In this paper we propose a new defense mechanism against a problem that is pervasive in information system security: stack-based buffer overflow attacks. Attacks of this class exploit the vulnerability that arises when a program writes data into a buffer without bounds checking. The overflow modifies data structures that control program flow (for example, return addresses and function pointers) and thereby redirects execution to code injected by the attacker (code injection attacks) or to existing code of the attacker's choosing (return-into-libc attacks). Traditional defense mechanisms usually focus only on preventing the execution of shellcode and neglect that the attacked process may terminate abnormally: when an attacker launches an attack and fails to reach her/his goal (obtaining the highest administrative privilege), the unsuccessful attack is still likely to corrupt the memory of the attacked process and cause it to terminate abnormally, which makes post-mortem debugging and the preservation of evidence more difficult.

We propose a novel defense mechanism based in the operating system kernel, Memory Protector (MP), that simultaneously protects the system from code-injection stack-based buffer overflow attacks and preserves the integrity of memory contents. MP detects the attack string before the abnormal data is written into the attacked process's memory and keeps it outside the attacked process, so the system not only prevents ordinary buffer overflow attacks arriving from outside but also prevents corruption of the attacked process's memory contents; as a result, an attacked program can still terminate normally after the overflow attack has been detected. Moreover, with only a slight reduction in program execution performance and a low false-positive rate, the mechanism effectively detects code-injection buffer overflow attacks, even zero-day attacks. Because of the rapidly growing popularity of Linux and the availability of its kernel source code, we chose to implement this defense mechanism on the Linux operating system.