BODAR uses the hardware page protection that today's operating systems commonly support to perform event-driven detection. Under this mechanism, when an instruction tries to access an unmapped virtual address, the operating system raises a SIGSEGV signal. We follow each buffer with an unmapped region, so that an overflow out of the buffer touches the unmapped region and raises the signal; the signal invokes the overflow handler, which carries out recovery.
BODAR's recovery concept comes from BMB: the program is kept running by tolerating the overflowed data rather than aborting. Under BODAR protection, every buffer in the application is followed by an unmapped region called the guard region, which holds whatever data overflows out of the buffer. When an overflow occurs, the overflow handler determines the memory address the program tried to access and allocates a physical page at that address; once the handler returns, the overflowing access is carried out on the newly allocated memory, no other data in memory is affected, and the program continues to run until the next buffer overflow.
Compared with BMB's implementation, BMB stores the overflowed data in a separate, discontiguous area, which means every later access to the overflowed data must go through an address translation. BODAR instead places the overflowed data directly after the buffer, where it can be accessed contiguously with no further steps, so BODAR recovers faster.
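The detect-and-recover loop described above, as an added example in C for Linux that is not BODAR's own code: each buffer is placed at the end of its own pages and followed by a guard region, a SIGSEGV handler checks the faulting address (si_addr) against the registered guard regions, makes the page containing it accessible, and returns so that the faulting store is retried on the new page while the program keeps running. Two simplifications are assumptions of this example rather than BODAR's design: the guard region is reserved with PROT_NONE (address space with no physical memory behind it) instead of being left truly unmapped, so that nothing else can be mapped there, and the handler backs the page with mprotect rather than a fresh mmap. The names bodar_init, bodar_alloc and bodar_overflow_demo are hypothetical.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Pages of address space reserved as the guard region after each buffer.
   Reserved PROT_NONE: it costs no physical memory and any access raises
   SIGSEGV. (Assumption of this example: BODAR leaves the region unmapped.) */
#define GUARD_PAGES 4
#define MAX_BUFFERS 16

struct guarded { uintptr_t guard_lo, guard_hi; };   /* [lo, hi) of a guard region */

static struct guarded registry[MAX_BUFFERS];
static int registry_len;
static long page_size;
static volatile sig_atomic_t recovered_faults;

/* Overflow handler: if the fault lies inside a registered guard region, make the
   page containing the faulting address read/write and return. The kernel then
   retries the faulting store, which now succeeds on the newly backed page. */
static void overflow_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)ctx;
    uintptr_t addr = (uintptr_t)si->si_addr;
    for (int i = 0; i < registry_len; i++) {
        if (addr >= registry[i].guard_lo && addr < registry[i].guard_hi) {
            void *page = (void *)(addr & ~(uintptr_t)(page_size - 1));
            /* Back exactly one page; physical memory is allocated on the retry. */
            if (mprotect(page, page_size, PROT_READ | PROT_WRITE) == 0) {
                recovered_faults++;
                return;
            }
            break;
        }
    }
    /* Not an overflow into a guard region (or mprotect failed): restore the
       default action so the retried access kills the process as usual. */
    signal(sig, SIG_DFL);
}

int bodar_init(void)
{
    page_size = sysconf(_SC_PAGESIZE);
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = overflow_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Allocate `size` bytes so the buffer ends on a page boundary and the next
   GUARD_PAGES pages form a PROT_NONE guard region. */
void *bodar_alloc(size_t size)
{
    if (registry_len == MAX_BUFFERS || size == 0) return NULL;
    size_t buf_pages = (size + page_size - 1) / page_size;
    size_t total = (buf_pages + GUARD_PAGES) * page_size;
    unsigned char *base = mmap(NULL, total, PROT_NONE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base, buf_pages * page_size, PROT_READ | PROT_WRITE) != 0) {
        munmap(base, total);
        return NULL;
    }
    registry[registry_len].guard_lo = (uintptr_t)base + buf_pages * page_size;
    registry[registry_len].guard_hi = (uintptr_t)base + total;
    registry_len++;
    /* Put the buffer at the end of its pages so an overflow hits the guard at once. */
    return base + buf_pages * page_size - size;
}

/* Overflow a 64-byte buffer by `overflow_bytes` (constructed input) and return
   how many page faults the handler recovered from; the process survives. */
int bodar_overflow_demo(size_t overflow_bytes)
{
    if (bodar_init() != 0) return -1;
    const size_t size = 64;
    volatile unsigned char *buf = bodar_alloc(size);
    if (!buf) return -1;
    recovered_faults = 0;
    for (size_t i = 0; i < size + overflow_bytes; i++)
        buf[i] = 0xAA;                      /* bytes past `size` land in the guard */
    /* The spilled data stays readable: it lives on the pages the handler backed. */
    for (size_t i = size; i < size + overflow_bytes; i++)
        if (buf[i] != 0xAA) return -2;
    return recovered_faults;
}

int main(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    int faults = bodar_overflow_demo((size_t)pg * 2 + 16);
    printf("overflowed by %ld bytes, recovered %d page faults\n", pg * 2 + 16, faults);
    return faults < 0;
}
```

Each newly touched guard page costs one fault and one mprotect call, and every backed page stays mapped afterwards, which is exactly the memory consumption the compromise discussed later in this chapter trades coverage against. An overflow that runs past the fixed GUARD_PAGES reserve is not recovered here, and mprotect and signal are not on the POSIX list of async-signal-safe functions, although both are plain system calls on Linux.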
Our experiments confirmed the importance of having a recovery mechanism. Even when a buffer overflow protection mechanism without recovery is deployed in a server program, its performance degrades severely under the denial of service caused by a sustained buffer overflow attack. BODAR's fast recovery improves the survivability of the protected program under attack and its ability to keep providing service.
In addition, because BODAR can consume memory quickly, we also proposed a compromise: taking the characteristics of buffer overflow vulnerabilities into account, it gives up a small part of the protection coverage in exchange for a large reduction in memory usage and an improvement in performance.
Future work will aim to reduce memory usage without shrinking the protection coverage. One possible approach is shown in Figure 5-1.
Figure 5-1: A possible future improvement (figure not reproduced; labels: buffer A, 1-page guard region, sparse area, dense area, in use / idle)
Memory as a whole is divided into a sparse area and a dense area. The sparse area still allocates buffers the BODAR way, while the dense area allocates small buffers as chunks. Ideally, a small buffer is first allocated in the sparse area; when the system finds that the small buffer is idle, it backs the buffer up into the dense area and releases the pages the buffer occupied. When the buffer's data is accessed again, the pages are re-allocated at the original location and the backed-up data is restored. In this way the buffer occupies no memory while it is merely stored, yet has BODAR protection while it is in use.