Computer Science ›› 2022, Vol. 49 ›› Issue (4): 369-375. doi: 10.11896/jsjkx.210300153

• Information Security •

Detection Method of ROP Attack for Cisco IOS

LI Peng-yu1,2, LIU Sheng-li1,2, YIN Xiao-kang1,2, LIU Hao-hui2

  1 State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450000, China;
  2 Information Engineering University (Strategic Support Force Information Engineering University), Zhengzhou 450000, China
  • Received: 2021-03-15 Revised: 2021-07-09 Published: 2022-04-01
  • Corresponding author: LIU Sheng-li (dr_liushengli@163.com)
  • Author contact: void_yu0359@163.com
  • About author: LI Peng-yu, born in 1993, postgraduate. His main research interests include network device security and network attack detection. LIU Sheng-li, born in 1973, Ph.D., professor. His main research interests include network device security and network attack detection.
  • Supported by:
    This work was supported by the National Key Research and Development Program of China (2019QY1300) and the Science & Technology Commission Foundation Strengthening Project (2019-JCJQ-ZD-113).

Abstract: Cisco IOS (Internetwork Operating System) is the dedicated operating system of Cisco routers. Because of hardware constraints, its design favours performance over system security, which leaves it unable to effectively detect return-oriented programming (ROP) attacks. To address the shortcomings of traditional ROP protection techniques when applied to Cisco IOS, a method based on hash verification of return-address memory is proposed; it can effectively detect ROP attacks against Cisco IOS and capture the attack code. After analysing the advantages and disadvantages of existing ROP protection mechanisms, and building on the idea of compact shadow memory protection, the traditional shadow memory storage mode is transformed into a hash-based memory lookup mode: the memory pointer of the return address is recorded as the index for the hash lookup, which improves the efficiency of shadow memory lookup and also resists shadow memory tampering caused by memory leaks. On top of the Dynamips virtualization platform, the CROPDS system is designed and implemented, and the method is validated. Compared with existing methods, it improves both generality and performance, and can capture the shellcode executed by the attack.

Key words: Attack detection, Cisco IOS, Hash table, ROP attack, Shadow stack

CLC number: TP393
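The return-address hash verification described in the abstract, as an added example in C that is not the paper's CROPDS code: it assumes that the "return address memory pointer" is the address of the stack slot holding a saved return address, uses that address as the key of a small open-addressing hash table, and at return time compares the slot's current contents with the value recorded at call time. The stack array, the return-address values and the three scenario functions are constructed for the demonstration and are not IOS addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative shadow table (hypothetical, not the CROPDS implementation).
 * Key:   address of the stack slot that holds a saved return address.
 * Value: the return address observed in that slot when the call was made.
 * Indexing by slot address means a lookup does not depend on stack depth,
 * which is the "compact shadow memory" idea the abstract builds on. */
#define TABLE_SIZE 64

enum { SLOT_EMPTY = 0, SLOT_LIVE = 1, SLOT_DEAD = 2 };

typedef struct {
    int       state;  /* SLOT_EMPTY, SLOT_LIVE or SLOT_DEAD (tombstone) */
    uintptr_t slot;   /* address of the return-address slot on the stack */
    uintptr_t ret;    /* return address recorded at call time */
} shadow_entry;

typedef struct { shadow_entry entries[TABLE_SIZE]; } shadow_table;

/* Mix the slot address into a table index; slots are word aligned, so the
 * low bits carry no information and are shifted out first. */
static size_t hash_slot(uintptr_t slot) {
    uint64_t x = (uint64_t)slot >> 2;
    x ^= x >> 17;
    x *= 0x9E3779B97F4A7C15ULL;
    x ^= x >> 31;
    return (size_t)(x % TABLE_SIZE);
}

void shadow_init(shadow_table *t) { memset(t, 0, sizeof *t); }

/* Call-time hook: record which return address sits in which slot.
 * Returns 0 on success, -1 if the table is full. */
int shadow_record(shadow_table *t, uintptr_t slot, uintptr_t ret) {
    size_t i = hash_slot(slot);
    shadow_entry *free_e = NULL;
    for (size_t n = 0; n < TABLE_SIZE; n++) {
        shadow_entry *e = &t->entries[(i + n) % TABLE_SIZE];
        if (e->state == SLOT_LIVE && e->slot == slot) { e->ret = ret; return 0; }
        if (e->state != SLOT_LIVE && free_e == NULL) free_e = e;
        if (e->state == SLOT_EMPTY) break;   /* end of the probe chain */
    }
    if (free_e == NULL) return -1;
    free_e->state = SLOT_LIVE;
    free_e->slot  = slot;
    free_e->ret   = ret;
    return 0;
}

/* Return-time hook: compare the return address now in the slot with the
 * recorded one and retire the entry.  1 = match, 0 = mismatch (the slot was
 * rewritten after the call, so a ROP chain is suspected), -1 = slot unknown. */
int shadow_verify(shadow_table *t, uintptr_t slot, uintptr_t ret_now) {
    size_t i = hash_slot(slot);
    for (size_t n = 0; n < TABLE_SIZE; n++) {
        shadow_entry *e = &t->entries[(i + n) % TABLE_SIZE];
        if (e->state == SLOT_EMPTY) return -1;
        if (e->state == SLOT_LIVE && e->slot == slot) {
            e->state = SLOT_DEAD;            /* tombstone keeps the probe chain intact */
            return e->ret == ret_now ? 1 : 0;
        }
    }
    return -1;
}

/* Constructed scenarios: a small array stands in for the process stack and
 * the return addresses are made-up values. */
int scenario_legitimate_return(void) {
    shadow_table t; uintptr_t stack[8] = {0};
    shadow_init(&t);
    stack[7] = 0x80001000u; shadow_record(&t, (uintptr_t)&stack[7], stack[7]); /* outer call */
    stack[5] = 0x80002000u; shadow_record(&t, (uintptr_t)&stack[5], stack[5]); /* inner call */
    return shadow_verify(&t, (uintptr_t)&stack[5], stack[5]);                  /* 1: untouched */
}

int scenario_overwritten_return(void) {
    shadow_table t; uintptr_t stack[8] = {0};
    shadow_init(&t);
    stack[7] = 0x80001000u; shadow_record(&t, (uintptr_t)&stack[7], stack[7]);
    stack[5] = 0x80002000u; shadow_record(&t, (uintptr_t)&stack[5], stack[5]);
    stack[5] = 0x80004444u;  /* simulated overflow that replaced the saved return address */
    return shadow_verify(&t, (uintptr_t)&stack[5], stack[5]);                  /* 0: mismatch */
}

int scenario_retired_slot(void) {
    shadow_table t; uintptr_t stack[8] = {0};
    shadow_init(&t);
    stack[5] = 0x80002000u; shadow_record(&t, (uintptr_t)&stack[5], stack[5]);
    shadow_verify(&t, (uintptr_t)&stack[5], stack[5]);      /* frame returns, entry retired */
    return shadow_verify(&t, (uintptr_t)&stack[5], stack[5]); /* -1: no live record */
}

int main(void) {
    printf("legitimate return : %d\n", scenario_legitimate_return());
    printf("overwritten return: %d\n", scenario_overwritten_return());
    printf("retired slot      : %d\n", scenario_retired_slot());
    return 0;
}
```

The tombstone state matters for the detector: a retired entry must not be reported as a match, but it must also not break the probe chain for live entries hashed behind it, which is why `shadow_verify` marks the entry dead instead of clearing it.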