SigFree: a signature free buffer overflow attack blocker

SigFree is a new kind of buffer overflow protection scheme for code injection attacks. SigFree works at the application level, and the authors claim that the tool works in real time, is economically deployable, and is an out-of-the-box solution. The authors observe that most input to internet based applications does not contain executable code, so their protection scheme is based on detecting requests that carry executable code in their payload and checking whether that code can cause any harm to the system.

The authors briefly introduce what a buffer overflow attack is and then identify four desired requirements for a buffer overflow protection scheme. They use these requirements as metrics to compare other buffer overflow protection schemes. They identify three fields to which their research is closely related, relating it to worm detection and also to machine code analysis, and then classify the existing protection schemes into six classes.

In section three they describe their attack model and the assumptions they make, and then the architecture of their tool. The tool first differentiates between normal input and input containing machine code, and then analyzes the machine code to see if it can cause any harm. In section four they describe two methods for disassembling the binary code and extracting a control flow graph. In section five they describe two schemes to determine whether the instructions distilled in the previous step are just a bunch of random instructions or a fragment of a program. They use the number of useful instructions as the criterion for deciding whether a set of instructions is malicious. They then describe their test scenarios and performance evaluation, followed by the strengths, limitations and applicability of their tool.

Pros: A well written paper and easy to understand. The major impact of this paper is that no signatures are involved in detecting the malicious input, so it is useful for detecting new and unknown attacks.

Cons: There are many places in the paper where we have to refer back in order to understand the various details about the attacks and defences, which makes reading cumbersome. The major drawback of the method is that it is application specific and will not scale well if we have to use this approach for detecting buffer overflow attacks in applications that involve a lot of binary data, like NFS.

In the discussion that followed, the SRG came up with several ways in which this method could be circumvented. Some of them are:
1. encoding the binary instructions in base64
2. having shell code in the data
3. they use a threshold of 15 useful instructions, but they themselves point out that there is an attack with only 7 useful instructions

Overall: Weak accept: 8, Weak reject: 4
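The "useful instruction" criterion summarized above, and the threshold of 15 that the discussion refers to, are easier to see in code. The Python below is an added example written for this review, not code from the SigFree authors. It implements a simplified version of the idea as a forward def-use scan over a tiny toy assembly listing: an instruction counts as useful if a value it writes is read by a later instruction before being overwritten, or if it is a call, return or jump. The listing format, the instruction semantics table, the single `mem`, `stack` and `flags` locations, the "count >= 15 means code" rule, and the two sample listings (one function-like, one the sort of instruction soup that decoding ordinary data yields) are all constructed assumptions for illustration; the real SigFree scheme works on x86 disassembly plus a control flow graph, which this example does not attempt.

```python
import re
from dataclasses import dataclass

# Constructed simplification of SigFree's "useful instruction" test (not the authors' code).
USEFUL_THRESHOLD = 15          # threshold quoted in the review; assumed here to mean "count >= 15 is code"
REG = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p)\b")   # toy listing only knows 32-bit GPRs
WRITE_DST = {"mov", "lea", "movzx"}
RMW = {"add", "sub", "xor", "and", "or", "shl", "shr", "imul"}
UNARY = {"inc", "dec", "neg", "not"}
BRANCH = {"jmp", "jz", "jnz", "je", "jne", "ja", "jb"}


@dataclass(frozen=True)
class Instr:
    text: str
    defs: frozenset      # locations written
    uses: frozenset      # locations read
    side_effect: bool    # call/ret/jump: treated as useful regardless of data flow (assumption)


def _operand(op):
    """Return (locations the operand names, registers read to form an address)."""
    op = op.strip()
    regs = set(REG.findall(op))
    if op.startswith("["):
        return {"mem"}, regs          # memory operand: address registers are read; one coarse 'mem' location
    if REG.fullmatch(op):
        return {op}, set()            # plain register
    return set(), set()               # immediate or label


def parse_line(line):
    """Parse one line of the toy listing into an Instr (None for blank/comment lines)."""
    line = line.split(";")[0].strip()
    if not line:
        return None
    parts = line.split(None, 1)
    mnem = parts[0].lower()
    ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
    defs, uses, side = set(), set(), False
    if mnem in WRITE_DST:
        dl, dr = _operand(ops[0]); sl, sr = _operand(ops[1])
        defs |= dl; uses |= dr | sr | (set() if mnem == "lea" else sl)   # lea reads no memory
    elif mnem in RMW:
        dl, dr = _operand(ops[0]); sl, sr = _operand(ops[1])
        defs |= dl; uses |= dl | dr | sl | sr                             # destination is read and written
    elif mnem in UNARY:
        dl, dr = _operand(ops[0]); defs |= dl; uses |= dl | dr
    elif mnem == "push":
        sl, sr = _operand(ops[0]); defs.add("stack"); uses |= sl | sr | {"stack"}
    elif mnem == "pop":
        dl, dr = _operand(ops[0]); defs |= dl; uses |= dr | {"stack"}
    elif mnem in {"cmp", "test"}:
        for o in ops:
            l, r = _operand(o); uses |= l | r
        defs.add("flags")
    elif mnem == "call":
        l, r = _operand(ops[0]); uses |= l | r | {"stack"}; side = True
    elif mnem == "ret":
        uses.add("stack"); side = True
    elif mnem in BRANCH or mnem in {"int", "syscall"}:
        if mnem not in {"jmp", "int", "syscall"}:
            uses.add("flags")
        side = True
    # unknown mnemonics fall through as no-ops (assumption) and therefore count as useless
    return Instr(line, frozenset(defs), frozenset(uses), side)


def _read_before_overwritten(seq, i, loc):
    """True if location `loc`, written by seq[i], is read by a later instruction before being redefined."""
    for later in seq[i + 1:]:
        if loc in later.uses:
            return True
        if loc in later.defs:
            return False
    return False


def useful_instructions(seq):
    """Indices of instructions whose output is consumed, or that have a side effect."""
    useful = []
    for i, ins in enumerate(seq):
        if ins.side_effect or any(_read_before_overwritten(seq, i, d) for d in ins.defs):
            useful.append(i)
    return useful


def classify(listing, threshold=USEFUL_THRESHOLD):
    """Return (useful count, looks_like_code) for a distilled instruction listing."""
    seq = [ins for ins in map(parse_line, listing.splitlines()) if ins]
    n = len(useful_instructions(seq))
    return n, n >= threshold


# Constructed sample 1: a small function-like fragment (copies a word, sums, calls a helper).
CODE_LIKE = """
push ebp
mov ebp, esp
sub esp, 8
mov esi, [ebp]
mov edi, [ebp]
mov eax, [esi]
mov [edi], eax
mov edx, [esi]
add edx, eax
mov ecx, edx
shl ecx, 2
add ecx, esi
mov ebx, edi
push ecx
push ebx
call 0x401000
add esp, 8
mov [ebp], eax
mov esp, ebp
pop ebp
ret
"""

# Constructed sample 2: instruction soup of the kind that decoding ordinary data produces.
DATA_LIKE = """
inc eax
inc ecx
and [eax], ebx
mov esi, 0x61616161
push edi
inc ebx
xor edx, edx
mov ecx, 0x72727272
or eax, 0x20202020
mov esi, [ebx]
dec edx
"""

if __name__ == "__main__":
    for name, listing in (("function-like", CODE_LIKE), ("data-like", DATA_LIKE)):
        n, is_code = classify(listing)
        print(f"{name}: {n} useful instructions -> {'code fragment' if is_code else 'random instructions'}")
```

The function-like listing scores 17 useful instructions and is flagged as code; the data-like listing scores 4, because most of what it writes is overwritten before it is read. The example also shows why the threshold matters: a straight-line scan like this one has no notion of loops or of memory aliasing, so stores at the end of a fragment look useless, which is the kind of imprecision the 7-instruction case raised in the discussion exploits.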