以動態轉譯機制偵測緩衝區溢位攻擊之設計
Detection of Buffer Overflow Attacks via Dynamic Binary Translation

Thesis (Master's), 2009
Author: 陳雋中 Chen, Chun-Chung
Advisor: 洪士灝 Hung, Shih-Hao
National Taiwan University, Graduate Institute of Networking and Multimedia
Record ID: U0001-1908200909581000
Record: http://ntur.lib.ntu.edu.tw//handle/246246/180746
Full text (PDF): http://ntur.lib.ntu.edu.tw/bitstream/246246/180746/1/ntu-98-R96944030-1.pdf
Dates: 2010-05-05 (available), 2018-07-05 (last modified)

Abstract (Chinese, translated)

The development of computers and the Internet has made life more convenient, but it has also forced us to confront serious information-security problems. Buffer overflow attacks are currently among the most threatening system-intrusion techniques. Such an attack exploits a target system that, when reading a string from the outside, neglects to validate the string's length (bounds checking). The attacker thus has the opportunity to supply a string longer than the receiving buffer and cause an overflow. The overlong string overwrites the program's control-flow data adjacent to the buffer, redirecting execution to the malicious code embedded in the attack string, which then carries out the attacker's chosen procedure.

Traditional defences against buffer overflow attacks have their limits. Waiting for a software patch to be released, needing the source code in order to recompile, modifying the operating system or the hardware architecture, and so on, all restrict their timeliness or practicality. This thesis proposes a dynamic detection mechanism that, using dynamic binary translation, protects executables (binaries) that may contain vulnerabilities without requiring source code, by ensuring the integrity of every procedure's return address and stack frame pointer. As soon as either is found to have been tampered with, an alert is raised to the administrator and the corresponding backup copy is restored so that the program keeps running normally.

To validate the proposed defence, we first built two tools with the defence mechanism on Linux, based on the dynamic binary translators Pin and QEMU, and evaluated the security and performance of both. The experimental results show that, for security, both tools accurately detect attacks; for performance, the QEMU-based tool reduces the monitored program's execution performance less, by roughly 11.2% to 41%, which should be acceptable to ordinary users. The Pin-based tool is less efficient, but because the Pin platform itself is more portable, our detection tool can be applied on both Linux and Windows, offering comprehensive dynamic protection to more users.

Abstract

Modern computer and network technologies improve some aspects of human life, but also compel us to face numerous security problems. Buffer overflow attacks are currently among the most serious threats to computer systems. A buffer overflow vulnerability is caused when a program reads an input string without careful bound-checking. Hence, attackers can exploit this type of vulnerability by sending an input which is longer than the fixed-size input buffer. Once the adjacent control data is corrupted by the overflowed data, the program control flow is redirected to malicious code.

Traditional defense mechanisms against buffer overflow attacks are constrained by certain restrictions, such as waiting for the patch that fixes the vulnerability, acquiring source code to recompile programs, modifying the operating system or hardware architecture, etc. Thus, the efficiency or practicability of those mechanisms is restricted.

This thesis proposes a mechanism to dynamically detect buffer overflow attacks. With dynamic binary translation techniques, our mechanism does not need source code and directly provides protection for binaries that may contain buffer overflow vulnerabilities. Our mechanism ensures the correctness of the return address and stack frame pointer. If these control data are detected to be corrupted, the detection tool alerts the system administrator. Furthermore, the corrupted control data can be recovered so that the attacked program preserves its normal control flow.

In order to verify our proposed protection mechanism, we implement two tools against buffer overflow attacks based on Pin and QEMU, both dynamic binary translation software on Linux, and evaluate the performance and safety of both tools. The experimental results show that both tools accurately detected the occurrence of attacks in the safety experiments. In the performance experiments, the QEMU-based tool executed the tested programs with a degradation between 11.2% and 41%, which is 11.1x faster than previous work, e.g. Read-Only RAR, and should be acceptable for common users. Although the Pin-based tool imposed higher overhead, it may work for both Windows and Linux applications because of the portability and availability of Pin on those platforms.

Contents

Acknowledgements
Abstract (Chinese)
Abstract
List of Tables
List of Figures
1 Introduction
1.1 Protection against Buffer Overflow Attacks
1.2 Binary Translation
1.3 Motivation and Proposed Mechanism
1.4 Thesis Organization
2 Background and Related Works
2.1 Virtual Memory Layout of a Linux Process
2.2 The Buffer Overflow Attacks
2.3 Classification of Protection Mechanisms against Buffer Overflow Attacks
2.3.1 Static Mechanisms
2.3.2 Dynamic Mechanisms
2.4 Related Works
2.4.1 StackGuard
2.4.2 StackShield and RAD
2.4.3 Libsafe
2.5 Dynamic Binary Translation and Optimization
2.6 Virtual Machine
3 Design of the Detection Tool against Buffer Overflow Attacks
3.1 The Detection Model
3.2 Design Issues
3.2.1 Neglected Frame Pointer
3.2.2 Proper Recovery From the Corrupted State
3.2.3 The Usage of system calls setjmp() and longjmp()
4 A Detection Tool based on Pin
4.1 Introduction to Pin
4.2 Implementation of a Pin-based Detection Tool
5 A Detection Tool based on QEMU
5.1 Introduction to QEMU
5.2 Implementation of a QEMU-based Detection Tool
6 Experiments and Evaluation
6.1 Security Evaluation
6.1.1 Testing the known vulnerable applications
6.1.2 A demonstration of our detection tool
6.2 Performance Evaluation
6.2.1 Macro-Benchmark Results
6.2.2 Micro-Benchmark Results
7 Conclusion and Future Work
Bibliography

Keywords: 緩衝區溢位攻擊 (buffer overflow attacks), 堆疊覆寫 (stack smashing), 軟體安全 (software security), 動態執行檔轉譯 (dynamic binary translation), Pin, QEMU
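The call/return check the abstract describes (record the return address and saved frame pointer when a call is instrumented, compare them when the procedure returns, alert and restore the backup on a mismatch), written out as an added example. This is not the thesis's Pin or QEMU tool: instead of instrumenting real instructions, the activation record is simulated as a C struct so the overflow lands deterministically on the two control-data words on any platform. The addresses, the attack input and the names on_call, on_return, vulnerable_copy and simulate are constructed for the example. The omitted-frame-pointer and setjmp()/longjmp() cases that Section 3.2 of the thesis treats are not handled here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample control data for the protected frame (hypothetical values). */
#define ORIGINAL_FP  ((uintptr_t)0xbffff000u)
#define ORIGINAL_RET ((uintptr_t)0x08048abcu)

/* One activation record laid out as on an x86 stack, lowest address first:
 * local buffer, caller's saved frame pointer, return address.  A write that
 * runs past buf lands on the two control-data words the detector guards. */
typedef struct {
    char      buf[16];
    uintptr_t saved_fp;
    uintptr_t ret_addr;
} frame_t;

/* Backup of the control data, recorded when the call is instrumented. */
typedef struct {
    uintptr_t fp;
    uintptr_t ret;
} shadow_entry_t;

enum { SHADOW_MAX = 64 };
static shadow_entry_t shadow[SHADOW_MAX];
static size_t         shadow_top;

typedef enum {
    RET_OK,           /* control data intact                              */
    RET_RECOVERED,    /* corruption detected, alert raised, backup restored */
    RET_SHADOW_EMPTY  /* return with no recorded call                     */
} ret_status_t;

/* Hook at each CALL: remember the control data the callee must return with. */
static bool on_call(const frame_t *f)
{
    if (shadow_top == SHADOW_MAX)
        return false;
    shadow[shadow_top].fp  = f->saved_fp;
    shadow[shadow_top].ret = f->ret_addr;
    shadow_top++;
    return true;
}

/* Hook at each RET: compare against the backup; on mismatch, alert and restore
 * both words so the program returns where it was supposed to. */
static ret_status_t on_return(frame_t *f)
{
    if (shadow_top == 0)
        return RET_SHADOW_EMPTY;
    const shadow_entry_t *s = &shadow[--shadow_top];
    if (f->ret_addr == s->ret && f->saved_fp == s->fp)
        return RET_OK;
    fprintf(stderr,
            "ALERT: return address %#llx (expected %#llx), frame pointer %#llx "
            "(expected %#llx); restoring backup\n",
            (unsigned long long)f->ret_addr, (unsigned long long)s->ret,
            (unsigned long long)f->saved_fp, (unsigned long long)s->fp);
    f->ret_addr = s->ret;
    f->saved_fp = s->fp;
    return RET_RECOVERED;
}

/* The unchecked copy the attack model assumes: the input length is trusted, so
 * anything longer than buf spills into saved_fp and ret_addr.  The clamp only
 * keeps the simulation inside the struct; a real strcpy() has no such limit. */
static void vulnerable_copy(frame_t *f, const unsigned char *input, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy(f, input, len);
}

/* One instrumented call/return round trip with either a benign or an overlong,
 * attacker-shaped input.  Returns the verdict of the return-time check and,
 * through *out, the frame as the program would actually return with it. */
ret_status_t simulate(bool attack, frame_t *out)
{
    frame_t f = { {0}, ORIGINAL_FP, ORIGINAL_RET };
    unsigned char input[sizeof(frame_t)];
    size_t len;

    shadow_top = 0;
    (void)on_call(&f);

    if (!attack) {
        const char *hello = "hello";            /* constructed benign input, fits in buf */
        len = strlen(hello) + 1;
        memcpy(input, hello, len);
    } else {
        /* constructed attack input: filler to the end of buf, then a fake
         * frame pointer and a fake return address */
        uintptr_t fake_fp = 0x41414141u, fake_ret = 0xdeadbeefu;
        memset(input, 'A', sizeof input);
        memcpy(input + offsetof(frame_t, saved_fp), &fake_fp, sizeof fake_fp);
        memcpy(input + offsetof(frame_t, ret_addr), &fake_ret, sizeof fake_ret);
        len = sizeof input;
    }

    vulnerable_copy(&f, input, len);
    ret_status_t status = on_return(&f);
    if (out)
        *out = f;
    return status;
}

/* Control data the program would return with after the check, for inspection. */
uintptr_t ret_addr_after(bool attack) { frame_t f; simulate(attack, &f); return f.ret_addr; }
uintptr_t saved_fp_after(bool attack) { frame_t f; simulate(attack, &f); return f.saved_fp; }

int main(void)
{
    printf("benign input: %s\n", simulate(false, NULL) == RET_OK ? "OK" : "alert");
    printf("overlong input: %s, ret_addr after check = %#llx\n",
           simulate(true, NULL) == RET_RECOVERED ? "detected and recovered" : "missed",
           (unsigned long long)ret_addr_after(true));
    return 0;
}
```

The benign run passes the return check untouched; the overlong run triggers the alert on stderr and returns with the original return address and frame pointer restored, which is the recovery behaviour the abstract claims. Because the check compares both words, a payload that rewrites only the frame pointer (to pivot the caller's frame) is caught as well as one that rewrites the return address.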