Thesis 106522048: Detailed Record




Author: Hou, Chun-Ching (侯均靜)    Department: Computer Science and Information Engineering
Thesis title: ROPRD: A Solution to Detect Real-time Zero-day ROP Attacks
Related theses
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer: A Real-time Rootkit Detection System
★ A Detection and Defense Mechanism for Fraudulent SMS Messages on Android Phones
★ SRA: A System for Defending Against Router Hijacking by ARP Spoofing
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-time Counterattack System against Remote Buffer Overflow Attacks
★ Real-time Serum System: An Automated Worm Cure System with an Offensive Firewall
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
Full text: available for browsing in the system after 2024-6-30.
Abstract (Chinese) Return-Oriented Programming (ROP) is a very common form of buffer overflow attack. The attacker collects short machine-code instruction sequences (gadgets) already present in the program and, by overwriting the return address on the stack with the addresses of these sequences, takes control of the program's execution flow.

This thesis designs a solution named ROPRD. By modifying the Linux kernel and applying binary rewriting, it achieves real-time detection of ROP attacks while disturbing the system architecture and performance as little as possible.
Abstract (English) Return-Oriented Programming (ROP) is a common buffer-overflow attack. The attacker can collect pieces of machine code in the program, called 'gadgets', chain those gadgets together, and change the return address on the stack. This causes the program's execution flow to be controlled by the attacker.

We design a solution called ROPRD. By modifying the Linux kernel and using a binary rewrite tool, we can detect ROP attacks in real time without affecting the system architecture and performance.
Keywords (Chinese) ★ Buffer Overflow
★ Return-Oriented Programming
Keywords (English) ★ Buffer Overflow
★ ROP
Table of contents
Abstract (Chinese) ................ i
Abstract (English) ................ ii
Acknowledgements .................. iii
Table of Contents ................. iv
List of Figures ................... vi
List of Tables .................... vii
Chapter 1 Introduction ............ 1
Chapter 2 Background .............. 2
2.1 Buffer Overflow ............... 2
2.2 ROP Attacks ................... 3
Chapter 3 Related Work ............ 5
Chapter 4 Design and Implementation ... 7
4.1 Overall Architecture .......... 7
4.2 Host Side ..................... 8
4.2.1 Rewriter .................... 8
4.2.2 Controller .................. 10
4.2.3 Analyst ..................... 10
4.3 Guest Side .................... 11
4.3.1 PID ......................... 12
4.3.2 Read ........................ 12
4.3.3 Return Address and rbp ...... 13
Chapter 5 Experimental Results and Analysis ... 15
5.1 Experimental Environment ...... 15
5.2 Test Cases .................... 15
5.3 Result Analysis ............... 16
Chapter 6 Discussion .............. 19
6.1 Limitations ................... 19
6.2 Future Work ................... 19
Chapter 7 Conclusion .............. 21
References ........................ 22
Appendix A Test Programs .......... 24
A.1 Overflow Detector and Appdata Collector Injected by the Rewriter ... 24
A.2 ret2shellcode ................. 26
A.3 ret2syscall ................... 26
A.4 ret2text ...................... 27
Advisor: Fu-Hau Hsu (許富皓)    Approval date: 2019-8-16
