Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/45625

Full metadata record
DC field: value [language]
dc.contributor.advisor: 洪士灝 (Shih-Hao Hung)
dc.contributor.author: Chun-Chung Chen [en]
dc.contributor.author: 陳雋中 [zh_TW]
dc.date.accessioned: 2021-06-15T04:31:10Z
dc.date.available: 2014-12-29
dc.date.copyright: 2009-12-29
dc.date.issued: 2009
dc.date.submitted: 2009-08-19
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/45625
dc.description.abstract [zh_TW]: Abstract
The development of computers and the Internet has brought convenience to our lives, but it has also forced us to confront serious information security problems. Buffer overflow attacks are currently a highly threatening method of system intrusion. This type of attack exploits a target system that accepts strings from the outside without taking precautions: because no bound-checking is performed on the received string, an attacker has the opportunity to send a string longer than the target system's receive buffer, causing an overflow. The overlong string overwrites the program's control-flow data adjacent to the buffer and redirects the program's execution to malicious code contained in the attack string, which then carries out the attack procedure of the attacker's choosing.
Traditional defense mechanisms against buffer overflow attacks have their limitations. Waiting for software patches to be released, needing the program's source code for recompilation, and modifying the operating system or hardware architecture all limit the timeliness or practicality of traditional defenses. The dynamic detection mechanism proposed in this thesis uses dynamic binary translation to protect program executables (binaries) that may contain vulnerabilities without requiring source code, ensuring the correctness of every procedure's return address and stack frame pointer. As soon as either is found to have been tampered with, it immediately alerts the administrator and can restore the corresponding backup copy so that the program continues to run normally.
To validate the defense mechanism proposed in this thesis, we first built two software tools incorporating the mechanism on the Linux operating system, based on the two dynamic binary translation systems Pin and QEMU, and evaluated the security and performance of both. The experimental results show that, in terms of security, both accurately detect the occurrence of attacks; in terms of performance, the QEMU-based detection tool reduces the execution performance of the monitored program by a smaller margin, roughly between 11.2% and 41%, which should be acceptable to ordinary users. Although the Pin-based detection tool is less efficient, the higher portability of the Pin platform itself allows our detection tool to be used on both Linux and Windows, providing comprehensive dynamic protection to more users.
dc.description.abstract [en]: Abstract
Modern computer and network technologies improve some aspects of human life, but also compel us to face numerous security problems. Buffer overflow attacks are currently the most serious threats to computer systems. A buffer overflow vulnerability is caused when a program gets an input string without cautious bound-checking. Hence, attackers could exploit this type of vulnerability by sending an input which is longer than the fixed-size input buffer. Once the adjacent control data is corrupted by the overflowed data, the program control flow will be redirected to malicious code.
Traditional defense mechanisms against buffer overflow attacks are constrained by certain restrictions, such as waiting for the patch that fixes vulnerabilities, acquiring source code to recompile programs, modifying the operating system or hardware architecture, etc. Thus, the efficiency or practicability of those mechanisms is restricted. This thesis proposes a mechanism to dynamically detect buffer overflow attacks. With dynamic binary translation techniques, our mechanism does not need source code and directly provides protection for binaries that may contain buffer overflow vulnerabilities. Our mechanism ensures the correctness of the return address and stack frame pointer. If these control data are detected to be corrupted, the detection tool will alert the system administrator. Furthermore, corrupted control data can be recovered so that the attacked programs preserve their normal control flow.
In order to verify our proposed protection mechanism, we implement two suites of tools against buffer overflow attacks based on Pin and QEMU, which are dynamic binary translation systems on Linux. We also evaluate the performance and safety of both tools. The experimental results showed that both tools accurately detected the occurrence of attacks in the safety experiments. In the performance experiments, the QEMU-based tool executed the tested programs with a degradation between 11.2% and 41%, which is 11.1x faster than previous work, e.g. Read-Only RAR, and should be acceptable for common users. Although the Pin-based tool imposed higher overhead, it may work for both Windows and Linux applications because of the portability and availability of Pin on those platforms.
dc.description.provenance [en]: Made available in DSpace on 2021-06-15T04:31:10Z (GMT). No. of bitstreams: 1
ntu-98-R96944030-1.pdf: 1380352 bytes, checksum: 03737d7d647cff8b819f462e52477f6a (MD5)
Previous issue date: 2009
dc.description.tableofcontents: Contents
Acknowledgements
Abstract (Chinese)
Abstract
List of Tables
List of Figures
1 Introduction
  1.1 Protection against Buffer Overflow Attacks
  1.2 Binary Translation
  1.3 Motivation and Proposed Mechanism
  1.4 Thesis Organization
2 Background and Related Works
  2.1 Virtual Memory Layout of a Linux Process
  2.2 The Buffer Overflow Attacks
  2.3 Classification of Protection Mechanisms against Buffer Overflow Attacks
    2.3.1 Static Mechanisms
    2.3.2 Dynamic Mechanisms
  2.4 Related Works
    2.4.1 StackGuard
    2.4.2 StackShield and RAD
    2.4.3 Libsafe
  2.5 Dynamic Binary Translation and Optimization
  2.6 Virtual Machine
3 Design of the Detection Tool against Buffer Overflow Attacks
  3.1 The Detection Model
  3.2 Design Issues
    3.2.1 Neglected Frame Pointer
    3.2.2 Proper Recovery From the Corrupted State
    3.2.3 The Usage of system calls setjmp() and longjmp()
4 A Detection Tool based on Pin
  4.1 Introduction to Pin
  4.2 Implementation of a Pin-based Detection Tool
5 A Detection Tool based on QEMU
  5.1 Introduction to QEMU
  5.2 Implementation of a QEMU-based Detection Tool
6 Experiments and Evaluation
  6.1 Security Evaluation
    6.1.1 Testing the known vulnerable applications
    6.1.2 A demonstration of our detection tool
  6.2 Performance Evaluation
    6.2.1 Macro-Benchmark Results
    6.2.2 Micro-Benchmark Results
7 Conclusion and Future Work
Bibliography
dc.language.iso: en
dc.subject: Pin [zh_TW]
dc.subject: QEMU [zh_TW]
dc.subject: dynamic binary translation (動態執行檔轉譯) [zh_TW]
dc.subject: software security (軟體安全) [zh_TW]
dc.subject: stack smashing (堆疊覆寫) [zh_TW]
dc.subject: buffer overflow attacks (緩衝區溢位攻擊) [zh_TW]
dc.subject: QEMU [en]
dc.subject: buffer overflow attacks [en]
dc.subject: stack smashing [en]
dc.subject: software security [en]
dc.subject: dynamic binary translation [en]
dc.subject: Pin [en]
dc.title: Design of Buffer Overflow Attack Detection via a Dynamic Translation Mechanism (以動態轉譲機制偵測緩衝區溢位攻擊之設計) [zh_TW]
dc.title: Detection of Buffer Overflow Attacks via Dynamic Binary Translation [en]
dc.type: Thesis
dc.date.schoolyear: 97-2
dc.description.degree: Master's (碩士)
dc.contributor.oralexamcommittee: 郭大維 (Tei-Wei Kuo), 施吉昇 (Chi-Sheng Shih), 王勝德 (Sheng-De Wang)
dc.subject.keyword: buffer overflow attacks, stack smashing, software security, dynamic binary translation, Pin, QEMU (緩衝區溢位攻擊, 堆疊覆寫, 軟體安全, 動態執行檔轉譯, Pin, QEMU) [zh_TW]
dc.subject.keyword: buffer overflow attacks, stack smashing, software security, dynamic binary translation, Pin, QEMU [en]
dc.relation.page: 62
dc.rights.note: Licensed for a fee (有償授權)
dc.date.accepted: 2009-08-19
dc.contributor.author-college: College of Electrical Engineering and Computer Science (電機資訊學院) [zh_TW]
dc.contributor.author-dept: Graduate Institute of Networking and Multimedia (資訊網路與多媒體研究所) [zh_TW]
Appears in Collections: Graduate Institute of Networking and Multimedia (資訊網路與多媒體研究所)

Files in this item:
File: ntu-98-1.pdf | Access: not authorized for public access | Size: 1.35 MB | Format: Adobe PDF
Items in this system are protected by copyright, with all rights reserved, unless otherwise indicated.