針對遠端緩衝區溢位攻擊之自動化即時反擊系統

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：20

、訪客IP：3.129.69.151

姓名

歐智文(Chih-wen Ou) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

針對遠端緩衝區溢位攻擊之自動化即時反擊系統
(ARCS:Automatic real-time counterattack system against remote buffer overflow attack)

相關論文

★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm	★ Discoverer- Rootkit即時偵測系統
★ 一項Android手機上詐騙簡訊的偵測與防禦機制	★ SRA系統防禦ARP欺騙劫持路由器
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines	★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection	★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection	★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences	★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI : My ACcount, YoUr ResponsIbility	★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment	★ PrivacyGuard：A Kernel-based Solution to Enhance the User Privacy When Using Private Browsing

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 ( 永不開放)

摘要(中)

在資訊安全的世界中，緩衝區溢位漏洞與攻擊是一個極為關鍵的領域，影響著全世界許許多多的系統使用者。連接性越來越緊密的全球網路，再加上開發資訊系統越來越競爭的全球市場，在時間跟成本壓力下，許多未經仔細開發以及完整驗證的服務跟程式在網路上被廣泛使用著，而這些程式具有許多漏洞，其中最嚴重，就是可被利用於執行遠端植入的惡意程式碼的緩衝區溢位漏洞。隨著商業活動的數位化，掌控電腦跟掌握資訊同時也成為致富的另一途徑，此趨勢使得攻擊者將入侵電腦當作生財的方式，因而使得他們的攻擊形態轉以隱匿化，小型化的方式來進行。直到今日，在許多新開發的程式上出現的緩衝區溢位漏洞從沒減少過，且現今有效的解決方案大多只是讓緩衝區溢位攻擊的成功率降到最低，在擁有足夠的時間與足夠的攻擊主機的情況下，不用太大的攻擊強度，這些解決方案仍難以抵擋多嘗試幾次的攻擊。
　　有組織且低調的緩衝區溢位攻擊，代表著長時間的低強度的重複攻擊是必須的，無論是Botnet或是蠕蟲擴張，最有效的方式就是利用緩衝區溢位攻擊。儘管變的低調，變的聰明，但不變的是緩衝區溢位攻擊目標是程式的漏洞，且發動攻擊的主機及有可能也含有相同漏洞。在更積極，以及更有效率的前提下，我們希望可以對付的不僅僅是緩衝區溢位攻擊本身，還有發動攻擊的電腦，甚至是搖控這一切的遠端惡意攻擊集團。因此攻擊的發現與偵測必須要夠有效率，夠有彈性之外，我們所採取的攻擊反應作為必須能夠嚇阻背後的主事者。
　　綜合上述概念我們建構出一個自動化即時反擊概念。希望透過自動化即時反擊的實作以及即時反擊方法的研究，以積極嚇阻代替消極抵禦，以即時反擊機制代替抵銷攻擊策略，降低遭受惡意攻擊者攻擊的機率。同時，透過反擊讓攻擊者發動攻擊有所顧慮；透過攻擊資料的搜集讓隱身於世界各角落的攻擊者無所遁形。

摘要(英)

In this paper, we shall discuss a new idea against remote buffer overflow attack launched by internet worms, Botnet owners or unknown attackers. Meanwhile, we also develop the prototype system called Arcs (Automatic Real-time Counterattack System) to evaluate the performance of this architecture. The result of system testing shows that this mechanism indeed works, which means it is usable and efficient to combat the remote buffer overflow attack from internet worm propagation and Botnet than other strategies came up before.
The propagation of worm depends on which vulnerabilities they exploit. And also we understand that remote buffer overflow attack is still an efficient method for Botnet to control these vulnerable hosts. This vulnerability oriented characteristic tells us that one compromised host without patched, is possible to be compromised again. Different from rough, invasive and indulgent white worm strategy, we propose a controllable and acceptable automatic real-time counterattack mechanism, which just attacks to those who attacks us. After attacking detected, we make a duplicate of the original attacking string, replace malicious injected code of this duplicate with our own fight back injected code and then use it to counterattack. For ideal situation, we can successfully compromise the attacking host and execute our injected code instead of original malicious one. We build a database to record the information of counterattack, including the address of attacking hosts and Port, the time and the result of fighting back. We have a detailed discussion about the possible Arcs based worm and Botnet solution and contribution of Arcs because of its efficiency and flexibility. Arcs can be used for many different purposes for different system administrators’ needs.
This paper focuses on introduction of Arcs, modification of remote buffer overflow attack string, its influence and possible Arcs based worm and Botnet solutions.

關鍵字(中)

★ 緩衝區溢位攻擊
★ 蠕蟲
★ 機器人網路

關鍵字(英)

★ buffer overflow attack
★ worm
★ botnet

論文目次

目錄
口試委員審定書中文摘要 i
中文摘要 ii
英文摘要 iii
誌謝 iv
目錄 v
圖目錄 vii
表目錄 viii
公式目錄 ix
1-1　動機 1
1-2　背景 3
1-3　方法概述 4
1-4　方法分析 6
1-4-1　可利用之反擊字串的產生 6
1-4-2　反擊作為所造成的影響 6
第二章　相關研究 9
2-1　緩衝區溢位的解決方案 9
2-2　網路蠕蟲研究 10
2-3　網路蠕蟲偵測抵禦方案 10
第三章　緩衝區溢位攻擊字串 12
3-1　緩衝區溢位攻擊字串 12
3-2　定義緩衝區溢位攻擊字串之需修改段與固定段 15
第四章　自動即時反擊系統(ARCS) 18
4-1　自動化即時反擊（Arcs）概述 18
4-2　Arcs Core 21
4-2-1　sys_mwwf()實作 22
4-2-2　核心反擊佇列 22
4-3　Arcser 23
4-3-1　Arcser概述 23
4-3-2　反擊發動 24
4-3-3　Arcs事件紀錄資料庫 24
4-4　Arcs範例以及總結 24
第五章　實驗與效能分析 26
5-1　實驗一：可行性測試 26
5-2　實驗二：Arcs時間成本分析 30
5-3　實驗三：Arcs主機效能分析 33
第六章　討論 35
6-1　以自動化即時反擊對抗蠕蟲 35
6-2　不成功的自動化即時反擊 41
6-2-1　拒絕連線 42
6-2-2　後門連線失敗 42
6-3　自動化即時反擊系統的限制與問題 44
6-3-1　偵測躲避 44
6-3-2　反擊或是改寫閃避 45
6-3-3　反擊風險 46
6-3-4　網路流量 47
6-4　系統部署隱密性考量分析 47
6-5　未來工作 48
第七章　結論 49
第八章　參考文獻 50
附錄1：注入程式碼列表 53

參考文獻

[1]P. Baeched et al., "The Nepenthes Platform: An Efficient Approach to Collect Malware", The 9th International Symposium on Recent Advances in Intrusion Detection (RAID), Sept. 2006
[2]Yong Tang and Shigang Chen, “Defending Against Internet Worms: A Signature-Based Approach “, IEEE INFOCOM, Miami, FL, March, 2005.
[3]Michele Garetto, Weibo Gong, and Don Towsley, “Modeling Malware Spreading Dynamics“, IEEE INFOCOM, San Francisco, CA, USA, April, 2003.
[4] Moheeb Abu Rajab, Fabian Monrose, Andreas Terzis “On the Effectiveness of Distributed Worm Monitoring “, USENIX Security Symposium, 2005
[5] Zhenkai Liang, R. Sekar, “Automatic Generation of Buffer Overflow Attack Signatures: An Approach Based on Program Behavior Models “Annual Computer Security Applications Conference (ACSAC 2005)
[6]Gaurav Kataria,Gaurav Anand, Rudolph Araujo, Ramayya Krishnan,Adrian Perrig "A Distributed Stealthy Coordination Mechanism for Worm Synchronization", IEEE Securecomm & Workshop, 2006.
[7]Zhenkai Liang, R. Sekar" Fast and automated generation of attack signatures: a basis for building self-protecting servers", Conference on Computer and Communications Security, Proceedings of the 12th ACM conference on Computer and communications security
[8]Randy Smith, Cristian Estan, Somesh Jha" Backtracking Algorithmic Complexity Attacks Against a NIDS ", Annual Computer Security Applications Conference (ACSAC 2006)
[9] “2003 CSI/FBI Computer Crime and Security Survey. Security”,
http:// www.reddshell.com/docs/csi_fbi_2003.pdf
[10]“Linux Networking Kernel”,
http://www.ecsl.cs.sunysb.edu/elibrary/linux/network/LinuxKernel.pdf
[11] H. Shacham, M. Page, B. Pfaff, Eu-Jin Goh, N. Modadugu, and Dan Boneh, “On the Effectiveness of Address-Space Randomization ” , Proceedings of the 11th ACM conference on Computer and communications security, 2004
[12]T. Bu, A. Chen, S. V. Wiel, and T. Woo “Design And Evaluation of A Fast And Robust Worm Detection Algorithm”, INFOCOM 2006. In the Proceedings of 25th IEEE International Conference on Computer Communications.
[13]D. Moore, C. Shannon, G. M. Voelker, and S. Savage “Internet Quarantine: Requirements for Containing Self-Propagating Code” , infocom 2003
[14]Fu-Hau Hsu, Fanglu Guo, and Tzi-cker Chiueh, “Scalable Network-based Buffer Overflow Attack Detection”, in Proceedings of ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS 2006), San Jose, California, USA, December, 2006.
[15]S. Staniford, V. Paxson and N. Weaver “The Top Speed of Flash Worms”, In the proceedings of the ACM Workshop on Rapid Malcode (WORM ), Fairfax, VA, Oct. 2004
[16] J. Xu, P. Ning, C. Kil, Y. Zhai, C. Bookholt, "Automatic diagnosis and response to memory corruption vulnerabilities", ACM Conference on Computer Communications Security (CCS 2005)
[17]J. Ma, G. M. Voelker, and Stefan Savage “Self-Stopping Worms”, In the proceedings of the ACM Workshop on Rapid Malcode (WORM ), Fairfax, VA, Oct. 2005
[18]Zheng, H., & Duan, H. “Active Technologies to Contain Internet Worm.”, Worm blog. Retrieved April 1, 2007, from http://wiki.ccert.edu.cn/doc/spark/
ActiveTechnologiestoContainInternetWorm.pdf
[19] N. Weaver, V. Paxson, S. Staniford, and R. Cunningham, “A Taxonomy of Computer Worms”, Proceedings of the 2003 ACM workshop on Rapid Malcode, 2003
[20] S. Staniford, V. Paxson and N. Weaver “How To Own The Internet In Your Spare Time”, In the Proceedings of USENIX Security Symposium, San Francisco, CA, Aug. 2002
[21] PAX Project http://pax.grsecurity.net/
[22] Paul Bächer, Thorsten Holz, Markus Kötter, Georg Wicherski, “Know your Enemy:Tracking Botnets”, http://www.honeynet.org/papers/bots/
[23] “Smashing The Stack For Fun And Profit”, http://www.cs.wright.edu/~tkprasad/courses/cs781/alephOne.html
[24] Wiki, “Buffer overflow”http://en.wikipedia.org/wiki/Buffer_overflow
[25] Gaurav S. Kc, Angelos D. Keromytis, Vassilis Prevelakis, ”Countering code-injection attacks with instruction-set randomization”, Conference on Computer and Communications Security, Proceedings of the 10th ACM conference on Computer and communications security
[26]CAIDA, http://www.caida.org/home/
[27]DShield, http://www.dshield.org/
[28]Eugene H. Spafford,” The internet worm: the Crisis and aftermath”, CACM, June 1989, vol32, number 6
[29] Milw0rm, http://www.milw0rm.com/shellcode/linux/x86
[30] Izik, “Advanced Buffer Overflow Methods”,
http://events.ccc.de/congress/2005/fahrplan/attachments/539-Paper_AdvancedBufferOverflowMethods.pdf

指導教授

許富皓(Fu-hau Hsu)

審核日期

2008-7-21

推文