Since the buffer overflow problem first appeared in the 1960s, many researchers have proposed solutions to it. In recent years, research on the non-executable stack has greatly reduced the possibility of injecting malicious code into the stack, to the point that hardware vendors have recognised the technique and provide support for it, such as Intel's XD ("eXecute Disable") bit. Nevertheless, buffer overflow attacks are still not completely solved, and return-into-libc is one of the unsolved parts. This kind of attack executes functions in libraries or code that the system has already loaded; because it injects no code into the stack, it is not affected by the non-executable stack. However, most of the more effective solutions to the buffer overflow problem currently available are quite complex to implement, some of them even require modifying the system's own mechanisms, and all of them still have some shortcomings. Therefore, now that the non-executable stack is widespread, this thesis builds on that mechanism and proposes a protection mechanism against return-into-libc, Return Protector: by appending instructions of a specific format to the program code, a function checks whether its return address is valid when it executes its return instruction. Our implementation requires no modification to the system's own mechanisms and is quite simple, making it a defence that can easily be deployed on a variety of platforms.

Since the first buffer overflow attack occurred in the 1960s, many researchers have provided solutions. In recent years, because of the study of the non-executable stack, the possibility of injecting malicious code into the stack has decreased greatly. Even hardware manufacturers have adopted it and provide support for it, like the XD ("eXecute Disable") bit of Intel. Nevertheless, buffer overflow attacks are not completely solved yet; return-into-libc is one unsolved part. This kind of attack uses the already loaded libraries or program code. The method does not inject any code into the stack, so it is not affected by the non-executable stack. Most of the more effective solutions available now are too complex in their implementation. So, given the popularity of the non-executable stack, we propose a protection mechanism against return-into-libc, "Return Protector," in this paper. It checks whether the return address is valid when a function returns. For each function call, we append a specific code sequence after the call. When the function is about to return, we identify the code chunk being returned to with the code chunk that made the function call. This mechanism is very simple, so we can easily port it to other platforms.
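The return-time check the abstract describes, as an added illustration that is not the thesis's own code: a simulated code segment in which every call site is followed by a marker sequence, and a check that accepts a return address only if it points at such a marker, so a return address redirected to a library function entry (which carries no marker) is rejected. The opcode values, marker bytes and memory layout are constructed for this example.

```c
/* Simulation of the Return Protector idea (added example, not the thesis's
 * implementation): each emitted call is followed by a marker, and a return
 * address is valid only if the bytes at that address are the marker. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define CODE_SIZE 64
#define MARKER_LEN 4

/* Hypothetical marker sequence appended after every call instruction. */
static const uint8_t CALL_MARKER[MARKER_LEN] = { 0xC0, 0xDE, 0x55, 0xAA };

/* Hypothetical one-byte opcodes of the simulated instruction set. */
enum { OP_NOP = 0x00, OP_CALL = 0x01, OP_RET = 0x02 };

/* Simulated code segment (constructed, not a real binary). */
static uint8_t code[CODE_SIZE];

/* Emit "CALL target" at pc followed by the marker; returns the address the
 * callee is expected to return to, i.e. the start of the marker. */
size_t emit_call(size_t pc, uint8_t target)
{
    code[pc] = OP_CALL;
    code[pc + 1] = target;
    memcpy(&code[pc + 2], CALL_MARKER, MARKER_LEN);
    return pc + 2;
}

/* The Return Protector check, run in the function epilogue: the return
 * address must lie inside the code segment and point at a call-site marker. */
bool return_address_valid(size_t ret_addr)
{
    if (ret_addr + MARKER_LEN > CODE_SIZE)
        return false;
    return memcmp(&code[ret_addr], CALL_MARKER, MARKER_LEN) == 0;
}

/* Build a constructed layout: a caller at address 0 calls a "library"
 * function at address 32 whose entry has no marker. Returns the legitimate
 * return address of that call. */
size_t build_demo(void)
{
    memset(code, OP_NOP, CODE_SIZE);
    size_t legit_ret = emit_call(0, 32);  /* caller -> library function */
    code[32] = OP_NOP;                    /* library function entry */
    code[40] = OP_RET;                    /* library function epilogue */
    return legit_ret;
}
```

A return address overwritten to point at the library function's entry (address 32 here) fails the check, while the genuine return address following the call passes.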