Computer Science, 2022, Vol. 49, Issue (4): 369-375. doi: 10.11896/jsjkx.210300153

• Information Security •

Detection Method of ROP Attack for Cisco IOS

LI Peng-yu1,2, LIU Sheng-li1,2, YIN Xiao-kang1,2, LIU Hao-hui2

  1 State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450000, China;
  2 Information Engineering University, Zhengzhou 450000, China
  • Received: 2021-03-15 Revised: 2021-07-09 Published: 2022-04-01
  • About author: LI Peng-yu, born in 1993, postgraduate. His main research interests include network device security and network attack detection. LIU Sheng-li, born in 1973, Ph.D., professor. His main research interests include network device security and network attack detection.
  • Supported by:
    This work was supported by the National Basic Research Program of China (2019QY1300) and Science & Technology Commission Foundation Strengthening Project (2019-JCJQ-ZD-113).

Abstract: Cisco IOS (Internet operating system) is the dedicated operating system of Cisco routers. Because of hardware constraints, its design favors performance over system security, so it cannot effectively detect return-oriented programming (ROP) attacks. To address the shortcomings of traditional ROP protection techniques when applied to Cisco IOS, a method based on hash verification of return-address memory is proposed; it can effectively detect ROP attacks against Cisco IOS and capture the attack code. After analyzing the advantages and disadvantages of existing protection mechanisms against ROP attacks, and building on the idea of compact shadow memory protection, the traditional shadow-memory storage scheme is transformed into a hash-based memory lookup scheme in which the recorded return-address memory pointer serves as the hash index. This improves the efficiency of shadow-memory lookup and resists tampering with the shadow memory through memory leaks. Based on the Dynamips virtualization platform, the CROPDS system is designed and implemented, and the method is verified to be effective. Compared with previous methods, it improves generality and performance, and can capture the shellcode executed by the attack.
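The abstract describes the mechanism only at a high level: at call time the return address and the address of the stack word that holds it are recorded, with the stack-word address used as a hash-table key; at return time the table is consulted and a mismatch indicates a diverted return. The following C program is an added illustration of that idea and is not code from the paper or from CROPDS. The table layout, the multiplicative hash, linear probing with tombstones, the hook names `shadow_record` / `shadow_verify`, and every address value are assumptions constructed for the demonstration; the page does not describe how CROPDS hooks Cisco IOS or lays out its table.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 256                       /* power of two so masking works */

enum { SLOT_EMPTY = 0, SLOT_USED = 1, SLOT_DELETED = 2 };
enum { SHADOW_NO_RECORD = -1, SHADOW_MISMATCH = 0, SHADOW_OK = 1 };

typedef struct {
    uintptr_t slot;      /* address of the stack word holding the return address */
    uintptr_t ret_addr;  /* value recorded there when the call was made */
    int state;           /* SLOT_EMPTY, SLOT_USED or SLOT_DELETED (tombstone) */
} shadow_entry;

typedef struct { shadow_entry entries[TABLE_SIZE]; } shadow_table;

/* Hash of the slot address. Multiplicative hashing is an assumption here;
 * the page does not describe the hash function CROPDS uses. */
static size_t slot_hash(uintptr_t slot)
{
    uint64_t h = (uint64_t)slot * 0x9E3779B97F4A7C15ULL;
    return (size_t)(h >> 32) & (TABLE_SIZE - 1);
}

/* Call-side hook: remember which return address was stored in which slot.
 * Returns 0 on success, -1 if the table is full. */
int shadow_record(shadow_table *t, uintptr_t slot, uintptr_t ret_addr)
{
    size_t home = slot_hash(slot), reuse = TABLE_SIZE;
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        size_t idx = (home + i) & (TABLE_SIZE - 1);
        shadow_entry *e = &t->entries[idx];
        if (e->state == SLOT_USED && e->slot == slot) {
            e->ret_addr = ret_addr;          /* same slot reused by a new frame */
            return 0;
        }
        if (e->state != SLOT_USED && reuse == TABLE_SIZE)
            reuse = idx;                     /* first empty or tombstone position */
        if (e->state == SLOT_EMPTY)
            break;                           /* probe chain ends here */
    }
    if (reuse == TABLE_SIZE)
        return -1;
    t->entries[reuse].slot = slot;
    t->entries[reuse].ret_addr = ret_addr;
    t->entries[reuse].state = SLOT_USED;
    return 0;
}

/* Return-side hook: look the slot up and compare the value about to be used as
 * the return target with what was recorded. The entry is popped either way. */
int shadow_verify(shadow_table *t, uintptr_t slot, uintptr_t ret_addr)
{
    size_t home = slot_hash(slot);
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        shadow_entry *e = &t->entries[(home + i) & (TABLE_SIZE - 1)];
        if (e->state == SLOT_EMPTY)
            return SHADOW_NO_RECORD;
        if (e->state == SLOT_USED && e->slot == slot) {
            e->state = SLOT_DELETED;
            return e->ret_addr == ret_addr ? SHADOW_OK : SHADOW_MISMATCH;
        }
    }
    return SHADOW_NO_RECORD;
}

static uintptr_t g_last_forged;              /* diverted target captured on detection */
uintptr_t last_forged_return(void) { return g_last_forged; }

/* Constructed scenario: stack[] models the memory word where a saved return
 * address lives; all address values are invented. Returns 1 when the legitimate
 * return passes, the overwritten return is flagged, and the popped entry is gone. */
int run_scenario(void)
{
    static shadow_table t;
    memset(&t, 0, sizeof t);
    uintptr_t stack[1] = {0};
    const uintptr_t ret_a = 0x80012340u;     /* constructed legitimate return */
    const uintptr_t ret_b = 0x80012398u;     /* constructed legitimate return */
    const uintptr_t forged = 0x8004BEEFu;    /* constructed value left by an overflow */

    /* Call 1: return address saved in stack[0], recorded, returned normally. */
    stack[0] = ret_a;
    shadow_record(&t, (uintptr_t)&stack[0], stack[0]);
    int normal = shadow_verify(&t, (uintptr_t)&stack[0], stack[0]);

    /* Call 2 reuses stack[0]; a buffer overflow then replaces the saved value. */
    stack[0] = ret_b;
    shadow_record(&t, (uintptr_t)&stack[0], stack[0]);
    stack[0] = forged;
    int attacked = shadow_verify(&t, (uintptr_t)&stack[0], stack[0]);
    if (attacked == SHADOW_MISMATCH)
        g_last_forged = stack[0];            /* keep the diverted target for analysis */

    /* The entry was popped on return: a second lookup has nothing to compare. */
    int popped = shadow_verify(&t, (uintptr_t)&stack[0], stack[0]);

    return normal == SHADOW_OK && attacked == SHADOW_MISMATCH && popped == SHADOW_NO_RECORD;
}

int main(void)
{
    int ok = run_scenario();
    printf("scenario %s; captured return target 0x%lx\n",
           ok ? "detected the diverted return" : "FAILED", (unsigned long)last_forged_return());
    return ok ? 0 : 1;
}
```

Keying the table by the slot address rather than keeping a parallel shadow stack is what lets the check work for any frame whose call was observed, regardless of how the frames are nested, and the mismatching value seen at return time is exactly the datum the abstract says the method captures for later analysis of the attack code.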

Key words: Attack detection, Cisco IOS, Hash table, ROP attack, Shadow stack

CLC Number: TP393