  • Thesis

A Mechanism for Strengthening DLL Random Entropy on Windows Vista

A DLL Protection Mechanism with Larger Random Entropy for Windows Vista

Advisor: 孫宏民

Abstract


In recent years, Address Space Layout Randomization (ASLR) has received increasing attention in diversity research. Continuing improvements to ASLR on Linux have lowered the probability of successfully attacking vulnerable machines. Windows has also adopted ASLR, starting with Windows Vista and Windows Server 2008. We investigate the behavior of the ASLR implementation on Windows Vista. Windows Vista randomizes the base addresses of executables and DLLs (Dynamic Link Libraries) from a range of 256 (8-bit) values, and does so only once per reboot. This entropy is much smaller than that of PaX ASLR. The demonstrated possibility of breaking ASLR on Linux led us to investigate whether Windows Vista's ASLR can likewise be broken by brute force. That prior work broke PaX ASLR with a novel return-into-libc attack against an Apache HTTP Server; the attack only has to guess a 16-bit offset rather than learn the addresses of both the library segment and the stack. This paper therefore aims to prevent attackers from breaking the ASLR technique on Windows Vista with an analogous return-into-dlls attack. To that end, we present a comprehensive system that provides: (1) 13-bit randomness at a preprocessing phase, and (2) an additional re-randomizing phase that relocates the entry point of each Win32 API after it is called. Experiments show that our system imposes no significant overhead on the whole program. Moreover, we explore how our system defeats classes of attacks that previous ASLR approaches cannot defend against. In conclusion, our security mechanism increases the effectiveness of randomization.

Keywords

Randomization, API hooking

Parallel Abstract


In recent years, address space layout randomization (ASLR) techniques have received wide attention. ASLR prevents an attacker from reusing the same exploit program to attack on a large scale, as a worm does. Today the technique is widely deployed on Unix-like systems, and Windows has also integrated ASLR into its newly released operating system, Vista. However, ASLR on Windows Vista provides only 8 bits of randomness, far less than the PaX ASLR mechanism (16 bits). Moreover, Windows Vista re-randomizes the addresses of DLLs in memory only when the machine reboots. Recent research has broken PaX ASLR using a return-into-libc attack, and we apply the same approach (a return-into-dlls attack) to break ASLR on Windows Vista. In this thesis we design a mechanism for Windows Vista that strengthens the randomization of dynamic link libraries and prevents attackers from succeeding through a return-into-dlls attack. We not only provide 13 bits of randomness, but also, after every call to a Win32 API, randomly change the entry address of that API, so that each call is randomized. Experimental results show that our system resists attacks that traditional ASLR mechanisms cannot, for example the information leakage attack. Furthermore, our system has little impact on overall performance, adding only about 8% in execution time on average.
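Both abstracts rest on one quantitative argument: an 8-bit layout that is fixed until reboot is cheap to brute-force, a 13-bit layout is harder, and re-randomizing the API entry point after every call makes each guess independent of the last. The script below is an added worked example written for this page, not code from the thesis; it models the three entropy levels named in the abstracts (8, 13 and 16 bits) and contrasts "fixed until reboot" (a failed guess eliminates one candidate) with "re-randomized per call" (a failed guess teaches nothing). Function names and the 50% confidence threshold are constructed for illustration; the guess counts are derived from the bit widths, not measured in the thesis.

```python
import math

# Constructed example: brute-force resistance of an ASLR layout as a function of
# entropy and of whether the layout is re-drawn between attempts.  Entropy values
# come from the abstracts above (Vista 8-bit, proposed 13-bit, PaX 16-bit).


def guess_space(bits: int) -> int:
    """Number of equally likely layouts for `bits` bits of entropy (Vista: 2**8 = 256)."""
    return 1 << bits


def p_success_fixed_layout(bits: int, k: int) -> float:
    """Probability that k distinct guesses hit the secret layout when the layout stays
    fixed between attempts (randomized once per reboot).  Every failed guess can be
    crossed off, so this is sampling without replacement: k/N, capped at 1."""
    n = guess_space(bits)
    return min(k, n) / n


def p_success_rerandomized(bits: int, k: int) -> float:
    """Probability that k guesses hit when the layout is re-drawn after every attempt
    (the thesis's per-call re-randomizing phase).  Attempts are independent, so the
    attacker never narrows the space: 1 - (1 - 1/N)**k."""
    n = guess_space(bits)
    return 1.0 - (1.0 - 1.0 / n) ** k


def expected_guesses(bits: int, rerandomize: bool) -> float:
    """Mean number of attempts until the first hit."""
    n = guess_space(bits)
    # Without replacement the hit is uniformly placed among N attempts: (N+1)/2.
    # With replacement each attempt is a Bernoulli(1/N) trial: geometric mean N.
    return float(n) if rerandomize else (n + 1) / 2


def attempts_for_confidence(bits: int, p: float, rerandomize: bool) -> int:
    """Smallest number of attempts whose cumulative success probability is >= p."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must lie strictly between 0 and 1")
    n = guess_space(bits)
    if rerandomize:
        # Solve 1 - (1 - 1/N)**k >= p for k.
        return math.ceil(math.log(1.0 - p) / math.log(1.0 - 1.0 / n))
    return math.ceil(p * n)


def comparison_table(p: float = 0.5) -> list:
    """One row per entropy level: expected guesses and attempts for p confidence,
    under both the fixed-until-reboot and the re-randomized-per-call models."""
    rows = []
    for bits in (8, 13, 16):
        rows.append({
            "bits": bits,
            "layouts": guess_space(bits),
            "expected_fixed": expected_guesses(bits, False),
            "expected_rerandomized": expected_guesses(bits, True),
            "attempts_fixed": attempts_for_confidence(bits, p, False),
            "attempts_rerandomized": attempts_for_confidence(bits, p, True),
        })
    return rows


if __name__ == "__main__":
    print("bits layouts  E[fixed]  E[rerand]  k50%(fixed)  k50%(rerand)")
    for r in comparison_table():
        print(f"{r['bits']:>4} {r['layouts']:>7} {r['expected_fixed']:>9.1f} "
              f"{r['expected_rerandomized']:>10.1f} {r['attempts_fixed']:>12} "
              f"{r['attempts_rerandomized']:>13}")
```

Two things the table makes visible that the abstracts only state: moving from 8 to 13 bits multiplies the expected work by 32 (128.5 to 4096.5 guesses in the fixed-layout model), and re-randomizing per call roughly doubles it again at the same entropy while also removing the attacker's ability to learn from failures, which is the property that blunts the information-leakage attack the Chinese abstract mentions.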

Parallel Keywords

Randomization, API hooking

