Authors: ZHAI Jiqiang[1], WANG Jiaqian, HAN Xu, SUN Haixu (School of Computer Science and Technology, Harbin University of Science and Technology, Harbin 150080, China)
Affiliation: [1] School of Computer Science and Technology, Harbin University of Science and Technology, Harbin 150080
Source: Journal of Harbin University of Science and Technology (哈尔滨理工大学学报), 2024, No. 1, pp. 96-106 (11 pages)
Funding: National Natural Science Foundation of China (61403109); National Natural Science Foundation of China (61402126); National Natural Science Foundation of China (61602133).
Abstract: Current forensic research on heaps mainly targets the Windows heap and the NT heap; how to extract Glibc heap information of a Linux system from dump files has not been studied sufficiently. To reconstruct the internal state of the Glibc heap in Linux, this paper proposes a method that locates fields by their offsets in the vtype description information of memory objects, combined with knowledge of how the Glibc heap is laid out in memory, to extract the heap's internal information. Based on this method, three heap information extraction plugins were developed on the Rekall framework. The House of Spirit class of heap attack is also studied: an attack model is established and its attack features are extracted. A detection algorithm for House of Spirit attacks is designed from the extracted features, and an attack detection plugin is built on top of the heap information extraction plugins. Experimental results show that the method effectively extracts the in-memory heap information of Linux processes and, using this information together with the detection algorithm, successfully detects House of Spirit attacks in memory.
Keywords: Glibc heap; information extraction; heap attack detection; Rekall framework
Classification: TP319 [Automation and Computer Technology: Computer Software and Theory]