緩衝區溢位攻擊一直是系統安全的一大課題,許多電腦病毒或蠕蟲均利用此漏洞損害許多電腦系統。雖然很多相關研究針對此漏洞去防範,但真正被廣泛使用的方法很少,主要原因乃是要能相容於現有已寫好的可執行碼的方法很少。 此篇論文以QEMU模擬器模擬硬體的行為,參改SmashGuard採用在硬體內建立額外堆疊檢測返回位址一致性的方式,使其在不修改軟體可執行碼的情況下,模擬其偵測緩衝區溢位攻擊機制。實驗結果發現其方法在系統軟體使用的假設方面有其衍生出的問題,並分析其原因。為解決此種作業系統亦可能更改堆疊返回位址的問題,本篇論文提出逐級檢測的警示機制,除檢測返回位址的一致性,並增加檢查返回位址的合法性。實驗結果顯示此檢測機制可區分與偵測到一般常見的堆疊區段緩衝區溢位的攻擊模式。 Buffer overflow has always been a dominant issue of system security. Many computer viruses or worms exploit this vulnerability to damage computer systems. Although numerous researches have been proposed to defend such attack, solutions that were really used as standard were rare. The main reason is that few solutions can be compatible with user binary code. This paper chooses QEMU emulator to emulate a hardware behavior and selects SmashGuard mechanism to test its feasibility. The result showed that it will produce some problems, and the reason was analyzed. Hence, this paper proposed a two layer checking mechanism. In addition to checking the consistency of return address, validity of return address was also checked. The result demonstrates that this mechanism can differentiate and detect typical stack-smashing attack.
