基于异常控制流识别的漏洞利用攻击检测方法

doi:10.3969/j.issn.1000-436x.2014.09.003

Abstract

Abstract:

In order to deal with exploit attacks such as APT,an approach was proposed to detect exploits based on illegal control flow transfers identification.Both static and dynamic analysis methods were performed to construct the CFSO (control flow safety outline),which was used to restrict the targets of control flow transfers occurred during the target program's running.When a call/ret/jmp was about to execute,the target was checked according to the CFSO.The illegal control flow transfer is considered as an exploit attack and all the following attacking steps could be captured.The ex-periment also showed that proposed method had decent overhead and could be applied to detect exploits online.

Key words: software vulnerability, exploit, attack detection, address space layout randomization, data execution pro-tection

Ming-hua WANG,Ling-yun YING,Deng-guo FENG. Exploit detection based on illegal control flow transfers identification[J]. Journal on Communications, 2014, 35(9): 20-31.

Figures/Tables 6

References 20

[1]	Secunia[EB/OL]. . 2014.
[2]	ABADI M , MIHAIBUDIU , ERLINGSSON U . Control-flow integ-rity[A]. Proceedings of the 12th ACM conference on Computer and Communications Security[C]. Raleigh,NC,USA, 2005.340-353.
[3]	BOSMAN E , SLOWINSKA A , BOS H . Minemu: the world's fastest taint tracker[J]. Recent Advances in Intrusion Detection, 2011,6961:1-20.
[4]	NEWSOME J , SONG D . Dynamic taint analysis for automatic detec-tion,analysis,and signature generation of exploits on commodity software[A]. Network and Distributed System Security Symposium[C]. San Diego,California,USA: Internet Society, 2005.
[5]	SCHWARTZ E L , AVGERINOS T , BRUMLEY D . All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask)[A]. IEEE Symposium on Security and Privacy[C]. Oakland,CA,USA, 2010.317-331.
[6]	FireEye[EB/OL]. . 2014.
[7]	Argos[EB/OL]. . 2014.
[8]	PORTOKALIDIS G , SLOWINSKA A , BOS H . Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with auto-matic signature generation[J]. Proceedings of the 1st ACM SI-GOPS/EuroSys European Conference on Computer Systems 2006[C]. New York,NY,USA: ACM, 2006.15-27.
[9]	YIN H , SONG D , EGELE M . Capturing system-wide information flow for malware detection and analysis[A]. Proceeding of the 14th ACM Conference of Computer and Communication Security[C]. Alexandria,VA,USA, 2007.116-127.
[10]	ZHANG M W , SEKAR R . Control flow integrity for COTS bina-ries[A]. Proceedings of the 22nd USENIX Conference on Security 2013[C]. Berkeley,CA,USA, 2013.
[11]	PRAKASH A , YIN H , LIANG Z K . Enforcing system-wide control flow integrity for exploit detection and diagnosis[A]. 8th ACM Sym-posium on Information,Computer and Communications Security[C]. Hangzhou,China, 2013.311-322.
[12]	ZHANG C , WEI T , CHEN Z F . Practical control flow integrity ＆randomization for binary executables[A]. The 34th IEEE Symposium on Security ＆ Privacy[C]. San Francisco,CA,USA, 2013.559-573.
[13]	ZHANG C , WEI T , CHEN Z F . FPGate: The Last Building Block For A Practical CFI Solution[R]. Technical Report For Microsoft BlueHat Prize Contest, 2012.
[14]	ROEMER R , BUCHANAN E , SHACHAM H . Return-oriented pro-gramming: systems,languages,and applications[J]. ACM Transactions on Information and System Security, 2012,15(1).
[15]	DING Y , WEI T , WANG TL . Heap Taichi: exploiting memory alloca-tion granularity in heap-spraying attacks[A]. Proceedings of the 26th Annual Computer Security Applications Conference[C]. New York,NY,USA: ACM, 2010.327-336.
[16]	Heap FengShui[EB/OL]. . 2014.
[17]	BELLARD F . Qemu,a fast and portable dynamic translator[A]. Pro-ceedings of the 14th USENIX conference on Security[C]. Baltimore,MD,USA, 2005.
[18]	WANG MH , SU PR , LI Q . Automatic polymorphic exploit generation for software vulnerabilities[A]. 9th International Conference on Secu-rity and Privacy in Communication Networks[C]. Sydney,Australia. 2013.216-233.
[19]	IDA Pro[EB/OL]. , 2014.
[20]	Metasploit[EB/OL]. , 2014.

Metrics

Recommended 0

No Suggested Reading articles found!

CVE编号	漏洞软件	运行环境
CVE-2007-4607	Easymail 3.0.61	32 bit Windows 7专业版
CVE-2010-3333	Microsoft Office Word 2003	32 bit Windows 7专业版
CVE-2010-2883	Adobe Reader 9.3.4	32 bit Windows 7专业版
CVE-2011-0611	Flash Player 10.0.42.34	32 bit Windows 7专业版
CVE-2012-0158	Microsoft Office Word 2007	32 bit Windows 7专业版
CVE-2012-4969	Internet Explorer 8	32 bit Windows 7专业版
CVE-2013-2551	Internet Explorer 8	32 bit Windows 7专业版+SP1
CVE-2014-1761	Microsoft Office Word 2010	32 bit Windows 7专业版+SP1

CVE编号	控制流转移地址	控制流转移指令	目的指令	目的地址	攻击类型
CVE-2007-4607	ntdll+0x465f7	call ecx	cmp al,0x35	0xc3f0101	JIT Spraying
CVE-2010-3333	ntdll+0x465f7	call ecx	pop edi; pop esi; ret	msxml5+0x12890	SEH exploit
CVE-2010-2883	cooltype+0x8b308	call [eax]	add ebp,0x794; leave; ret	icucnv36+0xcb38	Heap Spraying 结合ROP
CVE-2011-0611	flash+0xaa7d7	call [eax+0x8]	xchg eax,esp; ret	msvcr71+0x8b05	Heap Spraying结合ROP
CVE-2012-0158	mscomctl+0x48a56	ret 0x8	jmp esp	mscomctl+0x3c30	ret-to-libc
CVE-2012-4969	mshtml+0x25c4c0	call [eax+0x8]	xchg eax,esp; ret	msvcr71+0x8b05	Heap Spraying结合ROP
CVE-2013-2551	mshtml+0x1bc545	call [eax+0x8]	xchg eax,esp; ret	msvcr71+0x8b05	Heap Spraying结合ROP
CVE-2014-1761	mscomctl+0x14a34	ret	add esp,0xc; ret	mscomctl+0x5e6ae	Heap Spraying结合ROP

Exploit detection based on illegal control flow transfers identification

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 6

References 20

Related Articles 10

Metrics

Recommended 0

[1]	Lixia XIE, Xueou LI, Hongyu YANG, Liang ZHANG, Xiang CHENG. Multi-stage detection method for APT attack based on sample feature reinforcement [J]. Journal on Communications, 2022, 43(12): 66-76.
[2]	Xueyuan DUAN, Yu FU, Kun WANG, Bin LI. LDoS attack detection method based on simple statistical features [J]. Journal on Communications, 2022, 43(11): 53-64.
[3]	Huafeng HUANG, Purui SU, Yi YANG, Xiangkun JIA. Automatic exploitation generation method of write-what-where vulnerability [J]. Journal on Communications, 2022, 43(1): 83-95.
[4]	Wei SUN,Peng ZHANG,Yongquan HE,Lichao XING. Attack detection method based on spatiotemporal event correlation in intranet environment [J]. Journal on Communications, 2020, 41(1): 33-41.
[5]	Chuanhuang LI,Yan WU,Zhengzhe QIAN,Zhengjun SUN,Weiming WANG. DDoS attack detection and defense based on hybrid deep learning model in SDN [J]. Journal on Communications, 2018, 39(7): 176-187.
[6]	Jie WANG,Lili YANG,Min YANG. Multitier ensemble classifiers for malicious network traffic detection [J]. Journal on Communications, 2018, 39(10): 155-165.
[7]	Hong-bo TANG,Lin-hao ZHENG,Guo-dong GE,Quan YUAN. Detection algorithm for cache pollution attacks based on node state model in content centric networking [J]. Journal on Communications, 2016, 37(9): 1-9.
[8]	Hong-bing CHENG,Chun-ming RONG,Xiao HUANG,Skjalg EGGEN,Qing-kai ZENG. Efficient attack detection and data aggregation algorithm [J]. Journal on Communications, 2012, 33(9): 85-94.
[9]	Shan-shan CHEN,Geng YANG,Sheng-shou CHEN. LEACH protocol based security mechanism for Sybil attack detection [J]. Journal on Communications, 2011, 32(8): 143-149.
[10]	Fen YAN,Yi-qun CHEN,Hao HUANG,Xin-chun YIN. Detecting DDoS attack based on compensation non-parameter CUSUM algorithm [J]. Journal on Communications, 2008, 29(6): 128-134.