Chinese Journal of Network and Information Security ›› 2017, Vol. 3 ›› Issue (10): 1-15. doi: 10.11959/j.issn.2096-109x.2017.00208
Comprehensive Reviews
Ting-ting LU 1, Jun-feng WANG 1,2
Revised: 2017-09-18
Online: 2017-10-01
Published: 2017-11-13
Ting-ting LU,Jun-feng WANG. Research on Windows memory protection mechanism[J]. Chinese Journal of Network and Information Security, 2017, 3(10): 1-15.
| Category | Scheme | Protected object | Advantages | Disadvantages |
|---|---|---|---|---|
| Non-control-data protection schemes | DIFT | Decision data & control data | Fully transparent to the application; low execution overhead of only 1.1%; no false positives | Uses loose rules for tracking untrusted data, which introduces unnecessary traps |
| | Pointer Taintedness Detection | Pointer dereferences | Fully transparent to the application; low execution overhead; false-positive rate close to 0 | Has false negatives; introduces hardware overhead |
| | DFI | All program variables | No source modification needed; no false positives | High execution overhead; has false negatives |
| | DSR | Memory data | Lower execution overhead than DFI, 15% on average | Requires source modification; equivalence-class mask computation is imprecise |
| | WIT | Writable objects & control data | No source modification needed; lower overhead than DFI and DSR, 7% on average; no false positives | Has false negatives; introduces space overhead; does not check read operations, so it cannot stop out-of-bounds reads |
| | SIDAN | System call arguments and the variables that influence them | Low execution overhead; no false positives | Requires source modification; has false negatives; can only detect illegal system calls |
| | ValueGuard | All program variables | No false positives | Requires source modification; whole-program protection has very high execution overhead; can only detect stack attacks |
| | DCI | Security-sensitive data | Protects a wider range than DFI and DSR with low execution overhead, at most 16.34%; whereas WIT only checks read operations, DCI checks both reads and writes | Requires source modification; needs manual intervention; has false negatives |
| Memory protection mechanisms deployed in Windows | GS | Return address | Stops direct overwriting of the return address | The security cookie is easily leaked |
| | SafeSEH | Exception handler function pointer | Guarantees the validity of the exception handler function | Ineffective against exception handler pointers that point into the heap |
| | SEHOP | SEH chain | Checks the integrity of the SEH chain before SafeSEH | Can be bypassed by forging the SEH chain |
| | DEP | Data pages | Prevents execution of shellcode placed in data pages | Many third-party application DLLs do not support it; has no effect on pages that are both writable and executable |
| | ASLR | Control data addresses | Increases the difficulty of locating jump addresses such as universal trampolines | Image randomization only randomizes the first 2 bytes of the mapping base; stack randomization can only prevent precise attacks |
| | CFG | Indirect jump addresses | Can defend against attacks on indirect jump target addresses | The bitmap mapping base address is fixed; the bitmap bits for executable virtual memory allocated by calling NtAllocVirtualMemory are all 1; modules loaded by a process that do not support CFG are not protected by CFG |
| | RFG | Return address | Return addresses are saved on a Thread Control Stack the attacker cannot control | Only protects against attacks on the return address; the handling executed after a failed check can be modified by other means |
| | Safe unlinking | Heap chunk header | Validates flink and blink before allocating a heap chunk | Only considers pointer integrity at chunk allocation; does not handle the case of chunk freeing |
| | Heap metadata cookies | Heap chunk header | Prevents a direct overflow from overwriting flink and blink in the chunk header | Like GS, carries the risk of cookie leakage |
| | Heap metadata encryption | Heap chunk header | Stores chunk header data encrypted, preventing direct modification | Only header fields are stored encrypted; heap chunk data is not |
| | Heap guard pages | Heap chunks | Guard pages at the start and end of each chunk effectively prevent cross-chunk attacks on headers | Does not protect heap data within the same chunk; a function pointer in the same chunk can still be overwritten to carry out an attack |
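The safe unlinking row summarises the check in one sentence; the following C model is an added illustration (not code from the paper or from the Windows heap) of what that check does: before a chunk leaves the free list, both neighbours must still point back at it, so a header whose flink or blink was overwritten is rejected rather than written through. The `chunk_t` layout, the list helpers and the `fake` header are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified free-list chunk header holding only the two link pointers
   that safe unlinking validates. Constructed for illustration. */
typedef struct chunk {
    struct chunk *flink;   /* next free chunk */
    struct chunk *blink;   /* previous free chunk */
} chunk_t;

/* Circular doubly linked free list with a sentinel head. */
static void list_init(chunk_t *head) {
    head->flink = head;
    head->blink = head;
}

static void list_insert_tail(chunk_t *head, chunk_t *c) {
    c->flink = head;
    c->blink = head->blink;
    head->blink->flink = c;
    head->blink = c;
}

/* Safe unlinking: remove the chunk only if both neighbours still point
   back at it. If flink or blink has been overwritten, the check fails
   before any write through the forged pointer. Returns false on
   detected corruption. */
static bool safe_unlink(chunk_t *c) {
    if (c->flink->blink != c || c->blink->flink != c)
        return false;
    c->flink->blink = c->blink;
    c->blink->flink = c->flink;
    c->flink = c->blink = NULL;
    return true;
}

/* Builds a three-chunk free list; when corrupt is set, the middle chunk's
   flink is redirected to a fake header (constructed) whose blink does not
   point back at the chunk. Returns whether the unlink was accepted. */
bool unlink_middle_chunk(bool corrupt) {
    chunk_t head, a, b, c, fake;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    list_insert_tail(&head, &c);
    list_init(&fake);              /* fake.blink == &fake, not &b */
    if (corrupt)
        b.flink = &fake;
    return safe_unlink(&b);
}
```

The same predicate can be applied on the free path as well; the table's disadvantage column notes that the deployed check covers allocation only.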