Master's and Doctoral Theses: Detailed Record for 945202061




Name: Chung-li Lin (林忠立)   Department: Computer Science and Information Engineering
Thesis title: MP: A Memory Protector against Stack-Based Buffer Overflow Attacks
(記憶體保護者用來防禦堆疊型緩衝區溢位攻擊)
Related theses:
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer: A Real-Time Rootkit Detection System
★ A Detection and Defense Mechanism for Fraudulent SMS Messages on Android Phones
★ The SRA System: Defending Against ARP-Spoofing Router Hijacking
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-Time Counterattack System Against Remote Buffer Overflow Attacks
★ Real-Time Serum System: An Automated Worm-Curing System with an Offensive Barrier
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
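  1. This electronic thesis is authorized for immediate open access.
  2. Electronic full texts whose open-access date has been reached are licensed to users only for personal, non-profit searching, reading, and printing for the purpose of academic research.
  3. Please comply with the relevant provisions of the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost, or broadcast without authorization, to avoid violating the law.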

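Abstract (Chinese): In this thesis we propose a new defense mechanism for a problem that is widespread in information system security: stack-based buffer overflow attacks. This class of attack exploits vulnerabilities caused by a program writing data into a buffer without bounds checking on the buffer. It modifies data structures that control program flow (for example, return addresses and function pointers) and thereby redirects execution to code injected by the attacker (code injection attacks) or to code chosen by the attacker (return-into-libc attacks).
Traditional defense mechanisms usually focus only on preventing shellcode from executing and overlook the fact that the attacked process may terminate abnormally. When an attacker launches an attack without achieving her/his goal (obtaining the highest system administration privilege), the unsuccessful attack is very likely to corrupt the memory contents of the attacked process and cause it to terminate abnormally, which makes post-mortem debugging and evidence preservation more difficult.
We propose a completely new defense mechanism based on the operating system kernel, Memory Protector (MP), that both protects the system against code-injection stack-based buffer overflow attacks and protects the integrity of memory contents. The mechanism detects the attack string before the abnormal data is written into the memory of the attacked process and keeps it out of that process. The system therefore not only prevents ordinary buffer overflow attacks from external sources but also prevents the attacked process's memory contents from being corrupted, so that the attacked program can still terminate normally after a buffer overflow attack has been detected. In addition, with only a slight reduction in program execution performance and a low false positive rate, the mechanism can effectively detect code-injection buffer overflow attacks, even zero-day attacks. Because of the rapidly rising adoption of Linux and the question of obtaining operating system kernel source code, we chose to implement this defense mechanism on the Linux operating system.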
Abstract (English): In this paper, we propose a new defense mechanism to solve a problem that is pervasive in information system security: stack-based buffer overflow attacks. This type of attack exploits vulnerabilities that arise when a program writes data into a buffer without bounds checking. It modifies control-flow data structures (e.g., return addresses and function pointers) and then forces the program to execute code injected by the attacker (code injection attacks) or code of the attacker's choice (return-into-libc attacks).
Traditional defense mechanisms usually focus only on preventing the execution of shellcode, and neglect that the attacked process may terminate abnormally. When an attacker launches an attack and fails to achieve the objective (obtaining root privilege), the attack is likely to corrupt the memory of the attacked process and cause it to terminate abnormally. This makes debugging and evidence preservation more difficult.
We propose a novel operating-system-based defense mechanism, Memory Protector (MP), to protect systems from code injection attacks carried out through stack-based buffer overflows and to preserve the integrity of memory. The mechanism detects malicious data before it is written to a memory block of the attacked process and blocks it outside that process, so it not only prevents buffer overflow attacks but also avoids memory corruption, and the attacked process can then terminate normally. Moreover, it only slightly reduces program execution performance and has a low false positive rate, so it can be an effective mechanism for detecting code injection buffer overflow attacks, even zero-day attacks. Because of the rapidly growing popularity of Linux and the availability of operating system kernel source code, we chose the Linux operating system to implement this defense mechanism.
Keywords (Chinese): ★ Stack-based
★ Defense
★ Protection
★ Buffer
★ Buffer overflow attack
★ Memory
★ Attack
★ Overflow
Keywords (English): ★ Attack
★ Stack
★ Overflow
★ Buffer
★ Stack-Based
★ Protector
★ Attacks
★ Memory
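Table of contents:
Abstract (Chinese)
Abstract
Acknowledgements
Contents
List of Figures
List of Tables
Chapter 1 Introduction
1-1 Background and Purpose
1-2 Method Overview
1-3 Chapter Organization
Chapter 2 Buffer Overflow Attacks
2-1 Buffer Overflow
2-2 Injected Code and Return Address Values
2-3 NOP sled
Chapter 3 Implementation
3-1 Memory Location of the Overflowed Buffer
3-2 How Memory Protector Works
3-2-1 Method Summary
3-2-2 Detecting Malicious Address Values
3-2-3 Receiving Data Strings in Batches
3-2-4 Collection of Real-World Data & a Reasonable Comparison Range
3-2-5 Detecting NOP Sleds
3-3 Additional Security Mechanisms of Memory Protector
3-4 Operating System Kernel Modifications
3-4-1 The read System Call for Local File Data and Remote Data
3-4-2 Detection Algorithm
3-5 Discussion
3-5-1 MP Detection Signatures and the Content of Data Received by Applications
3-5-2 Variants of the NOP Sled
3-5-3 Function Call Depth After Receiving Data from External Sources
Chapter 4 Experiments and Analysis
4-1 Effectiveness Tests
4-1-1 False Positive
4-1-2 False Negative
4-2 Performance Analysis
Chapter 5 Related Work
5-1 Compiler-Based Protection Mechanisms
5-2 Protection Mechanisms Similar to MP
5-3 Randomizing the Layout of Memory Segments and Contents
5-4 Restricting Executable Memory Segments
5-5 Others
Chapter 6 Conclusion
6-1 Contributions
6-2 Future Work
6-2-1 When a Data String Is Not Allowed to Be Written into the Buffer
6-2-2 Other Types of Buffer Overflow Attacks or Advanced Attack Methods
References
Appendix 1
Appendix 2
Source Code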
Advisor: Fu-Hau Hsu (許富皓)   Approval date: 2007-7-21