使用QEMU模擬器偵測緩衝區溢位攻擊; Detection of Buffer Overflow Attacks with QEMU Emulator

NCUIR > College of Electrical Engineering & Computer Science > Graduate Institute of Computer Science and Information Engineering > Electronic Thesis & Dissertation > Item 987654321/9502

Please use this identifier to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/9502

Title:	使用QEMU模擬器偵測緩衝區溢位攻擊;Detection of Buffer Overflow Attacks with QEMU Emulator
Authors:	郭后翔;Hou-Xiang Kuo
Contributors:	資訊工程研究所
Keywords:	緩衝區溢位;堆疊區段緩衝區溢位攻擊;SmashGuard;QEMU;SmashGuard attack;Buffer overflow;QEMU
Date:	2007-09-10
Issue Date:	2009-09-22 11:49:10 (UTC+8)
Publisher:	國立中央大學圖書館
Abstract:	緩衝區溢位攻擊一直是系統安全的一大課題，許多電腦病毒或蠕蟲均利用此漏洞損害許多電腦系統。雖然很多相關研究針對此漏洞去防範，但真正被廣泛使用的方法很少，主要原因乃是要能相容於現有已寫好的可執行碼的方法很少。此篇論文以QEMU模擬器模擬硬體的行為，參改SmashGuard採用在硬體內建立額外堆疊檢測返回位址一致性的方式，使其在不修改軟體可執行碼的情況下，模擬其偵測緩衝區溢位攻擊機制。實驗結果發現其方法在系統軟體使用的假設方面有其衍生出的問題，並分析其原因。為解決此種作業系統亦可能更改堆疊返回位址的問題，本篇論文提出逐級檢測的警示機制，除檢測返回位址的一致性，並增加檢查返回位址的合法性。實驗結果顯示此檢測機制可區分與偵測到一般常見的堆疊區段緩衝區溢位的攻擊模式。 Buffer overflow has always been a dominant issue of system security. Many computer viruses or worms exploit this vulnerability to damage computer systems. Although numerous researches have been proposed to defend such attack, solutions that were really used as standard were rare. The main reason is that few solutions can be compatible with user binary code. This paper chooses QEMU emulator to emulate a hardware behavior and selects SmashGuard mechanism to test its feasibility. The result showed that it will produce some problems, and the reason was analyzed. Hence, this paper proposed a two layer checking mechanism. In addition to checking the consistency of return address, validity of return address was also checked. The result demonstrates that this mechanism can differentiate and detect typical stack-smashing attack.
Appears in Collections:	[Graduate Institute of Computer Science and Information Engineering] Electronic Thesis & Dissertation

Files in This Item:

File	Size	Format

社群 sharing

Loading...