its corresponding encrypted value in a lookup table.
Claim: 15. The computer system of claim 13, wherein the CPU scans each opcode for any of a set of trigger opcodes comprising opcodes that cause the computer system to place a return address on the runtime stack.
Claim: 16. The computer system of claim 13, wherein the computer system comprises an X86-type CPU and the trigger opcode comprises a ‘call’ opcode.
Claim: 17. The computer system of claim 13, wherein the encryption and decryption modules use an encryption key stored in a seed register.
Claim: 18. The computer system of claim 17, wherein the seed register is unique to a current task.
Claim: 19. The computer system of claim 13, wherein the encryption and decryption modules use an encryption key based on a clock value.
Claim: 20. The computer system of claim 19, wherein the computer system comprises an X86-type CPU that uses an encryption key generated from a read time stamp counter (RDTSC).
Claim: 21. The computer system of claim 13, wherein the trigger opcode comprises a function call opcode, the operand comprises a return address, and the runtime memory comprises a runtime stack.
Claim: 22. A mobile terminal, comprising: a CPU that controls operation of the mobile terminal based on an operating system stored in a memory, wherein the CPU scans each operation code (opcode), prior to their execution, for a trigger opcode; an encryption module that encrypts a trigger opcode's operand before the operand is stored in a runtime memory during execution of a program; and a decryption module that decrypts the trigger opcode's operand when the decrypted operand is read from the runtime memory during execution of the program.
Claim: 23. The mobile terminal of claim 22, wherein the mobile terminal comprises a mobile telephone.
Claim: 24. The mobile terminal of claim 22, wherein the operating system comprises the encryption module.
Claim: 25. The mobile terminal of claim 22, wherein the operating system comprises the decryption module.
Claim: 26. The mobile terminal of claim 22, wherein the CPU encrypts and decrypts the return address using a key stored in a seed register.
Claim: 27. The mobile terminal of claim 26, wherein the seed register is unique to a current task.
Claim: 28. The mobile terminal of claim 26, wherein the CPU uses an encryption key based on a clock value.
Claim: 29. A method for preventing stack buffer overflow attacks, comprising steps of: (a) prefetching code to be executed on a CPU; (b) scanning the prefetched code for instances of a ‘call’ operation code (opcode); (c) for each found instance of the ‘call’ opcode, encrypting a return address associated with that instance; (d) storing each found instance's return address and its corresponding encrypted value in a lookup table; (e) at execution of each instance of the ‘call’ opcode, looking up its associated return address in the lookup table, and pushing the looked up return address's encrypted value onto a runtime stack; (f) when each encrypted value is read off the runtime stack, decrypting the encrypted value to determine an execution control flow return address.
Claim: 30. The method of claim 29, wherein steps (c) and (f) comprise using an encryption key unique to a current task.
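The call/return mechanism of claims 1 through 4 and 29, as an added C model that is not the patent's own code: the XOR cipher, the table size and the fixed seed (standing in for a value derived from the clock cycle counter) are assumptions of this example, and the last function shows why a raw address written over the encrypted slot does not steer the decrypted return.

```c
#include <stdint.h>
/* Constructed model of the patented scheme (added example, not the patent's
 * code): per-task seed register, lookup table of (return address, encrypted
 * value) pairs and a runtime stack holding only encrypted return addresses. */
#define STACK_DEPTH 16
#define TABLE_SIZE  16

typedef struct {
    uint32_t seed;               /* seed register; assumed clock-derived */
    uint32_t stack[STACK_DEPTH]; /* runtime stack; slot 0 is the bottom */
    int sp;                      /* number of used slots */
    uint32_t plain[TABLE_SIZE];  /* lookup table: actual return address */
    uint32_t enc[TABLE_SIZE];    /* lookup table: its encrypted value */
    int entries;
} task_t;

/* Cipher assumed for illustration only: XOR with the task seed. */
static uint32_t encrypt_addr(uint32_t addr, uint32_t seed) { return addr ^ seed; }
static uint32_t decrypt_addr(uint32_t val, uint32_t seed) { return val ^ seed; }

/* Claims 2 and 29(d): cache each scanned return address with its encrypted value. */
static uint32_t table_lookup(task_t *t, uint32_t ret) {
    for (int i = 0; i < t->entries; i++)
        if (t->plain[i] == ret) return t->enc[i];
    if (t->entries == TABLE_SIZE) return encrypt_addr(ret, t->seed);
    t->plain[t->entries] = ret;
    t->enc[t->entries] = encrypt_addr(ret, t->seed);
    return t->enc[t->entries++];
}

/* Claim 29(e): on 'call', push the encrypted return address; 0 if full. */
int exec_call(task_t *t, uint32_t ret) {
    if (t->sp >= STACK_DEPTH) return 0;
    t->stack[t->sp++] = table_lookup(t, ret);
    return 1;
}

/* Claim 29(f): on 'ret', pop and decrypt to recover the real target. */
uint32_t exec_ret(task_t *t) {
    if (t->sp <= 0) return 0;
    return decrypt_addr(t->stack[--t->sp], t->seed);
}

/* A raw address written over the top slot does not take control: the CPU
 * decrypts whatever it pops, so control lands where the writer did not choose. */
uint32_t overwrite_then_ret(task_t *t, uint32_t raw) {
    if (t->sp <= 0) return 0;
    t->stack[t->sp - 1] = raw;
    return exec_ret(t);
}
```

Because the seed is per task (claims 8, 18, 27), the same return address pushed by two tasks is stored as two different values, so a value copied from one task's stack is useless in another.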
Current U.S. Class: 726/22
Patent References Cited: 5881279, March 1999, Lin et al.
6044220, March 2000, Breternitz, Jr.
Other References: Immunix: Adaptive System Survivability, printed from http://www.cse.ogi.edu/DISC/projects/immunix, 2 pages, Mar. 26, 2002.
The IA-32 Intel® Architecture Software Developer's Manual, vol. 3: System Programming Guide, printed from http://www.developer.intel.com/design/pentium4/manuals/245472.htm, 1 page, Apr. 17, 2002.
Immunix.org: The Source for Secure Linux Components and Platforms, printed from http://immunix.org/stackguard.html, 2 pages, Mar. 26, 2002.
StackGuard Mechanism: Stack Integrity Checking, printed from http://immunix.org/StackGuard/mechanism.html, 1 page, Mar. 26, 2002.
Aleph One, “BoS: Smashing The Stack For Fun And Profit”, printed from http://immunix.org/StackGuard/profit.html, 38 pages, Mar. 26, 2002.
Cowan, Crispin et al., “StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks”, printed from http://www.cse.ogi.edu/DISC/projects/immunix, 15 pages.
Cowan, Crispin et al., “Protecting Systems from Stack Smashing Attacks with StackGuard”, printed from http://www.cse.ogi.edu/DISC/projects/immunix, 11 pages.
Cowan, Crispin et al., “Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade”, printed from http://www.cse.ogi.edu/DISC/projects/immunix, 11 pages, 1999.
Hinton, Heather et al., “SAM: Security Adaptation Manager”, 10 pages.
Immunix.org: The Source for Secure Linux Components and Platforms, FormatGuard, printed from http://immunix.org/formatguard.html, 3 pages, Mar. 26, 2002.
Cowan, Crispin et al., “FormatGuard: Automatic Protection From printf Format String Vulnerabilities”, WireX Communications, Inc., USENIX Security Symposium, Aug. 2001.
Primary Examiner: Song, Hosuk
Attorney, Agent or Firm: Banner & Witcoff, Ltd.
Accession Number: edspgr.07086088
Database: USPTO Patent Grants