
Research on ROP Attack Mitigation Techniques on the Windows Platform

Published: 2018-12-07 07:18
【Abstract】: The Internet is the most dynamic and innovative industry of the twenty-first century, and it is deeply rooted in every corner of human society. While people enjoy the convenience the Internet brings, they overlook the security problems that come with it. Network security incidents have emerged one after another in recent years: the Google Aurora APT incident, the Hacking Team information leak and the Baidu application Wormhole vulnerability incident all caused great damage, which shows that the current Internet security situation is very serious. In such incidents, ROP attacks are receiving more and more attention from hackers and security researchers, because this attack method can bypass most current defenses. Addressing the prevalence of ROP attacks in current vulnerability attack and defense, this thesis studies the control transfers of normally executing programs, proposes a new ROP attack mitigation method on that basis, and designs and implements a corresponding prototype mitigation system. The main work of the thesis is as follows.

First, building on debugger principles, the thesis uses the guard-page exception, which is specific to Windows, to propose a hot-spot dynamic link library analysis method, and implements the HMAT instruction analysis tool according to that method. HMAT can analyze in detail how a program executes at the assembly-instruction level at run time, and can analyze selected dynamic link libraries in a process separately according to the user's needs. Using HMAT to analyze several applications that ship with Windows, the thesis studies the three classes of indirect jump instructions, call, jmp and ret, in detail. The study finds that these three classes of indirect jump behave differently during normal execution than they do under a ROP attack, so checking the completeness of the three classes of indirect jump during execution makes it possible to detect whether the current program is under a ROP attack.

Second, the thesis studies three questions that must be answered when detecting and defending against ROP attacks: when during program execution to detect, at which point to detect, and by what method to identify a ROP attack. Building on traditional detection methods, it decides to check whether the current program is under attack when critical functions are called, and defines the criteria for selecting those functions. Finally, as a novel contribution, it proposes using single-step debugging to identify every executed instruction and judging whether a ROP attack is in progress by checking the completeness of the indirect jumps in the instruction sequence.

Third, based on the results for these three questions, the thesis proposes a ROP attack mitigation scheme and implements a prototype system according to the design. The implementation goals of the mitigation system and the design of each module are described in detail. Finally, the prototype ROP attack mitigation system is tested in detail with three vulnerability samples, and the test results show that the system can effectively defend against ROP attacks.
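【Degree-granting institution】: University of Electronic Science and Technology of China
【Degree level】: Master's
【Year degree awarded】: 2016
【Classification number】: TP393.08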


Article ID: 2366804


Article link: https://www.wllwen.com/guanlilunwen/ydhl/2366804.html

