Windows内存防护机制研究

doi:10.11959/j.issn.2096-109x.2017.00208

Abstract

Abstract:

Over the past three decades,attacks exploiting Windows memory holes have emerged in an endless stream,and the usual means is to attack control-data to hijack the execution flow of the program.To this end,Microsoft has added layers of protection mechanisms to Windows to prevent such attacks.But at this stage,the defensive mechanisms deployed on Windows cannot prevent attacks against non-control-data.In view of the published articles lacking comprehensive study of Windows memory protection mechanism,a detailed introduction to Windows memory protection mechanism and its breakthrough techniques,and non-control-data protection research status was conducted.On this basis,the challenges of Windows memory protection were analyzed and the future of memory protection was discussed.

Key words: Windows memory protection, memory protection mechanism, control-data protection, non-control-data protection

CLC Number:

TP309

Ting-ting LU,Jun-feng WANG. Research on Windows memory protection mechanism[J]. Chinese Journal of Network and Information Security, 2017, 3(10): 1-15.

Figures/Tables 13

	防护方案	防护对象	优点	缺点
非控制数据防护方案	DIFT	决策数据＆控制数据	对应用程序完全透明执行开销小仅有1.1%无误报	采用宽松的不可信数据追踪规则，导致引入不必要的陷阱
	PointerTaintednessDetection	指针解引用	对应用程序完全透明执行开销小误报率低逼近于0	存在漏报引入硬件开销
	DFI	程序的所有变量	不需要修改源码无误报	执行开销大存在漏报
	DSR	内存数据	较DFI执行开销小，平均15%	需修改源码等价类掩码计算不精确
	WIT	可写对象＆控制数据	不需要修改源码较DFI、DSR开销小，平均7%无误报	存在漏报引入空间开销未检查读操作，无法阻止越界读
	SIDAN	系统调用参数及影响其调用的变量	执行开销小无误报	需修改源码存在漏报只能检测非法系统调用
	ValueGuard	程序的所有变量	无误报	需修改源码全局防护执行开销很大只能检测堆栈攻击
	DCI	安全敏感数据	较DFI、DSR大范围防护，DCI执行开销小，最大16.34%较WIT只能检查读操作，DCI可同时检查读操作和写操作	需修改源代码需人工干预存在漏报
Windows已部署的内存防护机制	GS	返回地址	遏止直接修改返回地址	Security cookie易泄露
	SafeSEH	异常处理函数指针	保证了异常处理函数据的有效性	对指向堆区的异常处理函数指针无效
	SEHOP	SEH链	在SafeSEH前检查SEH链的完整性	可通过伪造SEH链绕过检查
	DEP	数据页	阻止执行部署到数据页的shellcode	多数第三方应用的DLL不支持对可写可执行页不起作用
	ASLR	控制数据地址	加大定位通用跳板等跳转地址的难度	映像随机化只对映射基值的前 2 个字节进行了随机化堆栈随机化只能防止精准攻击
	CFG	间接跳转地址	可防范对间接跳转目标地址的攻击	位图映射基址固定调用 NtAllocVirtualMemory 分配的可执行虚拟内存对应位图位全为1进程加载不支持CFG的模块，将不受CFG保护
	RFG	返回地址	返回地址保存在攻击者不可控的Thread Control Stack	只能防护针对返回地址的攻击，验证失败后执行的处理可以通过其他方式修改
	Safeunlinking	堆块块首	在分配堆块之前验证flink和blink 的有效性	只考虑了堆块分配时指针的完整性，没有处理堆块回收时的情况
	Heapmetadatacookies	堆块块首	可防止直接溢出覆盖块首中的 flink 和blink	和GS一样都存在cookie泄露的风险
	Heapmetadataencryption	堆块块首	对堆块块首数据加密存储，可防止对其进行直接修改	只对块首元素进行加密存储，并没有加密存储堆块数据
	Heapguard pages	堆块	堆块首尾加入防护页，有效防止跨堆块攻击块首	对同堆块的堆数据还不能起到保护作用，仍可覆盖同一堆块中的函数指针实施攻击

References 50

[1]	Morris worm[EB/OL]. .
[2]	DURUMERIC Z , LI F , KASTEN J ,et al. The matter of heartbleed[C]// 2014 Conference on Internet Measurement. 2014: 475-488.
[3]	ZATKO P . How to write buffer overflows[EB/OL]. .
[4]	HOGLUND G . Advanced buffer overflow technique[EB/OL]. .
[5]	ABADI M , BUDIU M , ERLINGSSON U ,et al. Control-flow integrity[C]// The 12th ACM Conference on Computer and Communications Security. 2005: 340-353.
[6]	KUZNETSOV V , SZEKERES L , PAYER M ,et al. Code-pointer integrity[C]// The 11th USENIX Symposium on Operating Systems Design and Implementation. 2014: 147-163.
[7]	CHEN S , XU J , SEZER E C ,et al. Non-control-data attacks are realistic threats[C]// The 14th USENIX Security Symposium. 2005: 177-191.
[8]	CARR S A , PAYER M . DataShield:configurable data confidentiality and integrity[C]// 2017 ACM on Asia Conference on Computer and Communications Security. 2017: 193-204.
[9]	CASTRO M , COSTA M , HARRIS T . Securing software by enforcing data-flow integrity[C]// The 7th USENIX Symposium on Operating Systems Design and Implementation. 2006: 147-160.
[10]	BHATKAR S , SEKAR R . Data space randomization[C]// The 5th International Conference on Detection of Intrusion and Malware,and Vulnerability Assessment. 2008: 1-22.
[11]	Usage share of operating systems[EB/OL]. .
[12]	ANDERSEN S . Memory protection technologies[EB/OL]. .
[13]	Control flow guard[EB/OL]. .
[14]	COWAN C , PU C , MAIER D ,et al. StackGuard:automatic adaptive detection and prevention of buffer-overflow attacks[C]// The 7th USENIX Security Symposium. 1998: 63-77.
[15]	GS compiler option documentation for Visual Studio 2003[EB/OL]. .
[16]	RICHARTE G . Four different tricks to bypass StackShield and StackGuard protection[EB/OL]. .
[17]	strict_gs_check pragma documentation for Visual Studio 2005[EB/OL]. .
[18]	LITCHFIELD D . Defeating the stack based buffer overflow prevention mechanism of Microsoft Windows 2003 server[EB/OL]. .
[19]	PIETREK M . A crash course on the depths of Win32 structured exception handling[EB/OL]. .
[20]	SAFESEH linker option documentation for Visual Studio 2003[EB/OL]. .
[21]	Preventing the exploitation of structured exception handler (SEH) overwrites with SEHOP[EB/OL]. .
[22]	Miller M . Preventing the exploitation of SEH overwrites[EB/OL]. .
[23]	BERRE S L , CAUQUIL D . Bypassing SEHOP[EB/OL]. .
[24]	SOTIROV A , DOWD M . Bypassing browser memory protections[EB/OL]. .
[25]	SHACHAM H , . The geometry of innocent flesh on the bone:return-into-libc without function calls (on the x86)[C]// The 14th ACM CCS. 2007: 552-561.
[26]	BUCHANAN E , ROEMER R , SAVAGE S ,et al. Return-oriented programming:exploitation without code Injection[EB/OL]. .
[27]	Bypassing Windows hardware-enforced data execution prevention[EB/OL]. .
[28]	PaX ASLR[EB/OL]. .
[29]	WHITEHOUSE O . An analysis of address space layout randomization on Windows VistaTM[EB/OL]. .
[30]	SOTIROV A . Windows ANI header buffer overflow[EB/OL]. .
[31]	Heap spraying[EB/OL]. .
[32]	Guard compiler option documentation for Visual Studio 2015[EB/OL]. .
[33]	TANG J . Exploring control flow guard in Windows 10[EB/OL]. .
[34]	THEORI.Chakra jit cfg bypass[EB/OL]. .
[35]	SUN K , OU Y , ZHAO Y H ,et al. Never let your guard down:finding unguarded gates toby-pass control flow guard with big data[EB/OL]. .
[36]	Return flow guard[EB/OL]. .
[37]	Mitigate threats by using Windows 10 security features[EB/OL]. .
[38]	HU H , CHUA Z L , ADRIAN S ,et al. Automatic generation of data-oriented exploits[C]// The 24th USENIX Security Symposium. 2015: 177-192.
[39]	HU H , SHINDE S , ADRIAN S ,et al. Data-oriented programming:on the expressiveness of non-control data attacks[C]// 2016 IEEE Symposium on Security and Privacy. 2016: 969-986.
[40]	AKRITIDIS P , CADAR C , RAICIU C ,et al. Preventing memory error exploits with WIT[C]// 2008 IEEE Symposium on Security and privacy. 2008: 263-277.
[41]	SUH G E , LEE J W , ZHANG D ,et al. Secure program execution via dynamic information flow tracking[C]// The 11th International Conference on Architectural Support for Programming Languages and Operating Systems. 2004: 85-96.
[42]	CHEN S , XU J , NAKKA N ,et al. Defeating memory corruption attacks via pointer taintedness detection[C]// 2005 International Conference on Dependable Systems and Networks. 2005: 378-387.
[43]	BARRANTES E G , ACKLEY D , PALMER T S ,et al. Randomized instruction set emulation to disrupt binary code injection attacks[C]// The 10th ACM Conference on Computer and Communications Security. 2003: 281-289.
[44]	KC G S , KEROMYTIS A D , PREVELAKIS V . Countering code injection attacks with instruction-set randomization[C]// The 10th ACM Conference on Computer and Communications Security. 2003: 272-280.
[45]	STEENSGAARD B , . Points-to analysis in almost linear time[C]// The 23rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. 1996: 32-41.
[46]	DEMAY J C , TOTEL E , TRONEL R . SIDAN:a tool dedicated to software instrumentation for detecting attacks on non-control- data[C]// 2009 Fourth International Conference on Risks and Security of Internet and Systems. 2009: 51-58.
[47]	ACKER S V , NIKIFORAKIS N , PHILIPPAERTS P ,et al. Valueguard:protection of native applications against data-only buffer overflows[C]// The 6th International Conference on Information Systems Security. 2010: 156-170.
[48]	DING R , QIAN C X , SONG C Y ,et al. Efficient protection of path-sensitive control security[C]// The 26th USENIX Security Symposium. 2017: 131-148.
[49]	VEEN V V D , ANDRIESSE D , G?KTAS E ,et al. Practical context-sensitive CFI[C]// The 22nd ACM SIGSAC Conference on Computer and Communications Security. 2015: 927-940.
[50]	G?KTAS E , ATHANASOPOULOS E , BOS H ,et al. Out of control:overcoming control-flow integrity[C]// 2014 IEEE Symposium on Security and Privacy. 2014: 575-589.

Metrics

Recommended 0

No Suggested Reading articles found!

Research on Windows memory protection mechanism

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 13

References 50

Related Articles 15

Metrics

Recommended 0

[1]	Yilong WANG, Zhenyu LI, Daofu GONG, Fenlin LIU. Image double fragile watermarking algorithm based on block neighborhood [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 38-48.
[2]	Renfeng CHEN, Hongbin ZHU. Research on credit card transaction security supervision based on PU learning [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 73-78.
[3]	Guanyun FENG, Cai FU, Jianqiang LYU, Lansheng HAN. Insider threat detection based on operational attention and data augmentation [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 102-112.
[4]	Genlin XIE, Guozhen CHENG, Yawen WANG, Qingfeng WANG. Software diversity evaluating method based on gadget feature analysis [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 161-173.
[5]	Peng HOU, Zhixin LI, Fei ZHANG, Xu SUN, Dan CHEN, Yihao CUI, Hanbing ZHANG, Yinan JIN, Hongfeng CHAI. Technology and practice of intelligent governance for financial data security [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 174-187.
[6]	Min XIAO, Faying MAO, Yonghong HUANG, Yunfei CAO. Anonymous trust management scheme of VANET based on attribute signature [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 33-45.
[7]	Jianlong XU, Jian LIN, Yusen LI, Zhi XIONG. Distributed user privacy preserving adjustable personalized QoS prediction model for cloud services [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 70-80.
[8]	Xunxun CHEN, Mingzhe LI, Ning LYU, Liang HUANG. Intrinsic assurance: a systematic approach towards extensible cybersecurity [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 92-102.
[9]	Jiashuo SONG, Zhenzhen LI, Haiyang DING, Zichen LI. Efficient and fully simulated oblivious transfer protocol on elliptic curve [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 158-166.
[10]	Fenghua LI, Hui LI, Ben NIU, Weidong QIU. Academic connotation and research trends of privacy computing [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 1-8.
[11]	Fei TANG, Ning GAN, Xianggui YANG, Jinyang WANG. Anti malicious KGC certificateless signature scheme based on blockchain and domestic cryptographic SM9 [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 9-19.
[12]	Xue BAI, Baodong QIN, Rui GUO, Dong ZHENG. Two-party cooperative blind signature based on SM2 [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 39-51.
[13]	Jun LIU, Lin YUAN, Zhishang FENG. Survey of key management schemes for cluster networks [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 52-69.
[14]	Min XIAO, Tao YAO, Yuanni LIU, Yonghong HUANG. Dynamic and efficient vehicular cloud management scheme with privacy protection [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 70-83.
[15]	Jiaying LIN, Wenbo ZHOU, Weiming ZHANG, Nenghai YU. Lip forgery detection via spatial-frequency domain combination [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 146-155.