

A Code Reuse Attack Defense Method Based on Code and Data Separation

Published: 2018-04-26 09:40

  Topics: code reuse attack + QEMU; Source: Huazhong University of Science and Technology, 2016 master's thesis


[Abstract]: A code reuse attack achieves its goal without introducing any external code, using only library functions or the program's own code. It is Turing-complete, and it is both highly dangerous and hard to notice. Mainstream operating systems now deploy defenses such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), which stop traditional code injection attacks and static code reuse attacks. Dynamic code reuse attacks, however, break through the protection built by DEP and ASLR and pose a new challenge to computer system security. Because a code reuse attack has to "scan" memory to assemble a usable chain of gadgets (reusable code fragments), this thesis proposes a code reuse attack defense method based on separating code and data. The method works at the virtual machine monitor layer and uses a virtual multi-TLB mechanism to separate reading code from executing it, which prevents the attacker from building a gadget chain and so defends against code reuse attacks. The virtual multi-TLB mechanism extends the memory management unit of an existing virtual machine by adding a DTLB whose structure and function are similar to those of the TLB. To remove the mixed readable-and-executable permission that code previously had, data is kept in read-only memory and code in execute-only memory, and the TLB and the DTLB are then used to access code and data respectively. A defense system based on this separation was built on the open source virtual machine QEMU. The defense process has three stages: preprocessing, page loading and page access. Preprocessing separates the data embedded in the code and stores it as a new section in the executable file; page loading places code and data in memory regions with different attributes; page access enforces the separation of reading code from executing it. In testing, the prototype system effectively hides gadgets (for example, the number of usable gadgets in msvcr7.dll drops from 3146 to 4) and correctly defends against code reuse attacks built on the CVE-2012-1876 and CVE-2012-1889 vulnerabilities; the system's performance overhead is 58.4%. The experimental results show that implementing the proposed defense method in a virtual machine system is effective and feasible.
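The split between reading and executing described in the abstract can be modelled in a few lines. This is an added toy example, not the thesis's QEMU code; the structure, function names, page size and sample bytes are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 64  /* toy page size for the demo */
typedef enum { ACCESS_FETCH, ACCESS_READ } access_t;

/* One guest virtual page backed by two frames (hypothetical layout). */
typedef struct {
    uint8_t exec_frame[PAGE_SIZE]; /* instructions, execute-only */
    uint8_t data_frame[PAGE_SIZE]; /* data split out in preprocessing, read-only */
} split_page_t;

/* Constructed sample: two short x86 routines ending in RET (0xC3),
 * followed by a 4-byte constant table at offset 7. */
static const uint8_t SAMPLE[] = {0x55, 0x89, 0xE5, 0x5D, 0xC3,
                                 0x58, 0xC3, 0x11, 0x22, 0x33, 0x44};

/* Dual lookup: fetches resolve via the TLB entry, loads via the DTLB entry. */
static const uint8_t *translate(const split_page_t *p, access_t a) {
    return a == ACCESS_FETCH ? p->exec_frame : p->data_frame;
}

/* Page-load stage: code goes to the exec frame; only the embedded-data
 * range [data_off, data_off + data_len) is copied to the data frame. */
void load_page(split_page_t *p, const uint8_t *img, size_t len,
               size_t data_off, size_t data_len) {
    memset(p, 0, sizeof *p);
    if (len > PAGE_SIZE) len = PAGE_SIZE;
    memcpy(p->exec_frame, img, len);
    if (data_off < len && data_len <= len - data_off)
        memcpy(p->data_frame + data_off, img + data_off, data_len);
}

/* Count RET opcodes visible through one access path. */
size_t visible_ret_bytes(const split_page_t *p, access_t a) {
    const uint8_t *view = translate(p, a);
    size_t n = 0;
    for (size_t i = 0; i < PAGE_SIZE; i++) n += (view[i] == 0xC3);
    return n;
}

int main(void) {
    split_page_t pg;
    load_page(&pg, SAMPLE, sizeof SAMPLE, 7, 4);
    printf("RET via fetch path: %zu\n", visible_ret_bytes(&pg, ACCESS_FETCH));
    printf("RET via read path:  %zu\n", visible_ret_bytes(&pg, ACCESS_READ));
    return 0;
}
```

The instruction bytes stay reachable for execution, while a memory read of the same virtual page returns only the separated data, so the legitimate constant table still loads correctly.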

[Degree-granting institution]: Huazhong University of Science and Technology
[Degree level]: Master's
[Year degree granted]: 2016
[Classification number]: TP309




Article ID: 1805467


Article link: http://sikaile.net/kejilunwen/ruanjiangongchenglunwen/1805467.html

