Application Research of Computers (计算机应用研究)

Title: An improved defense method against non-control-data attacks (一种针对非控制数据攻击的改进防御方法)

Authors: LIU Xiao-long, ZHENG Tao (刘小龙, 郑滔)
Affiliation: a. State Key Laboratory for Novel Software Technology; b. Software Institute, Nanjing University, Nanjing 210093, China
Article ID: 1001-3695(2013)12-3762-05
DOI: 10.3969/j.issn.1001-3695.2013.12.063
Abstract: A non-control-data attack is an attack mode that differs from the traditional pattern: by tampering with security-critical data in the system, it achieves its goal without altering the program's control flow. Existing defenses have limitations: static analysis methods depend on source code, and dynamic analysis methods suffer from serious false positives and false negatives. This paper proposes a pointer taint analysis method. Built on dynamic taint analysis, it marks memory data with a taint attribute and a pointer attribute, tracks the propagation of both marks as the program executes, and monitors for illegal pointer dereferences. A prototype system, DPTA, was designed and implemented; experiments show that the method effectively defends against control-data attacks and most non-control-data attacks while reducing false positives and false negatives.
Keywords: non-control-data attack; program security; dynamic taint analysis; pointer tainting; memory corruption
Funding: National Natural Science Foundation of China (61073027, 61105069)
URL: http://www.arocmag.com/article/01-2013-12-063.html
English abstract: Non-control-data attacks corrupt security-critical data rather than the target program's control data, so the program's control flow is left unchanged. Existing static analysis methods require source code and recompilation, while dynamic analysis methods have high false-positive and false-negative rates. This paper proposes a pointer taint analysis method based on dynamic taint analysis. The method marks memory data with a taint tag and a pointer tag, propagates both tags during program execution, and reports an attack when a pointer that has been manipulated by attacker-controlled input is dereferenced. A tool was implemented on the dynamic binary instrumentation framework Pin. Experimental results show that the method detects control-data attacks and most non-control-data attacks.
English keywords: non-control-data attack; program security; dynamic taint analysis; pointer taint; memory corruption
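The abstract describes the detection rule (a taint tag and a pointer tag per memory byte, propagated on writes, checked at dereference) but not how a non-control-data attack looks in memory or why the pointer tag is needed. The following C program is an added example, not the DPTA prototype or any code from the paper: it models tracked memory as an arena with one shadow tag byte per arena byte, and uses assumed propagation rules (an untrusted copy sets the taint tag and clears the pointer tag; pointer arithmetic keeps the base's pointer tag). The `struct session` layout, the `USER_TABLE`/`ADMIN_TABLE` paths and the attacker's knowledge of the `ADMIN_TABLE` address are all constructed for the demonstration.

```c
/* Added example: miniature shadow-memory model of pointer taint checking.
 * Not the paper's DPTA code; the tag rules below are assumptions. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 4096
#define TAG_TAINT 0x1   /* byte derives from untrusted input               */
#define TAG_PTR   0x2   /* byte belongs to a legitimately formed pointer   */

static _Alignas(16) uint8_t arena[ARENA_SIZE]; /* stands in for tracked memory */
static uint8_t shadow[ARENA_SIZE];             /* one tag byte per arena byte  */

/* Constructed sample data: the non-control data the attacker wants to swap. */
static const char USER_TABLE[]  = "/etc/app/user.tbl";
static const char ADMIN_TABLE[] = "/etc/app/admin.tbl";

struct session {
    char        username[16];   /* overflowable buffer                    */
    const char *priv_table;     /* security-critical pointer, not a return address */
};

static int in_arena(const void *p, size_t n) {
    const uint8_t *b = p;
    return b >= arena && b + n <= arena + ARENA_SIZE;
}
static size_t off(const void *p) { return (const uint8_t *)p - arena; }

/* The program stores a pointer it formed from trusted data: mark it as such. */
static void store_pointer(const char **slot, const char *value) {
    *slot = value;
    if (in_arena(slot, sizeof *slot))
        memset(&shadow[off(slot)], TAG_PTR, sizeof *slot);
}

/* Bytes from an untrusted source. Deliberately has no bound check: this is
 * the vulnerable write. Every written byte becomes tainted and loses TAG_PTR. */
static void copy_untrusted(void *dst, const uint8_t *src, size_t n) {
    memcpy(dst, src, n);
    if (in_arena(dst, n))
        memset(&shadow[off(dst)], TAG_TAINT, n);
}

/* Assumed rule for p = base + idx: keep the base's pointer tag, union the
 * taint, so a tainted index alone does not raise an alert at dereference. */
static void add_index(const char **dst, const char **base, size_t idx, int idx_tainted) {
    *dst = *base + idx;
    if (in_arena(dst, sizeof *dst) && in_arena(base, sizeof *base))
        for (size_t i = 0; i < sizeof *dst; i++)
            shadow[off(dst) + i] = shadow[off(base) + i] | (idx_tainted ? TAG_TAINT : 0);
}

/* Dereference check: 1 (alert) if any pointer byte is tainted and the value
 * no longer carries the pointer tag; 0 otherwise. */
static int check_deref(const char **slot) {
    if (!in_arena(slot, sizeof *slot)) return 0;
    int tainted = 0, is_ptr = 1;
    for (size_t i = 0; i < sizeof *slot; i++) {
        uint8_t t = shadow[off(slot) + i];
        tainted |= (t & TAG_TAINT) != 0;
        is_ptr  &= (t & TAG_PTR) != 0;
    }
    return tainted && !is_ptr;
}

/* One request against a fresh session: returns 1 if the check fires. */
int run_request(const uint8_t *input, size_t len) {
    memset(shadow, 0, sizeof shadow);
    struct session *s = (struct session *)arena;
    store_pointer(&s->priv_table, USER_TABLE);
    copy_untrusted(s->username, input, len);      /* no length check */
    return check_deref(&s->priv_table);           /* checked before the open */
}

const char *last_priv_table(void) { return ((struct session *)arena)->priv_table; }

int demo_benign(void) {
    const uint8_t name[] = "alice";
    return run_request(name, sizeof name);
}

/* Attack: 16 filler bytes, then the address of ADMIN_TABLE lands on priv_table.
 * Control flow is untouched; only the data the program trusts has changed. */
int demo_attack(void) {
    uint8_t input[16 + sizeof(const char *)];
    const char *target = ADMIN_TABLE;
    memset(input, 'A', 16);
    memcpy(input + 16, &target, sizeof target);
    return run_request(input, sizeof input);
}

/* Tainted index into a legitimate table: taint alone would alarm here. */
int demo_tainted_index(void) {
    memset(shadow, 0, sizeof shadow);
    const char **base = (const char **)(arena + 64);
    const char **p    = (const char **)(arena + 80);
    store_pointer(base, USER_TABLE);
    add_index(p, base, 5, 1);
    return check_deref(p);
}

int main(void) {
    printf("benign: %d  attack: %d  tainted index: %d\n",
           demo_benign(), demo_attack(), demo_tainted_index());
    return 0;
}
```

The attack case shows the class of bug the paper targets: after the overflow, `priv_table` points at `ADMIN_TABLE` and the program would open it with its normal code path, so a return-address or CFI check sees nothing. The tainted-index case is why a pointer tag is tracked alongside the taint tag: without it, every table lookup driven by user input would be reported, which is the false-positive problem the abstract attributes to plain dynamic taint analysis.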
References
[1] ROEMER R, BUCHANAN E, SHACHAM H, et al. Return-oriented programming: systems, languages, and applications [J]. ACM Trans on Information and System Security, 2012, 15(1): 2.
[2] CHEN Shuo, XU Jun, SEZER E C, et al. Non-control-data attacks are realistic threats [C] // Proc of the 14th USENIX Security Symposium. Berkeley: USENIX Association, 2005: 12.
[3] SLOWINSKA J M. Using information flow tracking to protect legacy binaries [M]. [S. l.]: Vrije Universiteit, 2012.
[4] NEWSOME J, SONG D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software [EB/OL]. (2005). http://valgrind.org/docs/newsome2005.pdf.
[5] EGELE M, SCHOLTE T, KIRDA E, et al. A survey on automated dynamic malware-analysis techniques and tools [J]. ACM Computing Surveys, 2012, 44(2): 6.
[6] WANG Rui, FENG Dengguo, YANG Yi, et al. Semantics-based malicious code behavior feature extraction and detection method [J]. Journal of Software (软件学报), 2012, 23(2): 378-393.
[7] LIU Jie, WANG Jiajie, OUYANG Yongji, et al. Binary code defect detection based on tainted pointers [J]. Computer Engineering (计算机工程), 2012, 38(24): 46-49.
[8] LUK C K, COHN R, MUTH R, et al. Pin: building customized program analysis tools with dynamic instrumentation [C] // Proc of ACM SIGPLAN Conference on Programming Language Design and Implementation. New York: ACM Press, 2005: 190-200.
[9] SCHLESINGER C, PATTABIRAMAN K, SWAMY N, et al. Modular protections against non-control data attacks [C] // Proc of the 24th IEEE Computer Security Foundations Symposium. 2011: 131-145.
[10] VAN ACKER S, NIKIFORAKIS N, PHILIPPAERTS P, et al. ValueGuard: protection of native applications against data-only buffer overflows [M] // Information Systems Security. Berlin: Springer, 2011: 156-170.
[11] BHATKAR S, SEKAR R. Data space randomization [M] // Detection of Intrusions and Malware, and Vulnerability Assessment. Berlin: Springer, 2008: 1-22.
[12] CHEN Shuo, XU Jun, NAKKA N, et al. Defeating memory corruption attacks via pointer taintedness detection [C] // Proc of International Conference on Dependable Systems and Networks. Washington DC: IEEE Computer Society, 2005: 378-387.
[13] DALTON M, KANNAN H, KOZYRAKIS C. Real-world buffer overflow protection for userspace & kernelspace [C] // Proc of the 17th USENIX Security Symposium. [S. l.]: USENIX Association, 2008: 395-410.
[14] WANG Jie, YANG Liu. Design and implementation of a honeypot-based intrusion detection system [J]. Application Research of Computers (计算机应用研究), 2012, 29(2): 667-671.
[15] SLOWINSKA A, BOS H. Pointer tainting still pointless: (but we all see the point of tainting) [J]. ACM SIGOPS Operating Systems Review, 2010, 44(3): 88-92.
[16] KEMERLIS V P, PORTOKALIDIS G, JEE K, et al. libdft: practical dynamic data flow tracking for commodity systems [C] // Proc of the 8th ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments. [S. l.]: ACM Press, 2012: 121-132.
[17] Polymorph filename buffer overflow vulnerability [EB/OL]. (2003). http://www.securityfocus.com/bid/7663.
[18] ATPhttpd buffer overflow exploit code [EB/OL]. (2001). http://www.securiteam.com/exploits/6B00K003GY.html.
[19] SAVOLA P. LBNL traceroute heap corruption vulnerability [EB/OL]. (2000). http://www.securityfocus.com/bid/1739.
[20] DOWD M. Sendmail header processing buffer overflow vulnerability [EB/OL]. http://www.securityfocus.com/bid/6991.
Pages: 3762-3766
CLC number: TP309
Document code: A