3rd International ICST Symposium on Information Assurance and Security

Research Article

Automatic Patch Generation for Buffer Overflow Attacks

  • @INPROCEEDINGS{10.1109/IAS.2007.87,
        author={Alexey  Smirnov and Tzi-cker  Chiueh},
        title={Automatic Patch Generation for Buffer Overflow Attacks},
        proceedings={3rd International ICST Symposium on  Information Assurance and Security},
        keywords={Automatic control  Automatic generation control  Automatic testing  Buffer overflow  Control systems  Filtering  Instruments  Intrusion detection  Prototypes  Seals},
  • Alexey Smirnov
    Tzi-cker Chiueh
    Year: 2007
    Automatic Patch Generation for Buffer Overflow Attacks
    DOI: 10.1109/IAS.2007.87
Alexey Smirnov1, Tzi-cker Chiueh1
  • 1: Computer Science Department Stony Brook University


Control-hijacking attacks exploit vulnerabilities in network services to take control of them and eventually their underlying machines. Although much work has been done on detection and prevention of control-hijacking attacks, most of them did not address the problem of repairing the attacked network services so as to prevent the same attacks from recurring. Ideally, post-attack repair should consist of an attack signature generation component that creates a filtering rule for front-end firewall or intrusion prevention system to block the detected attack and its variants, and a patch generation component that creates a fix to permanently eliminate the vulnerabilities that the detected attack exploits. This paper describes the design, implementation and evaluation of a program transformation and execution trace analysis system called PASAN that can automatically instrument the source code of network service programs in such a way that it can detect control-hijacking attacks and automatically generate patches to seal the vulnerability being exploited by the detected attack. We have implemented the first PASAN prototype as a GNU C compiler extension that aims at stack- based buffer overflow attacks but could be easily generalized to accommodate other control-hijacking attacks. Testing this prototype with seven network daemon programs with known vulnerabilities show that the automatically generated patches can successfully fix the vulnerability. In addition, these patches are similar in their structure to those that are manually created. The run-time performance overhead of application programs instrumented by PASAN is between 10% and 23%, except two programs, whose CPU consumption is low.