  • Thesis

An Improvement Based on Strengthening the Security of the Return Address Stack

An Enhancement of Return Address Stack for Security

Advisor: 孫宏民

Abstract


Stack smashing is still one of the most popular techniques for hijacking program control. The return address of a program is the best-known target, and its previous frame pointer is the second best. Various techniques have been proposed to defeat stack smashing attacks, but most need to alter the compiler or require hardware support, and only a few of them were developed for Windows. We discover a potential security risk in those schemes which dynamically allocate a return address stack to back up return addresses against stack smashing attacks. We are able to hijack program control in applications protected by them via a Memory Pointer Corruption Attack, because they only protect the return address stack itself and neglect to protect the Entry Pointer of the return address stack. In this thesis, we design a Secure Return Address Stack that protects both of them from stack smashing attacks on Windows. Moreover, we also extend our approach to instrument a DLL, a multi-threaded application, and DLLs used by multi-threaded applications. In contrast to previous research, our approach properly instruments DLLs. Finally, the GnuWin32 benchmark shows that the relative performance overhead of our approach is only between 3.47% and 8.59%.

Parallel Abstract


Stack smashing remains one of the most common ways to hijack program control. The return address is the most frequently attacked target in a program, and the previous frame pointer is second to it. Many defense mechanisms have been proposed against stack smashing attacks, but most require modifying the compiler or hardware support, and only a few have been developed on Windows. We found a latent security problem in the schemes that use a dynamically allocated Return Address Stack to resist stack smashing attacks. We can hijack the program control of programs protected by these schemes by performing a Memory Pointer Corruption Attack, because these schemes only attend to protecting the Return Address Stack and completely ignore that the Entry Pointer of the Return Address Stack also needs protection. In this thesis, we design a Secure Return Address Stack that protects both of the above against stack smashing attacks on Windows. In addition, we extend our method to handle a single DLL, a multi-threaded program, and multiple DLLs used by multi-threaded programs. Compared with prior research, our method handles the DLL problem more completely. Finally, the GnuWin32 benchmark shows that our method adds only 3.47% to 8.59% performance overhead.
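The design point made in both abstracts, as an added illustration that is not the thesis's own code: a minimal return address stack whose entry pointer is validated before every push and pop, so that a corrupted entry pointer is reported instead of silently redirecting the check to a stale slot. The XOR-encoded twin of the entry pointer, the struct layout, the secret and the demo addresses are assumptions of this example, standing in for whatever protection the thesis itself uses.

```c
#include <stdint.h>
#include <string.h>
#define RAS_SIZE 64
/* Constructed per-process secret; a real deployment would draw it at start-up. */
static const size_t ras_secret = 0x5a5a1234u;

typedef struct {
    uintptr_t slots[RAS_SIZE]; /* backup copies of return addresses */
    size_t top;                /* entry pointer: index of the next free slot */
    size_t top_check;          /* top XOR secret, verified before every use */
} ras_t;

/* The entry pointer is trusted only if it is in range and its encoded twin agrees. */
static int ras_top_valid(const ras_t *r) {
    return r->top <= RAS_SIZE && (r->top ^ ras_secret) == r->top_check;
}
static void ras_set_top(ras_t *r, size_t v) { r->top = v; r->top_check = v ^ ras_secret; }
void ras_init(ras_t *r) { memset(r->slots, 0, sizeof r->slots); ras_set_top(r, 0); }

/* Prologue hook: back up the return address. 0 = ok, -1 = entry pointer bad or stack full. */
int ras_push(ras_t *r, uintptr_t ret) {
    if (!ras_top_valid(r) || r->top == RAS_SIZE) return -1;
    r->slots[r->top] = ret;
    ras_set_top(r, r->top + 1);
    return 0;
}
/* Epilogue hook: compare the real stack's return address with the backup.
   1 = consistent, 0 = return address on the stack was smashed, -1 = entry pointer corrupted. */
int ras_pop_check(ras_t *r, uintptr_t stack_ret) {
    if (!ras_top_valid(r) || r->top == 0) return -1;
    ras_set_top(r, r->top - 1);
    return r->slots[r->top] == stack_ret;
}
/* Constructed scenarios; the addresses are made-up values, not real program locations. */
int demo_clean_return(void) {
    ras_t r; ras_init(&r); ras_push(&r, 0x401000);
    return ras_pop_check(&r, 0x401000);          /* 1 */
}
int demo_smashed_return(void) {
    ras_t r; ras_init(&r); ras_push(&r, 0x401000);
    return ras_pop_check(&r, 0x41414141);        /* 0: backup disagrees with the stack */
}
/* Only the entry pointer is overwritten. An unchecked RAS would compare against the stale
   slot 0 and accept the old address; the encoded twin makes the tampering visible. */
int demo_corrupted_entry_pointer(void) {
    ras_t r; ras_init(&r); ras_push(&r, 0x401000); ras_push(&r, 0x402000);
    r.top = 1;                                   /* simulated pointer corruption */
    return ras_pop_check(&r, 0x401000);          /* -1 */
}
```

The third scenario is the one the abstract warns about: the backup slots are untouched, yet without the entry-pointer check the comparison would pass against the wrong slot.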

