Return Protector: A Protection Mechanism for Return-into-libc Attacks by Checking the Return Address

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：14

、訪客IP：3.145.93.210

姓名

許齊顯(Chi-Hsien Hsu) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

(Return Protector: A Protection Mechanism for Return-into-libc Attacks by Checking the Return Address)

相關論文

★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm	★ Discoverer- Rootkit即時偵測系統
★ 一項Android手機上詐騙簡訊的偵測與防禦機制	★ SRA系統防禦ARP欺騙劫持路由器
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines	★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統
★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統	★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks	★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails	★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators	★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye	★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

自從1960年代緩衝區溢位問題（Buffer Overflow Problem）出現以來，時至今日，已經有許多研究者提出解決方法。近年來，由於不可執行之堆疊區段（Non-executable Stack）的研究，已經大大的削減了在堆疊注入惡意程式碼的可能性，甚至讓硬體廠商認可並提供支援，如Intel的XD（「eXecute Disable」）。
但是，儘管如此，緩衝區溢位攻擊仍然未完全解決，Return-into-libc就是未解決的一部分。這種攻擊方式所執行的函式，是利用系統中早已載入的函式庫（Library）或程式碼，由於此方法並未在堆疊中注入任何程式碼，也因此不會受到「不可執行之堆疊區段」的影響。然而目前緩衝區溢位問題所提供較有效的解決方案，大部分的機制在實作上都相當複雜，甚至需要針對系統進行機制上的修改，而且或多或少都還存在一些缺陷。
因此，在「不可執行之堆疊區段」已經相當普遍的現在，本篇論文將在這種機制之上，提出了一種針對Return-into-libc的保護機制──Return Protector，藉由在程式碼中附加特定格式的指令，使函式在執行返回指令時，將檢查返回位址是否有效。本方法之實作完全不需要修改系統本身的機制，而且實作方式相當簡單，是一種可以容易佈置在各種平台上的防禦機制。

摘要(英)

Since the first buffer overflow attack occurred at 1960s, many researchers have provided some solutions today. In recent years, because the study of non-executable stack, the possibility of injecting malicious code into the stack have been decreased greatly. Even the hardware manufacturer has agreed to it and provides some supports, like the XD (“eXecute Disable”) of Intel.
But although so, buffer over flow attacks are not solved completely yet, return-into-libc is one unsolved part of it. This kind of attacks uses the already loaded libraries or program code. The method doesn’t injecting any code into stack, so it would not be affected by “non-executable stack.” And now most of the more effective solutions are too complex in the implementations.
So, because of the popularity of “non-executable stack,” we provide a protection mechanism of return-into-libc, “Return Protector,” in this paper. It would check that the return address is valid or not when the function returns. For each time the function calls, we append a sequence specific code. When the function will return, we identify the returned code chunk with the code chunk that made the function call. This mechanism is very simple, so we can easily port it to other platforms.

關鍵字(中)

★ 堆疊
★ 緩衝區溢位

關鍵字(英)

★ Buffer Overflow
★ Stack

論文目次

摘要 i
ABSTRACT ii
誌謝 iii
目錄 iv
圖目錄 vi
表目錄 vii
第一章緒論 1
1-1 動機 1
1-2 論文概述 3
1-3 章節架構 3
第二章相關研究 4
2-1 型別安全的語言（Type-Safety Language） 4
2-2 程式碼分析（Code Analysis） 5
2-3 編譯期機制（Compiler Time Mechanism） 5
2-3-1 Canary 6
2-3-2 Control-Flow Integrity 6
2-4 系統層機制（System Level Mechanism） 7
2-4-1 Address Space Layout Randomization（ASLR） 7
2-4-2 Non-Executable Stack 7
2-5 執行期監視器（Run-Time Monitor） 8
2-5-1 入侵偵測系統（Intrusion Detection System, IDS） 8
2-5-2 Software-based Fault Isolation（Sandbox） 9
第三章系統設計 10
3-1 設計起源 10
3-2 設計原理 11
3-2-1 Call Pattern 12
3-2-2 Ret Pattern 12
3-2-3 防禦機制分析 13
3-3 設計考量 13
3-3-1 Call Pattern的設計考量 14
3-3-2 Ret Pattern的設計考量 15
第四章系統實作及效能分析 17
4-1 系統實作 17
4-2 有效性驗證 17
4-3 效能評估 20
4-3-1 Micro Benchmark 20
4-3-2 Macro Benchmark 21
第五章結論 23
5-1 貢獻 23
5-2 未來展望 23
第六章參考文獻 24

參考文獻

［1］ Crispin Cowan, “Re: Buffer overflow and OS/390,” Posting to Bugtraq, February 1999.
［2］ Eugene H. Spafford, “The Internet Worm Program: An Analysis, ”Purdue Technical Report, CSD-TR-823, November 1988.
［3］ Common Vulnerabilities and Exposures (CVE)
http://cve.mitre.org/
［4］ Solar Designer, “Getting around non-executable stack (and fix),” Posting to Bugtraq, August 1997.
［5］ Hovav Shacham, “The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86),” 14th ACM Conference on Computer and Communications Security, October 2007.
［6］ The Source for Java Developers
http://java.sun.com/
［7］ Visual C#
http://msdn.microsoft.com/en-us/library/kx37x362.aspx
［8］ TIOBE Programming Community Index
http://www.tiobe.com/tiobe_index/index.htm
［9］ Arash Baratloo, Timothy Tsai and Navjot Singh, “Libsafe：Protecting Critical Elements of Stacks,” Bell Labs, Lucent Technologies, December 1999.
［10］ Emre C. Sezer, Peng Ning, Chongkyung Kil, and Jun Xu, “MemSherlock: An Automated Debugger for Unknown Memory Corruption Vulnerabilities,” 14th ACM Conference on Computer and Communications Security, October 2007.
［11］ Crispin Cowan, “StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks,” 7th USENIX Security Symposium, January 1998.
［12］ GCC, the GNU Compiler Collection,
http://gcc.gnu.org/
［13］ Hiroaki Etoh, “GCC extension for protecting applications from stack-smashing attacks,”
取自http://www.research.ibm.com/trl/projects/security/ssp/
［14］ Microsoft Windows, “/GS (Buffer Security Check),”
取自http://msdn.microsoft.com/en-us/library/8dbf701c(VS.80).aspx
［15］ Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti, “Control-Flow Integrity: Principles, Implementations, and Applications,” 12th ACM Conference on Computer and Communications Security, November 2005.
［16］ Periklis Akritidis, Cristian Cadar, Costin Raiciu, Manuel Costa, and Miguel Castro, “Preventing memory error exploits with WIT,” 2008 IEEE Symposium on Security and Privacy, May 2008.
［17］ Wietse Venema, “Isolation Mechanisms for Commodity Applications and Platforms,” IBM Research Report, RC24725, January 2009.
［18］ PaX project, “address space layout randomization,” PaX project, March 2003,
取自http://pax.grsecurity.net/docs/aslr.txt
［19］ Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, and Dan Boneh, “On the Effectiveness of Address-Space Randomization,” 11th ACM Conference on Computer and Communications Security, October 2004.
［20］ Ollie Whitehouse, “An Analysis of Address Space Layout Randomization on Windows Vista,” Symantec Advanced Threat Research, 2007.
［21］ Hagen Fritsch, “Buffer overflows on linux-x86-64,” BlackHat Europe, April 2009.
［22］ PaX project, “segmentation based non-executable pages,” PaX project, May 2003,
取自http://pax.grsecurity.net/docs/segmexec.txt
［23］ Arjan van de Ven, “New Security Enhancements in Red Hat Enterprise Linux v.3, update 3,” Red Hat, Inc., August 2004.
［24］ OpenBSD 3.3 Release,
取自http://www.openbsd.org/33.html
［25］ Microsoft Windows,“Data Execution Prevention,”
取自http://technet.microsoft.com/en-us/library/cc738483(WS.10).aspx
［26］ Zhenkai Liang and R. Sekar, “Automatic Generation of Buffer Overflow Attack Signatures: An Approach Based on Program Behavior Models,” 2005 Annual Computer Security Applications Conference, December 2005.
［27］ Steven A. Hofmeyr, Stephanie Forrest, and Anil Somayaji, “Intrusion Detection using Sequences of System Calls,” Journal of Computer Security archive, Volume 6, Issue 3, August 1998.
［28］ Robert Wahbe, Steven Lucco, Thomas E. Anderson, and Susan L. Graham, “Efficient software-based fault isolation,” 14th ACM Symposium on Operating Systems Principles, December 1995.
［29］ The gzip home page
http://www.gzip.org/

指導教授

許富皓(Fu-Hau Hsu)

審核日期

2009-7-20

推文