臺灣博碩士論文加值系統

隨著軟體應用程式與網際網路的發展，其所伴隨而來的安全問題也日益嚴重。緩衝區溢位是軟體寫作上不可避免的問題，根據每年的安全通報上顯示許多安全上的漏洞都是源自於緩衝區溢位，也造成駭客入侵攻擊的重大來由。一般軟體應用程式的使用者通常只能依靠軟體廠商發布的更新來防止因緩衝區溢位造成的攻擊，於是在尚未使用更新前，如何避免軟體遭受到緩衝區溢位攻擊、儘量延長軟體使用的安全時效是個防治緩衝區溢位的重點。而由搜集並分析駭客使用的攻擊探測碼可建立起整體緩衝區溢位攻擊手法的模式，並可將此模式作為防治未來緩衝區溢位攻擊的基礎。
關聯規則法能夠發掘未知事物之間的關聯性，所以可協助建立緩衝區溢位攻擊其間共有的特徵模式。於是本研究應用關聯規則法建立緩衝區溢位的攻擊模式，找出攻擊探測碼裡面的系統呼叫關係，實驗並建立一群可區分攻擊行為與正常行為的系統呼叫規則，這些規則能夠正確地偵測出緩衝區溢位攻擊，在誤判率也有很好的表現，進而能夠協助在偵測到攻擊後的防範措施，降低系統遭受緩衝區溢位攻擊的嚴重性。

As the development of software applications and Internet, the security issues that come with get more serious. Buffer Overflow is an unavoidable problem while software programming. According to the advisories of each year, they show that many security vulnerabilities are from Buffer Overflow. Buffer Overflow is also the cause of intrusion made by hackers. The users of software applications usually depend on the software updates released by software venders to prevent the attacks caused by Buffer Overflow. So before applying software updates, that how to avoid attacks to software and prolong the save period of software is an important issue to prevent Buffer Overflow. By collecting and analyzing the exploit codes used by hackers, we can build the overall pattern of Buffer Overflow attacks, and we can take this pattern as the basis for preventing future Buffer Overflow attacks.
Association rules can find the relations of unknown things, so it can help to build the common pattern between Buffer Overflow attacks. So this work applies association rules to build the pattern of Buffer Overflow attacks, and to find out the relations of system calls inside the exploit codes. We experiment and build a group of system call rules that can differentiate the attack behavior and the normal behavior. These rules can detect the Buffer Overflow attacks exactly and perform well in false positives. And then they can help to do further defenses after detecting attacks and alleviate the seriousness of Buffer Overflow attacks to computer systems.

第一章 緒論 1
第一節 研究背景 1
第二節 緩衝區溢位(Buffer Overflow) 2
第三節 研究動機 5
第二章 文獻探討 8
第一節 Buffer Overflow攻擊分類 8
第二節 相關防治Buffer Overflow的研究 9
第三節 文獻探討中的比較與缺點 13
第三章 研究方法與步驟 - 攻擊探測碼的分析方法 14
第一節 exploit code(攻擊探測碼)、shell code與system call 14
第二節 問題定義與描述 15
第三節 關聯規則 16
第四節 系統架構 18
第五節 實驗設計與模擬 20
第四章 實驗結果與評估 31
第一節 篩選初步規則 31
第二節 比對攻擊行為的實驗結果 35
第三節 比對正常行為的實驗結果 36
第四節 刪除無效的規則 36
第五節 評估 37
第五章 結論 39
第一節 本研究的貢獻 39
第二節 未來發展 39
參考文獻 40
英文參考文獻 40
中文參考文獻 43

英文參考文獻
[2] CERT Statistics http://www.cert.org/stats/
[3] National Vulnerability Database. http://nvd.nist.gov
[4] Gerardo Richarte. “Four different tricks to bypass StackShield and StackGuard protection”, April 9, 2002 - June 3, 2002.
[5] James C Foster. “Buffer Overflow Attacks - Detect, Exploit, Prevent”, April 6, 2006.
[6] Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. “Buffer Overflows: Attacks and Defenses for the vulnerability of the Decade” , DARPA Information Survivability Conference and Exposition 2000 Proceedings.
[7] CERT® Advisory CA-2001-19. http://www.cert.org/advisories/CA-2001-19.html
[8] CERT® Advisory CA-2003-04. http://www.cert.org/advisories/CA-2003-04.html
[9] CERT® Advisory CA-2003-20. http://www.cert.org/advisories/CA-2003-20.html
[10] Crispan Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. “StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks”, Proceedings of the 7th USENIX Security Symposium, San Antonio, Texas, January 26-29, 1998.
[11] David A. Wheeler. “Secure Programming for Linux and Unix HOWTO”, 3 March 2003.
[12] Purify: Fast Detection of Memory Leaks and Access Errors. In Proceedings
of the Winter USENIX Conference, 1992.
[13] Java.sun.com. http://java.sun.com/
[14] Crispin Cowan, Steve Beattie, John Johansen and Perry Wagle. “PointGuardTM: Protecting Pointers From Buffer Overflow Vulnerabilities”, Proceedings of the 12th USENIX Security Symposium, August 4–8, 2003.
[15] Arash Baratloo, Timothy Tsai, and Navjot Singh. “Libsafe: Protecting Critical Elements of Stacks”, December 25, 1999.
[16] Biswanath Mukherjee, L. Todd Heberlein, and Karl N. Levitt. “Network Intrusion Detection” , IEEE Network May/June 1994.
[17] StackShield. http://www.angelfire.com/sk/stackshield/
[18] Thomas Toth and Christopher Kruegel. “Accurate Buffer Overflow Detection via Abstract Payload Execution” , Distributed Systems Group, Technical University of Vienna, 2002
[19] A. Pasupulati, J. Coit, K. Levitt. S. F. Wu. “Buttercup: On Network-based Detection of Polymorphic Buffer Overflow Vulnerabilities”, IEEE 2004.
[20] Stig Andersson, Andrew Clark, and George Mohay. “Network-Based Buffer Overflow Detection by Exploit Code Analysis”, Proceedings of AusCERT Asia Pacific Information Technology, 2004.
[21] Zhenkai Liang and R. Sekar. “Automatic Generation of Buffer Overflow Attack Signatures: An Approach Based on Program Behavior Models” , Proceedings of the 21st Annual Computer Security Applications Conference, 2005.
[22] Snort. http://www.snort.org
[23] http://www.milw0rm.com/
[24] Solar Designer. Non-executable Stack Patch. http://www.openwall.com/linux
[25] PaX. https://pageexec.virtualave.net
[26] RSX. http://www.ihaquer.com/software/rsx.
[27] kNoX. http://cliph.linux.pl/kNoX.
[28] Austin TM, Breach SE, Sohi GS. Efficient detection of all pointer and array access errors. ACM SIGPLAN 94 Conference on Programming Language Design and Implementation. ACM: Orlando, FL, 1994;290-301
[29] Jones RWM, Kelly PHJ. Backwards-compatible bounds checking for arrays and pointers in C programs. Proceedings of the Third International Workshop on Automatic Debugging, Sweden, May 1997. Linkoeping University Electronic Press,13-26.
[30] Hastings R, Joyce B. Purify: Fast detection of memory leaks and access errors. Proceedings of the Winter USENIX Conference. USENIX: San Jose, CA, 1992; 125-138
[31] Wagner D, Foster JS, Brewer EA, Aiken A. A first step towards automated detection of buffer overrun vulnerabilities. Network and Distributed System Security Symposium, San Diego, CA, February 2000; 3-17
[32] Larochelle D, Evans D. Statically detecting likely buffer overflow vulnerabilities. Proceedings of the 10th USENIX Security Symposium. USENIX: Washington, DC, 2001; 177-189
[33] Necula GC, McPeak S, Weimer W. CCured: Type-safe retrofitting of legacy code. 29th ACM Symposium on Principles of Programming Languages. ACM: Portland, OR, 2002; 128-139
[34] Jim T, Morrisett G, Grossman D, Hicks M, Cheney J, Wang Y. Cyclone: A safe dealect of C. USENIX Annual Technical Conference. USENIX: Monterey, CA, 2002.
[36] http://www.die.net/doc/linux/man/man1/strace.1.html
[37] Linux System Call Table： http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls.html
[38] R. Agrawal, T. Imielinski, and A. Swami. Mining association rules between sets of items in large databases. Proceedings of the ACM SIGMOD Conference on Management of data, p.p. 207-216, May 1993.
[39] R. Agrawal, and R. Srikant. Fast algorithms for mining association rules in large database. Technical Report FJ9839, IBM Almaden Research Center, San Jose, CA, Jun. 1994.
[40] R. Agrawal, and R. Srikant. Fast algorithms for mining association rules. In Proc. 1994 Int. Conf. Very Large Databases(VLDB’94), Sep. 1994.

中文參考文獻
[1] 軟體王. http://www.softking.com.tw/
[35] 尹相志, SQL Server 2005 資料採礦聖經, 學貫, 2005, ISBN：9867198395