A QEMU-Based Detection System for Kernel Code-Reuse Attacks
Published: 2018-05-31 18:13
Topic: kernel code-reuse attack + QEMU; Reference: Xidian University, 2014 master's thesis
【Abstract】: As a new type of attack, code-reuse attacks do not need to inject any code into the system; they carry out a complete attack using only existing (legitimate) code, and are therefore extremely dangerous. Code-reuse attacks can bypass many traditional protection mechanisms (such as code integrity protection), which greatly increases the probability of a successful attack. By using techniques such as buffer overflows to tamper with the target address of a jump instruction (for example a return address), an attacker gains control over the system's instruction flow; and because the number of jump instructions is huge, the attacker has many choices. Although researchers have developed methods capable of detecting such attacks, the diversity of attack techniques and compatibility problems mean that these still fall short of the system's security requirements. Taking the QEMU virtual machine monitor as the platform, this thesis studies the QEMU source code to master the principles of QEMU's dynamic binary translation and of its TCG (Tiny Code Generator) intermediate code, and on this basis designs and implements a code-reuse attack detection system. Since the main technique used by code-reuse attacks is tampering with the target address of a jump instruction to alter the system's execution flow, the jump instructions in the kernel must be monitored and checked. These instructions are mainly ret instructions, indirect call instructions and interrupt instructions. The operating system kernel is run under the QEMU virtual machine monitor; because QEMU is implemented through binary instruction translation, every instruction of the kernel is translated and executed inside QEMU. By modifying QEMU's functional modules, every instruction in the operating system kernel is traversed and examined, the translation of ret, indirect call and interrupt instructions is identified, and the jump target addresses of these instructions are recorded; comparing the recorded information with the legitimate information detects code-reuse attacks. Finally, a prototype system is implemented on QEMU and Linux, and output tests and performance tests are carried out on it. The results show that the prototype effectively records the jump instructions tampered with by a code-reuse attack, so that comparison reveals whether the system has been attacked; measurement with professional tools shows that the performance overhead of the system with the added module differs from that of the original system by about 4%, so the cost is small.
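The detection logic the abstract describes (record the target of every ret and indirect call, compare it with the legitimate information) can be modelled with a shadow stack of expected return addresses plus a whitelist of legitimate indirect-call targets. The program below is an added example written for this page, not code from the thesis or from QEMU: it assumes a hypothetical hook that reports each translated control-transfer instruction as a `cf_event`, and the addresses, instruction lengths and event traces are constructed sample data, not real kernel layout.

```c
/* Added example: minimal model of the abstract's detection logic.
 * A hypothetical QEMU/TCG hook reports every control-transfer instruction
 * as a cf_event; the monitor checks it against recorded/legal information. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ev_kind { EV_CALL, EV_ICALL, EV_RET };

struct cf_event {
    enum ev_kind kind;
    uint64_t pc;      /* address of the instruction */
    unsigned len;     /* instruction length, so pc + len is the return address */
    uint64_t target;  /* where control actually goes */
};

#define SHADOW_DEPTH 64

struct monitor {
    uint64_t shadow[SHADOW_DEPTH];  /* expected return addresses, innermost last */
    size_t depth;
    const uint64_t *legal;          /* legitimate indirect-call targets (function entries) */
    size_t n_legal;
    unsigned violations;
};

static bool legal_icall_target(const struct monitor *m, uint64_t t)
{
    for (size_t i = 0; i < m->n_legal; i++)
        if (m->legal[i] == t) return true;
    return false;
}

/* Returns 1 if the event disagrees with the recorded/legal information, else 0. */
int monitor_event(struct monitor *m, const struct cf_event *e)
{
    int bad = 0;
    switch (e->kind) {
    case EV_ICALL:
    case EV_CALL:
        /* an indirect call may only land on a known function entry */
        if (e->kind == EV_ICALL && !legal_icall_target(m, e->target)) bad = 1;
        /* every call records the return address it expects to come back to */
        if (m->depth < SHADOW_DEPTH) m->shadow[m->depth++] = e->pc + e->len;
        else bad = 1;  /* model stack full: cannot verify, flag it */
        break;
    case EV_RET:
        /* a ret must go exactly where the matching call recorded */
        if (m->depth == 0 || m->shadow[--m->depth] != e->target) bad = 1;
        break;
    }
    m->violations += bad;
    return bad;
}

/* Feed a whole trace through a fresh monitor and count violations. */
unsigned run_trace(const struct cf_event *trace, size_t n,
                   const uint64_t *legal, size_t n_legal)
{
    struct monitor m = { .depth = 0, .legal = legal, .n_legal = n_legal, .violations = 0 };
    for (size_t i = 0; i < n; i++) monitor_event(&m, &trace[i]);
    return m.violations;
}

/* Constructed sample "kernel" layout: two function entries (not real addresses). */
static const uint64_t legal_targets[] = { 0xffffffff81001000ULL, 0xffffffff81002000ULL };

/* Constructed benign trace: each ret returns to the instruction after its call. */
unsigned example_benign(void)
{
    const struct cf_event t[] = {
        { EV_CALL,  0xffffffff81000010ULL, 5, 0xffffffff81001000ULL },
        { EV_RET,   0xffffffff81001030ULL, 1, 0xffffffff81000015ULL },
        { EV_ICALL, 0xffffffff81000020ULL, 2, 0xffffffff81002000ULL },
        { EV_RET,   0xffffffff81002040ULL, 1, 0xffffffff81000022ULL },
    };
    return run_trace(t, 4, legal_targets, 2);  /* 0 violations */
}

/* Constructed tampered trace: a ret whose recorded return address was overwritten,
 * followed by an indirect call to an address that is not a function entry. */
unsigned example_tampered(void)
{
    const struct cf_event t[] = {
        { EV_CALL,  0xffffffff81000010ULL, 5, 0xffffffff81001000ULL },
        { EV_RET,   0xffffffff81001030ULL, 1, 0xffffffff81002037ULL }, /* mismatch */
        { EV_ICALL, 0xffffffff81002037ULL, 2, 0xffffffff810020aaULL }, /* not legal */
        { EV_RET,   0xffffffff810020b0ULL, 1, 0xffffffff81002039ULL }, /* matches */
    };
    return run_trace(t, 4, legal_targets, 2);  /* 2 violations */
}

int main(void)
{
    printf("benign trace:   %u violations\n", example_benign());
    printf("tampered trace: %u violations\n", example_tampered());
    return 0;
}
```

In a real QEMU-based implementation the `cf_event` would be produced from the TCG front end when a ret, indirect call or interrupt instruction is translated, and the "legal information" for returns would come from the shadow stack rather than a static list; interrupt instructions, which the abstract also monitors, are not modelled here.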
【Degree-granting institution】: Xidian University
【Degree level】: Master's
【Year of degree】: 2014
【Classification number】: TP393.08
Article ID: 1960810
Link: https://www.wllwen.com/guanlilunwen/ydhl/1960810.html