面向Linux的内核级代码复用攻击检测技术  被引量:8

Kernel Code Reuse Attack Detection Technique for Linux

在线阅读下载全文

作  者:陈志锋[1,2] 李清宝[1,2] 张平[1,2] 王烨[1,2] 

机构地区:[1]解放军信息工程大学,河南郑州450001 [2]数学工程与先进计算国家重点实验室,河南郑州450001

出  处:《软件学报》2017年第7期1732-1745,共14页Journal of Software

基  金:"核高基"国家科技重大专项(2013JH00103);国家高技术研究发展计划(863)(2009AA01Z434)~~

摘  要:近年来,代码复用攻击与防御成为安全领域研究的热点.内核级代码复用攻击使用内核自身代码绕过传统的防御机制.现有的代码复用攻击检测与防御方法多面向应用层代码复用攻击,忽略了内核级代码复用攻击.为有效检测内核级代码复用攻击,提出了一种基于细粒度控制流完整性(CFI)的检测方法.首先根据代码复用攻击原理和正常程序控制流构建CFI约束规则,然后提出了基于状态机和CFI约束规则的检测模型.在此基础上,基于编译器,辅助实现CFI标签指令插桩,并在Hypervisor中实现CFI约束规则验证,提高了检测方法的安全性.实验结果表明,该方法能够有效检测内核级代码复用攻击,并且性能开销不超过60%.Recently, code reuse attack and defensive techniques have been a hot area in security research. Kernel-Level code reuse attacks use kernel code to bypass traditional defensive mechanisms. Existing code reuse attacks detection and defensive methods mainly focus on user-level code reuse attacks, ignoring kernel-level code reuse attacks. In order to detect kernel-level code reuse attacks effectively, a detection method based on fine-grained control flow integrity (CFI) is proposed. Firstly, CFI constraint rules are constructed according to the code reuse attack principles and the control flows of normal programs. Then, a detection model based on state machine and CFI constraint rules is developed. Next, CFI label checking instructions are instrumented based on GCC-plugin. Furthermore, CFI constraint rules are verified on Hypervisor, boosting the security of the method. The experiment results show that this method can effectively detect kernel-level code reuse attacks, and performance evaluations indicate that performance penalty induced by this method is less than 60%.

关 键 词:代码复用攻击 内核 控制流完整性 插桩 约束规则 

分 类 号:TP311[自动化与计算机技术—计算机软件与理论]

 

参考文献:

正在载入数据...

 

二级参考文献:

正在载入数据...

 

耦合文献:

正在载入数据...

 

引证文献:

正在载入数据...

 

二级引证文献:

正在载入数据...

 

同被引文献:

正在载入数据...

 

相关期刊文献:

正在载入数据...

相关的主题
相关的作者对象
相关的机构对象