基于地址完整性检查的函数指针攻击检测

doi:10.11772/j.issn.1001-9081.2015.02.0424

计算机应用 ›› 2015, Vol. 35 ›› Issue (2): 424-429.DOI: 10.11772/j.issn.1001-9081.2015.02.0424

基于地址完整性检查的函数指针攻击检测

代伟¹, 刘智², 刘益和¹

1. 内江师范学院计算机科学学院, 四川内江 641112;
2. 电子科技大学计算机科学与工程学院, 成都 611731

收稿日期:2014-08-11 修回日期:2014-11-04 出版日期:2015-02-10 发布日期:2015-02-12
通讯作者: 代伟
作者简介:代伟(1978-),男,四川内江人,讲师,硕士,主要研究方向:计算机网络与信息安全; 刘智(1985-),男,四川南充人,博士研究生,主要研究方向:程序安全与恶意代码; 刘益和(1964-),男,四川内江人,教授,博士,主要研究方向:计算机网络与信息安全。
基金资助:
2013年四川省学术和技术带头人培养资金资助项目(13XSJS002)。

Function pointer attack detection with address integrity checking

DAI Wei¹, LIU Zhi², LIU Yihe¹

1. College of Computer Science, Neijiang Normal University, Neijiang Sichuan 641112, China;
2. School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu Sichuan 611731, China

Received:2014-08-11 Revised:2014-11-04 Online:2015-02-10 Published:2015-02-12

摘要/Abstract

摘要：

针对传统函数指针攻击检测技术无法检测面向返回编程(ROP)攻击的问题,提出了一种基于跳转地址完整性检查的新方法,在二进制代码层面能够检测多种类型的函数指针攻击。首先,通过静态分析得到函数地址信息,然后动态检查跳转目标地址是否位于合法函数区间。分析了非入口点跳转,提出一种动静结合方法检测ROP攻击。基于二进制代码插桩工具实现原型系统fpcheck,对真实攻击和正常程序进行了测试。实验结果表明fpcheck能够检测包括ROP在内的多种函数指针攻击,通过准确的检测策略,误报率显著下降,性能损失相比原始插桩仅升高10%~20%。

关键词: 缓冲区溢出, 面向返回编程, 非入口点跳转, 动态分析, 二进制代码插桩

Abstract:

Traditional detection techniques of function pointer attack cannot detect Return-Oriented-Programming (ROP) attack. A new approach by checking the integrity of jump address was proposed to detect a variety of function pointer attacks on binary code. First, function address was obtained with static analysis, and then target addresses of jump instructions were checked dynamically whether they fell into allowed function address space. The non-entry function call was analyzed, based on which a new method was proposed to detect ROP attack by combining static and dynamic analysis. The prototype system named fpcheck was developed using binary instrumentation tool, and evaluated with real-world attacks and normal programs. The experimental results show that fpcheck can detect various function pointer attacks including ROP, the false positive rate reduces substantially with accurate policies, and the performance overhead only increases by 10% to 20% compared with vanilla instrumentation.

Key words: buffer overflow, Return-Oriented-Programming (ROP), non-entry function call, dynamic analysis, binary instrumentation

中图分类号:

TP309
TP311

代伟, 刘智, 刘益和. 基于地址完整性检查的函数指针攻击检测[J]. 计算机应用, 2015, 35(2): 424-429.

DAI Wei, LIU Zhi, LIU Yihe. Function pointer attack detection with address integrity checking[J]. Journal of Computer Applications, 2015, 35(2): 424-429.

参考文献

[1] ZHANG C, TAO W, CHEN Z, et al. Practical control flow integrity & randomization for binary executables [C]//Proceedings of the 2013 IEEE Symposium on Security and Privacy. Washington, DC: IEEE Computer Society, 2013: 559-573.
[2] RODES B D, NGUYEN-TUONG A, HISER J D, et al. Defense against stack-based attacks using speculative stack layout transformation [C]//RV 2012: Proceedings of the Third International Conference on Runtime Verification, LNCS 7687. Berlin: Springer-Verlag, 2013: 308-313.
[3] COWAN C, PU C, MAIER D, et al. StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks [C]//SSYM'98: Proceedings of the 7th Conference on USENIX Security Symposium. Berkeley: USENIX Association, 1998, 7: 63-78.
[4] BHATKAR S, DUVARNEY D, SEKAR R. Address obfuscation: an efficient approach to combat a broad range of memory error exploits [C]//Proceedings of the 12th USENIX Security Symposium. Berkeley: USENIX Association, 2003: 105-120.
[5] RATANWORABHAN P, LIVSHITS B, ZORN, B. NOZZLE: a defense against heap-spraying code injection attacks [C]//SSYM '09: Proceedings of the 18th USENIX Security Symposium. Berkeley: USENIX Association, 2009: 169-186.
[6] SHACHAM H, PAGE M, PFAFF B, et al. On the effectiveness of address-space randomization [C]//CCS '04: Proceedings of the 11th ACM Conference on Computer and Communications Security. New York: ACM, 2004: 298-307.
[7] SHACHAM H. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) [C]//CCS '07: Proceedings of the 14th ACM conference on Computer and Communications Security. New York: ACM, 2007: 552-561.
[8] COWAN C, BEATTIE S, JOHNSEN J, et al. PointGuard: protecting pointers from buffer overflow vulnerabilities [C]//SSYM '03: Proceedings of the 12th Conference on USENIX Security Symposium. Berkeley: USENIX Association, 2003: 91-104.
[9] WANG H, GUO Y, CHEN X. FPValidator: validating type equivalence of function pointers on the fly [C]//ACSAC '09: Proceedings of Annual Computer Security and Applications. Washington, DC: IEEE Computer Society, 2009: 51-59.
[10] ABADI M, BUDIU M, ERLINGSSON U, et al. Control flow integrity [C]//CCS '05: Proceedings of 12th ACM Conference on Computer and Communications Security. New York: ACM, 2005: 340-351.
[11] KIMBALL W B, PERUGINI S. Software vulnerabilities by example: a fresh look at the buffer overflow problem-bypassing SafeSEH [J]. Journal of Information Assurance & Security, 2012, 7(1): 1-13.
[12] BALARKISHNAN G, REPS T. WYSINWYX: What you see is not what you execute [J]. ACM Transactions on Programming Languages and Systems, 2010, 32(6): Article No. 23.
[13] LIN Z, WANG Y, MAO B, et al. SafeBird: a dynamic and transparent toolkit for run-time buffer overflow oreventions[J]. Acta Electronica Sinica, 2007, 35(5): 882-889. (林志强,王逸,茅兵,等.SafeBird:一种动态和透明的运行时缓冲区溢出防御工具集[J]. 电子学报, 2007, 35(5): 882-889.)
[14] HAN H, MAO B, XIE L. Dynamic runtime detection system for return-oriented-programming attack [J]. Computer Engineering, 2012, 38(4): 121-125. (韩浩,茅兵,谢立.针对ROP攻击的动态运行实时监测系统[J]. 计算机工程, 2012, 38(4): 121-125.)
[15] CHEN P, XIAO H, SHEN X, et al. DROP: detecting return-oriented-programming malicious code [C]//ICISS 2009: Proceedings of the 5th International Conference on Information Systems Security, LNCS 5905. Berlin: Springer-Verlag, 2009, 5905: 163-177.
[16] DAVI L, SADEGHI A, WINANDY M. ROPDefender: a detection tool to defend against return-oriented programming attacks [C]//ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. New York: ACM, 2011: 40-51.
[17] HUANG Z, ZHENG T. Program attack and protection based on return-oriented-programming[J]. Computer Science, 2012: 39(1): 1-5. (黄志军, 郑滔. 基于Return-Oriented Programming的程序攻击与防护[J]. 计算机科学, 2012, 39(1): 1-5.)
[18] ONARLIOGLU K, BILGE L, LANZI A, et al. G-Free: defeating return-oriented-programming through gadget-less binaries [C]//ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference. New York: ACM, 2010: 49-58.
[19] SEWAN J. ROPGadget, automatic gadgets finder [EB/OL]. [2014-05-20]. http://shell-storm.org/project/ROPgadget/.
[20] PacketStorm.[EB/OL]. [2014-04-20]. http://packetstormsecurity.com.

基于地址完整性检查的函数指针攻击检测

Function pointer attack detection with address integrity checking

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 7

编辑推荐

Metrics

[1]	周敏, 周安民, 刘亮, 贾鹏, 谭翠江. 组件拒绝服务漏洞自动挖掘技术[J]. 计算机应用, 2017, 37(11): 3288-3293.
[2]	王柳滨魏国珩李政. 嵌入式系统缓冲区溢出攻击防范技术研究[J]. 计算机应用, 2012, 32(12): 3449-3452.
[3]	钟达夫唐懿芳李肖坚. 面向网络对抗的缓冲区溢出攻击描述语言研究[J]. 计算机应用, 2009, 29(10): 2816-2819.
[4]	王开建罗晓波张天刚. 一种新型漏洞利用方式的探讨和防护[J]. 计算机应用, 2008, 28(5): 1152-1155.
[5]	何乔吴廖丹张天刚. 基于shellcode检测的缓冲区溢出攻击防御技术研究[J]. 计算机应用, 2007, 27(5): 1044-1046.
[6]	彭锋沈向洋 . 一种基于随机匹配算法的堆溢出防范策略[J]. 计算机应用, 2006, 26(10): 2344-2346.
[7]	黄金志，胡健生，廖赟，柴仁. 基于Petri网的程序缓冲区溢出检测方法[J]. 计算机应用, 2005, 25(05): 1219-1221.