基于异常控制流识别的漏洞利用攻击检测方法

doi:10.3969/j.issn.1000-436x.2014.09.003

通信学报 ›› 2014, Vol. 35 ›› Issue (9): 20-31.doi: 10.3969/j.issn.1000-436x.2014.09.003

• 论文Ⅰ 网络攻击与防范 • 上一篇下一篇

基于异常控制流识别的漏洞利用攻击检测方法

王明华^1,²,应凌云¹,冯登国¹

¹ 中国科学院软件研究所可信计算与信息保障实验室，北京 100190
² 中国科学院大学，北京 100049

出版日期:2014-09-25 发布日期:2017-06-14
基金资助:
国家重点基础研究发展计划（“973”计划）基金资助项目;国家自然科学基金资助项目;北京市自然科学基金资助项目

Exploit detection based on illegal control flow transfers identification

Ming-hua WANG^1,²,Ling-yun YING¹,Deng-guo FENG¹

¹ Laboratory of Trusted Computing and Information Assurance,Institute of Software,Chinese Academy of Sciences,Beijing 100190,China
² University of Chinese Academy of Sciences,Beijing 100049,China

Online:2014-09-25 Published:2017-06-14
Supported by:
The National Basic Research Program of China (973 Program);The National Natural Science Foundation of China;The Natural Science Foundation of Beijing

摘要/Abstract

摘要：

为应对 APT 等漏洞利用攻击的问题，提出了一种基于异常控制流识别的漏洞利用攻击检测方法。该方法通过对目标程序的静态分析和动态执行监测，构建完整的安全执行轮廓，并限定控制流转移的合法目标，在函数调用、函数返回和跳转进行控制流转移时，检查目标地址的合法性，将异常控制流转移判定为漏洞攻击，并捕获完整的攻击步骤。实验结果表明，该方法能够准确检测到漏洞利用攻击，并具备良好的运行效率，可以作为漏洞利用攻击的实时检测方案。

关键词: 软件漏洞, 漏洞利用, 攻击检测, 地址随机化, 数据执行保护

Abstract:

In order to deal with exploit attacks such as APT,an approach was proposed to detect exploits based on illegal control flow transfers identification.Both static and dynamic analysis methods were performed to construct the CFSO (control flow safety outline),which was used to restrict the targets of control flow transfers occurred during the target program's running.When a call/ret/jmp was about to execute,the target was checked according to the CFSO.The illegal control flow transfer is considered as an exploit attack and all the following attacking steps could be captured.The ex-periment also showed that proposed method had decent overhead and could be applied to detect exploits online.

Key words: software vulnerability, exploit, attack detection, address space layout randomization, data execution pro-tection

王明华,应凌云,冯登国. 基于异常控制流识别的漏洞利用攻击检测方法[J]. 通信学报, 2014, 35(9): 20-31.

Ming-hua WANG,Ling-yun YING,Deng-guo FENG. Exploit detection based on illegal control flow transfers identification[J]. Journal on Communications, 2014, 35(9): 20-31.

图/表 6

图1

图2

图3

表1

表2

图4

参考文献 20

[1]	Secunia[EB/OL]. . 2014.
[2]	ABADI M , MIHAIBUDIU , ERLINGSSON U . Control-flow integ-rity[A]. Proceedings of the 12th ACM conference on Computer and Communications Security[C]. Raleigh,NC,USA, 2005.340-353.
[3]	BOSMAN E , SLOWINSKA A , BOS H . Minemu: the world's fastest taint tracker[J]. Recent Advances in Intrusion Detection, 2011,6961:1-20.
[4]	NEWSOME J , SONG D . Dynamic taint analysis for automatic detec-tion,analysis,and signature generation of exploits on commodity software[A]. Network and Distributed System Security Symposium[C]. San Diego,California,USA: Internet Society, 2005.
[5]	SCHWARTZ E L , AVGERINOS T , BRUMLEY D . All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)[A]. IEEE Symposium on Security and Privacy[C]. Oakland,CA,USA, 2010.317-331.
[6]	FireEye[EB/OL]. . 2014.
[7]	Argos[EB/OL]. . 2014.
[8]	PORTOKALIDIS G , SLOWINSKA A , BOS H . Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with auto-matic signature generation[J]. Proceedings of the 1st ACM SI-GOPS/EuroSys European Conference on Computer Systems 2006[C]. New York,NY,USA: ACM, 2006.15-27.
[9]	YIN H , SONG D , EGELE M . Capturing system-wide information flow for malware detection and analysis[A]. Proceeding of the 14th ACM Conference of Computer and Communication Security[C]. Alexandria,VA,USA, 2007.116-127.
[10]	ZHANG M W , SEKAR R . Control flow integrity for COTS bina-ries[A]. Proceedings of the 22nd USENIX Conference on Security 2013[C]. Berkeley,CA,USA, 2013.
[11]	PRAKASH A , YIN H , LIANG Z K . Enforcing system-wide control flow integrity for exploit detection and diagnosis[A]. 8th ACM Sym-posium on Information,Computer and Communications Security[C]. Hangzhou,China, 2013.311-322.
[12]	ZHANG C , WEI T , CHEN Z F . Practical control flow integrity ＆randomization for binary executables[A]. The 34th IEEE Symposium on Security ＆ Privacy[C]. San Francisco,CA,USA, 2013.559-573.
[13]	ZHANG C , WEI T , CHEN Z F . FPGate: The Last Building Block For A Practical CFI Solution[R]. Technical Report For Microsoft BlueHat Prize Contest, 2012.
[14]	ROEMER R , BUCHANAN E , SHACHAM H . Return-oriented pro-gramming: systems,languages,and applications[J]. ACM Transactions on Information and System Security, 2012,15(1).
[15]	DING Y , WEI T , WANG TL . Heap Taichi: exploiting memory alloca-tion granularity in heap-spraying attacks[A]. Proceedings of the 26th Annual Computer Security Applications Conference[C]. New York,NY,USA: ACM, 2010.327-336.
[16]	Heap FengShui[EB/OL]. . 2014.
[17]	BELLARD F . Qemu,a fast and portable dynamic translator[A]. Pro-ceedings of the 14th USENIX conference on Security[C]. Baltimore,MD,USA, 2005.
[18]	WANG MH , SU PR , LI Q . Automatic polymorphic exploit generation for software vulnerabilities[A]. 9th International Conference on Secu-rity and Privacy in Communication Networks[C]. Sydney,Australia. 2013.216-233.
[19]	IDA Pro[EB/OL]. , 2014.
[20]	Metasploit[EB/OL]. , 2014.

CVE编号	漏洞软件	运行环境
CVE-2007-4607	Easymail 3.0.61	32 bit Windows 7专业版
CVE-2010-3333	Microsoft Office Word 2003	32 bit Windows 7专业版
CVE-2010-2883	Adobe Reader 9.3.4	32 bit Windows 7专业版
CVE-2011-0611	Flash Player 10.0.42.34	32 bit Windows 7专业版
CVE-2012-0158	Microsoft Office Word 2007	32 bit Windows 7专业版
CVE-2012-4969	Internet Explorer 8	32 bit Windows 7专业版
CVE-2013-2551	Internet Explorer 8	32 bit Windows 7专业版+SP1
CVE-2014-1761	Microsoft Office Word 2010	32 bit Windows 7专业版+SP1

CVE编号	控制流转移地址	控制流转移指令	目的指令	目的地址	攻击类型
CVE-2007-4607	ntdll+0x465f7	call ecx	cmp al,0x35	0xc3f0101	JIT Spraying
CVE-2010-3333	ntdll+0x465f7	call ecx	pop edi; pop esi; ret	msxml5+0x12890	SEH exploit
CVE-2010-2883	cooltype+0x8b308	call [eax]	add ebp,0x794; leave; ret	icucnv36+0xcb38	Heap Spraying 结合ROP
CVE-2011-0611	flash+0xaa7d7	call [eax+0x8]	xchg eax,esp; ret	msvcr71+0x8b05	Heap Spraying结合ROP
CVE-2012-0158	mscomctl+0x48a56	ret 0x8	jmp esp	mscomctl+0x3c30	ret-to-libc
CVE-2012-4969	mshtml+0x25c4c0	call [eax+0x8]	xchg eax,esp; ret	msvcr71+0x8b05	Heap Spraying结合ROP
CVE-2013-2551	mshtml+0x1bc545	call [eax+0x8]	xchg eax,esp; ret	msvcr71+0x8b05	Heap Spraying结合ROP
CVE-2014-1761	mscomctl+0x14a34	ret	add esp,0xc; ret	mscomctl+0x5e6ae	Heap Spraying结合ROP

基于异常控制流识别的漏洞利用攻击检测方法

Exploit detection based on illegal control flow transfers identification

在线阅读

PDF下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 6

参考文献 20

相关文章 13

Metrics

推荐阅读 0

[1]	谢丽霞, 李雪鸥, 杨宏宇, 张良, 成翔. 基于样本特征强化的APT攻击多阶段检测方法[J]. 通信学报, 2022, 43(12): 66-76.
[2]	段雪源, 付钰, 王坤, 李彬. 基于简单统计特征的LDoS攻击检测方法[J]. 通信学报, 2022, 43(11): 53-64.
[3]	黄桦烽, 苏璞睿, 杨轶, 贾相堃. 可控内存写漏洞自动利用生成方法[J]. 通信学报, 2022, 43(1): 83-95.
[4]	马博林, 张铮, 任权, 张高斐, 邬江兴. 软件异构冗余执行系统的安全能力分析[J]. 通信学报, 2021, 42(9): 1-11.
[5]	陈福才,何威振,程国振,霍树民,周大成. 基于DPDK的内网动态网关关键技术设计[J]. 通信学报, 2020, 41(6): 139-151.
[6]	孙伟,张鹏,何永全,邢丽超. 内网环境下基于时空事件关联的攻击检测方法[J]. 通信学报, 2020, 41(1): 33-41.
[7]	李传煌,吴艳,钱正哲,孙正君,王伟明. SDN下基于深度学习混合模型的DDoS攻击检测与防御[J]. 通信学报, 2018, 39(7): 176-187.
[8]	汪洁,杨力立,杨珉. 基于集成分类器的恶意网络流量检测[J]. 通信学报, 2018, 39(10): 155-165.
[9]	王淼,王利明,徐震,马多贺. 基于熵变的多租户云内DDoS检测方法研究[J]. 通信学报, 2016, 37(Z1): 204-210.
[10]	汤红波,郑林浩,葛国栋,袁泉. CCN中基于节点状态模型的缓存污染攻击检测算法[J]. 通信学报, 2016, 37(9): 1-9.
[11]	程宏兵,容淳铭,黄晓,曾庆凯. 高效的攻击检测与数据融合算法[J]. 通信学报, 2012, 33(9): 85-94.
[12]	陈珊珊,杨庚,陈生寿. 基于LEACH协议的Sybil攻击入侵检测机制[J]. 通信学报, 2011, 32(8): 143-149.
[13]	严芬,陈轶群,黄皓,殷新春. 使用补偿非参数CUSUM方法检测DDoS攻击[J]. 通信学报, 2008, 29(6): 128-134.