
Computer Engineering ›› 2012, Vol. 38 ›› Issue (04): 122-125. doi: 10.3969/j.issn.1000-3428.2012.04.040

• Security Technology •

Dynamic Runtime Detection System for Return-oriented Programming Attack

HAN Hao a,b, MAO Bing a,b, XIE Li a,b

  1. (a. State Key Laboratory for Novel Software Technology; b. Department of Computer Science and Technology, Nanjing University, Nanjing 210093, China)
  • Received: 2011-07-22 Online: 2012-02-20 Published: 2012-02-20
  • About the authors: HAN Hao (born 1985), male, master's student, main research interests: software integrity checking and information security; MAO Bing and XIE Li, professors
  • Supported by:
    National Natural Science Foundation of China (61073027, 90818022, 6072 1002); National "973" Program of China (2009CB320705)

Abstract: Return-oriented programming (ROP) is a new attack based on code-reuse techniques. Based on the attack principles of ROP and its variants, this paper designs a dynamic runtime detection system for ROP attacks. The system works in two phases: static instrumentation and dynamic runtime monitoring. Static instrumentation assembles analysis code into the program to be checked. Dynamic runtime checking then applies three methods, ret integrity checking, call integrity checking and jmp integrity checking, to analyze the program's control flow and data flow and decide whether a ROP attack is taking place. Preliminary experimental results show that the method can efficiently and completely detect ROP malicious code, with no false positives or false negatives.

Key words: Return-oriented Programming (ROP), malicious code, ROP detection, JOP detection
