Research on Lightweight Buffer Overflow Protection Techniques
Abstract
The widespread use of computer software brings people ever more convenience and increasingly shapes daily life, but software contains large numbers of errors and vulnerabilities that conceal enormous risks. Consequently, research institutions and enterprises alike are working on methods to avoid software errors and vulnerabilities. Research on buffer overflows has very important theoretical and practical value in the field of computer networks and information security. This thesis studies buffer overflow attack techniques in depth and, starting from the basic principle of buffer overflow attacks, proposes an overflow protection technique based on address space randomization; the method targets the basic principle of remote buffer overflows and provides effective protection against it.
     The thesis first describes the research background and significance of the topic and the state of research at home and abroad, and analyzes the various buffer overflow attack techniques and methods of writing shellcode. Based on the principle that a buffer overflow exploit relies on a jump address, it proposes an overflow protection technique based on address space randomization. Address space randomization is a defensive security technique that prevents a remote buffer overflow attack from predicting the location of core system objects: the addresses of core system objects and components are randomized in memory so that the overflow attack fails. Following this method, a buffer overflow protection system based on address space randomization is designed and implemented using Windows kernel techniques and device driver development; the overall system architecture, the design flow of the individual modules, and the development environment are presented.
     The system is then tested in a real Metasploit attack environment using complex attack types. The experimental results show that the proposed method can completely withstand the majority of buffer overflow attacks and effectively protects the system. Finally, the thesis summarizes the work, discusses the technical limitations of the approach, and outlines future work.
The popularization of software has brought people much convenience and changed our lives at the same time. But there are many errors hidden in software, which cause vulnerabilities or security holes in systems and bring huge risks. Many institutes and companies now pay more attention to finding methods to avoid software errors. Buffer overflow research is very valuable in practice and in theory in computer network and information security. The paper analyzes the buffer overflow attack and proposes a method for defending against buffer overflows based on Address-Space Randomization. The method focuses on the fundamental principle of the remote buffer overflow and protects systems following that principle.
     Firstly, the paper expounds the background and studies of this field and analyses different kinds of buffer overflow attacks and methods of making shellcode. It proposes an overflow protection technology based on Address-Space Randomization under the address-jump principle. The Address-Space Randomization technology guards against the prediction of system kernel objects by a remote buffer overflow attack. It randomizes the memory space of the system kernel objects and other objects in order to defend against remote buffer overflow attacks. We make use of Windows kernel related technology and device driver development technology to design and implement the buffer overflow protection system based on Address-Space Randomization. The paper shows the overall system structure, the detailed design flow of each module and the development environment.
     The system is evaluated by experiment, both in a real Metasploit attack environment and with complex attack types. The result shows the method can protect against most buffer overflow attacks. At last we give a conclusion of the paper, talk about the limits of the technology and look forward to future work.
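The abstract's core argument is that an overflow payload must predict a jump address in advance, so randomizing where core system components load makes that prediction fail. The simulation below is an added example and not code from the thesis or its protection system; the module names, preferred base addresses and the 8 bits of 64 KiB-granular entropy are constructed assumptions. It also shows the general limitation of any such scheme: a single component left at a fixed address gives the payload a stable target again.

```python
import random

# Constructed sample: preferred load bases of a few modules (not real values).
SAMPLE_MODULES = {
    "ntdll": 0x7C900000,
    "kernel32": 0x7C800000,
    "app": 0x00400000,
}

def place_modules(modules, randomized, rng, entropy_bits=8, align_shift=16):
    """Return {module: base}. Modules named in `randomized` get their preferred
    base shifted by a random multiple of 64 KiB (entropy_bits bits of entropy);
    all others load at the preferred base, as an unprotected system would."""
    bases = {}
    for name, preferred in modules.items():
        if name in randomized:
            bases[name] = preferred + (rng.randrange(1 << entropy_bits) << align_shift)
        else:
            bases[name] = preferred
    return bases

def attack_succeeds(bases, target, offset, hardcoded_jump):
    """A payload overwrote the return address with `hardcoded_jump`; it only
    transfers control as intended if the gadget still sits at that address."""
    return bases[target] + offset == hardcoded_jump

def hit_rate(modules, randomized, target, offset=0x1234, trials=4000, seed=7):
    """Fraction of process launches in which a payload built from the preferred
    base of `target` still lands on its gadget (deterministic via `seed`)."""
    rng = random.Random(seed)
    guess = modules[target] + offset   # attacker predicts from the preferred base
    hits = 0
    for _ in range(trials):
        bases = place_modules(modules, randomized, rng)
        hits += attack_succeeds(bases, target, offset, guess)
    return hits / trials

if __name__ == "__main__":
    print("no randomization      :", hit_rate(SAMPLE_MODULES, set(), "ntdll"))
    print("all modules randomized:", hit_rate(SAMPLE_MODULES, set(SAMPLE_MODULES), "ntdll"))
    # Limitation: one component left at a fixed address is a stable target.
    print("app left fixed        :", hit_rate(SAMPLE_MODULES, {"ntdll", "kernel32"}, "app"))
```

With 8 bits of entropy the expected hit rate for the randomized case is about 1/256, which is why the thesis randomizes core objects and components together rather than individually.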