基于指令集随机化的抗代码注入攻击方法

代码注入攻击是应用程序面临的一种主要安全威胁,尤其是Web应用程序,该种攻击源于攻击者能够利用应用程序存在的漏洞/后门,向服务器端注入恶意程序并执行,或者利用应用程序对用户输入的参数缺乏验证和过滤,造成输入作为恶意程序执行,从而达到攻击目的。源程序分析和输入规则匹配等现有防御方法在面对代码注入攻击时都存在着固有缺陷,为了提高Web应用程序对于代码注入攻击的防御性,提出一种基于指令集随机化的抗代码注入方法,该防御方法不依赖于攻击者采用何种攻击方式,能够抵御未知的代码注入攻击。基于该技术及动态、冗余构造方法,设计一套原型系统,采用广义随机Petri网（Generalized Stochastic Petri Net,GSPN）建模计算,攻击者即使在获得随机化方法先验知识的情况下也极难突破系统的防御机制。尽管该方法需要对应用程序源代码进行随机化变换,但处理过程是完全自动化和具有普适性的,通过实验和现网测试表明该方法能够有效抵御大部分代码注入攻击,实现了对攻击的主动防御。     

恶意代码演化与溯源技术研究

恶意代码溯源是指通过分析恶意代码生成、传播的规律以及恶意代码之间衍生的关联性，基于目标恶意代码的特性实现对恶意代码源头的追踪.通过溯源可快速定位攻击来源或者攻击者，对攻击者产生一定的震慑打击作用，具有遏制黑客攻击、完善网络安全保障体系的重要作用和价值.近年来，网络安全形势愈加严峻，归类总结了学术界和产业界在恶意代码溯源领域的研究工作，首先揭示了恶意代码的编码特性以及演化特性，并分析这些特性与溯源的关系；然后，分别从学术界和产业界对恶意代码的溯源技术和研究进行梳理，同时对每个溯源阶段的作用以及影响程度进行了讨论，并对目前恶意代码的溯源对抗手段进行分析；最后讨论了恶意代码溯源技术面对的挑战和未来的发展趋势.     

An artificial intelligence membrane to detect network intrusion

We propose an artificial intelligence membrane to detect network intrusion, which is analogous to a biological membrane that prevents viruses from entering cells. This artificial membrane is designed to monitor incoming packets and to prevent a malicious program code (e.g., a shellcode) from breaking into a stack or heap in a memory. While monitoring incoming TCP packets, the artificial membrane constructs a TCP segment of incoming packets, and derives the byte frequency of the TCP segment (from 0 to 255 bytes) as well as the entropy and size of the segment. These features of the segment can be classified by a data-mining technique such as a decision tree or neural network. If the data-mining method finds a suspicious byte sequence, the sequence is emulated to ensure that it is just a shellcode. If the byte sequence is a shellcode, the sequence is dropped. At the same time, an alert is communicated to the system administrator. Our experiments examined seven data-mining methods for normal and malicious network traffic. The malicious traffic included 114 shellcodes, provided by the Metasploit framework, and including 10 types of metamorphic or polymorphic shellcodes. In addition, real network traffic involving shellcodes was examined. We found that a random forest method outperformed all the other datamining methods and had a very high detection accuracy, including a true-positive rate of 99.6% and a false-positive rate of 0.4%.     

On the infeasibility of modeling polymorphic shellcode

Current trends demonstrate an increasing use of polymorphism by attackers to disguise their exploits. The ability for malicious code to be easily, and automatically, transformed into semantically equivalent variants frustrates attempts to construct simple, easily verifiable representations for use in security sensors. In this paper, we present a quantitative analysis of the strengths and limitations of shellcode polymorphism, and describe the impact that these techniques have in the context of learning-based IDS systems. Our examination focuses on dual problems: shellcode encryption-based evasion methods and targeted “blending” attacks. Both techniques are currently being used in the wild, allowing real exploits to evade IDS sensors. This paper provides metrics to measure the effectiveness of modern polymorphic engines and provide insights into their designs. We describe methods to evade statistics-based IDS sensors and present suggestions on how to defend against them. Our experimental results illustrate that the challenge of modeling self-modifying shellcode by signature-based methods, and certain classes of statistical models, is likely an intractable problem.     

A Behavior-based Buffer Overflow Attack Blocker

A common way to gain control of victim hosts is to launch buffer overflow attacks by remote exploits.This paper proposes a behavior-based buffer overflow attacker blocker,which can dynamically detect and prevent remote buffer overflow attacks by filtering out the client requests that contain malicious executable codes.An important advantage of this approach is that it can block the attack before the exploit code begins affecting the target program.The blocker is composed of three major components,packet dec...     

U-HIPE: hypervisor-based protection of user-mode processes in Windows

We propose a method to protect user-processes against malicious software attacks running an introspection and protection tool (U-HIPE) inside a hypervisor. Our solution is based on hardware virtualization support, imposing “no-write” and/or “no-execution” restrictions on different guest virtual machine’s (VM) memory pages. Protected components include process’ thread stacks, heaps and loadable modules. This way most attempts to execute malicious code in a process are detected and blocked. We propose a method to deal with swappable pages. We inject page-fault exceptions in the guest VM when trying to read swapped-out pages for introspection. We also intercept all swap-in and swap-out events to correctly maintain protection on needed memory pages. We implemented a testing prototype for protecting user-processes in several Microsoft Windows operating systems. Tests we performed proved the effectiveness of our solution against attacks like polymorphic/packed viruses, hook injection and injected code execution. The introduced overhead is acceptable for most applications.     

Extending .NET security to unmanaged code

The number of applications that are downloaded from the Internet and executed on-the-fly is increasing every day. Unfortunately, not all of these applications are benign, and, often, users are unsuspecting and unaware of the intentions of a program. To facilitate and secure this growing class of mobile code, Microsoft introduced the .NET framework, a new development and runtime environment where machine-independent byte-code is executed by a virtual machine. An important feature of this framework is that it allows access to native libraries to support legacy code or to directly invoke the Windows API. Such native code is called unmanaged (as opposed to managed code). Unfortunately, the execution of unmanaged native code is not restricted by the .NET security model, and, thus, could provide the attacker with a mechanism to completely circumvent the framework’s security mechanisms if the user decides to grant execute permission to the .NET application. The approach described in this paper uses a sandboxing mechanism to prevent an attacker from executing malicious, unmanaged code that is not permitted by the security policy. Our sandbox is implemented as two security layers, one on top of the Windows API and one in the kernel. Also, managed and unmanaged parts of an application are automatically separated and executed in two different processes. This ensures that potentially unsafe code can neither issue system calls not permitted by the .NET security policy nor tamper with the memory of the .NET runtime. Our proof-of-concept implementation is transparent to applications and secures unmanaged code with a generally acceptable performance penalty. To the best of our knowledge, the presented architecture and implementation is the first solution to secure unmanaged code in .NET.     

基于指针备份的随机化技术

以“缓冲区溢出”为代表的控制数据漏洞已成为最常见的安全隐患,这些漏洞是依靠修改目标进程的控制数据,使目标进程转向某一段事先注入的恶意代码,从而导致恶意代码以目标进程当前用户的权限而被执行。随机化技术是针对控制数据漏洞的有效手段,但仍无法阻止控制数据被恶意修改。基于指针备份的随机化技术可以对控制数据攻击做出及时、准确的处理,加强了原有模型的抗攻击强度。     

渗透攻击技术研究

计算机中存在一个单独的区块：活动内存,任何一个攻击者都愿意把手伸到这个存储有敏感信息完全未加密的区块。系统为了方便调用,在内存中存储了多种有价值信息;全盘加密机制也必须在内存的某个地方存储密钥、同样,Wi—fi密钥也是如此存储的。Windows在内存中存有注册表键值,系统和SAMhive。许多剪贴板内容和应用程序密码也在存储于内存中。即问题在于,内存存储了系统在某时刻需要的大量有价值信息。攻击者要获得它,需要使用一些同样的取证技术。本文有助于向渗透测试工具包中增加这些技术。     

基于动态分析的底层虚拟机混淆器反混淆方法

底层虚拟机混淆器(OLLVM)是一个著名的代码混淆工具,除了用于保护商业软件的安全外,也被恶意代码的开发者所利用,以此增加分析难度。为便于安全研究人员对ARM恶意程序进行分析,提出并实现了基于动态分析的OLLVM自动化反混淆方法。对于虚假控制流,根据不透明谓词的内存特征监控内存读写并利用动态污点分析技术识别虚假控制流来完成反混淆;对于控制流平坦化,通过动态运行程序并记录基本块的执行顺序来完成反混淆;同时利用多执行路径构造来提高代码覆盖率,最后通过指令修复还原基本块之间的关系。实验结果表明,该方法可准确消除可执行程序中因混淆产生的条件分支,且反混淆后得到的程序其运行结果与未混淆的程序保持一致,能有效完成对ARM混淆程序的反混淆工作。     

Network-level polymorphic shellcode detection using emulation

Significant progress has been made in recent years towards preventing code injection attacks at the network level. However, as state-of-the-art attack detection technology becomes more prevalent, attackers are likely to evolve, employing techniques such as polymorphism and metamorphism to defeat these defenses. A major outstanding question in security research and engineering is thus whether we can proactively develop the tools needed to contain advanced polymorphic and metamorphic attacks. While recent results have been promising, most of the existing proposals can be defeated using only minor enhancements to the attack vector. In fact, some publicly-available polymorphic shellcode engines are currently one step ahead of the most advanced publicly-documented network-level detectors. In this paper, we present a heuristic detection method that scans network traffic streams for the presence of previously unknown polymorphic shellcode. In contrast to previous work, our approach relies on a NIDS- embedded CPU emulator that executes every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of polymorphic shellcode. Our analysis demonstrates that the proposed approach is more robust to obfuscation techniques like self-modifications compared to previous proposals, but also highlights advanced evasion techniques that need to be more closely examined towards a satisfactory solution to the polymorphic shellcode detection problem.     

A security monitoring method for malicious P2P event detection

Recently malicious code is spreading rapidly due to the use of P2P(peer to peer) file sharing. The malicious code distributed mostly transformed the infected PC as a botnet for various attacks by attackers. This can take important information from the computer and cause a large-scale DDos attack. Therefore it is extremely important to detect and block the malicious code in early stage. However a centralized security monitoring system widely used today cannot detect a sharing file on a P2P network. In this paper, to compensate the defect, P2P file sharing events are obtained and the behavior is analyzed. Based on the analysis a malicious file detecting system is proposed and synchronized with a security monitoring system on a virtual machine. In application result, it has been detected such as botnet malware using P2P. It is improved by 12 % performance than existing security monitoring system. The proposed system can detect suspicious P2P sharing files that were not possible by an existing system. The characteristics can be applied for security monitoring to block and respond to the distribution of malicious code through P2P.     

Data memory power optimization and performance exploration of embedded systems for implementing motion estimation algorithms

A memory power optimization and performance exploration methodology based on high-level (C language) code transformations that allows the system designer to explore various data memory power, data memory area and performance trade-offs early in the design process of embedded multimedia systems is introduced. This exploration strategy is introduced for both single and multiprocessor environments. The latter requires partitioning of the application. After employing software transformations, the experimental results, obtained using four well-known motion estimation kernels provide an insight on the performance and energy consumption trade-offs, comparing memory hierarchies for the ARM programmable core and prove the validity of the proposed approach.     

shellcode攻击与防范技术

针对Windows系统环境下,攻击者通过shellcode代码威胁系统安全的问题,研究shellcode攻击与防范方法。分析shellcode代码的工作原理、攻击过程及多种变化,介绍新型Windows系统采用的GS和ASLR保护对shellcode攻击的防范机制,并通过实验验证其防范效果。结果证明,实施shellcode攻击需要一定的条件,而GS和ALSR可破坏这些攻击条件的形成,有效阻止攻击。     

基于异常利用的安卓应用重打包对抗技术

应用重打包是安卓生态中的一种严重的安全威胁。借助应用重打包技术,攻击者可以向原始应用插入恶意代码以实现不同的恶意功能,如窃取用户隐私数据、发送收费短信及替换应用广告SDK等。有研究表明, 85%以上的恶意应用通过应用重打包的方式产生。对抗安卓重打包攻击,主要有三种防御方式:一是在应用开发过程中,由开发者对应用进行加固,实施重打包防御策略;二是在应用上传到应用市场时,进行静态应用重打包检测;三是在终端设备上进行动态重打包应用检测。其中,利用重打包工具解析安卓应用程序安装包的缺陷对应用进行加固来提高攻击者生成重打包应用的技术门槛被证明是一种有效的缓解措施。但距今为止,已有工作并未提出一种系统化的方法来发现可用于保护应用的重打包工具缺陷。本文提出了一种系统化的面向重打包对抗的重打包工具可利用缺陷检测方法。首先,我们通过代码扫描定位重打包工具中的潜在异常点;其次,使用模糊测试的方式来尝试触发被定位的异常;最后,监测触发异常的变异应用在目标安卓设备上的运行情况,并进行进一步的模糊测试来最终构建能被用于对抗重打包攻击的异常触发向量。在以应用广泛的重打包工具Apktool为实验对象的测试中,我们总共...     

通用代码Shell化技术研究

代码Shell化技术是一种实现程序从源码形态到二进制形态的程序变换技术。该技术可用于实现Shellcode生成,生成包括漏洞利用过程中的Shellcode及后渗透测试过程中的功能性Shellcode。文中形式化地描述了程序中代码与数据的关系,提出了一种基于LLVM(Low Level Virtual Machine)的通用程序变换方法,该方法可用于实现操作系统无关的代码Shell化。该技术通过构建代码内置全局数据表和添加动态重定位代码,将代码对数据的绝对内存地址访问转化为对代码内部全局数据表的相对地址访问,重构了代码与数据之间的引用关系,解决了代码执行过程中对操作系统重定位机制依赖的问题,使得生成的Shellcode代码具有位置无关特性。在验证实验中,使用适用于不同操作系统的不同规模的工程源码对基于该技术实现的Shellcode生成系统进行了功能测试,并对比了Shell化前后代码功能的一致性、文件大小、函数数量和运行时间,实验结果表明基于该技术的Shellcode生成系统功能正常,具有较好的兼容性和通用性。     

基于人工免疫理论的Shellcode检测方法

Shellcode是缓冲区溢出漏洞攻击的核心代码部分,往往嵌入到文件和网络流量载体中。针对特征码匹配等检测手段存在时间滞后、准确率低等问题,结合人工免疫理论,提出一种采用实值编码的shellcode检测方法。收集shellcode样本并进行反汇编,利用n-gram模型对汇编指令序列提取特征生成抗原,作为免疫系统未成熟检测器来源,之后经历阴性选择算法的免疫耐受过程,生成成熟检测器。对检测器进行克隆和变异,繁衍出更加优良的后代,提高检测器的多样性和亲和度。实验结果表明,该方法对非编码shellcode和多态shellcode均具有较高的检测准确率。     

基于LWE两方数相等的保密计算协议

保密地比较两方数是否相等是安全多方计算（SMC）问题中重要的研究内容,其在数据挖掘、在线推荐服务、在线预定服务、医药数据库等领域有着重要应用。针对半诚实模型下两方保密比较协议无法抵抗恶意攻击的问题,提出一种恶意模型下两方数相等的保密计算协议,采用基于格上差错学习（LwE）困难性问题的公钥加密机制和Paillier加密方案,使得存在恶意攻击者的情况下能够阻止恶意攻击行为发生,同时证明协议在恶意模型下是安全的。分析结果表明,该协议执行完成后不会泄露通信双方的私有信息,与半诚实模型下两方保密比较协议相比,能有效抵抗恶意攻击者的攻击,为SMC通信提供了较好的解决方案。