從1950年開始,緩衝區溢位攻擊便不斷地在網際網路上肆虐著。由於發起容易,目標眾多,及強大的破壞力,長久以來緩衝區溢位攻擊便一直是網際網路最大的安全威脅問題之一。不僅internet worm利用這種程式漏洞大量繁殖,許多的攻擊者也利用此種程式漏洞奪取電腦系統的控制權。且在理論上來說,利用這類型的攻擊手法可以讓攻擊者在數十分鐘內攻破成千上萬的電腦。這些安全威脅不僅嚴重地影響到每一台使用網路的電腦系統的可靠度,並且威脅到使用者對於使用這些網路服務的信心。有鑑於此,開發出一套有效的緩衝區溢位攻擊防禦方法便成為目前網路安全研究中迫切且重要的議題。 隨著眾多防禦方法的提出,緩衝區溢位攻擊這類的攻擊手法也不斷地演化成不同的形態,以繞過這些保護機制。而研究顯示,若要對鎖定的系統造成傷害攻擊者通常必需執行系統呼叫,而在i386的架構下系統呼叫的執行則必需透過int 80或 sysenter指令,因此在本篇論文中我們將針對 (一)防止攻擊者自行提供的int 80指令的執行 (二)防止程式內原有的int 80被攻擊者盜用,兩項議題提出解決方案,進而解決破壞力強大的植入惡意程式之緩衝區溢位攻擊。 在不需重新編譯使用者程式並提供可執行堆疊的前提下、本篇論文提出了一種借由修改kernel和libc的方法使int 80 指令僅能由程式中特定的int 80指令產生、此外借由模糊位置技巧及偽造int 80指令的加入,使得攻擊者很難利用程式中已向Kernel註冊的int 80指令執行系統呼叫、進而防止多種型態的緩衝區溢位攻擊,實驗顯示在僅需微量的工作負擔下,本法可有效地解決植入惡意程式碼的緩衝區溢位攻擊。 Since its first appearance in 1950, buffer overflow attacks have buffeted the Internet for more than half a century. Due to the simplicity to launch a BOA, the tremendous available targets in the Internet, and the damage power a BOA can create, buffer overflow attacks have continuously been one of the most hazardous security threats in the Internet. Not only Internet worms utilize this attack to proliferate themselves but also malicious users exploit it to take the control of a computer system. Internet incidents are often related to buffer overflow attacks. And theoretically, by utilizing this attack method a malicious user can compromise thousands of hundreds hosts in 20 minutes. The above security threats severely influence the reliability of a computer and network system and also reduce people's confidence on the computer and network system. Therefore, developing an efficient and effective approach to protect a computer and network system become a critical and emergent issues modern cyber community. As more protection approaches are developed, BOAs also evolve into different mutants to bypass the proposed protection mechanism. Among the various mutants there are stack smashing attacks, heap overflow attacks, function pointer attacks, jump table overflow attacks, and so on. Attackers usually have to damage target system by system calls, and in i386 architecture it must use int 80 or sysenter. In our research we focus on (1) prevent executing int 80 provided by attacker (2) prevent executing int 80 existed in memory to protect system from BOAs. We propose a new method to protect system calls by registering valid int 80 on premise that we don’t have to recompile source code. Besides of that, we introduce Address Obfuscation and forge fake int 80 instructions to make attackers hardly use system calls registered in system and then protect system from many kinds of injected code Attack. And the experimental results show that it takes less overhead to protect system.
