Journal of Software, 2019, 30(11): 3518-3534

Defending Code Reuse Attacks Based on Running Characteristics Monitoring
ZHANG Gui-Min, LI Qing-Bao, ZHANG Ping, CHENG San-Jun
(PLA Information Engineering University, Zhengzhou 450001, China; State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China; Science and Technology on Information Assurance Laboratory, Beijing 100072, China; People's Procuratorate of Henan Province, Zhengzhou 450000, China)
Received: December 15, 2016    Revised: April 05, 2017
Abstract: Code reuse attacks (CRAs) and defenses against them have become a hot topic in network security research. However, current defenses usually cover only a single type of attack and are easily bypassed. To address this, this paper presents RCMon, a method for defending against CRAs based on running characteristics monitoring. Building on an analysis of how CRAs are carried out, RCMon defines a running characteristics model (RCMod) that describes the normal execution of a program, and a safety verification automaton that checks whether the program's current running state satisfies the constraint rules in RCMod. In the implementation, monitoring code is instrumented directly into the target executable so that the program traps into the Hypervisor whenever it reaches a monitoring node; the Hypervisor then both builds the running characteristics database and performs the safety verification. Experimental results show that RCMon can effectively detect and defend against the vast majority of known CRAs, with an average performance overhead of about 22%.
Article ID:     CLC number: TP309    Document code:
Foundation items:National Social Science Foundation of China (15AJG012); CHB National Science and Technology Major Project of China (2013JH00103); Foundation of Science and Technology on Information Assurance Laboratory (KJ-15-107)
Reference text:


ZHANG Gui-Min, LI Qing-Bao, ZHANG Ping, CHENG San-Jun. Defending Code Reuse Attacks Based on Running Characteristics Monitoring. Journal of Software, 2019, 30(11): 3518-3534