Heap Detective : Detect Heap-based Memory Corruption by Simulating Heap

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：23

、訪客IP：3.137.183.14

姓名

楊安傑(An-Jie Yang) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

(Heap Detective : Detect Heap-based Memory Corruption by Simulating Heap)

相關論文

★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm	★ Discoverer- Rootkit即時偵測系統
★ 一項Android手機上詐騙簡訊的偵測與防禦機制	★ SRA系統防禦ARP欺騙劫持路由器
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines	★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統
★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統	★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks	★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails	★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators	★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye	★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

在資訊安全的領域中，Memory Corruption 的問題越來越嚴重，從緩衝區溢位攻擊 ( Buffer Overflow Attack ) 以來，已經越來越多種會造成 Memory Corruption 並導致可以控制流程的攻擊手法也越來越多，近年來，Address Space Layout Randomization 及 StackGuard 被提出來已經減少很多攻擊的發生，但 Memory Corruption 的問題還是非常嚴重，特別是在記憶體分配使用不當時所造成的 Heap 上的漏洞像是 Use-after-free 及 Double Free 等，常常導致非常大的危害。
最近，也有許多研究人員提出了 HeapShied 等 Heap 區段的防護機制，特別針對 Heap 區段的漏洞進行保護，也有研究人員開發出了 Memcheck 工具來方便開發人員檢測記憶體分配上的問題，但大部份的方式都需要原始碼，但總會有一些檢查不到或是回報的錯誤報告不易開發人員除錯等問題。
本篇論文提出了 Heap Detective 這套系統，利用完整模擬 Glibc 的 Memory Allocator 來檢測一些Heap區段上的Memory Corruption 的問題，橫跨所有GDB支援的架構且不需要任何程式的原始碼，另外也提供了資安人員研究攻擊流量 Heap 區段記憶體分析工具，也方便資安人員開發攻擊程式。

摘要(英)

In the Information Security, the issue of memory corruption is getting worse. From Buffer Overflow Attack, there were more and more vulnerabilities cause memory corruption and can lead to control flow redirection. In recent years, because the study of Address Space of Layout Randomization and StackGuard, it has reduced a lot of attacks. But the issue of memory corruption is still very serious, particularly Use after Free and Double Free, which is vulnerability on heap, often lead to very great impact. Recently, many researchers have proposed some protective mechanisms, which protect against the vulnerability on heap segment, such as HeapShied, and some researchers developed a tool, which is Memcheck, to facilitate the development detect the issue of memory corruption. But most of all the way need source code, and there are numerous false negative error reports, and the error reports is not easy developer debugging problems. This paper presents Heap Detective, a memory check tool that simulate the memory allocator of Glibc to detect the issue of memory corruption on heap segment across all architectures, which GDB supported. Heap Detective does not require source code, in addition, it provide memory analysis tools on heap segment let security researcher study attack traffic and develop exploit tool.

關鍵字(中)

★ Memory Corruption
★ Double Free
★ Heap Overflow

關鍵字(英)

★ Memory Corruption
★ Double Free
★ Heap Overflow

論文目次

目錄
摘　　要 i
Abstract ii
目錄 iii
表目錄 ix
第 1 章緒論 1
1.1 動機 1
1.2 論文概述 2
1.3 章節架構 2
第 2 章背景介紹 4
2.1 Glibc Memory Allocator 4
2.2 Ptmalloc2 4
2.3 系統呼叫 4
2.4 資料結構 5
2.4.1.1 Chunk 6
2.4.1.2 Bin 9
2.4.1.3 Main arena header 13
2.4.2 Merge & Unlink 13
2.5 Memory Check in Glibc 14
2.5.1 Check in Malloc 14
2.5.2 Check in Free 14
2.6 Heap Overflow 15
2.6.1 House of Force 15
2.6.2 Shrink Heap Attack 16
2.7 Use after Free 19
2.8 Double Free 19
2.8.1 Fastbin Corruption Attack 20
第 3 章相關研究 24
3.1 編譯期機制 ( Compiler Time Mechanism ) 24
3.2 AddressSanitizer 24
3.3 系統層機制 ( System Level Mechanism ) 24
3.3.1 Address Space Layout Randomization (ASLR) 25
3.4 執行時期機制 ( Run-time Mechanism ) 25
3.4.1 Memcheck 25
3.4.2 HeapShield 26
3.4.3 Run-time Detection of Heap-based Overflow 27
第 4 章系統設計與實作 28
4.1 設計起源 28
4.2 設計原理 30
4.2.1 Shadow heap mapping table 30
4.2.2 Memory Allocate Simulator 31
4.2.3 Heap State Parser 34
4.3 系統實作 35
4.3.1 Heap Allocator Trace Checker 35
4.3.2 Double Free Correction 41
4.3.3 Heap State Parse Checker 42
1.1.1 Heap Exploit Develop Tool 43
4.4 設計考量 43
4.4.1 Infinite loop in Parse Checker 43
4.4.2 Memory Error in Parse Checker 43
4.4.3 C++ 支援 44
第 5 章效能分析 45
5.1 實驗環境 45
5.2 有效性驗證 45
5.3 效能評估 49
第 6 章探討 52
6.1 Overhead 52
6.2 Limitation 53
第 7 章結論 54
7.1 貢獻 54
7.2 未來研究 54
7.2.1 Kernel Memory Corruption Detection 54
7.2.2 Symbolic Execution in GDB 55
7.2.3 Automatic Exploit Generation on Heap 55
參考文獻 56

參考文獻

參考文獻
[1] C. Cowan, C. Pu, D. Maier, J. Walpole, P. Bakke, S. Beattie, "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks," in Usenix Security, 1998, pp. 63-78.
[2] E. D. Berger, "HeapShield: Library-based heap overflow protection for free," UMass CS TR, pp. 06-28, 2006.
[3] E. H. Spafford, "The Internet worm program: An analysis," ACM SIGCOMM Computer Communication Review, vol. 19, pp. 17-57, 1989.
[4] The GNU C Library (glibc) [Online]. Available: https://www.gnu.org/software/libc/
[5] Using freed memory [Online]. Available: https://www.owasp.org/index.php/Using_freed_memory
[6] Double Free [Online]. Available: https://www.owasp.org/index.php/Double_Free
[7] K. Serebryany, D. Bruening, A. Potapenko, and D. Vyukov, "AddressSanitizer: a fast address sanity checker," in Presented as part of the 2012 USENIX Annual Technical Conference (USENIX ATC 12), 2012, pp. 309-318.
[8] N. Nethercote and J. Seward, "Valgrind: a framework for heavyweight dynamic binary instrumentation," in ACM Sigplan notices, 2007, pp. 89-100.
[9] J. Seward and N. Nethercote, "Using Valgrind to Detect Undefined Value Errors with Bit-Precision," in USENIX Annual Technical Conference, General Track, 2005, pp. 17-30.
[10] J. Shen, M. Hamal, and S. Ganzenmüller, "DYNAMIC MEMORY ALLOCATION ON REAL-TIME LINUX," Architecture, vol. 86, p. 32.
[11] D. Lea, "A Memory Allocator Called Doug Lea’s Malloc or dlmalloc for Short," Available online [March 26, 2010]: http://gee. cs. oswego. edu/dl/html/malloc. html, 1996.
[12] brk, sbrk – change data segment size [Online]. Available: http://man7.org/linux/man-pages/man2/sbrk.2.html
[13] mmap,munmap – map or unmap files or devices into memory” [Online]. Available: http://man7.org/linux/man-pages/man2/mmap.2.html
[14] malloc_chunk [Online]. Available: http://osxr.org/glibc/source/malloc/malloc.c#1104
[15] Bins [Online]. Available: http://osxr.org/glibc/source/malloc/malloc.c#1357
[16] malloc_state [Online]. Available: http://osxr.org/glibc/source/malloc/malloc.c#1667
[17] Dynamic Memory Allocation and Fragmentation in C and C++ [Online]. Available: http://www.design-reuse.com/articles/25090/dynamic-memory-allocation-fragmentation-c.html
[18] unlink macro [Online]. Available: http://osxr.org:8080/glibc/source/malloc/malloc.c - 1410
[19] P. Phantasmagoria, "The malloc maleficarum," Bugtraq mailinglist, 2005.
[20] Google Project Zero. The poisoned NULL byte, 2014 edition [Online]. Available: http://googleprojectzero.blogspot.tw/2014/08/the-poisoned-nul-byte-2014-edition.html
[21] P. Team, "PaX address space layout randomization (ASLR)," 2003.
[22] C.K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, 等, "Pin: building customized program analysis tools with dynamic instrumentation," in ACM Sigplan Notices, 2005, pp. 190-200.
[23] D. Hutchins, Just in time: Gower Publishing, Ltd., 1999.
[24] Intermediate representation [Online]. Available: https://en.wikipedia.org/wiki/Intermediate_representation
[25] Self-modifying Code [Online]. Available: https://en.wikipedia.org/wiki/Self-modifying_code
[26] W. K. Robertson, C. Kruegel, D. Mutz, and F. Valeur, "Run-time Detection of Heap-based Overflows," in LISA, 2003, pp. 51-60.
[27] Dangling pointer [Online]. Available: https://en.wikipedia.org/wiki/Dangling_pointer
[28] _int_malloc [Online]. Available: http://osxr.org:8080/glibc/source/malloc/malloc.c#3298
[29] _int_free [Online]. Available: http://osxr.org:8080/glibc/source/malloc/malloc.c#3810
[30] GDB:The GNU Project Debugger [Online]. Available: https://www.gnu.org/software/gdb/
[31] realloc [Online]. Available: http://linux.die.net/man/3/realloc
[32] memalign [Online]. Available: http://linux.die.net/man/3/memalign
[33] new and delete (C++) [Online]. Available: https://en.wikipedia.org/wiki/New_and_delete_(C++)
[34] Sequence container (C++) [Online]. Available: https://en.wikipedia.org/wiki/Sequence_container_(C++)
[35] CVE-2015-0235 [Online]. Available: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235
[36] ls command [Online]. Available: https://en.wikipedia.org/wiki/Ls
[37] time command [Online]. Available: http://man7.org/linux/man-pages/man2/time.2.html
[38] PEDA – Python Exploit Development Assistance for GDB [Online]. Available: https://github.com/longld/
[39] Gdbinit [Online]. Available: https://github.com/gdbinit/Gdbinit
[40] jemalloc [Online]. Available: http://www.canonware.com/jemalloc/
[41] tcmalloc [Online]. Available: http://goog-perftools.sourceforge.net/doc/tcmalloc.html
[42] P. Argyroudis and C. Karamitas, "Exploiting the jemalloc Memory Allocator: Owning Firefox’s Heap," Blackhat USA, 2012.
[43] Race condition [Online]. Available: https://en.wikipedia.org/wiki/Race_condition
[44] J. C. King, "Symbolic execution and program testing," Communications of the ACM, vol. 19, pp. 385-394, 1976.
[45] T. Avgerinos, S. K. Cha, A. Rebert, E. J. Schwartz, M. Woo, and D. Brumley, "Automatic exploit generation," Communications of the ACM, vol. 57, pp. 74-84, 2014.

指導教授

許富皓、黃世昆

審核日期

2016-7-19

推文