Computer Science ›› 2022, Vol. 49 ›› Issue (4): 369-375. doi: 10.11896/jsjkx.210300153
李鹏宇1,2, 刘胜利1,2, 尹小康1,2, 刘昊晖2
LI Peng-yu1,2, LIU Sheng-li1,2, YIN Xiao-kang1,2, LIU Hao-hui2
Abstract: Cisco IOS (Internetwork Operating System), the proprietary operating system of Cisco routers, was designed under hardware constraints that favoured performance over system security, so it cannot effectively detect Return-Oriented Programming (ROP) attacks. To address the shortcomings of traditional ROP defences when applied to Cisco IOS, this paper proposes a method based on hash verification of return addresses in memory, which can effectively detect ROP attacks against Cisco IOS and capture the ROP attack code. After analysing the strengths and weaknesses of existing ROP defence mechanisms, and building on the idea of compact shadow memory, the method replaces the traditional shadow-memory storage model with a hash-based memory lookup model and adds a record of the return address memory pointer as the hash lookup index; this improves shadow-memory lookup efficiency and at the same time resists shadow-memory tampering caused by memory leaks. The CROPDS system was designed and implemented on top of the Dynamips virtualization platform to validate the proposed method. Compared with existing methods, the proposed method improves both generality and performance, and is able to capture the shellcode executed by the attack.
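The hash-indexed shadow memory check described in the abstract, as an added C example that is not the paper's CROPDS code: the address of the stack slot holding a return address (the return address memory pointer) is the hash key and the return address recorded at call time is the value; the hash function, table size, hook names and the fake stack frame are all assumptions made here.

```c
#include <stdint.h>
#include <stddef.h>
/* Shadow memory as a hash table instead of a parallel stack: key = address of the stack
   slot holding a return address ("return address memory pointer"), value = that address. */
#define SHADOW_SLOTS 64
static struct { uintptr_t slot, retaddr; } shadow[SHADOW_SLOTS]; /* slot == 0: empty */
/* Multiplicative hash; stack slots are aligned, so take high bits of the product. */
static size_t shadow_hash(uintptr_t slot) {
    return (size_t)(((uint64_t)slot * 0x9E3779B97F4A7C15ULL) >> 40) % SHADOW_SLOTS;
}

/* Linear probing: index holding this slot, or (if insert) the first free index;
   -1 when absent or the table is full. */
static int shadow_find(uintptr_t slot, int insert) {
    size_t i = shadow_hash(slot);
    for (size_t n = 0; n < SHADOW_SLOTS; n++, i = (i + 1) % SHADOW_SLOTS) {
        if (shadow[i].slot == slot) return (int)i;
        if (shadow[i].slot == 0) return insert ? (int)i : -1;
    }
    return -1;
}

/* Call-site hook: record the return address currently stored in ret_slot. A later
   call that reuses the same slot overwrites the record. Returns -1 if the table is full. */
int shadow_record(const uintptr_t *ret_slot) {
    int i = shadow_find((uintptr_t)ret_slot, 1);
    if (i < 0) return -1;
    shadow[i].slot = (uintptr_t)ret_slot;
    shadow[i].retaddr = *ret_slot;
    return 0;
}

/* Return-site hook: 1 if the slot still holds the recorded address; 0 if it was
   modified (ROP suspected) or never recorded (a return with no matching call). */
int shadow_verify(const uintptr_t *ret_slot) {
    int i = shadow_find((uintptr_t)ret_slot, 0);
    return i >= 0 && shadow[i].retaddr == *ret_slot;
}

/* Constructed demo: a fake frame whose return-address slot is overwritten after the
   call was recorded, as a stack overflow feeding a ROP chain would do. */
int demo_detects_overwrite(void) {
    uintptr_t fake_stack[4] = {0, 0, 0x80001234u, 0}; /* constructed return address */
    uintptr_t *ret_slot = &fake_stack[2];
    shadow_record(ret_slot);
    int clean = shadow_verify(ret_slot);
    *ret_slot = 0x8000ABCDu;                           /* constructed gadget address */
    return clean == 1 && shadow_verify(ret_slot) == 0; /* 1 = tampering detected */
}
```

Because the key is the slot address rather than a stack depth counter, a lookup costs one hash plus a short probe regardless of call depth, and an attacker who leaks and corrupts a contiguous shadow stack region gains nothing from the shadow table's layout.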