
Design of a Buffer Overflow Attack Detection Mechanism Based on Dynamic Translation

Detection of Buffer Overflow Attacks via Dynamic Binary Translation

Advisor: 洪士灝

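Abstract

The development of computers and the Internet has made life more convenient, but it also forces us to face serious information security problems. Buffer overflow attacks are currently a highly threatening system intrusion technique. This type of attack exploits a target system that, when accepting an input string from outside, neglects to guard against it and performs no length validation (bound-checking) on the received string, giving the attacker the opportunity to pass in a string longer than the target system's receive buffer and cause an overflow. The overlong string overwrites the program's control-flow data adjacent to the buffer and redirects execution to malicious code contained in the attack string, thereby running the attack routine chosen by the attacker.

Traditional defenses against buffer overflow attacks have their limitations. Waiting for a software patch to be released, needing the program's source code to recompile, modifying the operating system or hardware architecture, and so on all limit the timeliness or practicality of traditional defenses. The dynamic detection mechanism proposed in this thesis uses dynamic binary translation to protect program executables (binaries) that may contain vulnerabilities, without requiring source code, ensuring the correctness of each procedure's return address and stack frame pointer. As soon as they are found to have been tampered with, it immediately alerts the administrator and can restore them from the corresponding backup data so that the program runs normally.

To validate the defense mechanism proposed in this thesis, we first built two software tools with this defense on the Linux operating system, based on the dynamic translation software Pin and QEMU, and evaluated the security and performance of both. Experimental results show that, in terms of security, both accurately detect attacks; in terms of performance, the QEMU-based detection tool degrades the monitored program's performance less, by about 11.2% to 41%, which should be acceptable to ordinary users. Although the Pin-based detection tool is less efficient, the Pin platform itself is more portable, so our detection tool can be applied on both Linux and Windows operating systems, providing comprehensive dynamic protection for more users.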

Parallel abstract


Modern computer and network technologies improve some aspects of human life, but also compel us to face numerous security problems. Buffer overflow attacks are currently the most serious threats to computer systems. A buffer overflow vulnerability arises when a program accepts an input string without careful bound-checking. Attackers can exploit this type of vulnerability by sending an input that is longer than the fixed-size input buffer. Once the adjacent control data is corrupted by the overflowed data, the program's control flow is redirected to malicious code.

Traditional defense mechanisms against buffer overflow attacks are subject to certain restrictions, such as waiting for a patch to fix vulnerabilities, acquiring source code to recompile programs, or modifying the operating system or hardware architecture. Thus, the efficiency or practicability of those mechanisms is restricted. This thesis proposes a mechanism to dynamically detect buffer overflow attacks. Using dynamic binary translation techniques, our mechanism does not need source code and directly provides protection for binaries that may contain buffer overflow vulnerabilities. Our mechanism ensures the correctness of the return address and stack frame pointer. If these control data are detected to be corrupted, the detection tool alerts the system administrator. Furthermore, corrupted control data can be recovered so that the attacked programs preserve their normal control flow.

To verify our proposed protection mechanism, we implement two suites of tools against buffer overflow attacks, based on Pin and QEMU, which are dynamic binary translation software on Linux. We also evaluate the performance and safety of both tools. The experimental results showed that both tools accurately detected the occurrence of attacks in the safety experiments. In the performance experiments, the QEMU-based tool executed the tested programs with a degradation between 11.2% and 41%, which is 11.1x faster than previous work, e.g. Read-Only RAR, and should be acceptable for common users. Although the Pin-based tool imposed higher overhead, it may work for both Windows and Linux applications because of the portability and availability of Pin on those platforms.
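The check the abstract describes (back up each call's return address and saved frame pointer, compare them at return, raise an alert and restore the backup on a mismatch) is modelled below in plain C as an added example; it is not the thesis's Pin or QEMU tool. The names `on_call`, `on_ret`, `guest_frame` and `simulate`, the simulated frame layout and the address values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SHADOW_DEPTH 64
#define FP  0x7ffd1000u  /* constructed sample saved frame pointer */
#define RET 0x00401136u  /* constructed sample return address */

/* Hypothetical model: one backup per active call, kept outside the guest stack. */
struct shadow_entry { uintptr_t *slot; uintptr_t fp, ret; };
static struct shadow_entry shadow[SHADOW_DEPTH];
static int shadow_top, alerts;
/* Simulated guest frame: local buffer directly below the control data. */
struct guest_frame { char buf[16]; uintptr_t ctl[2]; /* [0]=saved fp, [1]=ret */ };

/* Stand-in for the hook a translator would run at a CALL: back up control data. */
int on_call(uintptr_t *slot) {
    if (shadow_top == SHADOW_DEPTH) return -1;           /* shadow stack full */
    shadow[shadow_top++] = (struct shadow_entry){ slot, slot[0], slot[1] };
    return 0;
}

/* Hook at a RET: 0 = intact, 1 = tampering detected and restored, -1 = no call. */
int on_ret(void) {
    if (shadow_top == 0) return -1;
    struct shadow_entry e = shadow[--shadow_top];
    if (e.slot[0] == e.fp && e.slot[1] == e.ret) return 0;
    alerts++;
    fprintf(stderr, "ALERT: control data modified, restoring backup\n");
    e.slot[0] = e.fp; e.slot[1] = e.ret;     /* recover frame pointer and return address */
    return 1;
}

/* One simulated call that copies len input bytes with no check against buf. */
int simulate(size_t len, int *intact) {
    struct guest_frame f = { {0}, { FP, RET } };
    unsigned char input[sizeof f];
    memset(input, 'A', sizeof input);
    if (len > sizeof f) len = sizeof f;      /* keep the model itself in bounds */
    if (on_call(f.ctl) != 0) return -1;
    memcpy((unsigned char *)&f, input, len); /* bounded by the frame, not by buf */
    int verdict = on_ret();
    *intact = (f.ctl[0] == FP && f.ctl[1] == RET);
    return verdict;
}

int main(void) {
    int ok, v = simulate(sizeof(struct guest_frame), &ok);
    printf("verdict=%d intact_after_restore=%d\n", v, ok);
    return 0;
}
```

Because the backups live outside the simulated frame, the overflowing copy cannot reach them, which is what lets the return-time comparison both detect the change and undo it.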

