Detection of Control Flow Attacks Based on Return Address Signature  Cited by: 1


Authors: YU Yunfei, WANG Pengjun[1,2], ZHANG Yuejun, ZHANG Huihong[1], ZHANG Haiming[1]

Affiliations: [1] Institute of Circuits and System, Ningbo University, Ningbo 315211, Zhejiang, China; [2] College of Electrical and Electronic Engineering, Wenzhou University, Wenzhou 325035, Zhejiang, China

Source: Journal of East China University of Science and Technology (Natural Science Edition), 2020, No. 6, pp. 800-806 (7 pages)

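Funding: National Natural Science Foundation of China (61871244, 61874078); Natural Science Foundation of Zhejiang Province (LY18F040002); Open Project of the State Key Laboratory of Cryptology (MMKFKT20187).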

Abstract: Attackers exploit software vulnerabilities to hijack a program's execution flow, redirect it to malicious code (shellcode) or to instructions that together make up malicious code, and execute it, ultimately gaining control over the behavior of the entire system. This kind of malicious attack is called a control flow attack. Based on a study of how control flow attacks work, this paper proposes a detection method based on return address signatures. First, when the processor executes the call instruction, the method triggers a pseudo-random number generator to produce a key K, XORs K with the return address being pushed onto the stack, and uses the MD5 algorithm to generate a push signature value for the XORed return address. Then, when the ret instruction is executed and the return address is popped from the stack, the key K is XORed with the popped return address, and the result is used as the input to the MD5 algorithm to generate a pop signature value. Finally, control flow attacks are detected according to whether the push signature value matches the pop signature value. The experimental results show that the return address signature values have good randomness and that the average reduction rate of control flow instructions available to an attacker reaches 81.27%, so the method can effectively detect control flow attacks caused by malicious tampering with the return address.

Keywords: control flow attack; return address; signature value; MD5 algorithm

Classification number: TP79 [Automation and Computer Technology: Detection Technology and Automation Devices]

 
