Research on Dynamic Taint Analysis Technology Based on Information Flow (基于信息流的动态污点分析技术研究)

【Author】 周凌 (Zhou Ling)

【Supervisor】 罗克露 (Luo Kelu)

【Author details】 电子科技大学 (University of Electronic Science and Technology of China), Computer Applied Technology, 2010, Master's thesis

【Abstract (translated from the Chinese)】 With the rapid development of computer and network technology, information networks have become an important guarantee for social development, and the network security problems that come with them have gradually become one of the most serious issues facing people in the information age. Theoretical analysis shows that the main reason various kinds of network attacks can pose a great threat to computer systems is that security vulnerabilities exist in computers and software systems as a result of their design, development and maintenance. For a long time, buffer overflow has been the most common of all kinds of security vulnerabilities. Buffer overflow vulnerabilities are very widespread and exist in all sorts of operating systems and application software. CERT claims that over 50% of network attacks exploit buffer overflow vulnerabilities. How to effectively detect and defend against this class of network attack is an urgent problem awaiting a solution. In the detection of network attacks and vulnerabilities there has already been fairly in-depth research work at home and abroad. However, the existing means are relatively backward: static analysis methods cannot adequately solve the problems of protecting against attacks at run time and detecting unknown attacks, while most dynamic analysis methods require the source code of the target program, which is unfavourable for protecting commercial software and for wide adoption. After in-depth study of buffer overflow vulnerabilities and their detection methods, this thesis proposes a new network attack detection method: dynamic taint analysis based on information flow. This is a detection technique aimed mainly at buffer overflow attacks; it works in real time, carries out monitoring and detection while the client program executes, does not require the client program's source code, and has a low false positive rate. The thesis first describes the research background and significance, buffer overflow attack and detection techniques, and other related background knowledge, and then mainly studies two important analysis methods of dynamic taint analysis: data flow analysis and control flow analysis. Data flow analysis identifies and marks external taint data mainly through instruction analysis, tracks the explicit information propagation of taint data through arithmetic-class and move-class instructions, detects suspicious situations such as taint data being used as a jump target address or as a format string parameter, and raises an attack alarm. Control flow analysis uses a control flow graph and an auxiliary stack to help analyse the implicit information flow caused by taint data passing through branch nodes, in order to reduce the false positive rate. Next, a prototype system is built on dynamic taint analysis technology, and the system design ideas and related implementation details are presented. Finally, the system is evaluated experimentally, being tested for both functionality and performance. The experiments show that dynamic taint analysis can accomplish the detection of buffer overflow attacks well, but its performance still needs to be improved.

【Abstract】 With the rapid development of computer and network technology, information networks have become an important guarantee for social development, and the ensuing issue of network security has become one of the most serious problems of the information age. Theoretical analysis shows that the main reason various types of network attacks are able to pose a great threat to computer systems is the security vulnerabilities introduced into computer and software systems during design, development and maintenance. For a long time, buffer overflow has been the most common of all kinds of security vulnerabilities. Buffer overflows are very common and widespread in a variety of operating systems and application software. CERT has claimed that more than 50% of network attacks are carried out using buffer overflow vulnerabilities. How to detect and protect against buffer overflow vulnerabilities effectively is a problem that needs to be resolved immediately. Around the world, research into the detection of attacks and vulnerabilities has been progressing well. However, some approaches have fallen behind. Static analysis methods cannot properly prevent attacks while the program is running or detect unknown attacks, while the main problem with dynamic analysis methods is that most of them need the target program's source code, so they cannot protect commercial software. After in-depth research on buffer overflow vulnerabilities, we present a new network attack detection approach: dynamic taint analysis based on information flow.

This is a detection approach against attacks based on buffer overflow vulnerabilities; it works in real time, dynamically monitoring the execution of the client program to prevent attacks from the network, does not require the client program's source code, and has low false positives. The thesis first describes the research background and significance, buffer overflow attack and prevention technology, and other background knowledge. Then we do the major research work on two important analytical methods of dynamic taint analysis: data flow analysis and control flow analysis. Data flow analysis works primarily through instruction analysis to identify and mark external taint data, tracks tainted data propagation caused by explicit information flow, detects when tainted data is used as a jump target address, a format string parameter and so on, and raises an alarm when an attack occurs. Control flow analysis uses a control flow diagram and an auxiliary stack to assist in analysing the implicit information flow of tainted data caused by the program's branch nodes, in order to reduce the false negatives. Then we build a prototype system based on dynamic taint analysis and show the system design and some implementation details. Finally, we give an experimental evaluation of the prototype system, from both the functionality side and the performance side. The experiments show that the approach of dynamic taint analysis based on information flow can complete the task of preventing buffer overflow attacks well, but its performance needs to be improved.
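The two analyses the abstract describes, explicit propagation through move/arithmetic instructions with an alarm on a tainted jump target, and an auxiliary stack that tracks implicit flow through tainted branches, as an added example on a toy register machine (this is not the thesis's prototype; the instruction set, the `run` function, register numbers and the `EXPLICIT`/`IMPLICIT` sample programs are constructed for illustration):

```python
# Toy dynamic taint tracker for a tiny register machine, added here as an example
# (not the thesis's prototype). Instruction set, register numbers and the two
# sample programs are constructed for illustration only.
INPUT, CONST, MOV, ADD, BR, JOIN, JMP, HALT = range(8)

def run(program, network_input, implicit_flows=True):
    regs, taint, alerts = {}, {}, []
    scope = []  # auxiliary stack: one entry per open branch, True if its condition was tainted
    pc = 0
    while pc < len(program):
        op, *a = program[pc]
        under_tainted_branch = implicit_flows and any(scope)
        if op == INPUT:                      # data received from the network is the taint source
            regs[a[0]], taint[a[0]] = network_input, True
        elif op == CONST:                    # constant, but tainted if assigned under a tainted branch
            regs[a[0]], taint[a[0]] = a[1], under_tainted_branch
        elif op == MOV:                      # move-class instruction: taint follows the value
            regs[a[0]], taint[a[0]] = regs[a[1]], taint[a[1]] or under_tainted_branch
        elif op == ADD:                      # arithmetic-class: tainted if either operand is tainted
            regs[a[0]] = regs[a[1]] + regs[a[2]]
            taint[a[0]] = taint[a[1]] or taint[a[2]] or under_tainted_branch
        elif op == BR:                       # branch to a[1] if register a[0] is non-zero
            scope.append(taint[a[0]])        # remember whether this branch depends on taint
            if regs[a[0]]:
                pc = a[1]
                continue
        elif op == JOIN:                     # CFG merge point that closes the innermost branch
            scope.pop()
        elif op == JMP:                      # indirect jump through a register
            if taint[a[0]]:                  # external data would choose the next instruction
                alerts.append(f"pc={pc}: tainted jump target r{a[0]}={regs[a[0]]:#x}")
                break
            pc = regs[a[0]]
            continue
        elif op == HALT:
            break
        pc += 1
    return regs, taint, alerts

# Sample 1: a network value flows through ADD into an indirect jump (explicit flow).
EXPLICIT = [(INPUT, 0), (CONST, 1, 0x10), (ADD, 2, 0, 1), (JMP, 2)]
# Sample 2: r1 is never computed from r0, yet the branch on r0 decides whether r1 = 1 runs.
IMPLICIT = [(INPUT, 0), (CONST, 1, 0), (BR, 0, 4), (CONST, 1, 1), (JOIN,), (HALT,)]

def explicit_alerts():
    return run(EXPLICIT, 0x40)[2]

def implicit_taint_of_r1(enabled):
    return run(IMPLICIT, 0, implicit_flows=enabled)[1][1]
```

With `implicit_flows=False` the second sample leaves r1 untainted even though its value is decided by network data; note that the scope-stack scheme still misses the not-taken path (when the branch skips the assignment, r1 keeps its untainted default), which is the usual limit of this kind of control-flow tracking.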
