Kernel Code Reuse Attack Detection Technique for Linux
Cite this article: CHEN Zhi-Feng, LI Qing-Bao, ZHANG Ping, WANG Ye. Kernel Code Reuse Attack Detection Technique for Linux [J]. Journal of Software, 2017, 28(7): 1732-1745.
Authors: CHEN Zhi-Feng, LI Qing-Bao, ZHANG Ping, WANG Ye
Affiliation (all authors): PLA Information Engineering University, Zhengzhou 450001, Henan, China; State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, Henan, China
Funding: National Science and Technology Major Project "HGJ" (Core Electronic Devices, High-end Generic Chips and Basic Software) (2013JH00103); National 863 Program target-oriented project (2009AA01Z434)
Abstract: In recent years, code reuse attacks and defenses against them have become a hot research topic in the security field. Kernel-level code reuse attacks use the kernel's own code to bypass traditional defense mechanisms. Most existing detection and defense methods for code reuse attacks target application-level attacks and ignore kernel-level ones. To detect kernel-level code reuse attacks effectively, a detection method based on fine-grained control flow integrity (CFI) is proposed. First, CFI constraint rules are constructed from the principles of code reuse attacks and the control flow of normal programs; then a detection model based on a state machine and the CFI constraint rules is proposed. On this basis, CFI label instruction instrumentation is implemented with compiler assistance, and verification of the CFI constraint rules is implemented in the hypervisor, which improves the security of the detection method. Experimental results show that the method can effectively detect kernel-level code reuse attacks with a performance overhead of no more than 60%.

Keywords: code reuse attack; kernel; control flow integrity; instrumentation; constraint rule
Received: 2015/9/20
Revised: 2015/12/31

Kernel Code Reuse Attack Detection Technique for Linux
CHEN Zhi-Feng, LI Qing-Bao, ZHANG Ping and WANG Ye. Kernel Code Reuse Attack Detection Technique for Linux [J]. Journal of Software, 2017, 28(7): 1732-1745.
Authors: CHEN Zhi-Feng, LI Qing-Bao, ZHANG Ping and WANG Ye
Affiliation (all authors): PLA Information Engineering University, Zhengzhou 450001, China; State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
Abstract: Code reuse attacks and defenses against them have recently become a hot area in the security field. Kernel-level code reuse attacks use kernel code to bypass traditional defensive mechanisms, yet existing detection and defense methods for code reuse attacks focus mainly on user-level attacks and ignore kernel-level ones. To detect kernel-level code reuse attacks effectively, a detection method based on fine-grained control flow integrity (CFI) is proposed. First, CFI constraint rules are constructed according to the principles of code reuse attacks and the control flow of normal programs. A detection model based on a state machine and the CFI constraint rules is then proposed. On this basis, CFI label checking instructions are instrumented by a GCC plugin, and the CFI constraint rules are verified in the hypervisor, which improves the security of the method. Experimental results show that the method effectively detects kernel-level code reuse attacks, and performance evaluation indicates that the performance penalty it induces is less than 60%.
Keywords:code reuse attack  kernel  control flow integrity  instrumentation  constraint rule
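The abstract describes the detection model only in outline: valid control-transfer targets carry compiler-inserted CFI labels, and a state machine validates each transfer against constraint rules. The C program below is an added illustration of that general idea, not the paper's code or the authors' GCC plugin or hypervisor component. The code map, kernel-style addresses and the three traces are constructed, and the three rules (indirect calls enter a labeled function entry, returns go back to the site of their own call, indirect jumps are only tail calls to labeled entries) are one plausible rule set, not the paper's. Verification runs offline over a recorded trace here, whereas the paper checks in the hypervisor at run time.

```c
/* Label-based CFI check over a recorded control-transfer trace (educational model; addresses, labels and traces are constructed). */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

typedef enum { LABEL_NONE = 0, LABEL_FUNC_ENTRY, LABEL_RET_SITE } cfi_label_t;
typedef struct { uint64_t addr; cfi_label_t label; } code_site_t;

/* Constructed code map: every legitimate indirect-transfer target carries the
 * label that compile-time instrumentation would have placed there. */
static const code_site_t kcode[] = {
    { 0xffffffff81001000ULL, LABEL_FUNC_ENTRY }, /* handler_a entry           */
    { 0xffffffff81001020ULL, LABEL_RET_SITE   }, /* handler_a: after its call */
    { 0xffffffff81002000ULL, LABEL_FUNC_ENTRY }, /* helper_b entry            */
    { 0xffffffff81003010ULL, LABEL_RET_SITE   }, /* dispatch: after its call  */
};

static cfi_label_t label_of(uint64_t addr) {
    for (size_t i = 0; i < sizeof kcode / sizeof kcode[0]; i++)
        if (kcode[i].addr == addr) return kcode[i].label;
    return LABEL_NONE;
}

typedef enum { EV_CALL, EV_RET, EV_IJMP } ev_type_t;
typedef struct {            /* one recorded control transfer */
    ev_type_t type;
    uint64_t  target;       /* where control is transferred to */
    uint64_t  ret_site;     /* EV_CALL only: address of the instruction after the call */
} cf_event_t;

#define MAX_DEPTH 64        /* checker state: bounded shadow stack of expected return sites */
typedef struct { uint64_t expect[MAX_DEPTH]; int depth; } cfi_state_t;

/* Apply the constraint rules to one transfer; NULL means the transfer is allowed. */
static const char *cfi_step(cfi_state_t *st, const cf_event_t *ev) {
    switch (ev->type) {
    case EV_CALL: /* rule 1: a call enters a function at a labeled entry */
        if (label_of(ev->target) != LABEL_FUNC_ENTRY)
            return "call to address without function-entry label";
        if (label_of(ev->ret_site) != LABEL_RET_SITE)
            return "call whose continuation is not a labeled return site";
        if (st->depth >= MAX_DEPTH) return "shadow stack overflow";
        st->expect[st->depth++] = ev->ret_site;
        return NULL;
    case EV_RET:  /* rule 2: a return goes back to the site of its own call */
        if (st->depth == 0) return "return with no matching call";
        if (label_of(ev->target) != LABEL_RET_SITE)          /* coarse check */
            return "return to address without return-site label";
        if (ev->target != st->expect[st->depth - 1])         /* fine-grained check */
            return "return target does not match the calling site";
        st->depth--;
        return NULL;
    case EV_IJMP: /* rule 3: indirect jumps only as tail calls to labeled entries */
        if (label_of(ev->target) != LABEL_FUNC_ENTRY)
            return "indirect jump to address without function-entry label";
        return NULL;
    }
    return "unknown event type";
}

/* Run the state machine over a trace; return the index of the first
 * violating event, or -1 if every transfer satisfies the rules. */
int cfi_check_trace(const cf_event_t *trace, int n, const char **reason) {
    cfi_state_t st = { .depth = 0 };
    for (int i = 0; i < n; i++) {
        const char *why = cfi_step(&st, &trace[i]);
        if (why) { if (reason) *reason = why; return i; }
    }
    if (reason) *reason = NULL;
    return -1;
}

/* Constructed benign trace: dispatch -> handler_a -> helper_b and back. */
int check_benign(const char **why) {
    const cf_event_t t[] = { { EV_CALL, 0xffffffff81001000ULL, 0xffffffff81003010ULL },
                             { EV_CALL, 0xffffffff81002000ULL, 0xffffffff81001020ULL },
                             { EV_RET,  0xffffffff81001020ULL, 0 },
                             { EV_RET,  0xffffffff81003010ULL, 0 } };
    return cfi_check_trace(t, 4, why);
}

/* Constructed gadget-chain trace: the callee "returns" into unlabeled
 * mid-function bytes (0xffffffff81002037) instead of to its caller. */
int check_gadget_chain(const char **why) {
    const cf_event_t t[] = { { EV_CALL, 0xffffffff81001000ULL, 0xffffffff81003010ULL },
                             { EV_RET,  0xffffffff81002037ULL, 0 } };
    return cfi_check_trace(t, 2, why);
}

/* Constructed trace a coarse label check would accept: the return lands on
 * a genuine return-site label, but not the one belonging to this frame. */
int check_label_confusion(const char **why) {
    const cf_event_t t[] = { { EV_CALL, 0xffffffff81001000ULL, 0xffffffff81003010ULL },
                             { EV_RET,  0xffffffff81001020ULL, 0 } };
    return cfi_check_trace(t, 2, why);
}

int main(void) {
    const char *why; int r;
    r = check_benign(&why);          printf("benign: %s\n", r < 0 ? "ok" : why);
    r = check_gadget_chain(&why);    printf("gadget chain: event %d, %s\n", r, why);
    r = check_label_confusion(&why); printf("label confusion: event %d, %s\n", r, why);
    return 0;
}
```

The third trace is the reason the abstract stresses fine-grained CFI: a check that only asks "does the target carry a return-site label?" accepts it, while matching the return against the shadow-stack entry for the current frame rejects it. The cost of that precision is the state the checker has to keep, which is where the performance overhead the abstract reports comes from.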