The computer industry has suffered from numerous security vulnerabilities over the past several years, and the number of vulnerabilities continues to rise. More of these vulnerabilities have been turned into attacks which compromise the integrity of the machine under attack. The root cause of many of these attacks is programming errors made when creating or modifying code.
Several solutions have been attempted. Courses on writing secure code have been run by many groups. A managed run time environment (MRTE) is effective where used, but does not encompass the entire programming space. None of the efforts has managed to reverse the downward spiral of vulnerability, attack, and patch. Reducing the number of programming errors would reduce the number of security vulnerabilities and improve system integrity.
One common vulnerability is a buffer overflow attack. One example of such an attack occurs when malicious code overwrites a return address of a function that is stored in a stack. Upon returning from the function, a modified return address is pushed into the instruction pointer (extended instruction counter (EIP) register). This modified return address may cause execution of malicious code and/or a stack execution error. Such an attack is typically enabled by poor programming practices, such as unchecked buffer transfers. In contrast, a well-structured program maps memory into structured portions, including a text portion to include program code, a data segment to store initialized and uninitialized global data, and a portion shared by the stack and heap. The stack may be used to store function call-by arguments, local variables and values of selected registers, such as the EIP register. The heap holds dynamic variables. Poor programming practices may cause these segments to be overwritten.
Unchecked buffers can reside in other places as well. One example is heap memory, which is likewise subject to buffer overflow. Heap memory is memory allocated from a common pool and used by a program to store variables and other run time data.
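The unchecked buffer transfer described above, set beside a checked one and applied to both a stack buffer and a heap buffer, as an added example that is not part of the original text. The buffer size, function names and sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_CAP 16  /* constructed destination size for this example */

/* Unchecked transfer: strcpy() copies until the NUL in src and never looks
 * at the size of dst. With dst on the stack, an over-long src runs past the
 * buffer toward the saved return address. Shown for contrast only. */
void copy_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Checked transfer: the caller states the destination capacity, and the copy
 * is refused (not silently truncated) when src plus its NUL does not fit. */
int copy_checked(char *dst, size_t dst_cap, const char *src) {
    size_t n;
    if (dst == NULL || src == NULL || dst_cap == 0) return -1;
    n = strlen(src);
    if (n >= dst_cap) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Stack destination: a local array that sits near the saved return address. */
int store_on_stack(const char *input) {
    char name[BUF_CAP];
    if (copy_checked(name, sizeof name, input) != 0) return -1;
    return (int)strlen(name);
}

/* Heap destination: the same check keeps the copy inside its allocation. */
int store_on_heap(const char *input) {
    char *name = malloc(BUF_CAP);
    int rc;
    if (name == NULL) return -1;
    rc = copy_checked(name, BUF_CAP, input) == 0 ? (int)strlen(name) : -1;
    free(name);
    return rc;
}

int main(void) {
    const char *ok = "alice";                             /* constructed input */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 bytes */
    printf("stack: ok=%d long=%d\n", store_on_stack(ok), store_on_stack(too_long));
    printf("heap:  ok=%d long=%d\n", store_on_heap(ok), store_on_heap(too_long));
    return 0;
}
```

A return value of -1 means the input was rejected before any byte was written past the destination; the largest accepted input is BUF_CAP - 1 characters.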
A need thus exists to provide for more protection from security vulnerabilities.