Introduction

A great number of remote binary execution vulnerabilities, including buffer overflow and format string vulnerabilities, have been found in web servers and web applications [1]. This type of vulnerability allows attackers to use a crafted HTTP request to inject a piece of exploit binary code into the "body" of the web servers and applications. Once such an exploit binary code injection attack succeeds, the attacker may gain full control of the victim machine. In different attacks, the exploit code may be either a piece of shellcode to break into web servers or an infection vector for worms.

We propose STILL, a real-time, out-of-the-box, signature-free, remote exploit binary code injection attack blocker to protect web servers. STILL is motivated by an important observation that the request messages to web servers are exclusively data and not binary executable code. Since remote exploits are typically binary executable code, this observation indicates that if we can precisely distinguish (service requesting) messages that contain binary code from those that do not contain any binary code, we can protect web servers as well as other Internet services (which accept data only) from binary code-injection attacks by blocking the messages that contain binary code. Figure [*] shows that an application layer proxy-based STILL is deployed between the web server and the corresponding firewall to protect web servers.

STILL (including static taint analysis and initialization analysis) detects not only unobfuscated exploit code and traditional polymorphic and metamorphic exploit code, but also self-modifying and indirect-jump obfuscated code that could easily defeat previous static analysis approaches. Indeed, STILL is robust to almost all anti-signature, anti-static-analysis and anti-emulation obfuscation. STILL is signature-free, so it can block new and unknown remote code injection attacks such as zero-day exploit code. STILL is also suited to economical Internet-wide deployment with very low deployment cost.

Figure: Deployment of STILL.

The main merits of STILL are as follows. First, STILL (including static taint analysis and initialization analysis) is the first static analysis technology that can detect both self-modifying code and indirect jumps, whereas previous static analysis approaches [4,3,6] could be easily thwarted by these obfuscation techniques. Second, STILL is robust to almost all anti-signature, anti-static-analysis and anti-emulation obfuscation. Third, STILL is signature-free, so it can block new and unknown binary code-injection attacks. Finally, STILL is transparent to the web systems being protected and is suited to economical Internet-wide deployment with very low deployment cost.


xinran wang 2008-02-28