4 Effectiveness against attacks

To evaluate the effectiveness of data randomization at preventing attacks, we used a benchmark with synthetic exploits and several exploits of real vulnerabilities in existing programs. This section describes the programs and the vulnerabilities. Then it presents an analysis of the security afforded by data randomization.

4.1 Synthetic exploits

This benchmark has run the 18 control-data attacks that exploit buffer overflow vulnerabilities. The attacks are classified according to the technique they use to overwrite control-data, the location of the buffer they overflow, and the control-data they target. There are two techniques to overwrite control-data. The first overflows a buffer until the control-data is …show more content…
SQL server is a relational database from Microsoft that was infected by the infamous Slammer worm. The vulnerability exploited by Slammer causes sprintf to overflow a stack buffer. Data randomization prevents the attack because the wrapper for sprintf randomizes the data that overwrites the current stack frame, including the return address. This causes the server to exit when freeing a local variable that was overwritten. Should the return instruction be reached, the server would jump to an invalid program location and crash.

4.3 Real vulnerabilities

In our final experiment, we tested data randomization's ability to prevent attacks with a set of real vulnerabilities in real applications: SQL server, Ghttpd, Nullhttpd, and …show more content…
The vulnerability that we chose is a stack buffer overflow when logging GET requests inside a call to vsprintf. Data randomization prevents the attack because the wrapper for vsprintf randomizes the value written by the attacker into the return address, causing the server to crash when the return address is used.
Nullhttpd is another HTTP server. This server has a heap overflow vulnerability that can be exploited by sending HTTP POST requests with a negative content length field. These requests cause the server to allocate a heap buffer that is too small to hold the data in the request. While calling recv to read the POST data into the buffer, the server overwrites the heap management data structures maintained by the C library. This vulnerability can be exploited to overwrite arbitrary words in memory. We attacked NullHttpd using the technique described in [18]. The attack works by corrupting the CGI-BIN configuration string. This string identifies a directory holding programs that may be executed while processing HTTP requests. Therefore, by corrupting it, the attacker can force NullHttpd to run arbitrary pro-grams. This is a non-control-data attack because the attacker does not subvert the intended control-flow in the server. Data randomization prevents the attack because the wrapper for recv randomizes the values written over the heap management data structures. This causes the server to crash when the values are used.