Computer systems are often the target of attacks in the form of viruses, worms, and other forms of hacker attacks. Recovery from such attacks can be costly and time-consuming, and occasionally important or valuable data may be permanently lost. It is therefore desirable to constantly improve security measures taken to prevent such attacks.
One of the most common types of hacker attacks is the “buffer overrun attack” (used by both the 2002 ‘Code Red’ and the 2003 ‘SQL Slammer’ worms). This is a technique in which an attacker feeds an overly large text string or array into a vulnerable system. The system fails to check the size of the input, and copies it into a “buffer” (a defined space in memory) too small to hold it. The extra data spills over one end, overwriting other memory variables or flow control pointers on the process “stack.” In some cases, this overflow may simply cause the running program to crash or malfunction in a random fashion. However, in more sophisticated attacks, the attacker can carefully construct the input data, so that the overflow portion is not random, but rather consists of specific values chosen to force the process to perform actions of the attacker's choosing. Such actions may include, for example, formatting a disk or granting admin rights. In order to plan and execute such an attack, the attacker relies on a “mirror stack,” an installed image of the program installed on the attacker's system that is identical to those installed on other computer systems.
Existing methods to protect against such attacks exist, but all either impose a severe performance penalty on a system, are vulnerable to attack themselves, or both. Further, some require the original source code of a software system to be partially rewritten or translated into another language, which can be prohibitively costly. Therefore, it is desirable to improve on existing methods for protecting against buffer overrun attacks.