Princeton COS 592 - DIRA: Automatic Detection, Identification, and Repair of Control-Hijacking


DIRA: Automatic Detection, Identification, and Repair of Control-Hijacking Attacks

Alexey Smirnov, Tzi-cker Chiueh
Computer Science Department
State University of New York at Stony Brook
Stony Brook, NY 11794-4400
{alexey, chiueh}@cs.sunysb.edu

Abstract

Buffer overflow attacks are known to be the most common type of attacks that allow attackers to hijack a remote system by sending a specially crafted packet to a vulnerable network application running on it. A comprehensive defense strategy against such attacks should include (1) an attack detection component that determines the fact that a program is compromised and prevents the attack from further propagation, (2) an attack identification component that identifies attack packets so that one can block such packets in the future, and (3) an attack repair component that restores the compromised application’s state to that before the attack and allows it to continue running normally. Over the last decade, a significant amount of research has been vested in the systems that can detect buffer overflow attacks either statically at compile time or dynamically at run time. However, not much effort is spent on automated attack packet identification or attack repair. In this paper we present a unified solution to the three problems mentioned above. We implemented this solution as a GCC compiler extension called DIRA that transforms a program’s source code so that the resulting program can automatically detect any buffer overflow attack against it, repair the memory damage left by the attack, and identify the actual attack packet(s). We used DIRA to compile several network applications with known vulnerabilities and tested DIRA’s effectiveness by attacking the transformed programs with publicly available exploit code. The DIRA-compiled programs were always able to detect the attacks, identify the attack packets and most often repair themselves to continue normal execution.
The average run-time performance overhead for attack detection and attack repair/identification is 4% and 25% respectively.

1. Introduction

A control-hijacking attack overwrites some data structures in a victim program that affect its control flow, and eventually hijacks the control of the program and possibly the underlying system. A data structure that can affect the control flow of a program is called a control-sensitive data structure, examples of which include return address, function pointer, global offset table/import table, C++ virtual functions table pointer, etc. Once an attacker grabs control of the victim program, she can invoke any operation to which the victim program’s effective user is entitled. Control-hijacking attacks are considered the most dangerous type of attacks because they exploit software bugs directly without requiring any user actions, and because malicious computer worms use them as basic building blocks to propagate themselves from one machine to another.

Over the last decade, a significant amount of research has been invested in the detection of control-hijacking attacks. Some are based on program analysis techniques [38, 12, 19, 26, 32, 37] that statically determine whether a given program contains buffer overflow vulnerability. Others use program transformation techniques [8, 11, 10, 14, 36, 9] to convert applications into a form that can either detect control-hijacking attacks [8, 10, 14, 9] or prevent control-sensitive data structures from being modified at run time [11]. Still others develop operating system mechanisms that ensure that it is not possible to execute code injected into the victim program [34, 27]. Regardless of their approach, most if not all of these efforts could only determine whether a program is under a control-hijacking attack, but could not actively repair a victim program after it has been compromised.
Typically, upon detecting an attack, they simply terminate the victim application, and restart another instance if necessary. While terminating a compromised application helps prevent further propagation of the attack, it may lead to a denial of service attack. For network applications with a substantial amount of state such as a DNS server, it takes some time for them to re-acquire the necessary state at start-up in order to provide the full service. For these applications, abrupt termination is not an acceptable attack recovery strategy. Moreover, because existing control-hijacking attack detection systems cannot prevent the same attacks from taking place again, vulnerable applications may be repeatedly victimized and re-started in the presence of recurring attacks as in the case of worms. In the meantime, these applications cannot render any useful service to their intended users.

                                  D   I   R
Stackguard [10], RAD [8]          +   -   -
Buttercup [29], Autograph [21]    -   +   -
Flashback [33], IGOR [13]         -   -   +
DIRA                              +   +   +

Table 1. Previous work addressing problems of attack (D)etection, (I)dentification, and (R)epair.

To address the limitations of existing systems that focus only on detection of control-hijacking attacks, this project aims to develop a program transformation system called DIRA that can automatically transform an arbitrary application into a form that

• Can detect a control-hijacking attack when the control-sensitive data structure it tampers with is activated,
• Can identify the network packets that lead to the control-hijacking attack, and send these packets to a front-end content filter to prevent the same attack from compromising the application again, and
• Can repair itself by erasing all the side effects of the attack packets as if it never received them.

To the best of our knowledge, attack detection, repair and identification have never been considered together previously. Table 1 puts in perspective related projects in each of these three areas.
The main contribution of this paper is the development of a unified solution to all three problems. Even though on the surface attack detection, identification, and recovery appear to be completely orthogonal functions, a careful examination reveals that they can actually be unified into a single implementation framework that is based on memory update logging. To repair a program’s memory state, all updates to its address space should be logged so that these updates can be reversed. To detect a control-hijacking attack, the before image of a control-sensitive data structure should be stored away, and checked at the time of activation to see if any tampering took place. To trace back the packets responsible for a
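
The detection and repair halves of memory update logging described above, as an added C example that is not code from the paper or from DIRA. All names (logged_write, rollback, process_packet, struct session) are hypothetical, the 16-byte packet is constructed, and packet identification is left out.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical names throughout; a sketch of the idea, not DIRA's runtime. */
#define LOG_CAP 256
static struct log_entry { unsigned char *addr; unsigned char before; } update_log[LOG_CAP];
static size_t log_len;

static int logged_write(unsigned char *dst, const unsigned char *src, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (log_len == LOG_CAP) return -1;            /* log exhausted */
        update_log[log_len++] = (struct log_entry){ dst + i, dst[i] }; /* before-image */
        dst[i] = src[i];
    }
    return 0;
}

/* Repair: reverse logged updates, newest first, back to a checkpoint. */
static void rollback(size_t checkpoint) {
    for (; log_len > checkpoint; log_len--)
        *update_log[log_len - 1].addr = update_log[log_len - 1].before;
}

/* handler is control-sensitive data placed directly after buf. */
struct session { unsigned char buf[8]; void (*handler)(void); };
static void ok_handler(void) {}

/* Returns 0: packet handled; 1: tampering detected and undone; -1: log full. */
static int process_packet(struct session *s, const unsigned char *pkt, size_t len) {
    size_t checkpoint = log_len;
    void (*saved)(void) = s->handler;                 /* before-image of the pointer */
    if (len > sizeof *s) len = sizeof *s;             /* keep the demo inside *s */
    int rc = logged_write((unsigned char *)s, pkt, len); /* bug: len may exceed buf */
    if (rc != 0 || memcmp(&saved, &s->handler, sizeof saved) != 0) {
        rollback(checkpoint);                         /* erase the packet's effects */
        return rc != 0 ? -1 : 1;
    }
    s->handler();                                     /* activation, after the check */
    return 0;
}

/* Constructed input: 16 'A' bytes overrun buf. Returns 1 if state is restored. */
static int demo_repair(void) {
    struct session s = { "start", ok_handler };
    unsigned char pkt[16];
    memset(pkt, 'A', sizeof pkt);
    return process_packet(&s, pkt, sizeof pkt) == 1 &&
           memcmp(s.buf, "start", 6) == 0 && s.handler == ok_handler;
}
int main(void) { return demo_repair() ? 0 : 1; }
```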

