從1950年開始，緩衝區溢位攻擊便不斷地在網際網路上肆虐著。由於發起容易，目標眾多，及強大的破壞力，長久以來緩衝區溢位攻擊便一直是網際網路最大的安全威脅問題之一。不僅internet worm利用這種程式漏洞大量繁殖，許多的攻擊者也利用此種程式漏洞奪取電腦系統的控制權。且在理論上來說，利用這類型的攻擊手法可以讓攻擊者在數十分鐘內攻破成千上萬的電腦。這些安全威脅不僅嚴重地影響到每一台使用網路的電腦系統的可靠度，並且威脅到使用者對於使用這些網路服務的信心。有鑑於此，開發出一套有效的緩衝區溢位攻擊防禦方法便成為目前網路安全研究中迫切且重要的議題。

隨著眾多防禦方法的提出，緩衝區溢位攻擊這類的攻擊手法也不斷地演化成不同的形態，以繞過這些保護機制。而研究顯示，若要對鎖定的系統造成傷害攻擊者通常必需執行系統呼叫，而在i386的架構下系統呼叫的執行則必需透過int 80或 sysenter指令，因此在本篇論文中我們將針對 (一)防止攻擊者自行提供的int 80指令的執行 (二)防止程式內原有的int 80被攻擊者盜用，兩項議題提出解決方案，進而解決破壞力強大的植入惡意程式之緩衝區溢位攻擊。

在不需重新編譯使用者程式並提供可執行堆疊的前提下、本篇論文提出了一種借由修改kernel和libc的方法使int 80 指令僅能由程式中特定的int 80指令產生、此外借由模糊位置技巧及偽造int 80指令的加入，使得攻擊者很難利用程式中已向Kernel註冊的int 80指令執行系統呼叫、進而防止多種型態的緩衝區溢位攻擊，實驗顯示在僅需微量的工作負擔下，本法可有效地解決植入惡意程式碼的緩衝區溢位攻擊。

Since its first appearance in 1950, buffer overflow attacks have buffeted the Internet for more than half a century. Due to the simplicity to launch a BOA, the tremendous available targets in the Internet, and the damage power a BOA can create, buffer overflow attacks have continuously been one of the most hazardous security threats in the Internet. Not only Internet worms utilize this attack to proliferate themselves but also malicious users exploit it to take the control of a computer system. Internet incidents are often related to buffer overflow attacks. And theoretically, by utilizing this attack method a malicious user can compromise thousands of hundreds hosts in 20 minutes. The above security threats severely influence the reliability of a computer and network system and also reduce people''s confidence on the computer and network system. Therefore, developing an efficient and effective approach to protect a computer and network system become a critical and emergent issues modern cyber community.
As more protection approaches are developed, BOAs also evolve into different mutants to bypass the proposed protection mechanism. Among the various mutants there are stack smashing attacks, heap overflow attacks, function pointer attacks, jump table overflow attacks, and so on. Attackers usually have to damage target system by system calls, and in i386 architecture it must use int 80 or sysenter. In our research we focus on (1) prevent executing int 80 provided by attacker (2) prevent executing int 80 existed in memory to protect system from BOAs.
We propose a new method to protect system calls by registering valid int 80 on premise that we don’t have to recompile source code. Besides of that, we introduce Address Obfuscation and forge fake int 80 instructions to make attackers hardly use system calls registered in system and then protect system from many kinds of injected code Attack. And the experimental results show that it takes less overhead to protect system.

第一章 緒論 1
1-1 研究背景 1
1-2 研究動機與目地 1
第二章 攻擊原理 3
2-1 Stack Overflow Attack 3
2-2 Return-into-libc Attack 3
2-3 Heap Overflow Attack 4
2-4 Scanning Code Attack 5
第三章 相關研究 6
3-1 StackGuard and Stack Shield 6
3-2 Address Obfuscation 7
3-3 邊界檢查 8
3-4 Exec Shield 8
3-5 Binary Obfuscation 9
3-6 PointGuard
第一章 緒論 1
1-1 研究背景 1
1-2 研究動機與目地 1
第二章 攻擊原理 3
2-1 Stack Overflow Attack 3
2-2 Return-into-libc Attack 3
2-3 Heap Overflow Attack 4
2-4 Scanning Code Attack 5
第三章 相關研究 6
3-1 StackGuard and Stack Shield 6
3-2 Address Obfuscation 7
3-3 邊界檢查 8
3-4 Exec Shield 8
3-5 Binary Obfuscation 9
3-6 PointGuard

[1]. C. Cowan, C. Pu, D. Maier, H. Hinton, J. Wadpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, "StackGuard: Automatic Detection and Prevention of Buffer-overrun Attacks", In Proceedings of the 7th USENIX Security Symposium, January 1998
[2]. Phrake Magazine, http://www.phrack.org
[3]. Bulba and Kil3r lam3rz@hert.org, "Bypassing StackGuard and StackShield", volume 0xa Issue 0x38, 05.01.2000
[4]. Arash Baratloo, Navjot Singh, and Timothy Tsai. "Transparent run-time defense against stack smashing attacks". In Proceedings of the 2000 USENIX Annual Technical Conference (USENIX-00), pages 251–262, Berkeley, CA, June 2000.
[5]. S. Bhatkar, D. DuVarney, and R. Sekar. "Address obfuscation: An efficient approach to combat a broad range of memory error exploits". In V. Paxson, editor, Proc. 12th USENIX Sec. Symp, USENIX, Aug. 2003.
[6]. Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar, "Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits", Department of Computer Science, Stony Brook University, Stony Brook, NY 11794
[7]. The PaX Address Space Layout Randomization project, http://pax.grsecurity.net/
[8]. Tzi-cker Chiueh and Fu-Hau Hsu, "RAD: A Compiler Time Solution to Buffer Overflow Attacks", ICDCS 2001, Phoenix, Arizona, USA, April, 2001.
[9]. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh. " On the effectiveness of address space randomization", derandomization attack, page 2. In Proc. of the ACM Conf. on Computer and Communications Security, 2004.
[10]. Anonymous. "Bypassing PaX ASLR protection". Phrack, 11(59), July 2002.
[11]. R. Jones and P. Kelly. "Bounds Checking for C". Technical report. http://www-ala.doc.ic.ac.uk/phjk/BoundsChecking.html
[12]. D. Dhurjati and V. Adve. "Backwards-compatible array bounds checking for C with very low overhead". In Proc. 28th Int’l Conf. on Software Engineering (ICSE), Shanghai, China, May 2006.
[13]. GCC extensions, http://gcc.gnu.org/extensions.html
[14]. Exec Shield, http://en.wikipedia.org/wiki/Exec_Shield
[15]. Crispin Cowan, Steve Beattie, John Johansen, and Perry Wagle. "Pointguard: Protecting pointers from buffer overflow vulnerabilities". In Proceedings of the 12th USENIX Security Symposium, Washington, D.C., August 2003.
[16]. C. M. Linn, M. Rajagopalan, S. Baker, C. Collberg, and J. H. Hartman. "Protect against unexpected system calls". In Proceedings of the 2005 USENIX Security Symposium, page 239-254, July 2005.
[17]. Chongkyung Kil, Jinsuk Jun, Christopher Bookholt, Jun Xu, Peng Ning. "Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software", IEEE Computer Society, 2006
[18]. The Apache Project, http://www.apache.org/
[19]. GDB: The GNU Project Debugger, http://sourceware.org/gdb/
[20]. G. S. Kc, A. D. Keromytis, and V. Prevelakis. "Countering Code-Injection Attacks With Instruction-Set Randomization". In Proceedings of the ACM Computer and Communications
Security (CCS) Conference, pages 272–280, October 2003.
[21]. BERNASCHI, M., GABRIELLI, E., AND MANCINI, L. V. 2002. "REMUS: a Security-Enhanced Operating System". ACM Transactions on Information and System Security 5, 36 (Feb.).
[22]. QEMU: a generic and open source machine emulator and virtualizer, http://fabrice.bellard.free.fr/qemu/
[23]. VMware, http://www.vmware.com/
[24]. Strace: a system call tracer, http://sourceforge.net/projects/strace/
[25]. NX Bit, http://en.wikipedia.org/wiki/NX_bit
[26]. Aleph One, "Smashing the Stack for Fun and Profit", Phrak 49