【作者】 刘智；

【导师】 吴跃；

【作者基本信息】 电子科技大学 ， 计算机软件与理论， 2013， 博士

【摘要】 网络攻击自从上世纪八十年代Morris蠕虫出现以来，一直给互联网和用户带来严重威胁。造成各种攻击的根源是软件漏洞。虽然工业界和学术界提出各种技术保护软件及操作系统安全，但攻击数量仍有增无减；而漏洞攻击技术也不断发展，从缓冲区溢出到最近的Return-Oriented-Programming(ROP)攻击。漏洞攻击检测是信息安全领域的研究热点，特别是如何在二进制代码级检测攻击更是业界关注的焦点，但x86指令的复杂性和WYSINWYX(What You See Is Not What YouExecute)给检测带来诸多挑战。在二进制代码级检测攻击不仅可用于攻击防御，而且能为漏洞分析和zero-day漏洞挖掘提供帮助，同时有助于设计更有效的编译器和操作系统级防御机制。然而当前漏洞攻击检测技术存在若干问题：首先，相当部分的防御检测手段都需要源码，但商业软件不提供源码；其次，大部分防御技术都是纯粹的静态或动态分析，牺牲了准确性或效率，没有将两者结合起来，特别是对于最新的ROP攻击，目前还未找到一种合适的检测方法。总的来说，当前漏洞攻击的发展给攻击检测提出了新的要求，而以Stack canary、NX、特征码匹配为代表的经典防御技术已不能满足对于目前攻击的检测需求。本文对动态污点分析、控制流安全以及复杂shellcode三个方面进行了深入细致的研究，取得了四方面成果：1．提出了若干种技术加强动态污点分析，能够准确检测一种重要类型的攻击--内存溢出攻击，并提高了系统效率。首先，设计和实现了一种高效shadowmemory，能够在较低时间复杂度和空间复杂度存储查询shadow bit。提出了x86指令层次化结构分析，有效克服了x86指令的复杂性，通过它制定准确污点传播策略。传统污点分析只在指令级传播污点，缺乏过程级传播，为此提出了两种技术加强过程级污点传播的准确性与效率，分别是函数局部变量残留污点清除与函数摘要。基于动态插桩工具实现了原型系统MANGO，并对真实攻击进行了测试，实验结果表明MANGO能有效检测内存溢出攻击，并且系统效率得到提升。2．提出了一种新的ROP攻击检测方法。当前检测技术依赖ROP某些特征检测攻击，但无法准确区分正常指令执行与ROP攻击，因此误报率较高。本文通过分析实际ROP代码，确定了ROP的表现特征与功能特征，并依赖它们作为检测依据。同时，纯粹的动态分析对程序性能影响较大，并且无法在gadget执行前阻止攻击，本文提出了黑盒模拟gadget思想加强检测效率与效果。原型系统通过动态插桩工具实现，通过自动化工具对真实shellcode生成ROP攻击样本，并对其进行测试，实验结果表明我们提出的方法在检测准确性和效率都优于当前ROP攻击检测方法。3．提出了一种基于地址完整性检查的函数指针攻击检测方法FPGuard，其思想是判断间接跳转指令的目标地址是否位于合法函数范围。FPGuard与CFI的最大区别是前者的检查代码位于程序外部，能有效分析间接跳转指令。除了传统注入攻击，攻击者仍有可能利用函数指针覆盖进行ROP攻击，同时本文在实验中发现C++程序存在多函数入口点。提出了两阶段方法检测攻击，第一步是粗粒度的range check，第二步是细粒度的黑盒模拟gadget(用于检测ROP攻击)。通过测试真实攻击，FPGuard能准确检测注入代码与ROP攻击。并且由于FPGuard采用高效数据结构存储查询函数地址信息，保证了较高的效率。FPGuard是目前首个能同时检测(通过覆盖函数指针)注入代码攻击与ROP攻击的技术。4．提出了一种有效的自修改多态shellcode(SMPS)检测方法。通过实际SMPS样本，我们观察到SMPS的一个重要特点是动态代码字节生成，基于此特点提出一种有效的静态与动态结合检测算法。首先用反汇编得到静态代码字节，然后将payload放入模拟器执行，比较两者之间差异，如果不同则检测到SMPS。为了过滤正常payload，实现了一种简单有效的过滤机制。对Metasploit提供的真实SMPS样本进行测试，实验结果表明检测效果非常好，同时对正常网络流进行了误报率测试，实验结果显示误报率较低。更多还原

【Abstract】 Network attacks have caused great threats since the Morris worm in1980’, and theroot cause of various attacks is software vulnerability. The number of attacks has beenin steady growth, though industry and academia have proposed a bunch of techniquesto protect software and operating system security. Attacking techniques have been de-veloping, from buffer overflow to recent Return-Oriented-Programming(ROP). Vulne-rability attack detection is a hot area in information security, especially binarycode-level detection is the focus in industry, however, the complexity of x86instruc-tions and WYSINWYX(What You See Is Not What You Execute) give rise to manychallenges.Binary code level detection can not only defend attacks, but also provide sugges-tions for vulnerability analysis and zero-day vulnerability mining. It is also beneficialto design effective compiler-and OS-level defense. However, current detectionsagainst attacks have several vital limitations. First, a large fraction of defense tech-niques require source code which is unavailable for commercial software, and thus bi-nary code analysis is a must; second, most detection techniques are pure static or dy-namic analysis that sacrifices accuracy or efficiency, and there is no seamless combi-nation. Particularly, for recent ROP attacks, there is no effective defense. In brief, cur-rent attacks demand new defense techniques, but classical defenses such as stack ca-nary, NX and signature matching are unable to meet the demands.This dissertation performs in-depth and elaborate research in three categories, in-cluding dynamic taint analysis, control flow integrity and complex shellcode. Weachieve four major contributions:1. Proposed several novel techniques to strengthen dynamic taint analysis, whichis able to accurately detect a major attack form-memory corruption attack. Designedand implemented efficient shadow memory, which can store and query shadow bit inlow time and space complexity. Proposed structured and hierarchy analysis of x86in-structions, which overcomes the difficulty of x86instruction complexity. Using suchinstruction analysis, we design accurate taint propagation policies. Traditional taint analysis propagate taint value only on instruction level, lacking of procedure levelpropagation. Two techniques are proposed to enhance effectiveness and accuracy ofprocedure-level propagation that they are remaining taint data clear and function sum-mary. The prototype system is developed using dynamic binary instrumentation tool.The system is evaluated with real-world attacks and experiment results demonstratethat our system can effectively detection memory corruption attacks, moreover, systemperformance has also improved.2. A novel technique against ROP is proposed. Current approaches rely on partialfeatures of ROP for detection, but they are unable to accurately distinguish normal in-struction execution and ROP attacks, which may cause high false positives. Throughreal ROP exploits study, we establish the manifested feature and functional feature ofROP and by using them to detect ROP attacks. Meanwhile, pure dynamic analysis in-curs high overhead, and more important, it cannot block attack before gadgets are ex-ecuted. We propose a new technique, black-box gadget emulation, to overcome theseproblems. The prototype system is built with dynamic binary instrumentation. ROPexploits are generated with an automatic tool. Experiment results show our system issuperior to existing ROP detection techniques in terms of both accuracy and efficiency.3. A new function pointer defense technique called FPGuard is proposed. FPGuardworks by sanitizing address that checks if jump targets fall in legal function addressspace. The major difference between FPGuard and CFI is that the checking code ofFPGuard is placed out of program, which can analyze indirect jumps. Besides tradi-tional code injection attacks, attackers are still able to mount ROP attacks. We alsofound there are non-entry function calls in C++programs. A two-step detection tech-nique is proposed. Tthe first step is coarse-grained range check, and the second step isfine-grained black-box gadget emulation. By evaluating real-world exploits, FPGuardcan accurately detection code injection and ROP attacks. System performance is guar-anteed, as FPGuard uses efficient data structure to store and query function addressinformation. FPGuard is the fist system that can detect both code injection and ROPattacks which are exploited by overwriting function pointer.4. A technique of detecting Self-Modify Polymorphic Shellcode(SMPS) is pro-posed. By studying real SMPS samples, we found a major characteristic of SMPS isdynamic code generation. Based on this feature, we propose an effective detection technique by combining static and dynamic analysis. First, it obtains static code bytesusing disassembling, and then obtains dynamic code bytes by emulation. If static anddynamic code are different, it implies a SMPS instance is identified. A simple and ef-fective filtering method is used to filter normal payload. We evaluate the system withSMPS instances generated by Metasploit, and results show it achieves satisfactory re-sults, and also by evaluating false positives with innocuous flows, it reveals false posi-tive rate is very low.更多还原