
A QEMU-Based Detection System for Kernel Code-Reuse Attacks

Published: 2018-05-31 18:13

  Topic of this paper: kernel code-reuse attacks + QEMU; Reference: Xidian University, 2014 master's thesis


[Abstract]: As a new type of attack, code-reuse attacks do not need to inject any code into the system; they carry out a complete attack using only existing (legitimate) code, and are therefore highly damaging. Code-reuse attacks can bypass many traditional security mechanisms (such as code integrity protection), which greatly increases the attack success rate. By using techniques such as buffer overflows to tamper with the target address of a jump instruction (for example, a return address), an attacker can gain control of the system's instruction flow; and because the number of jump instructions is huge, the attacker has many options. Although researchers have developed some methods to detect this kind of attack, the diversity of attack methods and compatibility problems mean that these methods still cannot meet system security requirements. This thesis uses the QEMU virtual machine manager as its platform. Through study of the QEMU source code, it masters the principles of QEMU's dynamic binary translation and its TCG (Tiny Code Generator) intermediate code, and on this basis designs and implements a code-reuse attack detection system. Because the main technique of code-reuse attacks is to tamper with the target address of jump instructions and so change the execution flow of system instructions, the jump instructions in the kernel need to be monitored and checked. These instructions mainly include the ret instruction, the indirect call instruction and interrupt instructions. The operating system kernel is run under the QEMU virtual machine manager; because QEMU is implemented with binary instruction translation, every instruction of the kernel is translated and executed inside QEMU. By modifying QEMU's functional modules, the system traverses and inspects every instruction in the operating system kernel, identifies how the ret, indirect call and interrupt instructions are translated, and records the jump target addresses of these instructions; comparing the recorded information with legitimate information then makes it possible to detect code-reuse attacks. Finally, the thesis implements a prototype system based on QEMU and the Linux operating system and carries out output tests and performance tests on it. The test results show that the prototype effectively records the jump instructions tampered with by a code-reuse attack, and that comparison then shows whether the system has been attacked. As measured with professional tools, the performance overhead of the original system and that of the system with the added functional module differ by about 4%, so the system cost is small.
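
The comparison step described in the abstract, as an added example that is not code from the thesis: a checker that takes logged ret, indirect-call and interrupt targets and flags any that fall outside a per-kind set of legitimate targets. The record layout, the allow-set representation and every address are assumptions made for illustration; the abstract does not say how the thesis stores its legitimate information.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The three kinds of control transfer the abstract says are monitored. */
enum xfer_kind { XFER_RET, XFER_ICALL, XFER_INT, XFER_KINDS };
/* One logged transfer (hypothetical record layout, not the thesis's). */
struct xfer_rec { enum xfer_kind kind; uint64_t pc, target; };
/* Legitimate targets for one kind, e.g. gathered from a known-clean run. */
struct allow_set { const uint64_t *addrs; size_t n; };

static int is_allowed(const struct allow_set *s, uint64_t target) {
    for (size_t i = 0; i < s->n; i++) if (s->addrs[i] == target) return 1;
    return 0;
}

/* Store indices of records whose target is not legitimate for their kind
 * in out[] (at most cap of them); return the total number of violations. */
size_t check_trace(const struct xfer_rec *t, size_t n,
                   const struct allow_set *allow, size_t *out, size_t cap) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if ((unsigned)t[i].kind < XFER_KINDS &&
            is_allowed(&allow[t[i].kind], t[i].target)) continue;
        if (bad < cap) out[bad] = i;
        bad++;
    }
    return bad;
}

/* Constructed sample data: every address below is made up. */
static const uint64_t RET_SITES[] = { 0xffffffff81001005ULL, 0xffffffff81002013ULL };
static const uint64_t FUNC_ENTRIES[] = { 0xffffffff81001000ULL, 0xffffffff81003000ULL };
static const uint64_t INT_HANDLERS[] = { 0xffffffff81a00000ULL };
static const struct allow_set ALLOW[XFER_KINDS] = {
    { RET_SITES, 2 }, { FUNC_ENTRIES, 2 }, { INT_HANDLERS, 1 } };
static const struct xfer_rec TRACE[] = {
    { XFER_RET,   0xffffffff81001200ULL, 0xffffffff81001005ULL }, /* ok */
    { XFER_ICALL, 0xffffffff81001300ULL, 0xffffffff81003000ULL }, /* ok */
    { XFER_RET,   0xffffffff81003040ULL, 0xffffffff8100300aULL }, /* mid-function */
    { XFER_INT,   0xffffffff81001500ULL, 0xffffffff81a00000ULL }, /* ok */
    { XFER_ICALL, 0xffffffff81001600ULL, 0xffffffff81002013ULL }, /* not an entry */
};

int main(void) {
    size_t idx[8], n = check_trace(TRACE, sizeof TRACE / sizeof TRACE[0], ALLOW, idx, 8);
    for (size_t i = 0; i < n && i < 8; i++) printf("violation at record %zu\n", idx[i]);
    return n != 0;
}
```

Keeping a separate set per instruction kind is what catches the last record: its target is a valid return site but not a function entry, so it is legitimate for a ret and not for an indirect call.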
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08


Article ID: 1960810



Link to this article: http://sikaile.net/guanlilunwen/ydhl/1960810.html

