Found 20 similar documents; search took 250 ms
1.
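Embedded systems are designed with cost and power consumption in mind and pay little attention to security, while the software defenses generally adopted cannot meet their real-time and reliability requirements. Buffer overflow, the most common software security vulnerability, poses a serious threat to embedded system security. This paper builds a hardware defense mechanism based on fine-grained instruction flow monitoring (FIFM), which uses a virtual execution unit to virtually execute the program and detects attack behavior before the attack takes place. Experimental results show that FIFM defends well against typical buffer overflow attacks; moreover, FIFM requires no program modification, does not break pipeline integrity, and has little impact on system performance. The protection mechanism can be applied in other embedded system designs to defend dynamically against buffer overflow attacks.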
2.
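Applied research on the Windows DNS server remote stack overflow vulnerability (Total citations: 1, self-citations: 0, citations by others: 1)
The article introduces system security vulnerabilities and the basic principles by which attacks against them are carried out. Through analysis of a specific vulnerability, it presents a concrete method for implementing a remote stack buffer overflow attack based on the DNS service in Windows systems, and also gives some defensive and avoidance measures against system security vulnerabilities.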
3.
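To write more secure C programs and improve the security of existing C programs, the vulnerable C library functions that are susceptible to buffer overflow attacks are analyzed, covering the characteristics they show when a buffer overflow may occur and how to avoid buffer overflows. A buffer overflow detection tool is implemented that can detect buffer overflow vulnerabilities in C object programs fairly accurately; the analysis results are of practical value.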
4.
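This paper analyzes the principle of buffer overflow attacks and summarizes the defenses Linux systems commonly use against overflow attacks. It then analyzes the characteristics of the various current security gateways based on trimmed-down Linux systems and proposes methods for making them resistant to buffer overflow attacks so as to strengthen system security. Finally, it describes recent developments in anti-overflow techniques.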
5.
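Buffer overflow vulnerabilities are a common class of software vulnerability that does great harm to computer systems. For this class of vulnerability, this paper proposes a detection method based on dynamic instrumentation of binary files that determines buffer overflows from the program's runtime state, and implements a detection system based on the method. By analyzing the principle of buffer overflow and the characteristics of common attack methods, it proposes buffer overflow detection based on overwriting of the return address, the virtual function table and the exception handler chain, and on execution of specific APIs after an overflow. Experiments show that the system can effectively detect buffer overflows and locate the overflow point, thereby assisting analysis of the vulnerability's mechanism.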
6.
7.
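To address buffer overflows in the development of embedded operating system software, a buffer overflow detection method based on boundary checking is proposed. The theoretical basis of the method is given, and the experimental steps and process are described. The method allocates a contiguous memory region for the data buffer to be checked and a detection variable, detects directly whether the buffer has overflowed by whether the detection variable has changed, and executes the corresponding alarm and remedial measures.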
8.
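With the aim of addressing buffer overflow, a widely occurring network security vulnerability, and using verification methods at the software and hardware levels combined with experimental means such as manual inspection, static discovery techniques and dynamic defense techniques, it was concluded that, when transferring data into a buffer, array bounds check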
9.
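Buffer overflow attacks seriously endanger our network security and have already caused people enormous losses. On the basis of a reasonable classification of existing defense techniques and tools, the article summarizes their advantages and disadvantages and discusses directions for developing more effective defense tools. At the same time, in response to growing network security needs, it proposes an effective strategy for defending against buffer overflow attacks from the perspective of the whole system.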
10.
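Among security problems, buffer overflow vulnerabilities have become one of the main ones. The paper first gives a brief overview of the basic principles of buffer overflow and of detection techniques, then uses IDA Pro, a powerful disassembly platform, to detect buffer overflows in binary code, and uses the IDC scripting language to extract function dependency graphs; finally it gives an example applying this buffer overflow detection method.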
11.
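A fully automatic detection method for JVM runtime library security policies (Total citations: 1, self-citations: 0, citations by others: 1)
The JVM runtime library can implement many security policies by calling the security manager class among its own library functions. One very important policy is to ensure that a program undergoes the corresponding access control permission check before it performs a sensitive operation. Traditionally, manual analysis has been relied on to ensure that the JVM runtime library satisfies this policy; because the Java standard class library covers thousands of classes and tens of thousands of methods and is evolving rapidly, manual analysis is time-consuming, laborious and error-prone. This paper proposes a fully automatic, efficient and fast model checking method to evaluate whether a JVM complies with this policy: it scans the bytecode files of the Java standard class library, generates control flow graphs from class member methods, and, by defining a checking model and combining taint analysis to compute method summaries, automatically detects risky methods.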
12.
Woo-Yong Choi Chi-Hyuck Jun 《Communications Letters, IEEE》1997,1(5):149-151
The heterogeneity and the burstiness of input source traffic together with large size of the shared buffer make it difficult to analyze the performance of an asynchronous transfer mode (ATM) multiplexer. Based on the asymptotic decay rate of queue length distribution at the shared buffer, we propose a Bernoulli process approximation for the individual on-off input source with buffer size adjustment, which gives a good upper bound of the cell loss probability
13.
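To perform white-box and black-box testing dynamically, a dynamic testing tool based on source code instrumentation was designed and implemented. The tool comprises a source code preprocessing method, instrumentation library design, instrumentation strategy, and statistical analysis. By lexical and syntactic analysis of the source code, instrumentation achieves the highest accuracy, and the design writes the probe information to the probe file all at once before the function finishes executing, which saves a large number of I/O operations. Finally, executing test cases yielded test data such as coverage, execution time and complexity, and correctly produced indicators of test case quality.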
14.
赵旺飞 《电信工程技术与标准化》2014,(12):66-69
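A multi-dimensional detection model for fraud-type mobile malware is proposed; a double verification approach of static detection and identification plus dynamic run-time verification ensures accurate identification of malware. An application feature identification library is built across multiple dimensions such as signature information, permissions and group names; based on the feature library, applications are labelled as normal software or malware. This improves existing security protection against fraud-type mobile malware as far as possible, supports the regulated development of third-party app stores, and plays a positive role in effectively raising users' awareness of fraud-type mobile malware and protecting the safety of mobile phone use.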
15.
Shared buffer switches consist of a memory pool completely shared among output ports of a switch. Shared buffer switches achieve low packet loss performance as buffer space is allocated in a flexible manner. However, this type of buffered switches suffers from high packet losses when the input traffic is imbalanced and bursty. Heavily loaded output ports dominate the usage of shared memory and lightly loaded ports cannot have access to these buffers. To regulate the lengths of very active queues and avoid performance degradations, threshold‐based dynamic buffer management policy, decay function threshold, is proposed in this paper. Decay function threshold is a per‐queue threshold scheme that uses a tailored threshold for each output port queue. This scheme suggests that buffer space occupied by an output port decays as the queue size of this port increases and/or empty buffer space decreases. Results have shown that decay function threshold policy is as good as well‐known dynamic thresholds scheme, and more robust when multicast traffic is used. The main advantage of using this policy is that besides best‐effort traffic it provides support to quality of service (QoS) traffic by using an integrated buffer management and scheduling framework. Copyright © 2006 John Wiley & Sons, Ltd.
16.
17.
18.
Courcoubetis C.A. Dimakis A. Stamoulis G.D. 《Networking, IEEE/ACM Transactions on》2002,10(2):217-231
For a multiplexer fed by a large number of sources, we derive conditions under which a given subset of the sources can be substituted for a single source while preserving the buffer overflow probability and the dominant timescales of buffer overflows. This notion of traffic equivalence is stronger than simple effective bandwidth equality and depends on the multiplexing context. We propose several applications of the above traffic substitution conditions. First, we show that fractional Brownian motion as a single source substitute can effectively model a large number of multiplexed sources using information obtained purely from traffic traces; this has direct application to simple but accurate traffic generation. Second, we focus on dynamic (i.e., on-line) estimation of available capacity and buffer overflow probability. This requires the solution of a double optimization problem expressed in terms of functions whose values are obtained from time averages of the traffic traces over a large range of timescales. We show how to solve this problem on-line by reducing it to the calculation of a fixed-point equation that can be solved iteratively by combining traffic substitution using fractional Brownian motion with dynamic measurements of the actual traffic. We have validated this approach by extensive experimentation with large numbers of real traffic sources that are fed to a high bandwidth link, and comparing our on-line estimation of available capacity and the resulting dynamic call admission control with other existing approaches. The superior accuracy of our approach also suggests that taking the buffer size into account, as does our on-line algorithm, may be vital for achieving approximations of practical interest
19.
A two-phase control wrapper for a micropipeline is presented. The wrapper is implemented in an Artisan 0.13μ standard cell library that has not been augmented with any special cells for asynchronous design. The wrapper supports early evaluation allowing the output to be updated after a subset of the inputs have arrived, thus improving the throughput of the micropipeline.
20.
James Aweya Michel Ouellette Delfin Y. Montuno 《International Journal of Communication Systems》2003,16(4):337-356
A multiple (priority) queueing system allows a network node to manage the queueing of packets in such a way that higher priority packets will always be served first, low priority packets will be discarded when the queue is full, and for same‐priority packets any interference between them will be prevented. This paper describes a TCP window control scheme for a shared memory device that has buffer memory logically organized into multiple queues. To handle changing queue traffic loads, the shared memory device uses a dynamic buffer threshold mechanism to allocate buffer space to the queues. The TCP window control scheme allows the receiver's advertised window size in ACK packets to be modified at the network queue in order to maintain the queue size at a computed dynamic threshold. Copyright © 2003 John Wiley & Sons, Ltd.