
Research on ROP Attack Mitigation Techniques on the Windows Platform

Published: 2018-12-07 07:18
[Abstract]: The Internet is the most dynamic and innovative industry of the twenty-first century, and it is deeply rooted in every corner of human society. While people enjoy the convenience the Internet brings, they overlook the security problems that come with it. Network security incidents have emerged one after another in recent years: the Google Aurora APT incident, the Hacking Team information leak, and the Baidu application Wormhole vulnerability all caused great damage, which shows how severe the current Internet security situation is. In these incidents, ROP attacks are receiving more and more attention from hackers and security researchers, because this attack method can bypass most current defenses. Addressing the prevalence of ROP attacks in current vulnerability attack and defense, this thesis studies the control transfers of normal programs and, on that basis, proposes a new ROP attack mitigation method and designs and implements a corresponding prototype mitigation system. The main work of the thesis is as follows.

First, building on the principles of debuggers, the thesis uses the guard page exception specific to Windows to propose a hot dynamic link library analysis method, and implements the HMAT instruction analysis tool according to this method. HMAT can analyze in detail how a program executes at the assembly instruction level at run time, and can analyze selected dynamic link libraries within a process according to the user's needs. Using HMAT to analyze several programs that ship with Windows, the three classes of indirect jump instructions (call, jmp and ret) are studied in detail. The study finds that these three classes of indirect jumps behave differently during normal execution than they do under a ROP attack, so a ROP attack on the current program can be detected by checking the completeness of the three classes of indirect jumps during execution.

Second, the thesis studies three questions that must be faced when detecting and defending against ROP attacks: when during program execution to check, at which points to check, and by what method to identify a ROP attack. Building on traditional detection methods, it decides to check whether the current program is under attack when critical functions are called, and defines the criteria for selecting those functions. Finally, it proposes using single-step debugging to identify every instruction executed and judging whether a ROP attack is in progress from the completeness of the indirect jumps in the instruction sequence.

Third, based on the results for these three questions, the thesis proposes a ROP attack mitigation scheme and implements a prototype system according to the design. The goals of the mitigation system and the design of each module are described in detail. Finally, the prototype ROP attack mitigation system is tested in detail with three vulnerability samples, and the test results show that the system can effectively defend against ROP attacks.
[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree conferred]: 2016
[Classification number]: TP393.08

Related master's theses

1 Xu Yunqing; Research on ROP Attack Mitigation Techniques on the Windows Platform [D]; University of Electronic Science and Technology of China; 2016
