###
Journal of Software:2017.28(7):1732-1745

面向Linux的内核级代码复用攻击检测技术
陈志锋,李清宝,张平,王烨
(解放军信息工程大学, 河南 郑州 450001;数学工程与先进计算国家重点实验室, 河南 郑州 450001)
Kernel Code Reuse Attack Detection Technique for Linux
CHEN Zhi-Feng,LI Qing-Bao,ZHANG Ping,WANG Ye
(PLA Information Engineering University, Zhengzhou 450001, China;State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China)
Abstract
Chart / table
Reference
Similar Articles
Article :Browse 1807   Download 1238
Received:September 20, 2015    Revised:December 31, 2015
> 中文摘要: 近年来,代码复用攻击与防御成为安全领域研究的热点.内核级代码复用攻击使用内核自身代码绕过传统的防御机制.现有的代码复用攻击检测与防御方法多面向应用层代码复用攻击,忽略了内核级代码复用攻击.为有效检测内核级代码复用攻击,提出了一种基于细粒度控制流完整性(CFI)的检测方法.首先根据代码复用攻击原理和正常程序控制流构建CFI约束规则,然后提出了基于状态机和CFI约束规则的检测模型.在此基础上,基于编译器,辅助实现CFI标签指令插桩,并在Hypervisor中实现CFI约束规则验证,提高了检测方法的安全性.实验结果表明,该方法能够有效检测内核级代码复用攻击,并且性能开销不超过60%.
Abstract:Recently, code reuse attack and defensive techniques have been a hot area in security research. Kernel-Level code reuse attacks use kernel code to bypass traditional defensive mechanisms. Existing code reuse attacks detection and defensive methods mainly focus on user-level code reuse attacks, ignoring kernel-level code reuse attacks. In order to detect kernel-level code reuse attacks effectively, a detection method based on fine-grained control flow integrity (CFI) is proposed. Firstly, CFI constraint rules are constructed according to the code reuse attack principles and the control flows of normal programs. Then, a detection model based on state machine and CFI constraint rules is developed. Next, CFI label checking instructions are instrumented based on GCC-plugin. Furthermore, CFI constraint rules are verified on Hypervisor, boosting the security of the method. The experiment results show that this method can effectively detect kernel-level code reuse attacks, and performance evaluations indicate that performance penalty induced by this method is less than 60%.
文章编号:     中图分类号:    文献标志码:
基金项目:“核高基”国家科技重大专项(2013JH00103);国家高技术研究发展计划(863)(2009AA01Z434) “核高基”国家科技重大专项(2013JH00103);国家高技术研究发展计划(863)(2009AA01Z434)
Foundation items:National Science and Technology Major Project of China (2013JH00103); National High Technology Research and Development Program of China (2009AA01Z434)
Reference text:

陈志锋,李清宝,张平,王烨.面向Linux的内核级代码复用攻击检测技术.软件学报,2017,28(7):1732-1745

CHEN Zhi-Feng,LI Qing-Bao,ZHANG Ping,WANG Ye.Kernel Code Reuse Attack Detection Technique for Linux.Journal of Software,2017,28(7):1732-1745