基于数据不可信的缓冲区溢出攻击检测技术研究

发布时间：2018-05-12 21:37

本文选题：信息安全 + 缓冲区溢出　；参考：《东北大学》2014年硕士论文

【摘要】：自1988年首个利用缓冲区溢出漏洞进行传播的病毒Morris爆发以来,缓冲区溢出攻击就一直是计算机安全中最严重的攻击行为之一。近些年,它又成为了高级持续性威胁APT (Advanced Persistent Threat)的主要攻击手段。在针对伊朗核设施的APT行动中,就利用了7个缓冲区溢出漏洞。虽然工业界和学术界提出各种技术保护软件及操作系统安全,但攻击数量仍有增无减。而漏洞攻击技术也不断发展,从缓冲区溢出到最近的ROP (Return-Oriented-Programming)攻击。漏洞攻击检测是信息安全领域的研究热点,特别是如何在二进制代码级检测攻击更是业界关注的焦点,但x86指令的复杂性给检测带来诸多挑战。本文针对缓冲区溢出攻击时,攻击代码来源于程序接收的输入数据这一特点,提出了一种基于数据不可信的检测方法。当程序修改流程时,如果将要执行的代码是输入数据的子串,就表明发生了缓冲区溢出攻击。为了避免频繁进行攻击代码匹配所带来的巨大额外开销,本文提出了一个预处理方法,将显然合法的跳转目的地址与可疑的跳转目的地址区分出来,只对可疑的跳转进行攻击代码匹配,这种方式可以有效地降低额外开销。对于ROP攻击,由于在ROP攻击时ROP链也是源于原始数据,因此数据不可信的思想同样可以用于检测ROP攻击。本文提出了一个基于数据不可信的ROP攻击检测方法,检测到疑似ROP链时,将当前栈顶指针ESP (Extended Stack Pointer)指向的内容与原始输入数据比较,从而判断是否发生了ROP攻击。利用动态插桩技术,本文在Win32平台下实现了基于数据不可信的缓冲区溢出攻击检测方法的原型系统。使用该系统对多种缓冲区溢出攻击进行检测,实验证明,本文提出的基于数据不可信的检测方法在准确性上达到了良好的效果。同时,本文方法也将额外开销降低到了一个合理的范围。
[Abstract]:Since the first outbreak of Morris virus using buffer overflow vulnerability in 1988, buffer overflow attack has been one of the most serious attacks in computer security. In recent years, it has become the main attack method of Advanced Persistent threat (APT). Seven buffer overflow vulnerabilities were exploited in the APT operation against Iran's nuclear facilities. Although industry and academia put forward a variety of technologies to protect software and operating system security, but the number of attacks continues unabated. Vulnerability attack techniques have been developed from buffer overflows to recent ROP Return-Oriented-programming attacks. Vulnerability detection is a research hotspot in the field of information security, especially how to detect attacks at the binary code level is the focus of attention, but the complexity of x86 instructions brings many challenges to detection. In view of the fact that the attack code originates from the input data received by the program in buffer overflow attack, this paper proposes a detection method based on untrusted data. When the program modifies the process, if the code to be executed is a substring of input data, a buffer overflow attack occurs. In order to avoid the huge additional cost caused by frequent attack code matching, this paper proposes a preprocessing method to distinguish the apparently legitimate jump destination address from the suspicious jump destination address. Attack code matching only for suspicious jumps can effectively reduce additional overhead. For ROP attacks, because ROP chains also originate from raw data in ROP attacks, the idea that data is not trusted can also be used to detect ROP attacks. In this paper, a ROP attack detection method based on untrusted data is proposed. When a suspected ROP chain is detected, the contents of the current top stack pointer ESP extended Stack interface are compared with the original input data to determine whether a ROP attack has occurred. Using dynamic pile insertion technology, this paper implements a prototype system of buffer overflow attack detection method based on data untrusted under Win32 platform. The system is used to detect various buffer overflow attacks. Experiments show that the method proposed in this paper has good accuracy. At the same time, this method also reduces the extra cost to a reasonable range.
【学位授予单位】：东北大学
【学位级别】：硕士
【学位授予年份】：2014
【分类号】：TP393.08

【相似文献】