Research on and Improvement of Run-Time Randomization Defenses Against Memory Information Leakage
Published: 2018-01-27 03:33
Keywords: run-time randomization; code-reuse attacks; return-oriented programming; memory information leakage; software security. Source: Nanjing University, 2017 master's thesis. Document type: degree thesis.
【Abstract】: Run-time randomization is a defense proposed against code-reuse attacks that rely on memory information leakage. By triggering randomization while the program is running, it makes it hard for an attacker to obtain valid memory-layout information with which to mount an attack. The existing run-time randomization method TASR uses the paired occurrence of write and read operations as its trigger condition. That condition is too broad: write operations that carry no risk also trigger re-randomization, degrading program performance, and I/O-intensive programs are hit hardest. This thesis therefore studies run-time randomization defenses against memory information leakage and refines the trigger condition so as to avoid unnecessary, time-consuming randomization and improve the method's effectiveness. The main work is as follows. (1) The different types of memory-layout information leakage and the principles of randomization-based defenses are analyzed and summarized, with emphasis on the run-time overhead of the existing run-time randomization method and on why its trigger condition is unreasonable: because TASR triggers on any write/read pair, benign write operations also trigger re-randomization and cost performance. (2) To refine the trigger condition, the concept of a security-sensitive region is defined, and a write operation that accesses a security-sensitive region is taken as the trigger; methods for analyzing and extracting a program's security-sensitive regions and for checking them at run time are given. A security-sensitive region is a memory region containing information that helps an attacker analyze the program's memory layout; a write operation that accesses it can give the attacker layout-related information, so such an access is a risky memory access. The extent of the security-sensitive regions is obtained by analyzing the object file's metadata and monitoring the load/unload process, and the target of each write operation is checked for intersection with a security-sensitive region to separate risky from risk-free operations, thereby refining the trigger condition. (3) A prototype of the improved method is implemented: security-sensitive region information is extracted by analyzing the object file's segment table and section table, the system calls involved in loading and unloading are monitored to determine the regions' final locations, and the input/output system calls are then monitored to decide whether to trigger run-time randomization. Theoretical analysis shows that the improved method retains the same security as the original method. A service-capacity experiment was carried out with the Nginx web server as a sample I/O-intensive program; the results show that the improved method significantly reduces the extra overhead the original method imposes on I/O-intensive programs.
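The trigger refinement described in the abstract, as an added example that is not the thesis's code or the page's own: a sensitive-region list is extracted from a section table, relocated once the load base is known, and each outgoing write is tested for intersection with it, so that only leaking writes trigger re-randomization. The section-table excerpt, the load base, the heap address, the syscall trace and the choice of which sections count as sensitive are all constructed assumptions, and TASR's write/read-pair rule is reduced to a simplified model for the comparison.

```python
"""Refined re-randomization trigger (added example; not the thesis's own code).

Models the thesis's idea: instead of re-randomizing on every write/read pair
(the TASR rule), re-randomize only when the buffer handed to an output
syscall intersects a "security-sensitive region" whose final address was
fixed when the object was loaded.  All addresses, section entries and the
syscall trace below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Region:
    name: str
    start: int  # inclusive virtual address
    end: int    # exclusive virtual address


# Constructed excerpt of a PIE's section table: (name, link-time address, size).
SECTION_TABLE = [
    (".text",    0x1000, 0x3000),
    (".rodata",  0x4000, 0x0800),
    (".dynamic", 0x5e00, 0x01c0),
    (".got",     0x5fc0, 0x0040),
    (".got.plt", 0x6000, 0x0080),
    (".data",    0x6080, 0x0200),
    (".bss",     0x6280, 0x0100),
]

# Which sections count as security-sensitive is an assumption of this example;
# the abstract defines the concept but does not enumerate the sections.
SENSITIVE_SECTIONS = {".dynamic", ".got", ".got.plt"}

# Constructed load base reported by the monitored loader, and a heap buffer.
LOAD_BASE = 0x5555_5555_4000
HEAP_BUF = 0x5555_5556_0000


def extract_sensitive(table, names) -> List[Region]:
    """Step 1: pick the sensitive ranges out of the section table."""
    return sorted(
        (Region(n, a, a + s) for n, a, s in table if n in names),
        key=lambda r: r.start,
    )


def relocate(regions: Sequence[Region], base: int) -> List[Region]:
    """Step 2: once the load is observed, turn link-time ranges into final ranges."""
    return [Region(r.name, r.start + base, r.end + base) for r in regions]


REGIONS = relocate(extract_sensitive(SECTION_TABLE, SENSITIVE_SECTIONS), LOAD_BASE)


def classify_write(buf: int, length: int, regions: Sequence[Region]) -> Optional[str]:
    """Step 3: name the first sensitive region the outgoing buffer overlaps, or None.

    Half-open interval test: [buf, buf+length) meets [start, end) iff
    buf < end and buf + length > start.  A zero-length write never overlaps.
    """
    if length <= 0:
        return None
    for r in regions:
        if buf < r.end and buf + length > r.start:
            return r.name
    return None


# Constructed syscall trace: ("write", buf, len) or ("read",).
TRACE: List[Tuple] = [
    ("write", HEAP_BUF, 512),           # normal response from the heap
    ("read",),
    ("write", HEAP_BUF + 0x200, 1024),  # another normal response
    ("read",),
    ("write", LOAD_BASE + 0x6040, 96),  # buffer overlaps .got.plt
    ("read",),
    ("write", HEAP_BUF, 256),
    ("write", HEAP_BUF, 128),           # two writes before the next read
    ("read",),
]


def count_rerandomizations(trace, regions) -> Tuple[int, int]:
    """Compare the two trigger rules over one trace.

    TASR rule (simplified model of "a write/read pair occurs"): re-randomize at
    a read if at least one write happened since the previous read.
    Refined rule: re-randomize at a write whose buffer hits a sensitive region.
    """
    tasr = refined = 0
    pending_write = False
    for ev in trace:
        if ev[0] == "write":
            pending_write = True
            if classify_write(ev[1], ev[2], regions) is not None:
                refined += 1
        elif pending_write:  # read closing a write/read pair
            tasr += 1
            pending_write = False
    return tasr, refined


if __name__ == "__main__":
    for r in REGIONS:
        print(f"{r.name:9s} {r.start:#x}-{r.end:#x}")
    print("TASR-style vs refined re-randomizations:", count_rerandomizations(TRACE, REGIONS))
```

On this trace the modelled TASR rule re-randomizes four times while the refined rule re-randomizes once, for the single write whose buffer overlaps `.got.plt`; the interval test is half-open, so a write that ends exactly at a region's first byte does not count as touching it.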
【Degree-granting institution】: Nanjing University
【Degree level】: Master
【Year conferred】: 2017
【Classification number】: TP333.1;TP309
Article ID: 1467446
Link: https://www.wllwen.com/kejilunwen/jisuanjikexuelunwen/1467446.html