Function call interception techniques

Function call interception (FCI), or method call interception (MCI) in the object‐oriented programming domain, is a technique of intercepting function calls at program runtime. Without directly modifying the original code, FCI enables to undertake certain operations before and/or after the called function or even to replace the intercepted call. Thanks to this capability, FCI has been typically used to profile programs, where functions of interest are dynamically intercepted by instrumentation code so that the execution control is transferred to an external module that performs execution time measurement or logging operations. In addition, FCI allows for manipulating the runtime behavior of program components at the fine‐grained function level, which can be useful in changing an application's original behavior at runtime to meet certain execution requirements such as maintaining performance characteristics for different input problem sets. Due to this capability, however, some FCI techniques can be used as a basis of many security exploits for vulnerable systems. In this paper, we survey a variety of FCI techniques and tools along with their applications to diverse areas in the computing and software domains. We describe static and dynamic FCI techniques at large and discuss the strengths and weaknesses of different implementations in this category. In addition, we also discuss aspect‐oriented programming implementation techniques for intercepting method calls.     

主机防护系统中系统调用截获机制的实现

基于主机的系统级防护系统在主动防御方面表现出诸多优势，正成为计算机安全研究领域新的热点。系统调用截获是这类系统实现的关键技术。论述了Windows操作系统的系统调用机制，讨论了系统调用截获的方法及其在构建主机防护系统中的运用。     

基于地址完整性检查的函数指针攻击检测

针对传统函数指针攻击检测技术无法检测面向返回编程(ROP)攻击的问题,提出了一种基于跳转地址完整性检查的新方法,在二进制代码层面能够检测多种类型的函数指针攻击。首先,通过静态分析得到函数地址信息,然后动态检查跳转目标地址是否位于合法函数区间。分析了非入口点跳转,提出一种动静结合方法检测ROP攻击。基于二进制代码插桩工具实现原型系统fpcheck,对真实攻击和正常程序进行了测试。实验结果表明fpcheck能够检测包括ROP在内的多种函数指针攻击,通过准确的检测策略,误报率显著下降,性能损失相比原始插桩仅升高10%~20%。     

基于控制流数据保护的缓冲区溢出防御方法

根据栈缓冲区溢出的基本原理,介绍了三种缓冲区溢出攻击的基本模式,分析了现有的动态防御方法所存在的优缺点。以此为基础,提出了一种基于控制流相关数据保护的栈缓冲区溢出动态防御方法,引入了加密机制,有效地防御攻击者对保护数据的篡改。设计并实现了针对目标文件为对象的二进制文件重构工具,通过理论分析和实验表明该方法能够极大概率防御各种缓冲区溢出攻击。     

基于动态二进制平台的缓冲区溢出过程分析

提出一种基于动态二进制平台的缓冲区溢出过程分析方法,并实现基于该方法的原型系统。分析缓冲区溢出攻击方法的特点,给出基于异常捕获、控制流分析和内存状态检查的溢出检测方法。通过对内存读写指令、控制转移指令进行监控,获得函数调用序列和数据传递关系,定位导致缓冲区溢出的代码。实验结果表明,该系统能有效检测缓冲区溢出,准确定位导致溢出的代码位置。     

Using Dynamic Information in the Interprocedural Static Slicing of Binary Executables

Although the slicing of programs written in a high-level language has been widely studied in the literature, relatively few papers have been published on the slicing of binary executable programs. The lack of existing solutions for the latter is really hard to understand since the application domain for slicing binaries is similar to that for slicing high-level languages. Furthermore, there are special applications of the slicing of programs without source code like source code recovery, code transformation and the detection of security critical code fragments. In this paper, in addition to describing the method of interprocedural static slicing of binaries, we discuss how the set of the possible targets of indirect call sites can be reduced by dynamically gathered information. Our evaluation of the slicing method shows that, if indirect function calls are extensively used, both the number of edges in the call graph and the size of the slices can be significantly reduced.Ákos Kiss obtained his M.Sc. in Computer Science from the University of Szeged in 2000. He is currently working on his Ph.D. thesis and his chosen field of research is the analysis and optimization of binary executables. He was the chief programmer of a code compaction project which sought to reduce ARM binaries. He is also interested in GCC and in open source developmentJudit Jász obtained her M.Sc. in Computer Science recently from the University of Szeged and is currently a Ph.D student. Her main research interest is adapting slicing methods—originally intended for high-level languages—to binary executables. She is also actively working on improving the GCC compiler.Tibor Gyimóthy is the head of the Software Engineering Department at the University of Szeged in Hungary. His research interests include program comprehension, slicing, reverse engineering and compiler optimization. He has published over 60 papers in these areas and was the leader of several software engineering R&D projects. He is the Program Co-Chair of the 21th International Conference on Software Maintenance, which will be held in Budapest, Hungary in 2005.     

基于动态二进制翻译和插桩的函数调用跟踪

动态函数调用跟踪技术是调试Linux内核的重要手段.针对现有动态跟踪工具存在支持平台有限、运行效率低的问题,基于二进制翻译,设计并实现支持多种指令集的动态函数调用跟踪工具.首先,使用二进制翻译进行系统加载、分析内核镜像,识别基本块的分支指令类型.然后,根据不同平台指令集,设计桩代码并在函数调用与返回指令翻译时插入桩指令,进而在程序执行和内核启动时实时获取时间戳、进程标识、线程标识、函数地址等信息.最后,内核加载完毕后,处理获取的信息,生成过程函数调用图.只需要根据平台指令集特点设计对应的信息获取桩代码并插入到函数调用指令翻译代码中,实现简单,易于移植支持多种平台.该方法基于二进制翻译,直接对程序或内核镜像中的指令段、代码段、符号表进行分析,不依赖源码.拓展的中间代码和额外的目标码,不影响基本块连接、冗余代码消除、热路径分析等二进制翻译的优化方法,降低了开销.基于QEMU的实验结果表明：跟踪分析结果与源代码行为一致,桩代码执行信息记录产生了15.24%的时间开销,而信息处理并输出到磁盘文件产生了165.59%的时间开销,与现有工具相比,性能有较大提升.     

API函数挂接的机理与方法探讨

介绍了在Windows的高级编程中所涉及的对Windows系统应用程序接口(API)函数的挂接的原理,并探讨了实现API函数挂接的条件。提供了几种实用的挂接方法(直接或间接修改API)及实现代码,给出了这些方法的不同适用场合。     

Applying fuzzy logic and genetic algorithms to enhance the efficacy of the PID controller in buffer overflow elimination for better channel response timeliness over the Internet

In this paper two novel intelligent buffer overflow controllers: the fuzzy logic controller (FLC) and the genetic algorithm controller (GAC) are proposed. In the FLC the extant algorithmic PID controller (PIDC) model, which combines the proportional (P), derivative (D) and integral (I) control elements, is augmented with fuzzy logic for higher control precision. The fuzzy logic divides the PIDC control domain into finer control regions. Every region is then defined either by a fuzzy rule or a ‘don't care’ state. The GAC combines the PIDC model with the genetic algorithm, which manipulates the parametric values of the PIDC as genes in a chromosome. The FLC and GAC operations are based on the objective function . The principle is that the controller should adaptively maintain the safety margin around the chosen reference point (represent by the ‘0’ of ) at runtime. The preliminary experimental results for the FLC and GAC prototypes indicate that they are both more effective and precise than the PIDC. After repeated timing analyses with the Intel's VTune Performer Analyzer, it was confirmed that the FLC can better support real‐time computing than the GAC because of its shorter execution time and faster convergence without any buffer overflow. Copyright © 2005 John Wiley & Sons, Ltd.