面向Cisco IOS的ROP攻击检测方法  

作　　者：李鹏宇 刘胜利 尹小康[1,2] 刘昊晖 LI Peng-yu;LIU Sheng-li;YIN Xiao-kang;LIU Hao-hui(State Key Laboratory of Mathematical Engineering and Advanced Computing,Zhengzhou 450000,China;Information Engineering University,Zhengzhou 450000,China)

机构地区：[1]数学工程与先进计算国家重点实验室,郑州450000 [2]战略支援部队信息工程大学,郑州450000

出　　处：《计算机科学》2022年第4期369-375,共7页Computer Science

基　　金：国家重点研发计划(2019QY1300);科技委基础加强项目(2019-JCJQ-ZD-113)。

摘　　要：Cisco IOS(Internetwork Operating System)作为Cisco路由器的专用操作系统,其由于硬件条件限制,在设计时更加注重性能而忽视了系统安全,导致无法有效检测面向返回地址编程(Return-Oriented Programming,ROP)的攻击。针对传统的ROP防护技术在解决Cisco IOS防护上存在的缺陷,提出了一种基于返回地址内存哈希验证的方法,能够对面向Cisco IOS的ROP攻击进行有效检测,并对ROP攻击代码进行捕获。通过分析现有针对ROP攻击的防护机制的优缺点,在紧凑型影子内存防护思想的基础上,将传统的影子内存存储模式改造为基于哈希的内存查找模式,增加了返回地址内存指针的记录作为哈希查找的索引,提高了影子内存查找效率,同时能够抵御由于内存泄露导致的影子内存篡改。在Dynamips虚拟化平台的基础上设计实现了CROPDS系统,对所提方法进行了有效验证。与现有方法对比,所提方法在通用性和性能上均有提升,并能够捕获到攻击执行的shellcode。Cisco IOS(Internet operating system)is a special operating system of Cisco router.Due to the limitation of hardware conditions,it pays more attention to the performance and ignores the system security in the design,which makes it unable to effectively detect the attack of return address oriented programming(ROP).Aiming at the defects of traditional ROP protection technology in Cisco IOS protection,a method based on return address memory hash verification is proposed,which can effectively detect the ROP attack on Cisco IOS and capture the attack code.By analyzing the advantages and disadvantages of the existing protection mechanisms against ROP attacks,on the basis of the idea of compact shadow memory protection,the traditional sha-dow memory storage mode is transformed into a hash based memory search mode,and the record of the return address memory pointer is added as the index of hash search,which improves the efficiency of shadow me-mory search and can resist shadow memory tampering caused by memory leakage.Based on the Dynamips virtualization platform,the CROPDS system is designed and implemented,and the method is verified effectively.Compared with the previous methods,it improves the generality and perfor-mance,and can capture the shellcode of attack execution.

关 键 词：Cisco IOS ROP攻击 影子栈 哈希表 攻击检测 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]