Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/94322

Full metadata record (DC field: value [language])

dc.contributor.advisor: 黎士瑋 [zh_TW]
dc.contributor.advisor: Shih-Wei Li [en]
dc.contributor.author: 曾詠琪 [zh_TW]
dc.contributor.author: Yung-Chi Tseng [en]
dc.date.accessioned: 2024-08-15T16:48:44Z
dc.date.available: 2024-08-16
dc.date.copyright: 2024-08-15
dc.date.issued: 2024
dc.date.submitted: 2024-08-02
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/94322
dc.description.abstract [zh_TW]: Modern applications incorporate numerous functionalities to meet diverse user needs and rely on system calls to communicate with the kernel. However, system calls also give attackers an opportunity to compromise a process or even the entire system. For example, abusing execve can lead to privilege escalation, while mprotect can allow shellcode injection.

Although recent efforts aim to protect control flow so that system calls cannot be abused, research has shown that attackers can bypass these protections without disrupting the execution flow. Therefore, in this paper we propose a novel Argument Integrity framework that prevents system call arguments and function pointers from being hijacked. We perform static analysis of the use-def chains of system call arguments and function pointers and copy them into a secure region at runtime. In addition, we leverage a software shadow call stack to improve the efficiency and effectiveness of argument integrity protection. By enforcing these invariants, we can effectively detect real-world CVEs and sophisticated attack scenarios.

We implement this framework as a customized LLVM compiler and a C++ runtime library. Tested on real-world applications, our prototype shows that our approach introduces only modest overhead, specifically 1.82% on NGINX.
dc.description.abstract [en]: Modern applications incorporate numerous functionalities to meet diverse user needs, relying on system calls to communicate with the kernel. However, system calls also provide opportunities for attackers to compromise processes or, even worse, the entire system. For example, abusing execve can lead to privilege escalation, while mprotect can enable shellcode injection.

Although recent efforts have aimed to protect control flow to prevent the abuse of system calls, studies have shown that attackers can bypass these protections without disrupting the execution flow. Therefore, in this paper, we propose a novel Argument Integrity framework that safeguards system call arguments and function pointers from hijacking. We perform static analysis of the use-def chain of system call arguments and function pointers, and create copies of them in a secure region during runtime. Additionally, we leverage a software shadow call stack to enhance the efficiency and effectiveness of argument integrity protection. By enforcing these invariants, we can effectively detect real-world CVEs and sophisticated attack scenarios.

We implemented our framework as a customized LLVM compiler and a C++ runtime library. Our prototypes, tested on real-world applications, demonstrate that our approach introduces only modest overhead, specifically 1.82% on NGINX.
dc.description.provenance [en]: Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2024-08-15T16:48:44Z. No. of bitstreams: 0
dc.description.provenance [en]: Made available in DSpace on 2024-08-15T16:48:44Z (GMT). No. of bitstreams: 0
dc.description.tableofcontents:
Verification Letter from the Oral Examination Committee i
Acknowledgements ii
Abstract (Chinese) iii
Abstract iv
Contents vi
List of Figures ix
List of Tables x
Chapter 1 Introduction 1
Chapter 2 Background 4
2.1 Attack Scenario 4
2.1.1 ROP 4
2.1.2 Signal Return Oriented Programming (SROP) 4
2.2 Data-Flow Integrity (DFI) 5
2.3 Current Protection Mechanisms 5
2.3.1 System Call Protection 5
2.3.2 Shadow Call Stack 7
Chapter 3 Threat Model and Assumptions 9
Chapter 4 Design 10
4.1 Motivation 10
4.2 Overview 10
4.3 Attack Scenario 11
4.4 Methodology 12
4.5 Argument Integrity Instrumentation API 13
4.6 Sensitive Variable Instrumentation 14
4.7 Extra Instrumentation of Function Pointer 16
4.8 Shadow Memory Allocation 17
4.9 Shadow Memory Integrity 18
Chapter 5 Implementation 20
Chapter 6 Security Evaluation 22
6.1 ROP 22
6.2 SROP 22
6.3 Direct System Call Manipulation 24
6.4 Non-Control Data Attacks on System Call Argument 24
6.5 Indirect System Call Manipulation 25
Chapter 7 Performance Evaluation 27
7.1 Application Performance 28
7.2 Discussion 29
7.2.1 Do we need to protect function pointer argument integrity? 29
Chapter 8 Related Work, Limitation and Future Work 31
8.1 Related Work 31
8.2 Limitation 33
8.2.1 Recompile System Libraries 33
8.2.2 Data-Oriented Programming 33
8.3 Future Work 34
8.3.1 Protection of Global Variables 34
Chapter 9 Conclusions 36
References 37
dc.language.iso: zh_TW
dc.subject: System Security [zh_TW]
dc.subject: Operating Systems [zh_TW]
dc.subject: Compiler [zh_TW]
dc.subject: Memory corruption attack [zh_TW]
dc.subject: Operating Systems [en]
dc.subject: Compiler [en]
dc.subject: System Security [en]
dc.subject: Memory corruption attack [en]
dc.title: Protecting Argument Integrity to Prevent the Abuse of Sensitive System Calls [zh_TW]
dc.title: Protecting Argument Integrity to Mitigate the Abuse of Sensitive System Calls [en]
dc.type: Thesis
dc.date.schoolyear: 112-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee: 廖世偉;陳君朋 [zh_TW]
dc.contributor.oralexamcommittee: Shih-Wei Liao;Jiun-Peng Chen [en]
dc.subject.keyword: System Security,Operating Systems,Compiler,Memory corruption attack [zh_TW]
dc.subject.keyword: System Security,Operating Systems,Compiler,Memory corruption attack [en]
dc.relation.page: 42
dc.identifier.doi: 10.6342/NTU202402928
dc.rights.note: Authorization granted (open access worldwide)
dc.date.accepted: 2024-08-06
dc.contributor.author-college: College of Electrical Engineering and Computer Science
dc.contributor.author-dept: Department of Computer Science and Information Engineering
Appears in collections: Department of Computer Science and Information Engineering

Files in this item:
File: ntu-112-2.pdf, Size: 804.79 kB, Format: Adobe PDF