1. Field of the Invention
The present invention relates to computers, and more particularly, to methods and apparatuses for detecting and recovering from buffer overflow attacks that impede the operation of a computer.
2. Description of the Related Art
The buffer overflow attack is the single most dominant and lethal form of malicious code attack as evidenced by recent worm outbreaks such as Code Red and the SQL Slammer Worm.
The present invention provides methods of detecting and recovering from such a malicious code attack.
Buffer overflow attacks usually produce abnormal behavior such as the destruction of data or a change in the execution flow of a program. Such behavior can be detected at low cost by checking the safety of instruction and data references at runtime in hardware. The present invention proposes apparatuses for checking the safety of instruction and data references, together with a more aggressive technique, referred to as a corruption recovery buffer (CRB), that further raises the level of security. Combined with such safety guards, the CRB temporarily records suspicious write operations resulting from a buffer overflow attack so that the memory state existing before the attack can be restored.
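The following software model is an added illustration of the guard-plus-CRB idea described above; it is not the hardware apparatus of the present invention, and its frame layout (a 16-byte local buffer followed by an 8-byte saved return address), its "safe range" policy and its choice to journal the prior contents of each suspicious byte write are assumptions made for the example. A length-unchecked copy routes every store through a guard: stores inside the buffer the copy was handed are applied directly, stores elsewhere in the frame are applied only after their old contents are journaled, and stores outside the frame are refused. When the saved return address is found changed, the journal is replayed in reverse to restore the pre-attack memory state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration only: a software model of a "safety guard" plus a
 * corruption recovery buffer (CRB). Frame layout, offsets and the journaling
 * policy are assumptions for this example, not the patent's design.
 * Simulated stack frame: 16-byte local buffer at offset 0, 8 bytes of
 * padding, then an 8-byte saved return address at offset 24. */
enum { FRAME_SIZE = 32, BUF_OFF = 0, BUF_LEN = 16, RET_OFF = 24, CRB_CAPACITY = 64 };

struct crb_entry { size_t addr; uint8_t old; };   /* where + prior content */
struct crb {
    struct crb_entry entries[CRB_CAPACITY];
    size_t n;        /* number of journaled (suspicious) byte writes        */
    bool full;       /* journal exhausted: later suspicious writes refused  */
};

struct result {
    size_t suspicious;      /* writes the guard flagged and journaled        */
    bool ret_corrupted;     /* return address differed before recovery       */
    bool ret_intact_after;  /* return address equals original after recovery */
    size_t restored;        /* bytes rolled back from the CRB                */
};

/* Safety guard: a store is safe only while it targets [lo, hi), the buffer
 * the copy was handed. Any other in-frame store is suspicious: its prior
 * content is journaled so it can be undone. Stores outside the simulated
 * frame are refused outright. */
static bool guarded_store(uint8_t *frame, struct crb *crb, size_t addr,
                          uint8_t v, size_t lo, size_t hi)
{
    if (addr >= FRAME_SIZE) return false;
    if (addr < lo || addr >= hi) {
        if (crb->n == CRB_CAPACITY) { crb->full = true; return false; }
        crb->entries[crb->n++] = (struct crb_entry){ addr, frame[addr] };
    }
    frame[addr] = v;
    return true;
}

/* strcpy-style copy with no length check: the classic overflow source.
 * Every byte goes through the guard, which models the runtime check. */
static void unchecked_copy(uint8_t *frame, struct crb *crb,
                           const uint8_t *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        guarded_store(frame, crb, BUF_OFF + i, src[i], BUF_OFF, BUF_OFF + BUF_LEN);
}

/* Undo journaled writes newest-first so overlapping writes restore correctly. */
static size_t crb_restore(uint8_t *frame, struct crb *crb)
{
    size_t restored = 0;
    while (crb->n > 0) {
        struct crb_entry e = crb->entries[--crb->n];
        frame[e.addr] = e.old;
        restored++;
    }
    return restored;
}

static uint64_t read_ret(const uint8_t *frame)
{
    uint64_t r;
    memcpy(&r, frame + RET_OFF, sizeof r);
    return r;
}

/* Drive one scenario: copy payload_len bytes of 'A' (constructed input) into
 * the 16-byte buffer, check whether the saved return address changed, then
 * recover from the CRB if anything suspicious was journaled. */
struct result simulate(size_t payload_len)
{
    const uint64_t good_ret = 0x0000000000401000ULL;  /* assumed return target */
    uint8_t frame[FRAME_SIZE] = {0};
    uint8_t payload[64];
    struct crb crb = {0};
    struct result r = {0};

    memcpy(frame + RET_OFF, &good_ret, sizeof good_ret);
    memset(payload, 'A', sizeof payload);
    if (payload_len > sizeof payload) payload_len = sizeof payload;

    unchecked_copy(frame, &crb, payload, payload_len);
    r.suspicious = crb.n;
    r.ret_corrupted = read_ret(frame) != good_ret;
    if (crb.n > 0) r.restored = crb_restore(frame, &crb);
    r.ret_intact_after = read_ret(frame) == good_ret;
    return r;
}

int main(void)
{
    struct result ok = simulate(8);    /* in-bounds copy: nothing journaled    */
    struct result bad = simulate(40);  /* overflow: padding + return addr hit  */
    printf("8-byte copy : suspicious=%zu corrupted=%d intact_after=%d\n",
           ok.suspicious, ok.ret_corrupted, ok.ret_intact_after);
    printf("40-byte copy: suspicious=%zu corrupted=%d restored=%zu intact_after=%d\n",
           bad.suspicious, bad.ret_corrupted, bad.restored, bad.ret_intact_after);
    return 0;
}
```

In the overflow scenario the 16 bytes that spill past the buffer (padding and the saved return address) are journaled before being overwritten, the return address is observed to be corrupted, and replaying the journal restores it. Refusing a suspicious write once the journal is full is a fail-safe choice for this model; a real design must also decide what to do with a write that cannot be journaled.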
Buffer overflow vulnerabilities, and the malicious code attacks that exploit them, are considered the most serious of Internet and computer security problems, for four reasons. First, overflowing a buffer not only corrupts the data adjacent to it but can also usurp control of the program and execute arbitrary code of the attacker's choosing. Second, malicious code of this kind replicates and propagates without any manual activation, so it spreads faster than any other form of malicious code attack. Third, buffer overflow attacks carried by worms, which first appeared in 1988, have persisted and are expected to outlast other forms. Finally, buffer overflow attacks are the most frequent form of malicious code attack.
Although various software solutions have been proposed in the form of operating system fixes, compiler tools and patches, debugging tools, runtime libraries, and the like, these techniques have not been widely adopted, since they are inherently unable to protect legacy applications (existing binaries that are not rebuilt with the new tooling) or they impose significant performance overhead. The most prevalent countermeasure remains the manual download of individual patches and fixes produced by modifying and recompiling the vulnerable source code. However, such a patch addresses only the particular vulnerability of a particular product, and only after the vulnerability has become publicly known; it is not a fundamental countermeasure.