Research on Dynamic Taint Analysis Technology Based on Information Flow
Abstract (translated from the Chinese)
With the rapid development of computer and network technology, information networks have become an important guarantee of social development, and the accompanying network security problems have gradually become one of the most serious problems people face in the information age. Theoretical analysis shows that the main reason various kinds of network attacks are able to pose an enormous threat to computer systems is that security vulnerabilities exist in computer and software systems as a result of their design, development and maintenance. For a long time, the buffer overflow vulnerability has been the most common of all kinds of security vulnerabilities. Buffer overflow vulnerabilities are extremely widespread and exist in all kinds of operating systems and application software. CERT states that more than about 50% of network attacks exploit buffer overflow vulnerabilities. How to effectively detect and defend against network attacks of the buffer overflow kind is a problem that urgently needs to be solved.
     In the areas of network attack and vulnerability detection there has already been some fairly in-depth research work at home and abroad. However, the existing means are relatively backward: static analysis methods cannot adequately solve problems such as attack prevention while the program is running and the detection of unknown attacks, while dynamic analysis methods mostly require the source code of the target program, which is unfavourable for protecting commercial software and for wide deployment. After in-depth study of buffer overflow vulnerabilities and detection methods, this thesis proposes a new network attack detection method: dynamic taint analysis based on information flow. It is a detection technique aimed mainly at buffer overflow attacks; it operates in real time, completing the monitoring and detection task while the client program executes, does not require the client program's source code, and has a low false positive rate.
     This thesis first describes the research background and significance, buffer overflow attack and detection techniques, and other related background knowledge, and then focuses on the two important analysis methods of dynamic taint analysis: data flow analysis and control flow analysis. The data flow analysis method identifies and marks external tainted data primarily through instruction analysis, tracks the explicit information propagation of tainted data through arithmetic-class and move-class instructions, detects suspicious situations such as tainted data being used as a jump target address or a format string parameter, and raises an attack alarm. Control flow analysis uses a control flow graph and an auxiliary stack to help analyse the implicit information flow propagation of tainted data through branch nodes, so as to reduce the false positive rate. Next, a prototype system is built on the basis of dynamic taint analysis technology, and the system design ideas and related implementation details are presented. Finally, the system is evaluated experimentally, with tests of both its functionality and its performance. The experiments show that dynamic taint analysis technology performs the detection task against buffer overflow attacks well, but its performance still needs improvement.
Abstract (original English version)
With the rapid development of computer technology and network technology, information networks have become an important guarantee for social development. The ensuing issue of network security has become one of the most serious problems of the information age. Theoretical analysis shows that the various types of network attacks able to pose a great threat to computer systems are mainly due to security vulnerabilities introduced into computer and software systems during software design, development and maintenance. For a long time, the buffer overflow vulnerability has been the most common of all kinds of security vulnerabilities. Buffer overflows are very common and widespread in a variety of operating systems and application software. CERT claimed that more than 50% of network attacks are carried out by exploiting buffer overflow vulnerabilities. How to detect and protect against buffer overflow vulnerabilities effectively is a problem that needs to be resolved immediately.
     Around the world, research on the detection of attacks and vulnerabilities has been progressing well. However, some approaches have fallen somewhat behind. Static analysis methods cannot properly prevent attacks while the program is running or detect unknown attacks, while the major problem of dynamic analysis methods is that they need the target program's source code, so they cannot protect commercial software. After in-depth research on the buffer overflow vulnerability, we present a new network attack detection approach: dynamic taint analysis based on information flow. This is a detection approach against attacks that exploit buffer overflow vulnerabilities; it works in real time, dynamically monitoring the execution of the client program to prevent attacks from the network, does not require the client program's source code, and has a low false positive rate.
     This thesis first describes the research background and significance, buffer overflow attack and prevention technology, and other background knowledge. Then we do our major research work on two important analytical methods of dynamic taint analysis: data flow analysis and control flow analysis. Data flow analysis works primarily through instruction analysis to identify and mark external taint data, tracking tainted data propagation through explicit information flow, detecting when tainted data is used as a jump target address, a format string parameter and so on, and raising an alarm when an attack occurs. Control flow analysis uses a control flow graph and an auxiliary stack to assist in the analysis of the implicit information flow of tainted data caused by the program's branch nodes, in order to reduce the false negatives. Then we build a prototype system based on dynamic taint analysis and show the system design and some implementation details. Finally, we give an experimental evaluation of the prototype system from both the functionality and performance sides. The experiments show that dynamic taint analysis based on information flow can perform the task of preventing buffer overflow attacks well, but its performance needs to be improved.
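The two analyses the abstract describes, as an added illustration that is not code from the thesis or its prototype system: a toy register-machine taint tracker in Python. The instruction set, the register names, the `join` label that stands in for the control-flow-graph post-dominator at which a branch region ends, the two sample programs and the external input bytes are all constructed assumptions; the auxiliary stack of branch conditions is the one mechanism the abstract names.

```python
"""Toy dynamic taint tracker (constructed illustration, not the thesis's code).

Assumed instruction set, loosely modelled on the x86 cases the abstract names:
  ("label", L)                 pseudo-instruction marking a control-flow node
  ("input", rd)                rd <- next external byte; the value is marked tainted
  ("movi", rd, imm)            rd <- constant (a clean write)
  ("mov", rd, rs)              rd <- rs               explicit flow, move class
  ("add", rd, rs)              rd <- rd + rs          explicit flow, arithmetic class
  ("beq", rs, L_else, L_join)  if rs == 0 goto L_else; the branch region ends at
                               L_join, which stands in for the post-dominator a
                               control-flow graph would supply
  ("jmp", L)                   unconditional jump
  ("jmpr", rs)                 indirect jump through rs    -- sink
  ("printf", rs)               rs used as a format string  -- sink
"""
from typing import List, Tuple

Instr = Tuple
Alert = Tuple[int, str, str]  # (pc, kind, register)


def run(program: List[Instr], external: List[int], track_implicit: bool = True):
    """Execute `program`, returning (alerts, taint); taint maps register -> bool."""
    labels = {ins[1]: i for i, ins in enumerate(program) if ins[0] == "label"}
    regs = {}          # concrete register values
    taint = {}         # shadow bit per register (data-flow state)
    ctrl_stack = []    # auxiliary stack: (join_label, branch_condition_was_tainted)
    alerts: List[Alert] = []
    inputs = iter(external)
    pc = 0

    def under_tainted_control() -> bool:
        # any enclosing branch whose condition was tainted makes this an implicit flow
        return track_implicit and any(t for _, t in ctrl_stack)

    def write(rd: str, value: int, data_taint: bool) -> None:
        regs[rd] = value
        taint[rd] = data_taint or under_tainted_control()

    while pc < len(program):
        ins = program[pc]
        op = ins[0]
        if op == "label":
            # reaching a join point closes every branch region that ends here
            while ctrl_stack and ctrl_stack[-1][0] == ins[1]:
                ctrl_stack.pop()
        elif op == "input":
            write(ins[1], next(inputs), True)            # taint source
        elif op == "movi":
            write(ins[1], ins[2], False)
        elif op == "mov":
            write(ins[1], regs.get(ins[2], 0), taint.get(ins[2], False))
        elif op == "add":
            rd, rs = ins[1], ins[2]
            write(rd, regs.get(rd, 0) + regs.get(rs, 0),
                  taint.get(rd, False) or taint.get(rs, False))
        elif op == "beq":
            rs, l_else, l_join = ins[1], ins[2], ins[3]
            ctrl_stack.append((l_join, taint.get(rs, False)))
            if regs.get(rs, 0) == 0:
                pc = labels[l_else]
                continue
        elif op == "jmp":
            pc = labels[ins[1]]
            continue
        elif op in ("jmpr", "printf"):                   # taint sinks
            rs = ins[1]
            if taint.get(rs, False):
                kind = "tainted jump target" if op == "jmpr" else "tainted format string"
                alerts.append((pc, kind, rs))
        else:
            raise ValueError(f"unknown op {op!r}")
        pc += 1
    return alerts, taint


# Constructed sample 1: explicit flow from input through mov/add into a jump target.
EXPLICIT = [
    ("input", "r0"),
    ("mov", "r1", "r0"),
    ("movi", "r2", 0x400000),
    ("add", "r2", "r1"),     # externally influenced offset reaches r2
    ("jmpr", "r2"),          # pc 4: indirect jump through tainted r2
]

# Constructed sample 2: r1 only ever receives constants, but the choice of
# constant depends on a tainted branch condition (implicit flow).
IMPLICIT = [
    ("input", "r0"),
    ("movi", "r1", 0),
    ("beq", "r0", "else", "join"),
    ("movi", "r1", 1),
    ("jmp", "join"),
    ("label", "else"),
    ("movi", "r1", 2),
    ("label", "join"),
    ("printf", "r1"),        # pc 8: r1 used as a format string
]

if __name__ == "__main__":
    print("explicit:", run(EXPLICIT, [0x41])[0])
    print("implicit, data flow only:", run(IMPLICIT, [7], track_implicit=False)[0])
    print("implicit, with control stack:", run(IMPLICIT, [7])[0])
```

Running the second program with `track_implicit=False` reports nothing, because every write to `r1` is a clean constant; with the auxiliary stack consulted, the write made while a tainted branch condition is on the stack is itself tainted and the format-string sink fires. The join label is a simplification: a real implementation derives the end of the region from the control flow graph rather than from a marker in the program.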
References
[1] Introduction to network security. http://baike.baidu.com/view/17495.html?wtp=tt.
    [2] James Newsome. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In The 12th Annual Network and Distributed System Security Symposium, 2005, 2: 3-7.
    [3] CNCERT/CC. CNCERT/CC Annual Report. http://www.cert.org.cn/. 2004.
    [4] 高静峰, 林柏钢, 倪一涛. Research on vulnerability detection technology based on rough set theory. 前沿技术 (Frontier Technology), 2007.
    [5] CNCERT/CC. China Internet Network Security Report. http://www.cert.org.cn/. 2008.
    [6] Introduction to buffer overflow. http://baike.baidu.com/view/36638.html?wtp=tt.
    [7] 张保稳, 施军, 张晖. Advances in buffer overflow vulnerability detection technology. 计算机应用与软件 (Computer Applications and Software), 2006(1).
    [8] L. C. Lam and T. Chiueh. A General Dynamic Information Flow Tracking Framework for Security Applications. In 22nd Annual Computer Security Applications Conference.
    [9] James Newsome. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In The 12th Annual Network and Distributed System Security Symposium, 2005.
    [10] Introduction to security vulnerabilities. http://baike.baidu.com/view/93544.htm?fr=ala0_1.
    [11] 朱艳玲, 牛少彰. Research on computer security vulnerabilities. Selected Papers of the 4th China Telecommunications Industry Network Information Security Forum, 2009.
    [12] 龚静. Discussion of attack and defence techniques based on buffer overflow vulnerabilities. 湖州师范学院学报 (Journal of Huzhou Teachers College), 2008, 28(1): 109-112.
    [13] 陆军, 丁雪梅. Buffer overflow attacks and protection. 东北农业大学学报 (Journal of Northeast Agricultural University), 2004, 35(3): 361-365.
    [14] 何子昂. Research on lightweight buffer overflow protection [master's thesis]. Chengdu: 电子科技大学 (University of Electronic Science and Technology of China), 2008.
    [15] 彭炜. Research on dynamic detection of computer security vulnerabilities. 光盘技术 (CD Technology), 2008.
    [16] 戈戟, 徐良华, 史洪. Research on address space randomization. 计算机应用与软件 (Computer Applications and Software), 2009, 26(9): 38-41.
    [17] J. Clause, W. Li and A. Orso. Dytan: A Generic Dynamic Taint Analysis Framework. International Symposium on Software Testing and Analysis. London, UK, 2007: 196-206.
    [18] Nicholas Nethercote, Julian Seward. How to Shadow Every Byte of Memory Used by a Program. Proceedings of the Third International ACM SIGPLAN/SIGOPS Conference on Virtual Execution Environments (VEE 2007), 2007: 3-5.
    [19] Derek L. Bruening. Efficient, Transparent, and Comprehensive Runtime Code Manipulation. Thesis, Massachusetts Institute of Technology, 2004.
    [20] W. Masri, A. Podgurski, D. Leon. Detecting and Debugging Insecure Information Flows. International Symposium on Software Reliability Engineering. Rennes and Saint-Malo, France, 2004: 198-209.
    [21] G. Bonfante, M. Kaczmarek and J. Y. Marion. Control Flow Graphs as Malware Signatures. WTCV, France, 2007.
    [22] Keith D. Cooper, Timothy J. Harvey and Todd Waterman. Building a Control-flow Graph from Scheduled Assembly Code. http://www.cs.rice.edu/~harv/my_papers/cfg.pdf.
    [23] Milind Mohan Chabbi. StackGuard: Efficient Taint Analysis Using Multicore Machines. Thesis, University of Arizona, 2007.
    [24] Wei Xu, Sandeep Bhatkar and R. Sekar. Practical Dynamic Taint Analysis for Countering Input Validation Attacks on Web Applications. 2007.
    [25] Xinran Wang, Yoon-Chan Jhi, Sencun Zhu, Peng Liu. STILL: Exploit Code Detection via Static Taint and Initialization Analysis. 2007.
    [26] Jens Krinke. Information Flow Control and Taint Analysis with Dependence Graphs. 2006.
    [27] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley and D. Evans. Automatically Hardening Web Applications Using Precise Tainting. In 20th IFIP International Information Security Conference, 2005.
    [28] Joseph Tucek, Shan Lu, Chengdu Huang, Spiros Xanthos, et al. Sweeper: A Lightweight End-to-End System for Defending Against Fast Worms. 2007.
    [29] T. Pietraszek and C. V. Berghe. Defending Against Injection Attacks Through Context-Sensitive String Evaluation. Proceedings of Recent Advances in Intrusion Detection, 2005.
    [30] F. Qin, C. Wang, Z. Li, H. Seop Kim, Y. Zhou, et al. LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks. MICRO'06: Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture, 2006.
    [31] Qin Zhao, Winnie W. Cheng, Bei Yu, Scott Hiroshige. DOG: Efficient Information Flow Tracing and Program Monitoring with Dynamic Binary Rewriting. 2005.
    [32] Prateek Saxena, R. Sekar and Varun Puranik. Efficient Fine-Grained Binary Instrumentation with Applications to Taint-Tracking. 2007.
    [33] Wei Xu, Sandeep Bhatkar and R. Sekar. Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. In USENIX Security Symposium, August 2006.
    [34] N. Vachharajani, M. J. Bridges, J. Chang, et al. RIFLE: An Architectural Framework for User-Centric Information-Flow Security. Proceedings of the 37th Annual IEEE/ACM International Symposium on Microarchitecture. Washington, DC, USA, 2004: 243-254.
    [35] 汪立东, 方滨兴. Research on UNIX buffer overflow attacks: technical principles, prevention and detection. 计算机工程与应用 (Computer Engineering and Applications), 2000(2): 12-14.
    [36] 蒋卫华, 李伟华, 杜君. Buffer overflow attacks: principles, defence and detection. 计算机工程 (Computer Engineering), 2003, 10: 5-7.
    [37] 杨荣, 杨鑫. Design of stack overflow protection software for the Win32 platform. 计算机应用 (Journal of Computer Applications), 2003, 23(10).
    [38] Jeffrey Richter. Windows Core Programming (Chinese edition). Beijing: 机械工业出版社 (China Machine Press), 2000.5: 1-300.
    [39] 罗云彬. 32-bit Assembly Language Programming in the Windows Environment. Beijing: 电子工业出版社 (Publishing House of Electronics Industry), 2002: 368.
    [40] Charles Petzold. Programming Windows. Microsoft Press, 1998.
    [41] 周明天, 汪文勇. TCP/IP Network Principles and Technology. Beijing: 清华大学出版社 (Tsinghua University Press), 1993.6.
    [42] Michael Howard, David LeBlanc. Writing Secure Code (Chinese edition). Beijing: 机械工业出版社 (China Machine Press), 2002.8.
    [43] 袁仁广. Techniques for writing overflow programs under Windows. http://blog.csdn.net/aixihuan/archive/2004/07/30/56326.aspx.
    [44] flashSky. In-depth research on Windows 2003 heap overflow and its exploitation techniques. http://www.xfocus.net/projects/Xcon/2003/Xcon2003_FlashSky.pdf.