A Framework for Detecting Network-based Code Injection Attacks Targeting Windows and UNIX

Stig Andersson
Information Security Institute, Queensland University of Technology
Australia

Andrew Clark
Information Security Institute, Queensland University of Technology
Australia

George Mohay
Information Security Institute, Queensland University of Technology
Australia

Bradley Schatz
Information Security Institute, Queensland University of Technology
Australia

Jakub Zimmermann
Information Security Institute, Queensland University of Technology
Australia

Code injection vulnerabilities continue to prevail. Attacks of this kind, such as stack buffer overflows, heap buffer overflows and format string bugs, account for roughly half of the vulnerabilities discovered in software every year. The research presented in this paper extends earlier work in the area of code injection attack detection in UNIX environments. It presents a framework for detecting new or previously unseen code injection attacks in a heterogeneous networking environment and compares the code injection attack and detection strategies used in the UNIX and Windows environments. The approach presented is capable of detecting both obfuscated attacks and attacks transmitted in clear text, and methods for implementing a monitoring environment for Windows are discussed. Finally, a prototype intrusion detection system (IDS) capable of detecting code injection attacks targeting Windows systems, both clear text attacks and obfuscated attacks, is presented.

Keywords: Code injection attack, Buffer overflow, Windows, Intrusion detection, Sandboxing, Network based intrusion detection, IDS, NIDS
