臺灣博碩士論文加值系統

由於C程式語言不進行陣列的邊界檢查，造成軟體中潛藏著可被用來進行緩衝區溢位攻擊（Buffer Overflow）的漏洞，近年來已成為駭客進行電腦主機入侵或未經授權操作的主要管道之一。除此之外，有些電腦蠕蟲與病毒也採用緩衝區溢位攻擊的方式來進行傳播。緩衝區溢位攻擊依據其攻擊碼（Shell Code）被存放的位置，大至上可以區分為Stack與Heap的緩衝區溢位攻擊這二大類。在已知的漏洞之中，屬於Stack的緩衝區溢位攻擊多已被研究，屬於Heap的緩衝區溢位攻擊雖然較少，但相對的，防制的方法也較少。針對Stack與Heap的緩衝區溢位攻擊的威脅，雖然現有數種防制的方法可以使用，但是普遍都有缺點存在，例如系統效能降低、浪費記憶體空間、相容性有問題、需要硬體支援、可被繞過、以及需要重新編譯，都是現有防制緩衝區溢位攻擊的方法常見的缺點。在透過動態記憶體管理機制起動的Heap緩衝區溢位攻擊出現之後，既有的一些防制方法有被繞過的可能，能抵擋此種攻擊的防制方法卻又得犧牲許多系統資源與效能才能達到防制的目的。因此本論文對Heap Buffer Overflow攻擊之防制進行研究，我們提出採用檢查雙向串列(Doubly-Linked List)的方式來防制Heap緩衝區溢位攻擊，這樣的方法能具有方便、快速、有效、相容、和跨平台的特性。

Recently, buffer overflow has become a drastic security problem for computer systems. The main cause of it is due to the lack of boundary checking mechanism in the C language. Hackers often get access into different systems without authorization through this kind of vulnerability. Some virus and worms also are spread by the same vulnerability. According to where the attacking code residing, there are two kinds of buffer overflow attacks: stack buffer overflow, and heap buffer overflow. Although there are some work proposed to eliminate buffer overflow, they all suffer from some drawbacks such as system slowing down, memory wasting, non-compatible code, and hardware dependent. In this work, we propose to introduce some basic memory checking mechanism in order to defend heap buffer overflow. Our approach can provide a convenient, efficient, and effective way to defend heap buffer overflow problem.

第一章導論
1.1 研究背景
1.2 研究動機
1.3 研究目的
1.4研究範圍與限制
1.5本文貢獻
1.6論文架構
第二章文獻研究
2.1 Buffer Overflow攻擊的回顧
2.2防制Buffer Overflow的相關研究
2.3各種防制方法的比較
第三章Linux的HBO防制
3.1 Linux的Heap運作原理
3.2利用記憶體管理機制的攻擊手法
3.3檢查雙向串列防制法
第四章FreeBSD的HBO防制
4.1 FreeBSD的Heap運作原理
4.2 利用記憶體管理機制的攻擊手法
4.3 檢查雙向串列防制法
第五章實驗結果與討論
5.1 Linux的實驗方法與環境
5.2 Linux的實驗結果
5.3 FreeBSD的實驗方法與環境
5.4 FreeBSD的實驗結果
第六章結論與未來發展
參考文獻

[1] The CERT Coordination Center (CERT/CC). http://www.cert.org/.
[2] CERT Advisory. CERT Advisory CA-2001-26 Nimda Worm. http://www.cert.org/advisories/CA-2001-26.html.
[3] CERT Advisory. CERT Advisory CA-2002-02 Buffer Overfl ow in AOL ICQ. http://www.mycert.org.my/cert/advisory/CA-2002-02.html.
[4] StackGuard: Protecting Systems From Stack Smashing Attacks. http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/.
[5] Brandon Bray. Compiler Security Checks In Depth. http: //msdn.microsoft.com/library/default.asp?url=/library/en-us/dv_ vst%echart/html/vctchCompilerSecurityChecksInDepth.asp.
[6] Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. . Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade*. http://www.immunix.org/StackGuard/discex00.pdf.
[7] Mark W.Eichin and Jon A. Rochlis. With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988. ftp://coast.cs.purdue.edu/pub/doc/morris_worm/mit.PS.Z.
[8] Joel Eriksson. Bugtraq: mpg123-0.59k bufferoverflow. http://lists.insecure.org/lists/bugtraq/1998/Nov/0012.html.
[9] Pierre-Alain Fayolle and Vincent Glaume. A Buffer Overflow Study Attacks & Defenses. http://ouah.sysdoor.net/bofstd.pdf.
[10] Christof Fetzer and Zhen Xiao. Detecting Heap Smashing Attacks Through Fault Containment Wrappers. Proceedings of the IEEE Symposium on Reliable Distributed Systems (October 2001), 80-89.
[11] Eveline Irwandi. The Internet Worm of 1988. http://faculty.fullerton.edu/schen/ISDS%20553/Week%205/Briefing%2014.do%c.
[12] Richard Kettlewell. Protecting Against Some Buffer-Overrun Attacks. http://www.greenend.org.uk/rjk/random-stack.html.
[13] Chia-Ling Lee. Port 443 and Openssl-too-open. http://www.giac.org/practical/GCIH/Chia_Ling_Lee_GCIH.pdf.
[14] Stack Shield-A "stack smashing" technique protection tool for Linux. http://www.angelfire.com/sk/stackshield/info.html.
[15] David Litchfield. Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP. http://www.nextgenss.com/papers/non-stack-bo-windows.pdf.
[16] Phrack Magazine. http://www.phrack.org/.
[17] Nergal. The advanced return-into-lib(c) exploits (PaX case study). https://www.phrack.com/phrack/58/p58-0x04.
[18] Aleph One. Smashing The Stack For Fun And Profit. https://www.phrack.com/phrack/49/P49-14.
[19] Jensenne Roculan. Nimda Worm Alert. http://www.der-keiler.de/Mailing-Lists/securityfocus/focus-ids/2001-09/%0079.html.
[20] Donn Seeley. A Tour of the Worm. ftp://coast.cs.purdue.edu/pub/doc/morris_worm/seely.PS.Z.
[21] Projects:Libsafe-Protecting Critical Elements of Stacks. http://www.research.avayalabs.com/project/libsafe/.
[22] Ari Takanen, Marko Laakso, Juhani Eronen, and Juha Roning. Running Malicious Code By Exploiting Buffer Overflows: A Survey Of Publicly Available Exploits. http://www.ee.oulu.fi/research/ouspg/protos/sota/EICAR2000-overflow-sur%vey/paper.pdf.
[23] Homepage of The PaX Team. http://pageexec.virtualave.net/.
[24] David A. Wheeler. Secure Programming for Linux and Unix HOWTO. http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO.html#BUFF%ER-OVERFLOW.
[25] Anonymous. Once upon a free(). https://www.phrack.com/phrack/57/p57-0x09.
[26] BugTraq. http://online.securityfocus.com/archive/1.
[27] RATS. http://www.securesw.com/rats/.
[28] scut and team teso. Exploiting Format String Vulnerabilities. http://ouah.sysdoor.net/formatstring-1.2.pdf.