Reexamination Certificate
1999-03-18
2001-10-09
Powell, Mark R. (Department: 2122)
Data processing: software development, installation, and managem
Software program development tool
Translation of code
C713S152000, C709S241000
active
06301699
ABSTRACT:
FIELD OF THE INVENTION
The present invention relates to a method for detecting unauthorized access attempts within a computer system in general, and to a method for detecting an attempt to exploit the buffer overflow weakness within a computer system in particular.
BACKGROUND OF THE INVENTION
Computer systems, which provide services to a plurality of users, are known in the art. Such services are provided through enabling access to a variety of system resources.
It will be appreciated by those skilled in the art that such computer systems are often configured and administered so that each user is granted access to predetermined and limited resources of the system. For example, one user can have supervisor authorization, thereby being able to access and control most or all of the resources of the system. Such a user is also called a super-user. Similarly, another user can have a low level of authorization, enabling him to access only a limited set of resources of the system.
Reference is now made to FIG. 1, which is a schematic illustration of a computer system and a plurality of user stations connected thereto. Computer system 10 includes a communication device 12, a CPU 14, a memory 22 and a plurality of system resources such as storage unit 16, printer 18 and multi-media unit 20. CPU 14 is connected to communication device 12, storage unit 16, printer 18 and multi-media unit 20. System 10 is connected to external users via computer systems 30, 32 and 34, and via a network 24.
Each of the external users accessing system 10 via computer systems 30, 32 and 34 is allocated a different level of authorization with respect to system 10. The user using computer system 30 is predetermined as a super-user, thereby being able to access and control all of the resources of computer system 10. The user using computer system 32 is predetermined as a high-level user, thereby being able to access storage unit 16, printer 18 and multi-media unit 20. The user using computer system 34 is predetermined as a low-level user, thereby being able to access printer 18.
Operating systems, such as the Unix based Solaris operating system produced and manufactured by Sun Computers Incorporated, allow discretionary access control to computer system components. Such systems allow programmers to grant or revoke user access rights to objects within a computer system. Conventionally, objects within a computer system include files, directories, computer programs and the like.
While a computer program is running, the computer program may be required to access objects for which the user executing the program does not have the necessary privileges. Conventionally, the system 10 administrator can provide such computer programs with predetermined enhanced privileges, thus enabling a non-privileged user to access a privileged computer system resource in a controlled manner.
When a computer program is executed, a computer program process is created. Conventionally, a computer program process is the manner of execution of the computer program.
Computer system 10 is vulnerable to attack techniques attempting to exploit enhanced privileges (for example, gaining super-user privileges) within the computer system 10 via the network 24 and the communication device 12.
One such technique, known in the art as induced buffer overflow, can be exploited in order to gain super-user privileges within a computer system. Gaining super-user privileges within a computer system allows non-authorized users access to privileged resources.
Buffer overflow is caused when a computer system attempts to write past the end of a defined array. Arrays are predefined allocated memory devices within a computer system. A computer program process is allocated an array of user address space. User address space is a memory device wherein the computer program processes are executed.
Reference is now made to FIG. 2A, which is a schematic illustration of an array of user address space locations, generally referenced 50, known in the art.
A computer program comprises instructions. Such instructions are executed by the computer system. Functions are part of a computer program. Functions contain several computer program instructions. Functions exchange variables by means of parameter passing, implemented within the stack segment of the user address space. User address space is organized in three parts: text segment 52, data segment 56 and stack segment 54.
The stack segment 54 of the array of user address space 50 contains and handles local variables, which are used by a function. The stack segment 54 of the array of user address space 50 further passes parameters to and from functions.
Reference is now made to FIG. 2B, which is a schematic illustration in detail of the stack segment array 54 of the array of user address space in FIG. 2A, known in the art.
When a computer program process is started, the system 10 dynamically allocates an available stack segment block 61 of the stack segment array 54 to the process. Such a stack segment block is deallocated when the process is completed.
When a function is invoked within a process, a frame 62 is allocated to the computer program process. Frames include the information needed by a single execution of a function.
Such information includes the temporary values field 69, holding the evaluation of expressions, and the local data field 68, holding data for the execution of the process. Such information further includes the return address field 67. The return address field 67 includes the return address for the calling function. Such return address is the next computer program instruction subsequent to the function call. Other information includes the optional access link field 66, pointing to data held in other frames, the optional control link field 65 and the actual parameters field 64, holding the parameters to be passed to the calling program or function. Such a frame is deallocated when the function ends.
Reference is now made to FIG. 3, which is a schematic illustration of a function stack segment array, generally referenced 70, and of a computer program, generally referenced 80, which are known in the art.
In the present example, computer program 80 includes three program elements 82, 84 and 86, which are performed in sequence. Program elements 82 and 86 are general computer program instructions. Program element 84 is a function call. Accordingly, function call 84 is performed after computer instruction 82 and before computer instruction 86. When the function 84 is called, the flow control of the computer program 80 is altered. Typically, a function receives the computer program control, performs a predetermined task and returns the computer program control to the statement or instruction which follows the function call.
System 10 automatically determines a function return address 72 for function 84 and stores it within the stack segment return address field 67 of the array of user address space 50 (FIGS. 2A and 2B). Function return address 72 indicates the location of the computer program instruction which follows function 84, which in the present example is instruction 86.
One known technique to compromise the integrity and security within a computer system is to pass, as a parameter, a string containing a computer program or other executable code into the function stack segment array 74. Such string is passed to the function stack segment array 74 by the function 84 and is stored within the stack segment frame actual parameters field 64 of the array of user address space 50 (FIGS. 2A and 2B). It is noted that the length of this string exceeds the length of the destination field 64.
When passed, such string overwrites past the end of the allotted field 64 (FIG. 2B) for the function 84. By overwriting past the end of the stack segment function actual parameters field 64 (FIG. 2B), the string further replaces the stack se
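As an added illustration, not part of the patent text and not the method it claims, the following C model reflects the frame layout described above, with the actual parameters field 64 sitting directly below the return address field 67, and shows a bounded parameter store that refuses any string longer than the field so the return address is never reached. The struct, the field size PARAM_FIELD_SIZE, the function names and the sample values are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the frame in FIG. 2B: the actual parameters
 * field (64) lies directly below the return address field (67), so
 * a string that overruns the field would reach the return address.
 * PARAM_FIELD_SIZE is an assumed, illustrative size. */
#define PARAM_FIELD_SIZE 16

struct frame {
    char      actual_params[PARAM_FIELD_SIZE]; /* field 64 */
    uintptr_t return_address;                  /* field 67 */
};

enum { STORE_OK = 0, STORE_REJECTED_TOO_LONG = 1 };

/* Bounded write into the parameters field. A string that does not fit
 * together with its terminating NUL is rejected before any byte is
 * copied. This is an ordinary length check, not the patent's method. */
int store_parameter(struct frame *f, const char *s)
{
    size_t len = strlen(s);
    if (len >= PARAM_FIELD_SIZE)
        return STORE_REJECTED_TOO_LONG;
    memcpy(f->actual_params, s, len + 1);
    return STORE_OK;
}

/* 1 if the return address still holds the value recorded when the
 * frame was set up (return address 72 in FIG. 3), 0 if altered. */
int return_address_intact(const struct frame *f, uintptr_t recorded)
{
    return f->return_address == recorded;
}

/* Walk-through: a short parameter is stored, a 32-byte one is
 * rejected, and the return address survives both. Returns 1 on success. */
int demo(void)
{
    struct frame f;
    uintptr_t recorded = 0x1000u;           /* constructed return address */
    memset(&f, 0, sizeof f);
    f.return_address = recorded;
    int ok_short = store_parameter(&f, "user=alice");
    int ok_long  = store_parameter(&f, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    return ok_short == STORE_OK && ok_long == STORE_REJECTED_TOO_LONG
        && return_address_intact(&f, recorded)
        && strcmp(f.actual_params, "user=alice") == 0;
}
```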
Hollander Yona
Rahman Ophir
Sagiv Shmuel
Segal Ury
Beusse James H.
Corekt Security Systems, Inc.
DeAngelis Jr. John L.
Holland & Knight LLP
Ingberg Todd