
How does an attack actually happen? We can divide it into three stages. In the first, the enter stage, malformed data is introduced that exploits a bug in an application, such as a buffer overflow, and is able to clobber memory. In the second, the hijack stage, that memory overwrite is used to hijack the program's control flow and execute malicious code, which is often introduced along with the malformed data. The third, the attack stage, is the actual payload of the attack -- say, reading the password file or erasing the hard drive.

The enter stage is very hard to stop -- you would have to either fix all bugs (which is not going to happen) or distinguish good writes from bad, which is infeasible. The attack stage is also very difficult to police, since there are many legitimate uses of the system calls an attack would invoke, so good behavior cannot easily be told from bad. But the hijack stage's transfer of control is a promising prevention point.
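The three stages in miniature, as an added example (this is not code from the thesis). It uses a constructed record in which a fixed-size name buffer sits directly before a function pointer: an unbounded copy of a constructed malformed input overwrites the pointer (enter stage), an indirect call through it transfers control to attacker-chosen code (hijack stage), and that code runs (attack stage, here a counting function standing in for shellcode). Beside the vulnerable copy it shows the bounds-checked copy that stops the enter stage, and an allowlist check on the indirect call that stops the hijack stage even though the overwrite succeeded. The allowlist is this example's own stand-in for a control-transfer policy; the struct, function names and input bytes are all assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a request record whose fixed-size name buffer is laid
 * out directly before a function pointer. Writing past the end of `name`
 * clobbers `handler`. */
struct request {
    char name[16];
    void (*handler)(void);
};

static int benign_calls = 0;
static int payload_calls = 0;

/* The handler the program itself installs. */
static void benign_handler(void) { benign_calls++; }

/* Stand-in for attacker code. In a real exploit this would be injected
 * shellcode carried in the malformed input; here it is an ordinary function
 * whose execution we can count (the attack stage). */
static void attacker_payload(void) { payload_calls++; }

/* Constructed malformed input: fills `name` with filler, then supplies the
 * bytes of a pointer to attacker_payload so that they land on `handler`. */
static size_t build_attack_input(unsigned char *out, size_t cap) {
    struct request tmpl;
    if (cap < sizeof tmpl) return 0;
    memset(tmpl.name, 'A', sizeof tmpl.name);
    tmpl.handler = attacker_payload;
    memcpy(out, &tmpl, sizeof tmpl);
    return sizeof tmpl;
}

/* Enter stage, vulnerable form: copies `len` bytes into the record without
 * checking that they fit in `name`, so the copy runs over into `handler`. */
static void copy_name_vulnerable(struct request *r, const unsigned char *in, size_t len) {
    memcpy(r, in, len);   /* no bound on len: overruns name into handler */
}

/* Enter stage, hardened form: refuses input that does not fit (leaving room
 * for the terminator) and leaves the record untouched.
 * Returns 0 on success, -1 if the input was rejected. */
static int copy_name_hardened(struct request *r, const unsigned char *in, size_t len) {
    if (len >= sizeof r->name) return -1;
    memcpy(r->name, in, len);
    r->name[len] = '\0';
    return 0;
}

/* Hijack stage: an indirect call through the (possibly clobbered) pointer.
 * Unchecked dispatch calls whatever is there. */
static void dispatch_unchecked(struct request *r) { r->handler(); }

/* Hijack stage with a check: only transfer control to a target the program
 * knows about. The allowlist is this example's stand-in for a policy on
 * control transfers. Returns 0 if the call was made, -1 if it was blocked. */
static int dispatch_checked(struct request *r) {
    static void (*const allowed[])(void) = { benign_handler };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (r->handler == allowed[i]) { r->handler(); return 0; }
    }
    return -1;
}

/* All three stages with no defenses: returns how many times attacker code ran. */
int scenario_unprotected(void) {
    unsigned char input[sizeof(struct request)];
    struct request r = { "", benign_handler };
    size_t len = build_attack_input(input, sizeof input);
    payload_calls = 0;
    copy_name_vulnerable(&r, input, len);   /* enter: handler clobbered */
    dispatch_unchecked(&r);                 /* hijack: control goes to payload */
    return payload_calls;                   /* attack: payload ran */
}

/* Same input against the bounds-checked copy: returns -1 because the write
 * is rejected before any memory is clobbered. */
int scenario_hardened_copy(void) {
    unsigned char input[sizeof(struct request)];
    struct request r = { "", benign_handler };
    size_t len = build_attack_input(input, sizeof input);
    payload_calls = 0;
    if (copy_name_hardened(&r, input, len) != 0) return -1;
    dispatch_unchecked(&r);
    return payload_calls;
}

/* Vulnerable copy, but the transfer is checked: the overwrite succeeds and the
 * hijack does not. Returns 1 if the transfer was blocked and the payload never ran. */
int scenario_checked_transfer(void) {
    unsigned char input[sizeof(struct request)];
    struct request r = { "", benign_handler };
    size_t len = build_attack_input(input, sizeof input);
    payload_calls = 0;
    copy_name_vulnerable(&r, input, len);
    int blocked = dispatch_checked(&r) != 0;
    return blocked && payload_calls == 0;
}

int main(void) {
    printf("unprotected: payload ran %d time(s)\n", scenario_unprotected());
    printf("hardened copy: %s\n", scenario_hardened_copy() < 0 ? "input rejected" : "copied");
    printf("checked transfer: %s\n", scenario_checked_transfer() ? "hijack blocked" : "hijacked");
    return 0;
}
```

The overwrite is done with a whole-object `memcpy` rather than an actual out-of-bounds `strcpy` so that the example behaves the same on every compiler; a real overflow reaches `handler` by the same route but through undefined behavior. Note how the two defenses differ in where they act: the length check removes this one bug, while the transfer check does not care how `handler` was corrupted, which is why the text singles out the hijack stage as the promising place to intervene.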

  Copyright © 2004 Derek Bruening