Research and Implementation of Automatic Heap Overflow Generation
Abstract
A heap overflow occurs when data longer than expected is copied into a dynamically allocated memory block, crossing the block's boundary and overwriting the management structure or contents of the memory block beyond it. It is a form of buffer overflow: an attacker can use the overwritten region to redirect program flow and execute attacker-specified instructions, thereby achieving the goal of the attack. Heap overflow attacks are an important and effective class of computer network attack. Research on the automatic generation of heap overflows can provide key attack means for computer network operations (CNO). This thesis analyses and studies heap overflow technology and a description language for automatically generating heap overflow code. Its main contents are as follows:
     First, it points out the problems with current heap overflow technology. Research on generating and exploiting heap overflow code has concentrated on attack techniques and methods for different systems and different overflow types, and has not yet produced a general automated generation method; usable heap overflow code must still be written by hand for each specific method. Research on describing heap overflows also lacks a recognised formal language.
     Second, addressing these problems, the thesis analyses the control information of heap overflows and the related exploitation or attack types, abstracts a construction rule for heap overflow code, builds an automaton model for automatically generating heap overflow code on that basis, and formally proves the reachability of the model's generation logic.
     Third, based on this model, a description language for automatically generating heap overflow code is designed to support the automated description of such code. Following the design of the language's lexical, syntactic and semantic rules, the automatic heap overflow code generation system is implemented in VC++ 6.0 using development tools such as Lex and Yacc.
     Finally, the validation targets, environment and test cases are given and the automatic heap overflow code generation system is validated in practice. Analysis of the experimental results shows that, following the technical route of this thesis, the heap overflow code the system generates automatically under Linux meets the project's requirements.
A heap overflow copies data beyond the given length into dynamically allocated memory blocks, crossing the block boundary and overwriting the management structure or content of the neighbouring memory block. Heap overflow is a form of buffer overflow: an attacker can change the program flow through the overwritten areas and execute instructions of their choosing to achieve the purpose of the attack. The heap overflow attack is an important and effective computer network attack. Research on the technology of automatically generating heap overflows can provide key attack means for Computer Network Operations (CNO).
     This paper analyses and studies heap overflow technology and a description language for the automatic generation of heap overflow code. Its main contents are as follows. First, it points out the problems with current heap overflow technology: research on generating and using heap overflows focuses mainly on attack techniques and methods under different systems and types of heap overflow, and there is no universal method of automatic generation. Usable heap overflow code has to be written manually according to each different method, and research on describing heap overflows lacks a recognised language.
     Secondly, in view of the problems mentioned above and according to the project's needs, the paper abstracts a construction rule for heap overflow code by analysing the control information of heap overflows and the related uses or attack types, thereby establishes an automaton model for automatically generating heap overflow code, and gives a formal proof that the generating logic of this automaton model is reachable.
     Thirdly, based on the above model, it designs a description language for automatically generating heap overflow code, supporting the automatic description of such code. In accordance with the lexical, syntactic and semantic rules of the language, it adopts the Lex and Yacc development tools and uses VC++ 6.0 to implement the automatic heap overflow code generation system.
     Finally, given the validation targets, environments and test cases, it validates the automatic heap overflow code generation system in practice. The experimental results show that the heap overflow code produced by this system under Linux is consistent with the project requirements, following the technical route of this paper.
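To make the mechanism the abstract opens with concrete, the following is an added illustration in C; it is not part of the thesis or of this page. It builds a constructed two-chunk heap model in which an unchecked copy into the first chunk runs past its payload and lands on the size header of the neighbouring chunk, and sets beside it a bounded copy that checks the input length against the capacity recorded for the chunk and refuses the copy instead. The arena layout, the 4-byte header and the 16-byte payload are assumptions of the model and do not reproduce any real allocator's chunk format.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy heap: two adjacent chunks in one byte arena. Each chunk is a
 * 4-byte size header followed by a 16-byte payload. This layout is an assumption
 * for illustration only, not glibc's or any other real allocator's format. */
#define HDR        4
#define PAYLOAD    16
#define CHUNK      (HDR + PAYLOAD)
#define ARENA_SIZE (2 * CHUNK)
#define CHUNK_A    0
#define CHUNK_B    CHUNK

static uint32_t read_hdr(const unsigned char *arena, size_t chunk_off) {
    uint32_t v;
    memcpy(&v, arena + chunk_off, HDR);
    return v;
}

static void write_hdr(unsigned char *arena, size_t chunk_off, uint32_t v) {
    memcpy(arena + chunk_off, &v, HDR);
}

static void arena_init(unsigned char *arena) {
    memset(arena, 0, ARENA_SIZE);
    write_hdr(arena, CHUNK_A, PAYLOAD);   /* both chunks record a 16-byte capacity */
    write_hdr(arena, CHUNK_B, PAYLOAD);
}

/* Vulnerable pattern: trusts the caller's length and copies all of it into the
 * chunk's payload. Bytes beyond PAYLOAD land in the next chunk, starting with
 * its header. (The length is capped at the arena end only so that the model
 * itself stays inside its own array.) */
static void copy_unchecked(unsigned char *arena, size_t chunk_off,
                           const unsigned char *src, size_t len) {
    size_t room_in_arena = ARENA_SIZE - (chunk_off + HDR);
    if (len > room_in_arena) len = room_in_arena;
    memcpy(arena + chunk_off + HDR, src, len);
}

/* Hardened pattern: compares the length against the capacity recorded in the
 * chunk header and rejects the copy instead of spilling into the neighbour. */
static bool copy_bounded(unsigned char *arena, size_t chunk_off,
                         const unsigned char *src, size_t len) {
    if (len > read_hdr(arena, chunk_off)) return false;
    memcpy(arena + chunk_off + HDR, src, len);
    return true;
}

/* Constructed input: 20 bytes of 'A', four more than chunk A can hold. */
static size_t oversized_input(unsigned char *buf, size_t cap) {
    size_t n = PAYLOAD + 4;
    if (n > cap) n = cap;
    memset(buf, 'A', n);
    return n;
}

/* Chunk B's header after the unchecked copy: the four excess 'A' bytes replace
 * its size field, so it reads 0x41414141 instead of 16. */
uint32_t neighbour_header_after_unchecked(void) {
    unsigned char arena[ARENA_SIZE], input[PAYLOAD + 4];
    arena_init(arena);
    size_t n = oversized_input(input, sizeof input);
    copy_unchecked(arena, CHUNK_A, input, n);
    return read_hdr(arena, CHUNK_B);
}

/* Chunk B's header after the bounded copy: unchanged at 16. */
uint32_t neighbour_header_after_bounded(void) {
    unsigned char arena[ARENA_SIZE], input[PAYLOAD + 4];
    arena_init(arena);
    size_t n = oversized_input(input, sizeof input);
    (void)copy_bounded(arena, CHUNK_A, input, n);
    return read_hdr(arena, CHUNK_B);
}

/* Whether the bounded copy accepted the oversized input: it does not. */
bool bounded_copy_accepted(void) {
    unsigned char arena[ARENA_SIZE], input[PAYLOAD + 4];
    arena_init(arena);
    size_t n = oversized_input(input, sizeof input);
    return copy_bounded(arena, CHUNK_A, input, n);
}

int main(void) {
    printf("unchecked copy: neighbour header = 0x%08x\n",
           (unsigned)neighbour_header_after_unchecked());
    printf("bounded copy:   neighbour header = %u, accepted = %s\n",
           (unsigned)neighbour_header_after_bounded(),
           bounded_copy_accepted() ? "yes" : "no");
    return 0;
}
```

The point of the model is the comparison: the only difference between the two copy routines is the length check against the chunk's recorded capacity, and that single check is what keeps the neighbour's management data intact.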