计算机工程与应用 ›› 2012, Vol. 48 ›› Issue (15): 63-69.

• 网络、通信、安全 • 上一篇    下一篇

基于控制流数据保护的缓冲区溢出防御方法

张蓝图,王  瑛   

  1. 中船重工第709研究所,武汉 430074
  • 出版日期:2012-05-21 发布日期:2012-05-30

Dynamic stack buffer overflow prevention based on protection of control-flow data

ZHANG Lantu, WANG Ying   

  1. 709th Research Institute, China Shipbuilding Industry Corporation, Wuhan 430074, China
  • Online:2012-05-21 Published:2012-05-30

摘要: 根据栈缓冲区溢出的基本原理,介绍了三种缓冲区溢出攻击的基本模式,分析了现有的动态防御方法所存在的优缺点。以此为基础,提出了一种基于控制流相关数据保护的栈缓冲区溢出动态防御方法,引入了加密机制,有效地防御攻击者对保护数据的篡改。设计并实现了针对目标文件为对象的二进制文件重构工具,通过理论分析和实验表明该方法能够极大概率防御各种缓冲区溢出攻击。

关键词: 软件漏洞, 栈缓冲区溢出, 动态防御, 控制流数据

Abstract: The basic attack patterns of stack buffer overflow are introduced based on the principles of stack buffer overflow. A new dynamic stack buffer overflow prevention method based on protection of control-flow related data is proposed due to the weakness of the existing dynamic buffer overflow prevention methods. At the same time, two encryption algorithms are introduced to protect the control-flow related data. The new method is proved to be able to defend multiple patterns of attacks with an acceptable performance tradeoff. At the same time, an object file reconstructing tool for binary is implemented using this new method. Experimental results of both the penetration resistance and the performance impact of the proposed method are presented.

Key words: software vulnerability, stack buffer overflow, dynamic prevention, control-flow data