Author(s): 杨佳庚 方滨兴 冀甜甜[2] 张云涛 王田 崔翔 王媛娣 YANG Jia-Geng; FANG Bin-Xing; JI Tian-Tian; ZHANG Yun-Tao; WANG Tian; CUI Xiang; WANG Yuan-Di (School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen, Guangdong 518055; Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing University of Posts and Telecommunications, Beijing 100876; Zhongguancun Laboratory, Beijing 100194; Geedge Networks Ltd., Beijing 100029)
Affiliations: [1] School of Computer Science and Technology, Harbin Institute of Technology (Shenzhen), Shenzhen, Guangdong 518055 [2] Key Laboratory of Trustworthy Distributed Computing and Service, Ministry of Education, Beijing University of Posts and Telecommunications, Beijing 100876 [3] Zhongguancun Laboratory, Beijing 100194 [4] Geedge (Hainan) Information Technology Co., Ltd., Beijing 100029
Source: Chinese Journal of Computers (《计算机学报》), 2024, No. 7, pp. 1697-1712 (16 pages)
Funding: Supported by the Hainan Province Fang Binxing Academician Workstation fund.
Abstract: Delivering malicious code to invoke security-sensitive services is a necessary step in cyberattacks that carry out theft, destruction and denial-of-service attacks, and it exposes cyberspace to serious threats. This paper terms such attacks unintended execution attacks; existing defense techniques have difficulty detecting them when they are carried out through legitimate carriers. This paper proposes a security protection mechanism called the lock protection structure, which complements existing defense techniques as a security baseline and serves as the last line of defense blocking the execution of malicious behavior. By analyzing the target program's expected behavior toward security-sensitive services, monitoring the program's actual behavior, and blocking service executions that are inconsistent with the expected behavior, it defends against unintended execution attacks. Based on observations of the key factors that influence service behavior, this paper proposes the lock protection model as the theoretical basis for blocking unintended execution attacks. A lock protection prototype system was then implemented in a Linux experimental environment; its effectiveness was validated using real advanced persistent threat (APT) attack samples, kernel privilege escalation vulnerabilities and popular applications, and its performance overhead was evaluated. Experimental results show that the prototype successfully resists typical unintended execution attacks while introducing no more than 5% performance overhead.

Delivering malware to invoke security-sensitive services is a necessary step in cyberattacks to implement theft, destruction and denial-of-service attacks, putting cyberspace at serious risk. Malware that calls security-sensitive services performs sensitive operations such as file read or write, access control, and system management, posing a direct and significant threat to system security. For instance, the WannaCry ransomware incident that began in 2017 involved attackers spreading ransomware to victims' devices through vulnerabilities. This ransomware encrypted and overwrote files by invoking the system's file writing services, aiming for ransom. In this paper, we define such attacks as unintended execution attacks, which are difficult to detect by existing techniques. Unintended execution attacks can lead to system crashes, data leakage, or destruction, with serious implications for personal privacy, business operations, and national security. Analyzing the MITRE ATT&CK attack matrix, we conclude that strategies closer to the end of the attack chain are more technically necessary. The invocation of security-sensitive services with high access and execution privileges at the end of the attack chain is a prerequisite for achieving attack objectives, making unintended execution attacks inevitable. Existing defense techniques primarily focus on mitigating and detecting the process of malicious code injection and exploitation, preventing attackers from executing malicious code injection, control flow hijacking, and privilege escalation through code injection or exploiting vulnerabilities in programs. However, with the emergence of new types of vulnerability exploitation techniques, such as code reuse attacks, and considering the performance overhead of mitigation techniques in commercial systems, practical defense solutions are vulnerable to being bypassed. In particular, when attackers enter the system in an unknown manner and run malicious software with privileged accounts, existing defense techniques fail to detect such unintended executi
Keywords: security-sensitive services; unintended execution attack; lock protection; program behavior monitoring; attack blocking
Classification: TP309 [Automation and Computer Technology - Computer System Architecture]