IRePf: An Instruction Reorganization Virtual Platform for Kernel Stack Overflow Detection

Abstract: Stack overflow vulnerabilities are among the most common security issues. However, the existing stack overflow detection solutions only protect the return address and ignore the imbalance between function calls and returns in the system, which will lead to a higher false-positive rate. In this paper, we propose an instruction reorganization virtual platform technique for kernel stack overflow detection, named IRePf. It can dynamically monitor the kernel stack when the system is running through dynamic reorgani… Show more

“…To implement the stack jump mechanism, it is necessary to find dangerous functions derived from application code and libraries. The dangerous functions that have been discovered are indicated in various vulnerability libraries provided by National Vulnerability Database [1] and China National Vulnerability Database of Information Security [2] . Therefore, DID can identify the dangerous function contained in the source code based on the vulnerability library information.…”

“…If the dangerous function depends on the stack frame data of the calling function, it will access these data [1] https://nvd.nist.gov/ [2] https://www.cnnvd.org.cn/ during execution. When the dangerous function is being called, it uses the new rbp or new rsp to locate the stack data on the stack frame of the calling function.…”

“…Author details 1 School of Computer Science and Technology, China University of Mining and Technology, XuZhou. 2 School of Data Science, Chinese University of Hong Kong, ShenZhen, ShenZhen.…”

“…The overflow attack [1,2,3] is a main form to break data isolation. After the isolation is broken, the data stored on heap or stack will be overwritten.…”

DID: Data Isolation via Dynamic Adjustment of Permissions and Spaces

“…To implement the stack jump mechanism, it is necessary to find dangerous functions derived from application code and libraries. The dangerous functions that have been discovered are indicated in various vulnerability libraries provided by National Vulnerability Database [1] and China National Vulnerability Database of Information Security [2] . Therefore, DID can identify the dangerous function contained in the source code based on the vulnerability library information.…”

“…If the dangerous function depends on the stack frame data of the calling function, it will access these data [1] https://nvd.nist.gov/ [2] https://www.cnnvd.org.cn/ during execution. When the dangerous function is being called, it uses the new rbp or new rsp to locate the stack data on the stack frame of the calling function.…”

“…Author details 1 School of Computer Science and Technology, China University of Mining and Technology, XuZhou. 2 School of Data Science, Chinese University of Hong Kong, ShenZhen, ShenZhen.…”

“…The overflow attack [1,2,3] is a main form to break data isolation. After the isolation is broken, the data stored on heap or stack will be overwritten.…”

DID: Data Isolation via Dynamic Adjustment of Permissions and Spaces