一种防止缓冲区溢出攻击的新方法

介绍了缓冲区溢出攻击的原理，分析了缓冲区的三种结构，简要总结了已有的检测方法。提出了一种新的简单、易实施的防御缓冲区溢出攻击的方法。     

一种基于IDA PRO缓冲区溢出的检测方法

在各种安全问题中,缓冲区溢出漏洞已成为主要问题之一。论文首先对缓冲区溢出的基本原理和检测技术作了简单概述,然后借助IDAPRO这一强大的反汇编平台对二进制代码进行缓冲区溢出检测,并利用IDC脚本语言提取函数依赖关系图,最后给出了应用上述缓冲区溢出检测方法的一个实例。     

漏洞利用技术Heap Spray检测方法研究

堆喷射(Heap Spray)是近些年来非常流行的漏洞利用技术,最早被广泛利用在针对浏览器的攻击中。该技术很大程度上降低了漏洞溢出后地址跳转的难度,大大提高了缓冲区溢出攻击的成功率。通过分析和研究Heap Spray技术的原理,给出了一些技术细节,之后,对现有的一些检测方法进行分类研究,并分为3种类型:基于字符串的检测、基于内存保护的检测以及基于系统调用的检测,同时分别通过实例予以说明。     

Engineering Calculation of Overflow Probabilities in Buffers with Markov-Interrupted Service

Interrupted service, which may occur in fading radio channels, in low-priority channels which can be preempted or in systems with failures may make severe demands on buffer size if overflow is to be avoided. This paper analyzes a buffer with a Markov-interrupted timeslotted server, generalizing earlier work on independent random interruptions. An equivalent service distribution is defined for use in an approximateM/G/1model, which in turn gives buffer probabilities and overflow probabilities. For very small overflow probabilities, the necessary buffer size is found from a further analytic approximation to the tail of the buffer size distribution. The accuracy of the two approximations together is good, shown by an example of a fading radio channel.     

Design rules and equivalent capacity for buffering of Pareto source

Formulae are developed that act as design rules when buffering an ON-OFF source with long range dependent (LRD) characteristics. These can be used to predict the buffer overflow probability, or the equivalent capacity required to ensure a specified buffer overflow probability. The traffic source has Pareto distributed ON and OFF periods, and therefore this analysis can be seen as an extension of earlier results for exponential ON and OFF periods     

Adaptive buffer- instrumented entropy-coded quantizer performance for memoryless sources

Variable-length codes can be used in entropy coding the outputs of an optimum entropy-constrained quantizer. Transmitting these codes over a synchronous channel; however, requires a buffer connecting the entropy coder to the channel. In a practical application, this buffer is of finite size and hence might overflow or undertow. To alleviate this difficulty, we use an adaptive scheme in which the quantizer parameters are changed successively according to the state of the buffer. Rate-distortion performance of optimum entropy-constrained quantizers in conjunction with this adaptive scheme is studied for the class of generalized Gaussian sources. It is demonstrated through simulations that the overflow/ undertow problem can be practically eliminated at the cost of a negligible increase in average distortion. Furthermore, it is shown that the efficiency of this system is more pronounced at high rates and for more broadtailed source densities. Easily computable upper and lower bounds on the average distortion of the adaptive system are developed.     

RICB：基于缓冲区溢出的整数溢出漏洞动态分析

Integer overflow vulnerability will cause buffer overflow. The research on the relationship between them will help us to detect integer overflow vulnerability. We present a dynamic analysis methods RICB (Run-time Integer Checking via Buffer overflow). Our approach includes decompile execute file to assembly language; debug the execute file step into and step out; locate the overflow points and checking buffer overflow caused by integer overflow. We have implemented our approach in three buffer overflow types: format string overflow, stack overflow and heap overflow. Experiments results show that our approach is effective and efficient. We have detected more than 5 known integer overflow vulnerabilities via buffer overflow.     

C/C++源代码静态检测系统的设计和实现

为了检测出C/C++源代码程序中常见的运行时错误,设计了一个静态检测系统。该系统通过词法分析、语法分析、语义分析来获取程序的语法树。然后系统的检测程序将会分析语法树的每一个结点,判断结点中的属性信息是否存在错误。创新点在于语法树数据结构和检测程序的设计。通过检测程序对结点的属性值的分析,能够检测出C/C++源代码程序中出现的数组越界、指针错误、字符串函数错误,内存泄露等问题。     

Buffer Behavior for Mixed Input Traffic and Single Constant Output Rate

A queueing model with limited waiting room (buffer), mixed input traffic (Poisson and compound Poisson arrivals), and constant service rate is studied. Using average burst length, traffic intensity, and input-traffic mixture rate as parameters, we obtain relationships among buffer size, overflow probabilities, and expected message-queueing delay due to buffering. These relationships are portrayed on graphs that can be used as a guide in buffer design. Although this study arose in the design of statistical multiplexors, the queueing model developed is quite general and may be useful for other industrial applications.     

Linux下缓冲区溢出的分析与利用

缓冲区溢出漏洞攻击是目前互联网上黑客使用最多的攻击手段之一。论文针对Linux平台,从Linux系统内存管理机制人手,解释了Linux系统下函数调用的方法,分析了缓冲区溢出产生的原因并阐明了缓冲区溢出产生的整个过程,通过具体实例,说明了缓冲区溢出的利用方法。     

Resource Requirements for ABR Explicit Rate Flow Control: Deterministic and Probabilistic Analyses

ATM Available Bit Rate (ABR) service is intended to offer low cell loss for non-real-time data sources that can respond to closed-loop flow control. ATM Forum Traffic Management Specification Version 4.0 defines the various parameters used in the ABR flow control, as well as the source, destination, and switch behaviors. However, the switch designers and service providers are free to choose the method of congestion control to implement and the ABR Quality of Service (QoS) objective to offer. This paper addresses the interaction among the flow control algorithm, the switch resource requirements, and the resulting QoS characteristics.In this paper we propose and evaluate an Explicit Rate (ER) algorithm. The objective of this algorithm is to maintain the total buffer occupancy of all ABR connections to be close to a given threshold. By maintaining a non-zero queue, the ABR service can achieve a high utilization. The switch periodically determines its desirable ER value, based on the available capacity, the ABR buffer occupancy, and the number of active ABR sources.We develop analyses that relate ABR resources to QoS objectives for this algorithm. The first approach is a deterministic, conservative analysis. It provides formulas for determining the ABR buffer and capacity requirements that can achieve zero buffer overflow.The second analysis determines an upper bound on the buffer overflow probability when the above requirements are not met. The result is most effective when the number of active sources is a small fraction of the total ABR connections. Numerical examples show that by slightly relaxing the loss constraint, resource requirements can be significantly reduced.     

基于词包模型的高分辨率SAR 图像变化检测与分析

该文面向高分辨率SAR 图像解译中的变化检测问题,针对其研究现状与难点,重点解决高分辨率SAR图像变化检测中的语义信息缺失问题,提出一种基于词包模型的变化检测与分析的方法。该方法利用词包模型,对两个时相的图像做词包表征,将视觉直方图的差作为变化向量进行分析。由于变化向量包含有语义信息,因此可通过对其分析,结合像素级变化结果,实现对变化区域的语义分析及感兴趣变化类型检测。经实验验证,该框架对高分SAR 影像变化语义分析具有应用前景。      

基于最佳量化的序列图像编码转换码率控制策略

该文分析了编码转换缓冲区的状态,导出了编码转换缓冲区为防止解码器缓冲区下溢和上溢应满足的条件,建立了序列图像编码转换模型。并根据编码转换缓冲器的状态和信道速率,为待编码帧在图像层上预分配目的序列图像编码比特数,使用DCT系数分布特性来表征图像特性。继而为帧内每一具体宏块选定最佳量化因子,提出了基于最佳量化的码率控制策略,模拟实验表明,该码率控制策略能有效地减少、避免缓冲区出现上、下溢的情况,使输出码率趋于稳定,提高了重建序列图像的信噪比。     

针对Shellcode变形规避的NIDS检测技术

现今,缓冲区溢出攻击仍是网络上最普遍和有效的攻击方式之一,常见于恶意攻击者的手动攻击以及病毒蠕虫的自发攻击。随着NIDS的发展,普通的缓冲区溢出攻击能够用基于Shellcode匹配的手段进行检测。然而,Shellcode变形技术的出现使缓冲区溢出攻击拥有了躲避NIDS检测的能力。论文在NIDS传统检测技术的基础上,详细研究了Shellcode的各种变形手段,提出了针对性的检测技术,并展望了未来的发展方向。     

Traffic equivalence and substitution in a multiplexer withapplications to dynamic available capacity estimation

For a multiplexer fed by a large number of sources, we derive conditions under which a given subset of the sources can be substituted for a single source while preserving the buffer overflow probability and the dominant timescales of buffer overflows. This notion of traffic equivalence is stronger than simple effective bandwidth equality and depends on the multiplexing context. We propose several applications of the above traffic substitution conditions. First, we show that fractional Brownian motion as a single source substitute can effectively model a large number of multiplexed sources using information obtained purely from traffic traces; this has direct application to simple but accurate traffic generation. Second, we focus on dynamic (i.e., on-line) estimation of available capacity and buffer overflow probability. This requires the solution of a double optimization problem expressed in terms of functions whose values are obtained from time averages of the traffic traces over a large range of timescales. We show how to solve this problem on-line by reducing it to the calculation of a fixed-point equation that can be solved iteratively by combining traffic substitution using fractional Brownian motion with dynamic measurements of the actual traffic. We have validated this approach by extensive experimentation with large numbers of real traffic sources that are fed to a high bandwidth link, and comparing our on-line estimation of available capacity and the resulting dynamic call admission control with other existing approaches. The superior accuracy of our approach also suggests that taking the buffer size into account, as does our on-line algorithm, may be vital for achieving approximations of practical interest     

Buffer Control for Transmission of Blocked Data Over Fading Channels

Since fading channels are characterized by frequent signal dropouts which are long compared to packet duration, substantial buffer space must be provided at both ends of the link. Systems which rely on selective, on/off transmission to achieve low bit error rates are seriously affected by the special conditions which must be imposed on them to prevent buffer overflow or underflow. This effect can be reduced by a method of buffer control developed and analyzed in this paper, in which the average transmission rate is varied as a function of queue length in an attempt to keep the queue away from the ends of the buffer. It is shown that buffer control provides the same improvement in average error probability as does doubling the buffer size, but without the associated doubled storage cost and doubled delay. In order to simplify the analysis and keep the discussion relevant, the system is oriented to transmission of fixed length blocks or packets.     

Buffer overflow in variable length coding of fixed rate sources

In this paper, we develop and analyze an easily instrumentable scheme for variable length encoding of discrete memoryless fixed-rate sources in which buffer overflows result in codeword erasures at locations that are perfectly specified to the user. Thus, no loss of synchronism ever occurs. We find optimal (i.e., minimizing the probability of buffer overflow) code-wold length requirements under the Kraft inequality constraint, relative to various constant transmission ratesR, and show that these do not result in the minimal average code-word length. The corresponding bounds on the probability of buffer overflow provide a linkup between source coding and Rényi's generalized source entropy. We show, further, that codes having optimal word lengths can be constructed by the method of Elias, and we develop corresponding sequentially instrumented encoders and decoders. We show that the complexity of these encoders and decoders grows only linearly with the encoded message block lengthk, provided the sizedof the coder alphabet is a power of2, and otherwise grows no worse than quadratically withk.     

On overflow and underflow problems in buffer-instrumented variable-length coding of fixed- rate memoryless sources (Corresp.)

It is well-known that variable-length coding schemes can be employed in entropy encoding of finite-alphabet sources. To transmit these codes over a synchronous channel, however, requires a buffer. Since in practice this buffer is of finite size, it is subject to both overflow and undertow. The buffer behavior is studied with particular application to Huffman coding of the outputs of an optimum uniform-threshold quantizer driven by a memoryless Gaussian source. Fairly general upper and lower bounds on the average terminal time are developed. Under certain conditions, the tightness of these bounds is verified, and asymptotic formulas are developed. As an example, an encoding scheme employing Huffman codes in conjunction with uniform quantization of memoryless Gaussian sources is considered, and the buffer behavior as a function of the buffer size and output rate is studied.     

无线传感器网络中基于拥塞程度分级的速率调节机制

文中提出一种基于拥塞程度分级的速率调节算法.首先,对缓冲区进行多尺度排队分析,计算出缓冲区的溢出概率.其次,根据溢出概率的值,把节点拥塞程度分成三级.最后,针对每一级拥塞采取相应的速率调节方案来缓解拥塞.实验结果表明,该算法可以有效缓解拥塞,提高无线传感器网络的数据包投递率.