混合式缓冲区溢出漏洞检测模型的研究
|
摘要
计算机系统漏洞以及软件漏洞让大规模攻击成为可能。攻击者通过利用这些漏洞控制目标主机实施攻击。缓冲区溢出漏洞二十多年来在计算机漏洞中一直扮演重要的角色。因而了解什么是缓冲区溢出,缓冲区溢出是如何发生的,如何能有效的防止缓冲区溢出攻击成为计算机安全保护的重要话题。
本文通过分析现有的危害网络安全的大规模攻击现状,提出挖掘漏洞的重要性。公司在开发应用软件时并没有考虑到其中存在的缓冲区溢出漏洞,使计算机很容易被攻击。本文详细的阐述了不同类型的缓冲区溢出攻击,以及发生缓冲区溢出的原因。然后分析了网络攻防对抗的二十多年间,微软对缓冲区溢出漏洞的防御的发展,提出了有效的检测出缓冲区溢出漏洞的重要性。最后本文通过分析现有的缓冲区溢出漏洞的检测方案,结合静态反汇编代码审核与动态检测的优点,提出利用反汇编静态代码审核与作为动态检测技术的模糊测试相结合的一种混合式缓冲区溢出漏洞检测模型。
本文模型主要是通过对静态反汇编代码审核将可能发生缓冲区溢出漏洞的函数标识为可疑函数,同时定位简单的缓冲区溢出漏洞。然后通过向可疑函数进行模糊测试确认其是否会发生缓冲区溢出。通过对模型的相关技术的研究,本文实现了所提出的模型的一种实现方案,并通过实验验证了模型的有效性。实验中首先对已知缓冲区漏洞的代码的实现验证,验证整个模型的有效性。然后利用实验二检测目标应用程序,验证本模型的整体功能。通过对实验结果的研究,证明本文提出的缓冲区溢出检测模型可以有效的检测缓冲区溢出漏洞。
System vulnerabilities and software vulnerabilities make attack in force possible. Attackers exploit them to control some Dorking to conduct of attack. Buffer overflow as the important aspect of vulnerabilities plays a significant role in last twenty years. Know what is overflow, how it happens, and how to prevent it are the important questions in the security industry.
Because safety consciousness in software industry is not enough, the attacker get the destination host by exploit the vulnerabilities in the software. This article describe the species of buffer overflow attack, reasons and counter measures of the buffer overflow, the importance of detecting buffer overflow. At the last, this article shows a kind of composite detecting method of buffer overflow.
This method uses static analysis of binary file and fuzzing method to detecting vulnerabilities in software. In the first module finding the suspicious modules is the main target. At the same time this module finds some simple vulnerability and some import modules by using code review. Then in the second module, fuzzing brute data test whether the suspicious functions are the vulnerabilities or not. At the last of this article, two experiments prove that the method is effective in detecting buffer overflow.
本文通过分析现有的危害网络安全的大规模攻击现状,提出挖掘漏洞的重要性。公司在开发应用软件时并没有考虑到其中存在的缓冲区溢出漏洞,使计算机很容易被攻击。本文详细的阐述了不同类型的缓冲区溢出攻击,以及发生缓冲区溢出的原因。然后分析了网络攻防对抗的二十多年间,微软对缓冲区溢出漏洞的防御的发展,提出了有效的检测出缓冲区溢出漏洞的重要性。最后本文通过分析现有的缓冲区溢出漏洞的检测方案,结合静态反汇编代码审核与动态检测的优点,提出利用反汇编静态代码审核与作为动态检测技术的模糊测试相结合的一种混合式缓冲区溢出漏洞检测模型。
本文模型主要是通过对静态反汇编代码审核将可能发生缓冲区溢出漏洞的函数标识为可疑函数,同时定位简单的缓冲区溢出漏洞。然后通过向可疑函数进行模糊测试确认其是否会发生缓冲区溢出。通过对模型的相关技术的研究,本文实现了所提出的模型的一种实现方案,并通过实验验证了模型的有效性。实验中首先对已知缓冲区漏洞的代码的实现验证,验证整个模型的有效性。然后利用实验二检测目标应用程序,验证本模型的整体功能。通过对实验结果的研究,证明本文提出的缓冲区溢出检测模型可以有效的检测缓冲区溢出漏洞。
System vulnerabilities and software vulnerabilities make attack in force possible. Attackers exploit them to control some Dorking to conduct of attack. Buffer overflow as the important aspect of vulnerabilities plays a significant role in last twenty years. Know what is overflow, how it happens, and how to prevent it are the important questions in the security industry.
Because safety consciousness in software industry is not enough, the attacker get the destination host by exploit the vulnerabilities in the software. This article describe the species of buffer overflow attack, reasons and counter measures of the buffer overflow, the importance of detecting buffer overflow. At the last, this article shows a kind of composite detecting method of buffer overflow.
This method uses static analysis of binary file and fuzzing method to detecting vulnerabilities in software. In the first module finding the suspicious modules is the main target. At the same time this module finds some simple vulnerability and some import modules by using code review. Then in the second module, fuzzing brute data test whether the suspicious functions are the vulnerabilities or not. At the last of this article, two experiments prove that the method is effective in detecting buffer overflow.
引文
[1]http://infosec.org.cn/news/news_view.php?newsid=15636
[2]钱林松,赵海旭.C++反汇编与逆向分析技术揭秘.机械工业出版社,2012.
[3]王清.Oday安全:软件漏洞分析技术(第二版).电子工业出版社,2011.6.
[4]http://en.wikipedia.org/wiki/Buffer_overflow
[5]姚欣洪,官云战,杨朝红.一种基于代码静态分析的缓冲区溢出检测算法(硕士学位论文).北京邮电大学网络技术研究院,装甲兵工程学院信息工程系,2010.7.
[6]贾凡,张玉琢等.缓冲区溢出攻击检测技术综述.北京交通大学,电子信息工程学院,计算机安全,2011.05.
[7]张传娟.基于源代码的缓冲区溢出预防技术,电脑知识与技术,2008年第4卷第9期.
[8]魏强,金然,王清贤.解放军信息工程大学信息工程学院计算机工程,第35卷第3期2009年2月.
[9]周宇.基于调用栈完整性的缓冲区溢出检测方法.计算机安全,2010.
[10]吴楠.基于GCC的缓冲区溢出检测研究(硕士学位论文).哈尔滨工程大学,2010.1.
[11]吕涛,曹天杰.基于内存地址确认的缓冲区溢出检测方法.微计算机信息,2009 25卷3期.
[12]张楠.缓冲区溢出攻击的动态检测与防范.西南民族大学学报,自然科学版,2007年5期.
[13]苏朋,陈性元等.基于进程执行轮廓的缓冲区溢出攻击效果检测.解放军信息工程大学电子技术学院,计算机工程,第35卷第6期,2009.06.
[14]秦肇伟.缓冲区溢出检测工具的设计与实现(硕士学位论文).电子科技大学,2010.4.
[15]史胜,任平安.一种缓冲区溢出攻击的实时检测方法.计算机工程,第37卷第10期,2011年5月.
[16]Michael Sutton and Adam Greene and Pedram Amini, Fuzzing-Brute Force Vulnerability Discovery.2007.
[17]Joao Duraes and Henrique Maderia A Methodology for the Automated Identification of Buffer Overflow Vulnerabilities in Executable Software Without Source-Code ISEC/CISUC-Polytechnic Institute of Coimbra,3030 Coimbra, Protugal.
[18]Matt Pietrek.Checking for Debug information. Windows/DOS Developer's Journal, Oct.1992.
[19]http://searchsecurity.techtarget.com/definition/buffer-overflow
[20]The Shellcoder's Handbook-Discovering and Exploiting Security Holes.
[21]C. Cowan, F. Wagle, Calton Pu, S. Beattie, and J. Walpole. Buffer overflows:attack and defenses for the vulnerability of the decade. In:Proceedings of DARPA Information Survivability Conference and Exposition, Jan.2000.119~129.
[22]张亚军.windows缓冲区溢出原理与利用研究(硕士学位论文).上海交通大学,2005.
[23]Mark Dowd, John McDonald, Justin Schuh. The Art Of Software Security Assessment,2006.
[24]Dafydd Stuttard. Marcus Pinto Writing Secure Code, Second Edition,2003.
[25]Cal Erickson. Writing secure programs. Linux Journal. Volume 2003 (115).8~9.
[26]DARKLAB Windows heap Exploitation(Win2KSP0 through WinXPSp2), Phrack Magazine 2004.
[27]Nicolas Waisman. Understanding and bypassing Windows Heap Protection, Phrack Magazine.2007.
[28]余俊松等.Windows下缓冲区溢出漏洞的利用.计算机工程,2007年17期.
[29]Alexander Sotirov. Bypassing Browser Memory Protections. Phrack Magazine.2008.
[30]Ollie Whitehouse.GS and ASLR in Windows Vista. Phrack Magazine 2007.
[31]Windows Security:The gradual improvement of SEH mechanism 《Netinfo Security》 2009-05 XU) You-ful, ZHANG Jin-han2, WEN Wei-pingl (1. Department of Information Security, SSM, Peking University, Beijing 102600, China; 2. China Information Technology Security Evaluation Center, Beijing 100085, China)
[32]ASLR Smack&Laugh Reference Seminar on Advanced Exploitation Techniques Tilo muller RwTH Aachen, Germany Chair of Computer Science 4 February 17,2008 [33]ByPassing Browser Memory Protections,2008.
[33]Stefan Le Berre, Damien Cauquil Bypassing SEHOP.2009.
[34]廖光灯.缓冲区溢出静态检测工具的研究与实现(硕士学位论文).上海交通大学,2006.
[35]Patrice Godefroid. Random testing for security:blackbox vs. whitebox fuzzing. In:Proceedings of the 2nd international workshop. Atlanta, Georgia. Nov.2007.2 Penn Plaza, Suite 701 NewYork NY, USA:ACM,2007. 1~1.
[36]Peter Oehlert. Violating Assumptions with Fuzzing. IEEE Security and Privacy, Mar.2007,3 (2):265~288.
[37]W. Du and A. P. Mathur. Vulnerability Testing of Software System Using Fault Injection. Technical Report, COAST, Purdue University, West Lafayette, IN,US, April 1998.45~48.
[38]刘为.基于模糊测试的XSS漏洞检测系统研究与实现(硕士学位论文).湖南大学,2010.
[39]曹旭,张一宁,基于逆向工程和Fuzzing技术的AdobeReader漏洞发掘技术研究.信息 工程大学学报,第10卷第2期,2009年6月.
[40]Reversing:secrets of Reverse Engineering, Eldad Eilam, Wiley 2005,4.
[41]Hocav Shacham Ruturn-Oriented Programming. Exploits Without Code Injection,2008
[42]刘飞飞等.基于缓冲区溢出的网络渗透技术的研究.电脑开发与应用,2011年24卷1期
[43]Chen Shuo, Xu Jun, Nithin Nakka, et al. Defeating memory corruption attacks via pointer taintedness.
[44]Detection. Proceedings of the 2005 International Conference on Dependable Systems and Networks (DSN05) [C], Washington, DC, USA, IEEE Computer Society,2005: 379-387.
[45]黄奕.基于模糊测试的软件安全漏洞发掘技术研究(硕士学位论文).中国科学技术大学,2010.
[46]张美超,曾凡平,黄奕.基于漏洞库fuzzing测试技术.中国科学技术大学,安徽省计算与通讯软件重点实验室,小型微型计算机系统,2011年4月第4期
[47]黄玉文等.基于可执行文件的缓冲区溢出检测模型.计算机工程2010年2期.
[48]陈帆FreeGate软件的逆向分析技术研究(硕士学位论文).上海交通大学,2008.
[49]徐欣民.一种缓冲区溢出漏洞自动挖掘及漏洞定位技术(硕士学位论文).华中科技大学,2008
[50]Chris Eagle, The IDA Pro Book&The Unofficial to the World's Most Popular Disassembler 2008 No Starch Press.
[51]Patrick Engebretson, The BASICS OF HACKING AND PENETRATION TESTING., Ethical Hacking and Penetration Testing Made Easy 2011.
[52]Tim Burrell.The Evolution of Microsoft's Exploit Mitigations, Phrack Magazine.2010.
[53]Stefan Le Berre, Damien Cauquil Bypassing SEHOP. Phrack Magazine.2009.
[54]Patrick Engebretson, The BASICS OF HACKING AND PENETRATION TESTING., Ethical Hacking and Penetration Testing Made Easy 2011.
[55]张美超,曾凡平,黄奕.基于漏洞库fuzzing测试技术.中国科学技术大学,安徽省计算与通讯软件重点实验室,小型微型计算机系统,2011年4月第4期.
[56]曹旭,张一宁,基于逆向工程和Fuzzing技术的AdobeReader漏洞发掘技术研究.信息工程大学学报,第10卷第2期,2009年6月.
[57]赖志权.计算机科学与技术,基于动态污点分析的状态协议实现软件模糊测试方式研究.国防科技大学研究生院,2010年11月.
[2]钱林松,赵海旭.C++反汇编与逆向分析技术揭秘.机械工业出版社,2012.
[3]王清.Oday安全:软件漏洞分析技术(第二版).电子工业出版社,2011.6.
[4]http://en.wikipedia.org/wiki/Buffer_overflow
[5]姚欣洪,官云战,杨朝红.一种基于代码静态分析的缓冲区溢出检测算法(硕士学位论文).北京邮电大学网络技术研究院,装甲兵工程学院信息工程系,2010.7.
[6]贾凡,张玉琢等.缓冲区溢出攻击检测技术综述.北京交通大学,电子信息工程学院,计算机安全,2011.05.
[7]张传娟.基于源代码的缓冲区溢出预防技术,电脑知识与技术,2008年第4卷第9期.
[8]魏强,金然,王清贤.解放军信息工程大学信息工程学院计算机工程,第35卷第3期2009年2月.
[9]周宇.基于调用栈完整性的缓冲区溢出检测方法.计算机安全,2010.
[10]吴楠.基于GCC的缓冲区溢出检测研究(硕士学位论文).哈尔滨工程大学,2010.1.
[11]吕涛,曹天杰.基于内存地址确认的缓冲区溢出检测方法.微计算机信息,2009 25卷3期.
[12]张楠.缓冲区溢出攻击的动态检测与防范.西南民族大学学报,自然科学版,2007年5期.
[13]苏朋,陈性元等.基于进程执行轮廓的缓冲区溢出攻击效果检测.解放军信息工程大学电子技术学院,计算机工程,第35卷第6期,2009.06.
[14]秦肇伟.缓冲区溢出检测工具的设计与实现(硕士学位论文).电子科技大学,2010.4.
[15]史胜,任平安.一种缓冲区溢出攻击的实时检测方法.计算机工程,第37卷第10期,2011年5月.
[16]Michael Sutton and Adam Greene and Pedram Amini, Fuzzing-Brute Force Vulnerability Discovery.2007.
[17]Joao Duraes and Henrique Maderia A Methodology for the Automated Identification of Buffer Overflow Vulnerabilities in Executable Software Without Source-Code ISEC/CISUC-Polytechnic Institute of Coimbra,3030 Coimbra, Protugal.
[18]Matt Pietrek.Checking for Debug information. Windows/DOS Developer's Journal, Oct.1992.
[19]http://searchsecurity.techtarget.com/definition/buffer-overflow
[20]The Shellcoder's Handbook-Discovering and Exploiting Security Holes.
[21]C. Cowan, F. Wagle, Calton Pu, S. Beattie, and J. Walpole. Buffer overflows:attack and defenses for the vulnerability of the decade. In:Proceedings of DARPA Information Survivability Conference and Exposition, Jan.2000.119~129.
[22]张亚军.windows缓冲区溢出原理与利用研究(硕士学位论文).上海交通大学,2005.
[23]Mark Dowd, John McDonald, Justin Schuh. The Art Of Software Security Assessment,2006.
[24]Dafydd Stuttard. Marcus Pinto Writing Secure Code, Second Edition,2003.
[25]Cal Erickson. Writing secure programs. Linux Journal. Volume 2003 (115).8~9.
[26]DARKLAB Windows heap Exploitation(Win2KSP0 through WinXPSp2), Phrack Magazine 2004.
[27]Nicolas Waisman. Understanding and bypassing Windows Heap Protection, Phrack Magazine.2007.
[28]余俊松等.Windows下缓冲区溢出漏洞的利用.计算机工程,2007年17期.
[29]Alexander Sotirov. Bypassing Browser Memory Protections. Phrack Magazine.2008.
[30]Ollie Whitehouse.GS and ASLR in Windows Vista. Phrack Magazine 2007.
[31]Windows Security:The gradual improvement of SEH mechanism 《Netinfo Security》 2009-05 XU) You-ful, ZHANG Jin-han2, WEN Wei-pingl (1. Department of Information Security, SSM, Peking University, Beijing 102600, China; 2. China Information Technology Security Evaluation Center, Beijing 100085, China)
[32]ASLR Smack&Laugh Reference Seminar on Advanced Exploitation Techniques Tilo muller RwTH Aachen, Germany Chair of Computer Science 4 February 17,2008 [33]ByPassing Browser Memory Protections,2008.
[33]Stefan Le Berre, Damien Cauquil Bypassing SEHOP.2009.
[34]廖光灯.缓冲区溢出静态检测工具的研究与实现(硕士学位论文).上海交通大学,2006.
[35]Patrice Godefroid. Random testing for security:blackbox vs. whitebox fuzzing. In:Proceedings of the 2nd international workshop. Atlanta, Georgia. Nov.2007.2 Penn Plaza, Suite 701 NewYork NY, USA:ACM,2007. 1~1.
[36]Peter Oehlert. Violating Assumptions with Fuzzing. IEEE Security and Privacy, Mar.2007,3 (2):265~288.
[37]W. Du and A. P. Mathur. Vulnerability Testing of Software System Using Fault Injection. Technical Report, COAST, Purdue University, West Lafayette, IN,US, April 1998.45~48.
[38]刘为.基于模糊测试的XSS漏洞检测系统研究与实现(硕士学位论文).湖南大学,2010.
[39]曹旭,张一宁,基于逆向工程和Fuzzing技术的AdobeReader漏洞发掘技术研究.信息 工程大学学报,第10卷第2期,2009年6月.
[40]Reversing:secrets of Reverse Engineering, Eldad Eilam, Wiley 2005,4.
[41]Hocav Shacham Ruturn-Oriented Programming. Exploits Without Code Injection,2008
[42]刘飞飞等.基于缓冲区溢出的网络渗透技术的研究.电脑开发与应用,2011年24卷1期
[43]Chen Shuo, Xu Jun, Nithin Nakka, et al. Defeating memory corruption attacks via pointer taintedness.
[44]Detection. Proceedings of the 2005 International Conference on Dependable Systems and Networks (DSN05) [C], Washington, DC, USA, IEEE Computer Society,2005: 379-387.
[45]黄奕.基于模糊测试的软件安全漏洞发掘技术研究(硕士学位论文).中国科学技术大学,2010.
[46]张美超,曾凡平,黄奕.基于漏洞库fuzzing测试技术.中国科学技术大学,安徽省计算与通讯软件重点实验室,小型微型计算机系统,2011年4月第4期
[47]黄玉文等.基于可执行文件的缓冲区溢出检测模型.计算机工程2010年2期.
[48]陈帆FreeGate软件的逆向分析技术研究(硕士学位论文).上海交通大学,2008.
[49]徐欣民.一种缓冲区溢出漏洞自动挖掘及漏洞定位技术(硕士学位论文).华中科技大学,2008
[50]Chris Eagle, The IDA Pro Book&The Unofficial to the World's Most Popular Disassembler 2008 No Starch Press.
[51]Patrick Engebretson, The BASICS OF HACKING AND PENETRATION TESTING., Ethical Hacking and Penetration Testing Made Easy 2011.
[52]Tim Burrell.The Evolution of Microsoft's Exploit Mitigations, Phrack Magazine.2010.
[53]Stefan Le Berre, Damien Cauquil Bypassing SEHOP. Phrack Magazine.2009.
[54]Patrick Engebretson, The BASICS OF HACKING AND PENETRATION TESTING., Ethical Hacking and Penetration Testing Made Easy 2011.
[55]张美超,曾凡平,黄奕.基于漏洞库fuzzing测试技术.中国科学技术大学,安徽省计算与通讯软件重点实验室,小型微型计算机系统,2011年4月第4期.
[56]曹旭,张一宁,基于逆向工程和Fuzzing技术的AdobeReader漏洞发掘技术研究.信息工程大学学报,第10卷第2期,2009年6月.
[57]赖志权.计算机科学与技术,基于动态污点分析的状态协议实现软件模糊测试方式研究.国防科技大学研究生院,2010年11月.