Author: 林忠立 (Chung-li Lin)
Title: MP: A Memory Protector against Stack-Based Buffer Overflow Attacks (Chinese title, translated: A Memory Protector for Defending against Stack-Based Buffer Overflow Attacks)
Advisor: 許富皓 (Fu-Hau Hsu)
Committee members: (not listed)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science & Information Engineering
Graduation academic year: 95 (ROC calendar)
Language: Chinese
Pages: 90
Chinese keywords (translated): stack-based, defense, protection, buffer, buffer overflow attack, memory, attack, overflow
English keywords: Attack, Stack, Overflow, Buffer, Stack-Based, Protector, Attacks, Memory
Abstract (Chinese, translated):

    In this thesis we propose a new defense mechanism against a problem that pervades information-system security: stack-based buffer overflow attacks. Attacks of this kind exploit the vulnerability that arises when a program writes data into a buffer without bounds checking. They modify data structures that control program flow (for example, return addresses and function pointers) and thereby divert execution to code injected by the attacker (code injection attacks) or to code the attacker selects (return-into-libc attacks).
    Traditional defense mechanisms usually focus only on preventing shellcode from executing and neglect that the attacked process may terminate abnormally. When an attacker launches an attack and fails to achieve her/his goal (obtaining the highest administrative privilege), the failed attack is very likely to corrupt the attacked process's memory contents and cause it to terminate abnormally, which makes post-incident debugging and evidence preservation more difficult.
    We propose a completely new, operating-system-kernel-based defense mechanism, the Memory Protector (MP), that simultaneously protects the system from code-injection-style stack-based buffer overflow attacks and protects the integrity of memory contents. The mechanism detects the attack string before the abnormal data is written into the attacked process's memory block and blocks it outside the attacked process. The system therefore not only prevents ordinary buffer overflow attacks from outside but also prevents the attacked process's memory contents from being corrupted, so the attacked program can still terminate normally after a buffer overflow attack is detected. Furthermore, with only a slight reduction in program execution performance and a low false-positive rate, the mechanism can effectively detect code-injection-style buffer overflow attacks, even zero-day attacks. Because of the rapidly increasing adoption of Linux and the availability of its kernel source code, we chose to implement this defense mechanism on the Linux operating system.


Abstract (English):

    In this paper, we propose a new defense mechanism that addresses a universal problem in information system security: stack-based buffer overflow attacks. This type of buffer overflow attack exploits the loophole that results when a process writes data to a buffer without bounds checking. It modifies control-flow data structures (e.g. return addresses and function pointers) and then forces the process to execute code injected by the attacker (code injection attacks) or code of the attacker's choice (return-into-libc attacks).
    Traditional defense mechanisms usually focus only on preventing the execution of shellcode and neglect that the attacked process may be terminated abnormally. When an attacker launches an attack and fails to achieve the objective (obtaining root privilege), the attack is likely to corrupt the memory of the attacked process and cause it to terminate abnormally, which makes debugging and preserving evidence more difficult.
    We propose a novel operating-system-based defense mechanism, Memory Protector (MP), to protect systems from code injection stack-based buffer overflow attacks and to keep memory intact. The mechanism detects malicious data before it is written to the attacked process's memory block and blocks it outside the attacked process, so it not only prevents the buffer overflow attack but also avoids memory corruption, and the attacked process can then terminate normally. Moreover, it only slightly reduces the performance of the program and has a low false-positive rate, so it is an effective mechanism for detecting code injection types of buffer overflow attacks, even zero-day attacks. Because of the rapidly growing popularity of Linux and the availability of its kernel source, we chose the Linux operating system to implement this defense mechanism.
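To make the abstract concrete, here is an added user-space model of the check MP performs on data before it reaches the process; it is illustrative code written for this page, not the thesis's kernel implementation. It assumes the two signals named in the thesis outline (repeated return-address values that point into the stack, and NOP sleds), with a constructed 32-bit stack range and constructed thresholds.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed parameters for this illustration, not values from the thesis: the
 * 32-bit Linux user-stack range that incoming words are compared against, and
 * thresholds meant to keep false positives low on ordinary text protocols. */
#define STACK_LO        0xbf000000u
#define STACK_HI        0xc0000000u
#define ADDR_REPEAT_MIN 4   /* same in-stack word seen this often => smashed frame */
#define NOP_SLED_MIN    32  /* consecutive 0x90 bytes => NOP sled */
enum mp_verdict { MP_CLEAN = 0, MP_ADDR_REPEAT = 1, MP_NOP_SLED = 2 };
/* Little-endian 32-bit decode so the check does not depend on host endianness. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Inspect data before the kernel hands it to the process. The overwritten return
 * address can start at any byte offset, so every offset is treated as a candidate. */
enum mp_verdict mp_scan(const unsigned char *buf, size_t len)
{
    size_t nops = 0;
    for (size_t i = 0; i < len; i++) {
        nops = (buf[i] == 0x90) ? nops + 1 : 0;
        if (nops >= NOP_SLED_MIN)
            return MP_NOP_SLED;
    }
    for (size_t i = 0; i + 4 <= len; i++) {
        uint32_t v = le32(buf + i);
        if (v < STACK_LO || v >= STACK_HI)
            continue;                     /* not a plausible stack address */
        size_t count = 1;                 /* attackers repeat the address to hit the frame */
        for (size_t j = i + 4; j + 4 <= len; j += 4)
            count += (le32(buf + j) == v);
        if (count >= ADDR_REPEAT_MIN)
            return MP_ADDR_REPEAT;
    }
    return MP_CLEAN;
}

/* Models the guarded read(): data reaches the process's buffer only if it is clean,
 * so a rejected request never corrupts the process's memory. Returns bytes delivered. */
size_t mp_guarded_deliver(unsigned char *dst, const unsigned char *src, size_t len)
{
    if (mp_scan(src, len) != MP_CLEAN)
        return 0;
    memcpy(dst, src, len);
    return len;
}
```

The repeat and sled thresholds are the knobs that trade false positives (binary protocols legitimately carry high words) against false negatives, which is the trade-off the thesis's chapter 4 measures.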

Table of contents:

    Abstract (Chinese)
    Abstract (English)
    Acknowledgements
    Contents
    List of Figures
    List of Tables
    Chapter 1  Introduction
      1-1  Background and Objectives
      1-2  Overview of the Method
      1-3  Organization of the Thesis
    Chapter 2  Buffer Overflow Attacks
      2-1  Buffer Overflow
      2-2  Injected Code and Return Address Values
      2-3  NOP Sled
    Chapter 3  Implementation
      3-1  Memory Location of the Overflowed Buffer
      3-2  How the Memory Protector Works
        3-2-1  Outline of the Method
        3-2-2  Detecting Malicious Address Values
        3-2-3  Receiving Data Strings in Batches
        3-2-4  Collecting Real-World Data and a Reasonable Comparison Range
        3-2-5  Detecting NOP Sleds
      3-3  Additional Security Mechanisms of the Memory Protector
      3-4  Operating System Kernel Modifications
        3-4-1  The read System Call for Local File Data and Remote Data
        3-4-2  Detection Algorithm
      3-5  Discussion
        3-5-1  MP Detection Features and the Content of Data Received by Applications
        3-5-2  Variants of the NOP Sled
        3-5-3  Depth of Function Calls after Receiving External Data
    Chapter 4  Experiments and Analysis
      4-1  Effectiveness Tests
        4-1-1  False Positives
        4-1-2  False Negatives
      4-2  Performance Analysis
    Chapter 5  Related Work
      5-1  Compiler-Based Protection Mechanisms
      5-2  Protection Mechanisms Similar to MP
      5-3  Randomizing Memory Segments and Contents
      5-4  Restricting Executable Memory Segments
      5-5  Others
    Chapter 6  Conclusions
      6-1  Contributions
      6-2  Future Work
        6-2-1  When Data Strings Are Not Allowed to Be Written to the Buffer
        6-2-2  Other Types of Buffer Overflow Attacks or Advanced Attack Methods
    References
    Appendix 1
    Appendix 2
    Source Code

