Secure Bit: Hardware Buffer-Overflow Prevention
Krerk Piromsopa, Richard J. Enbody · U.S. Patent application Serial No. PCT/US2005/039896 · Filed November 2004
Secure Bit 2 is a patent-pending, transparent hardware solution against buffer-overflow attacks on control data, return-address and function-pointer attacks in particular. It is a continuation of our original work on Secure Bit: both are based on an added Secure Bit, but the management of the bit is dramatically different. We refer to the new management scheme as Secure Bit 2. Secure Bit is the concept of providing a hardware bit that protects the integrity of addresses in order to prevent buffer-overflow attacks. Secure Bit 2 is our second implementation of a protocol to manage the Secure Bit.
Secure Bit 2 is completely transparent to software and provides 100% backward compatibility with legacy code. Unlike several methods that only reduce the probability of a successful attack, Secure Bit 2 can detect and prevent all address-corrupting buffer-overflow attacks. Its run-time performance penalty is small (almost none). The goal of Secure Bit 2 is to provide hardware support to protect against current and future generations of buffer-overflow attacks by protecting the integrity of addresses: addresses passed in buffers between processes are invalid. Robustness and transparency are demonstrated by emulating the hardware, booting Linux on the emulator, running application software on that Linux, and performing known attacks.
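A simplified software model of the idea described above, as an added example that is not taken from the patent application or the authors' emulator. Its rules are assumptions made for illustration: each memory word carries one tag bit, a copy from another process sets it, the process's own stores clear it, and a control transfer through a tagged word faults. All names and the return address are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model: every memory word carries one extra tag bit (the Secure Bit). */
typedef struct { uintptr_t value; unsigned sbit; } word_t;
enum { BUF_WORDS = 4, RET_SLOT = BUF_WORDS, FRAME_WORDS = BUF_WORDS + 1 };
enum { XFER_OK = 0, XFER_FAULT = 1 };

/* Assumption: words the process writes itself (e.g. a call pushing its return address) are untagged. */
static void local_store(word_t *mem, size_t i, uintptr_t v) {
    mem[i].value = v;
    mem[i].sbit = 0;
}

/* Assumption: data arriving from another process is tagged word by word.
   The copy is deliberately unbounded, like the vulnerable routines the page targets. */
static void cross_domain_copy(word_t *mem, size_t dst, const uintptr_t *src, size_t n) {
    for (size_t i = 0; i < n; i++) {
        mem[dst + i].value = src[i];
        mem[dst + i].sbit = 1;
    }
}

/* Return or indirect call/jump: refuse a target address whose tag bit is set. */
static int control_transfer(const word_t *mem, size_t slot, uintptr_t *target) {
    if (mem[slot].sbit) return XFER_FAULT;
    *target = mem[slot].value;
    return XFER_OK;
}

/* One call: push the return address, receive n words into the buffer, then return. */
static int simulate_call(const uintptr_t *input, size_t n, uintptr_t *target) {
    word_t frame[FRAME_WORDS];
    if (n > FRAME_WORDS) n = FRAME_WORDS;          /* stay inside the model's memory */
    for (size_t i = 0; i < BUF_WORDS; i++) local_store(frame, i, 0);
    local_store(frame, RET_SLOT, 0x401000u);       /* constructed return address */
    cross_domain_copy(frame, 0, input, n);         /* n > BUF_WORDS reaches RET_SLOT */
    return control_transfer(frame, RET_SLOT, target);
}

int main(void) {
    const uintptr_t fits[4] = {1, 2, 3, 4};                        /* constructed input */
    const uintptr_t oversized[5] = {0x41, 0x41, 0x41, 0x41, 0xdeadbeefu};
    uintptr_t t = 0;
    printf("4 words: %s\n", simulate_call(fits, 4, &t) == XFER_OK ? "returns" : "faults");
    printf("5 words: %s\n", simulate_call(oversized, 5, &t) == XFER_OK ? "returns" : "faults");
    return 0;
}
```

In this model the input that fits the buffer leaves the return address untagged and the return proceeds, while the oversized input tags the return slot and the transfer is refused regardless of the value written there.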
For details, see: Piromsopa and Enbody, “Secure Bit: Transparent, Hardware Buffer-Overflow Protection,” IEEE Transactions on Dependable and Secure Computing, Vol. 3, No. 4, October–December 2006.