JP2005032182A - Program, attack code extracting apparatus, and its method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a program, an apparatus, and a method for extracting attack codes, which can automatically extract harmful attack codes that can be executed in computers by stack smashing attacks. <P>SOLUTION: When input of illegal data including attack codes is detected in an illegal data input detecting part 101, based on a specified pointer (i.e., a frame pointer) linked to an address on a stack in which return addresses to calling functions are stored, a return address that is rewritten by stack overflow is acquired in a beginning address specifying part 102. Based on the address, the beginning address of an attack code is specified. Thereby, without depending on a person, attack codes that are transmitted into a computer by a stack smashing attack can be automatically extracted. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a program for extracting an illegal attack code input to a computer, an extraction apparatus and an extraction method thereof, and in particular, a program for extracting an attack code that can be executed by an attack using stack overflow, an extraction apparatus for the same, and It relates to an extraction method.

  Currently, many problems related to computer security have been reported. One of the most reported is an attack using buffer overflow, and in particular, many attacks called stack smashing using stack overflow have been reported.

  Stack overflow occurs due to the structure of the stack and the lack of array boundary checking in the C language as described below.

  The stack is an abstract data type having a property called LILO (last-in first-out) in which the last placed object is removed first. A stack used for calling a function in the C language is generally composed of a stack pointer, a stack frame, and a frame pointer.

The stack pointer points to the top of the stack.
A stack frame contains function arguments, local variables, and data required to restore a previously loaded stack frame (caller function instruction pointer, caller function frame pointer, etc.) in the specified order. Is a memory area stored in

The frame pointer indicates a reference address position in the stack frame. It is mainly used as a relative value for referring to a local variable.
That is, even if the size of the local variable and the number of arguments change, the head address where the local variable is stored is at a fixed position relative to the reference address indicated by the frame pointer. Therefore, local variables can be easily accessed by obtaining the frame pointer.
In addition, data necessary for restoring a previously stacked stack frame, such as an instruction pointer of the caller function and its frame pointer, is also stored in a relatively fixed position from this reference address. Therefore, access to these data is facilitated by obtaining the frame pointer.

  The stack operation at the time of function call and return will be described with reference to FIG. 16 and FIG.

FIG. 16 is a diagram illustrating an example of a C language source code.
In the function “function ()” of the line number L1 in the source code of FIG. 16, three integer variables “a”, “b”, and “c” are passed as arguments. In addition, inside the function “function ()”, a character type array “buf” is defined as a local variable (line number L2). This function 'function ()' is called in the main function (line numbers L4 and L5).

  FIG. 17 is a diagram illustrating an example of a stack state when such source code is executed.

  The function call is executed in the following procedure.

(1) The arguments ('a' to 'c') of the function 'function ()' are stacked on the stack. As shown in FIG. 17, arguments are stacked on the stack in the order of ‘c’, ‘b’, and ‘a’.

(2) Next, the current instruction pointer (the address of the memory where the instruction code to be executed is stored) is loaded on the stack as the return address ‘ret’.

(3) Further, the current frame pointer 'FP' is stacked on the stack and saved as a frame pointer 'sfp' (saved frame pointer).

(4) The current stack pointer 'SP' is copied to the current frame pointer 'FP'. As a result, the new frame pointer ‘FP’ points to the return address ‘ret’ described above.

(5) Finally, in order to secure the memory area of the local variable “buf”, the stack pointer “SP” is further advanced. FIG. 17 shows an example of the state of the stack at this point.

  When the function returns, the following operations are performed:

(1) The current frame pointer 'FP' is copied to the stack pointer 'SP'. Thus, the new stack point 'SP' points to the return address 'ret'.

(2) Also, the previous frame pointer 'SFP' that was loaded on the stack is copied to the frame pointer 'FP'. As a result, the frame pointer 'FP' returns to the stack frame of the calling function.

(3) The return address 'ret' indicated by the stack pointer SP is read from the stack and set in the instruction pointer. As a result, the process jumps to the calling function. Thereafter, the stack pointer ‘SP’ returns to the original state by sequentially reading the arguments (‘a’ to ‘c’) stacked on the stack.

  FIG. 18 is a diagram illustrating an example of a stack state when an overflow occurs in the stack having such a structure.

  When data exceeding the allocation (in the example of FIG. 18, more than 10 character-type data including the terminal character) is input to the array 'buf' as a local variable, as shown by the arrow in FIG. , Data stored at an address higher than the array buf is overwritten by the input data. In this way, when data exceeding the allocation is input, data to be held on the stack is overwritten, which is called stack overflow.

  FIG. 19 is a diagram illustrating a state in which an attack code is executed by a stack smashing attack using stack overflow.

  In stack smashing attacks, malicious attack code is inserted into the input data that causes stack overflow. That is, as shown in FIG. 19, the attack code is written in the memory area overwritten by the stack overflow. Further, this input data includes an address indicating an attack code, and the return address ‘ret’ stored in the stack is rewritten by this address. Therefore, when the function returns, the attack code is executed instead of the instruction code that should be executed originally.

  For example, in the case of UNIX (registered trademark), many daemon processes are executed with root authority. Therefore, for example, by using “exec (/ bin / sh)” as an attack code and performing a stack smashing attack on the daemon process, the attacker can acquire the root authority on the host.

  In order to counter such a stack smashing attack, several technologies are currently proposed, and these are roughly classified into the following three types.

(1) Method for detecting in advance that information on stack is overwritten (2) Method for detecting that information on stack has been overwritten (3) Method for determining whether or not code on memory is executable

  Below, these prior arts are demonstrated.

(1) Method for detecting in advance that information on the stack is overwritten

  [Non-Patent Document 1] proposes a method called libsafe as a method for replacing a library of source code.

  In libsafe, a library function call that may cause a stack overflow is intercepted, and it is checked whether the argument of the function falls within the memory range of the stack. When normal, an appropriate library function is called, and when abnormal, a message notifying that is left and the program is terminated to prevent stack overflow.

The operation of libsafe will be described by taking the function “strcpy ()” of the standard library (libc) in C language as an example.
FIG. 20 is a diagram illustrating a state of a memory in a certain process linked with a library of libsafe.

  When the program calls ‘strcpy ()’, ‘strcpy ()’ implemented in the library of libsafe is executed instead of the standard library (libc) (F <b> 1). This is achieved by devising the order of library loading.

The libsafe 'strcp ()' first calculates the length of the copy source character string ('src') and the upper limit of the copy destination buffer length (that is, the stack frame length), and the copy source character string is the copy destination. Check whether the upper limit of the buffer length is exceeded.
If the upper limit is not exceeded, libsafe 'strcpy ()' calls the function 'memcpy ()' of the standard library (libc) and executes it (F2, F3), and returns to the main function (F4).
On the other hand, if it is determined that the upper limit is exceeded, libsafe's “strcpy ()” leaves a message in the system log file (syslog) and terminates the program.
Thus, in libsafe, stack smashing attacks are prevented by detecting the occurrence of stack overflow in advance.

(2) Method for detecting that information on the stack has been overwritten

[Non-Patent Document 2] proposes a method called StackGuard as a method for extending a compiler.
In StackGuard, as shown in FIG. 21, a value called “Canary Word” is inserted between the return address “ret” and the local variable “buf”. Then, this value is checked when the function returns, and if the value has been changed by overwriting the stack overflow, the process is terminated assuming that a stack smashing attack has been performed (FIG. 22).

  [Patent Document 1] also discloses a technique called “Stack Smashing Protector” similar to the above-mentioned StackGuard. According to [Patent Document 1], when a function returns, the stack's previous frame pointer (corresponding to the frame pointer 'sfp' in FIG. 17) and the array (corresponding to the array 'buf' in FIG. 17) Prevents stack smashing attacks by storing guard variables between them and checking their effectiveness.

(3) A method for determining whether or not the code on the memory can be executed

  As a method for extending the operating system, a method called non-executable stack, disclosed in the Internet <URL: http://www.openwall.com/linux/>, or the Internet <URL: http: // pageexec There is a method called PaX, disclosed in .virtualave.net />.

  In the non-executable stack method, focusing on the fact that attack code is placed on the stack in a stack smashing attack, the kernel is changed so that execution of instructions by the CPU is not permitted on the page of the stack on the memory. . When an attack code placed on the stack is executed by a stack smashing attack, the process is stopped as a page fault.

  On the other hand, in the PaX method, the kernel is changed so that the instruction execution permission / non-permission of the CPU can be marked not only in the stack but in all data pages.

  In either method, stack smashing attacks are prevented by making it impossible to execute code placed on the stack.

  In addition to the three methods for preventing the stack smashing attack described above, [Patent Document 2] discloses a technique for searching and removing known and unknown computer viruses.

In the technique of [Patent Document 2], there is a possibility that a virtual computer environment in which a virus is present is created, a plurality of objects composed of byte sequences for inducing infection are provided, and the object is attached to the inspection object. Invite the virus to infect these multiple subjects with the virus. Then, it is determined whether or not a virus is contained by comparing a plurality of subjects after inducing infection with a plurality of originally provided subjects and examining whether or not there is any change. In addition, virus information and knowledge are extracted from the comparison results to remove the virus. Further, the key information changed by the virus is corrected based on the information and knowledge extracted about the virus and the correction made by the virus on the infected byte string.
Arash Baratloo, 2 others, 'Transparent Run-Time Defense Against Stack Smashing Attacks', In Proceedings of 2000 USENIX Annual Technical Conference, (USA), 2000 Crispin Cowan, 8 others, 'Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks', In Proceedings of the 7th USENIX Security Symposium, (USA), 1998 JP 2001-216161 A JP 2002-342106 A

  By the way, in order to deal with the above-described stack smashing attack, for which many damage reports have been made, it is indispensable to analyze the details of the attack, and for that purpose, the attack code sent by the attacker is extracted. I have to investigate.

  However, the above three methods to counter the stack smashing attack only detect the occurrence of stack overflow or the execution of the instruction code of the prohibited address, and stop or terminate the process. There is no way to extract it.

  Therefore, in order to know what the attack code is, it is necessary to manually analyze the attack contents, which has the disadvantage of requiring a great deal of time and cost.

In the technique disclosed in [Patent Document 2], a byte string to be infected with a virus is held for a certain moment, and the virus string is compared with the byte string to be infected after the infection is induced. Determine infection.
However, the stack smashing attack is an attack on the running process, and the state of the memory of the running process changes one by one. Therefore, as in the technique disclosed in [Patent Document 2], a certain moment in the past. It is impossible to compare the byte sequence with the byte sequence to be infected after inducing infection. That is, with this method, it is not possible to search for and remove a computer virus using a stack smashing attack and extract an attack code.

  The present invention has been made in view of such circumstances, and an object thereof is a program capable of efficiently extracting harmful attack codes that can be executed in a computer by an attack utilizing stack overflow, and attack code extraction. It is to provide an apparatus and method.

  In order to achieve the above object, the program according to the first aspect of the present invention causes an overflow in the stack due to the input of illegal data including attack code, and returns the code of the calling function stored in the stack due to the overflow. By rewriting the address to the start address of the attack code, a first step of detecting the input of the illegal data to a computer capable of executing the attack code, and in the first step, When an input is detected, a process including a second step of specifying a start address of the attack code is executed based on the return address rewritten by the overflow due to the input of the illegal data.

  According to the first aspect of the present invention, when the input of the illegal data is detected, the start address of the attack code is specified based on the return address rewritten by the overflow caused by the input of the illegal data. .

  Preferably, in the second step, the pointer is stored in a predetermined register of the computer and is rewritten based on a pointer associated with an address on the stack in which the return address is stored. Get the return address. The pointer may be a frame pointer or a stack pointer, for example.

In addition, when a new function is called after the input of the illegal data is detected in the first step, a pointer stored in a predetermined register of the computer in the second step The reference address of the caller function is obtained based on the pointer associated with the address on the stack in which the pointer indicating the reference address in the stack frame of the original function is stored, and based on the obtained reference address Thus, the rewritten return address may be acquired.
When there are a plurality of functions to be called after the attack is detected, in the second step, the process of acquiring the reference address in the stack frame of a higher-level caller function is repeated based on the acquired reference address The rewritten return address may be acquired based on the reference address acquired as a result of the iterative process.
As a result, even if another stack frame is stacked on the stack frame in which the overflow has occurred by calling a function after detecting the input of the invalid data, the rewritten return is performed by following the reference address. An address is obtained.

The program according to the first aspect of the present invention obtains data in a memory area where the overflow is caused by the input of the illegal data when the input of the illegal data is detected in the first step. 4, the address range for storing the attack code is determined according to the start address of the attack code specified in the second step and the data acquired in the fourth step. 5 steps may be included.
Thereby, when the input of the illegal data is detected, the data of the memory area where the overflow is caused is acquired, and the acquired data and the start address of the attack code specified in the second step are acquired. In response, the address range in which the attack code is stored is specified.

  In addition, when the start address of the attack code is specified in the second step, the program according to the first aspect of the present invention is stored at least from information related to the specified start address or from the start address. There may be a seventh step of generating predetermined attack notification information including information on the attack code.

  A program according to a second aspect of the present invention includes a first step of detecting whether or not data stored in a memory area set in advance is acquired by the computer as an instruction code to be executed; When the acquisition of the instruction code is detected in the step, the attack code start address is specified based on a pointer stored in a predetermined register of the computer and indicating the instruction code address to be executed. A process having two steps is executed.

  According to a second aspect of the present invention, when it is detected that data in a preset memory area is acquired by the computer as an instruction code to be executed, the execution is stored in a predetermined register of the computer Based on the pointer indicating the address of the instruction code to be executed, the start address of the attack code is specified.

  An attack code extraction device according to a third aspect of the present invention includes an unauthorized data input detection unit that detects an input of the unauthorized data to the computer, and an input of the unauthorized data detected by the unauthorized data input detection unit. Start address specifying means for specifying a start address of the attack code based on the return address stored in the stack rewritten by the overflow caused by the input of the illegal data.

  According to a third aspect of the present invention, when the illegal data input detecting means detects the input of the illegal data, the start address specifying means stores it in the stack rewritten by the overflow caused by the illegal data input. The start address of the attack code is specified based on the return address.

  According to a fourth aspect of the present invention, there is provided an instruction code acquisition detecting means for detecting whether or not data in a preset memory area is acquired by the computer as an instruction code to be executed; Start address specifying means for specifying a start address of the attack code based on a pointer stored in a predetermined register of the computer and indicating an address of the instruction code to be executed, when acquisition of the instruction code is detected; Have

  According to a fourth aspect of the present invention, an instruction to be executed is stored in a predetermined register of the computer in the start address specifying means when the instruction code acquisition detecting means detects the acquisition of the instruction code. Based on the pointer indicating the address of the code, the start address of the attack code is specified.

  According to a fifth aspect of the present invention, there is provided a first step of detecting an input of the unauthorized data to the computer, and an input of the unauthorized data when the input of the unauthorized data is detected in the first step. And a second step of specifying a start address of the attack code based on the return address stored in the stack rewritten by the overflow.

  According to a sixth aspect of the present invention, there is provided a first step of detecting whether or not data in a preset memory area is acquired by the computer as an instruction code to be executed, and the instruction code acquisition detecting means includes the instruction A second step of specifying a start address of the attack code based on a pointer indicating an address of an instruction code to be executed, which is stored in a predetermined register of the computer when a code acquisition is detected; Have.

  ADVANTAGE OF THE INVENTION According to this invention, the harmful attack code | cord | chord which can be executed in a computer by the attack using a stack overflow can be extracted efficiently.

  Hereinafter, five embodiments of the present invention will be described.

<First Embodiment>
FIG. 1 is a block diagram showing an example of the configuration of a computer according to an embodiment of the present invention.

  The computer shown in FIG. 1 includes a CPU 10, a storage device 20, an input / output unit 30, a program memory 40, and a RAM 50.

  The CPU 10 reads the program according to the present embodiment stored in the program memory 40 and executes a predetermined process based on the program.

  Here, as an example, the CPU 10 is assumed to have an architecture called IA-32 developed by Intel Corporation (USA). The processor of the IA-32 architecture has various registers used for arithmetic processing, and has an ESP register 11, an EBP register 12, and an EIP register 13 as registers related to stack processing. (See FIG. 4).

The ESP register 11 stores a stack pointer.
The EBP register 12 stores a frame pointer. This frame pointer points to the address on the stack where the return address of the caller function is stored.
The EIP register 13 stores an instruction pointer.

  The storage device 20 stores data used in the process of the CPU 10 and processing result data.

The input / output unit 30 performs a process of inputting data used in the process of the CPU 10 and a process of outputting process result data.
The input / output unit 30 may be, for example, a network interface device that exchanges data with other devices via a local area network (LAN) or the Internet, a magnetic disk, an optical disk, an IC card, or the like. Examples include a device for writing and reading data on a portable recording medium, a user interface device such as a keyboard and a mouse, a display device, and the like.

  The program memory 40 stores a program according to this embodiment to be described later.

  The RAM 50 temporarily stores program codes and data used in the course of processing by the CPU 10. Data constituting the stack is stored in a predetermined stack area in the RAM 50.

  These units (CPU 10, storage device 20, input / output unit 30, program memory 40, and RAM 50) are connected to a common bus 60 in the example of FIG. Data is transferred between the units via the bus 60 under the control of the CPU 10.

FIG. 2 is a block diagram illustrating an example of a functional configuration of the program according to the present embodiment.
The program according to the present embodiment includes an illegal data input detection unit 101, a start address specifying unit 102, and a notification information generation unit 103.

[Incorrect data input detection unit 101]
The illegal data input detection unit 101 detects illegal data input that causes an overflow in the stack.

  For example, when a new function is called, the invalid data input detection unit 101 has a predetermined address in the stack frame (between the frame pointer and the return address, or between the local variable and the frame pointer). In addition, data for overwriting detection of a predetermined value is inserted. This value is set using, for example, a random number generated by a random number generator (not shown). When returning to the calling function, the data stored at the predetermined address is compared with the predetermined value to check whether the data for overwriting detection has changed. As a result, when the data for overwriting detection has changed, it is determined that a stack overflow has occurred.

  When the input of unauthorized data is detected, the unauthorized data input detection unit 101 notifies the start address specifying unit 102 to that effect.

[Start address specifying unit 102]
When the input of illegal data is notified from the illegal data input detection unit 101, the start address specifying unit 102 is input based on the return address of the caller function rewritten due to a stack overflow caused by the input of the illegal data. The start address of the attack code included in the illegal data is identified.

  For example, the start address specifying unit 102 acquires the start address of the attack code based on the frame pointer stored in the EBP register 12 of the CPU 10.

  As already described, the EBP register 12 stores a frame pointer that indicates the return address to the caller function. In addition, when stack overflow is caused by illegal data including an attack code, the return address is overwritten on the address to the attack code. Therefore, the start address specifying unit 102 obtains the attack code start address by referring to the contents of the address on the stack indicated by the frame pointer of the EBP register 12 when the input of illegal data is detected. can do.

  The start address of the attack code specified by the start address specifying unit 102 is input to the notification information generating unit 103.

[Notification information generation unit 103]
When the start address of the attack code is specified by the start address specifying unit 102, the notification information generating unit 103 is a predetermined information including information about the specified start address and information about the attack code stored from the start address. Generate notification information.

  For example, the notification information generation unit 103 generates a predetermined file including information on the start address and attack code specified by the start address specification unit 102 and writes the file in the storage device 20. Thereby, the user can know the address of the attack code by referring to this file.

Further, the notification information generation unit 103 may generate information for transmitting information related to the start address and the attack code to other devices via the network. For example, if the input / output unit 30 is connected to the Internet, this information may be transmitted to a predetermined address by E-mail.
Further, when the input / output unit 30 includes a display device, the notification information generation unit 103 may generate information for displaying information on the start address and the attack code on the display screen.

  Next, processing by the program of the present embodiment having the above-described configuration will be described.

  FIG. 3 is a flowchart illustrating an example of the flow of processing by the program according to the present embodiment.

Step ST10:
Processing by another process not shown in FIG. 2 proceeds.

Step ST20:
The illegal data input detection unit 101 monitors the presence or absence of illegal data input during the process of this process. If the input of illegal data is not detected, the process (step ST10) proceeds as usual. If the input of illegal data is detected, the start address specifying unit 102 is notified of the input of illegal data.

Step ST30:
When the illegal data input detection unit 101 is notified of illegal data input, the start address specifying unit 102 refers to, for example, the frame pointer of the EBP register 12, and acquires the return address rewritten due to stack overflow. Thus, the start address of the attack code is specified.

  FIG. 4 is a diagram illustrating an example of the state of the stack when illegal data input is detected.

  As shown in FIG. 4, the stack frame has an argument ('a' to 'c'), a return address, a frame pointer sfp in the stack frame of the caller function, and a local frame from the lower level to the higher level. The variable “buf” is stored. The stack pointer of the ESP register 11 points to the top of the stack, and the frame register of the EBP register 12 points to the return address to the caller function stored on the stack.

  In the stack having such a structure, when illegal data is input to the local variable, a stack overflow occurs as shown in FIG. 4, and an attack code is written on the memory including the stack area. Further, the return address stored on the stack is rewritten to an address “addr” indicating the attack code by data included in the illegal data.

  The start address specifying unit 102 refers to the frame pointer stored in the EBP register 12 in the state of the stack as shown in FIG. 4, and addresses on the stack indicated by the frame pointer, that is, an address to the attack code Get 'addr'.

Step ST40:
When the start address of the attack code is specified by the start address specifying unit 102, the notification information generating unit 103 generates predetermined notification information including information regarding the specified start address and attack code. For example, information including the specified start address is stored in the storage device 20 as a file, transmitted as an E-mail to an Internet mail server, or displayed as an image on the screen of the display device.

As described above, according to the program according to the present embodiment, when an input of invalid data is detected in the process of the process, a predetermined pointer (for example, associated with an address on the stack in which the return address is stored) Based on the frame pointer, a return address rewritten by stack overflow due to input of illegal data is acquired, and thereby, the start address of the attack code is specified.
Therefore, it is possible to automatically extract the attack code sent to the computer by the stack smashing attack without depending on the manpower, greatly increasing the time and cost spent on examining the attack code by the conventional method. Can be reduced.

  Further, according to the above-described program, when a new function is called, data for overwriting detection having a predetermined value is stored at a predetermined address on the stack, and when returning to the caller function, it is stored at the address. The data value to be compared is compared with the predetermined value, and based on the comparison result, the presence or absence of stack overflow is detected, and the start address of the attack code is obtained. Therefore, it is possible to detect the intrusion of unauthorized data and extract the attack code without depending on the route of unauthorized data entering the computer, such as when accessing via a network or when being input as a virus infected file. . Therefore, attack codes can be extracted not only for known attacks but also for unknown attacks whose intrusion route is unknown.

  In the above-described embodiment, the return address rewritten due to stack overflow is acquired by referring to the frame pointer of the EBP register 12 after detecting input of invalid data. This is useful when the stack frame that caused the stack overflow is at the top of the stack, but this condition may not hold as described below.

  That is, after illegal data input is detected by the illegal data input detection unit 101, some processing (for example, processing for preventing execution of attack data) is performed before the address is specified by the start address specifying unit 102. When the processing shifts to the handler function to be performed, as shown in FIG. 5, the stack frame for the newly called function is stacked on the stack frame where the stack overflow has occurred. The stack pointer and frame pointer point to this newly stacked stack frame.

  In such a case, the start address specifying unit 102 reads the frame pointer 'sfp' in the stack frame of the caller function with reference to the address immediately before the address indicated by the frame pointer, and The rewritten return address “addr” is obtained by referring to the address indicated by the frame pointer “sfp”.

As described above, the frame pointer of the EBP register 12 indicates the address on the stack where the return address 'ret' to the caller function is stored. As shown in FIG. 5, the frame pointer 'sfp' in the stack frame of the caller function is stored. Then, the return address on the stack frame overwritten by the overflow is stored in the instruction address of the frame pointer 'sfp'.
Therefore, the start address specifying unit 102 acquires the frame pointer 'sfp' based on the instruction address of the frame pointer of the EBP register 12, and refers to the instruction address of the acquired frame pointer 'sfp'. Thus, the rewritten return address “addr” can be acquired.

The above is an example in which one function is called after the attack is detected, but even when there are a plurality of functions, the return address “addr” can be acquired by the same method as described above.
That is, the start address specifying unit 102 repeats the process of acquiring the frame pointer 'sfp' in the stack frame of the higher-level caller function based on the frame pointer 'sfp' acquired from the stack frame. By repeating this process, as a result, the frame pointer 'sfp' in the stack frame rewritten by the stack overflow is obtained. Then, the rewritten return address “addr” is acquired from the instruction address of the frame pointer “sfp”.

<Second Embodiment>
Next, a second embodiment of the present invention will be described.

  The difference between this embodiment and the first embodiment described above is that, in this embodiment, the presence or absence of stack overflow is detected in advance before a new function is called, and the occurrence of stack overflow is detected in advance. In the case where it is detected, an overflow is forcibly caused.

  FIG. 6 is a block diagram showing an example of a functional configuration of a program according to the second embodiment of the present invention.

The program illustrated in FIG. 6 includes an illegal data input detection unit 101A, a forced overflow unit 104, a start address specifying unit 102, and a notification information generation unit 103. However, the same reference numerals in FIG. 2 and FIG. 6 indicate the same components.
Hereinafter, the illegal data input detection unit 101A and the forced overflow unit 104, which are different from the program illustrated in FIG. 2, will be described.

[Incorrect data input detection unit 101A]
The illegal data input detection unit 101A predicts whether or not an overflow has occurred before a new function is called.

  For example, the illegal data input detection unit 101A compares the size of data passed as an argument to a function to be newly called with the data size assigned to the argument in this function, and based on the comparison result, Detects in advance whether or not a stack overflow occurs when is called. This argument check is performed on a function lacking a boundary check such as 'strcpy ()'.

  When the occurrence of the stack overflow is detected in advance, the illegal data input detection unit 101A notifies the forced overflow unit 104 to that effect.

[Forced overflow part 104]
When the occurrence of stack overflow is notified in advance from the illegal data input detection unit 101A, the forced overflow unit 104 calls a function in which the occurrence of overflow has been detected to forcibly generate an overflow.

  Next, the processing of the program shown in FIG. 6 having the above-described configuration will be described with reference to the flowchart of FIG.

Step ST10:
Similar to FIG. 3, processing by other processes proceeds.

Step ST20A:
The unauthorized data input detection unit 101A monitors whether or not unauthorized data is input during the process of this process. That is, the function argument that may cause a stack overflow is checked, and whether or not a stack overflow has occurred is detected in advance. If the occurrence of the stack overflow is not detected, the process (step ST10) proceeds as usual, and if the occurrence of the stack overflow is detected in advance, the fact is notified to the forced overflow unit 104.

Step ST50:
When the occurrence of stack overflow is detected in advance in the illegal data input detection unit 101A, the forced overflow unit 104 calls this function to forcibly generate overflow.

Steps ST30 and ST40:
When a stack overflow occurs by the forced overflow unit 104, the start address specifying unit 102 specifies the start address of the attack code by the same process as described above. Then, the notification information generation unit 103 generates predetermined notification information including information regarding the specified start address and attack code.

  As described above, the program shown in FIG. 6 differs in that the stack overflow is forcibly caused after detection of illegal data input, but the attack code start address specifying process thereafter is shown in FIG. It is the same as the program shown. Therefore, it is possible to automatically extract the attack code of the stack smashing attack, and it is possible to reduce time and cost.

  Further, according to the above-described program, the presence or absence of stack overflow is detected by checking the argument of the function called on the program, and the attack code is acquired. Therefore, like the program shown in FIG. The attack code can be extracted without depending on the path of unauthorized data entering the computer.

<Third Embodiment>
Next, a third embodiment of the present invention will be described.

  The difference between this embodiment and the first embodiment described above is that the start address of the attack code is specified in the first embodiment, and in this embodiment, the address range in which the attack code is further stored is specified. Is in the point to be.

  FIG. 8 is a block diagram illustrating an example of a functional configuration of a program according to the third embodiment of the present invention.

The program shown in FIG. 8 includes an illegal data input detection unit 101, a start address specification unit 102, a data acquisition unit 105, an address range specification unit 106, and a notification information generation unit 103. However, the same reference numerals in FIG. 2 and FIG. 8 indicate the same components.
Hereinafter, the data acquisition unit 105 and the address range specifying unit 106, which are different from the program shown in FIG. 2, will be described.

[Data acquisition unit 105]
When the illegal data input detection unit 101 detects the input of illegal data, the data acquisition unit 105 acquires the data in the memory area in which overflow has been caused by the input of the illegal data.

[Address range specifying unit 106]
The address range specifying unit 106 specifies an address range in which the attack code is stored according to the start address of the specified attack code and the data acquired by the data acquisition unit 105.

  For example, the address range specifying unit 106 uses the data acquired by the data acquisition unit 105 and the end character (null character) indicating the end of the character string from the attack code start address specified by the start address specifying unit 102. By comparing in order, an address where data matching the terminal character is stored is searched.

FIG. 9 is a diagram illustrating an example of an attack code written in a memory by a stack smashing attack.
As shown in FIG. 9, a buffer overflow attack is often performed using a copy of a character string. Since the character string is terminated with a termination character, the end address of the attack code can be specified by searching for the termination character in the memory area under attack.
The address range specifying unit 106 addresses the address on the memory where the attack code is stored based on the end address of the attack code specified in this way and the start address of the attack code specified by the start address specifying unit 102. Identify the range.

  Next, the processing of the program shown in FIG. 8 having the above-described configuration will be described with reference to the flowchart of FIG.

Steps ST10 and ST20:
The unauthorized data input detection unit 101 monitors whether or not unauthorized data is input during the process of the normal process (step ST10) (step ST20).
If the input of unauthorized data is not detected, the unauthorized data input detection unit 101 proceeds with the process (step ST10) as usual.
When the input of illegal data is detected, the illegal data input detection unit 101 notifies the start address specifying unit 102 of the input of illegal data.

Step ST30:
When the input of illegal data is notified, the start address specifying unit 102 specifies the start address where the attack code is stored by the same process as described above.

Step ST60:
Further, the data acquisition unit 105 acquires data in a memory area in which a stack overflow is caused by input of illegal data.

Step ST70:
The address range specifying unit 106 compares the data acquired by the data acquisition unit 105 with the end character indicating the end of the character string in order from the start address of the attack code specified by the start address specifying unit 102, and the end character Search for the address where the data that matches is stored. By specifying the searched address as the end address of the attack code, the address range in which the attack code is stored is specified.

Step ST40:
The notification information generation unit 103 generates predetermined notification information including information related to the address range of the attack code specified by the address range specifying unit 106 and information related to the attack code included in the address range. For example, the data of the address range specified by the address range specifying unit 106 may be extracted from the data acquired by the data acquisition unit 105, and information for notifying this as an attack code may be generated.

  As described above, according to the program shown in FIG. 8, it is possible to specify the address range of the attack code by specifying not only the start address of the attack code but also the end address of the attack code. Therefore, compared to the program shown in FIG. 2, more detailed information regarding the attack code can be automatically extracted, and the time and cost required for analysis can be reduced more effectively.

  Moreover, the point that it is possible to detect the intrusion of illegal data and extract the attack code without depending on the intrusion route of illegal data is the same as the program shown in FIG. Can play.

<Fourth Embodiment>
Next, a fourth embodiment of the present invention will be described.

  The difference of this embodiment from the third embodiment described above is that the end address of the attack code in the third embodiment is searched by searching for data matching the predetermined data such as the end character in the memory area that has been attacked. In the present embodiment, the end address of the attack code is specified based on the result of recording the input data to the process.

  FIG. 11 is a block diagram showing an example of a functional configuration of a program according to the fourth embodiment of the present invention.

The program shown in FIG. 11 includes an illegal data input detection unit 101, a start address specification unit 102, an address range specification unit 106A, a data acquisition unit 105, a notification information generation unit 103, and an input database 107. However, the same reference numerals in FIG. 8 and FIG. 11 indicate the same components.
Hereinafter, the address range specifying unit 106A and the input database 107, which are different from the program shown in FIG. 8, will be described.

[Input database 107]
The input data database 107 is a database that records data input along with the execution of a process.

  For example, the input database 107 allocates memory to the heap area each time a predetermined library function that involves data input is called by the process, and stores a copy of the data input to the process in the heap area.

FIG. 12 is a diagram illustrating an example of a method for recording input data by the input database 107.
The input database 107 records a copy of input data for the process in a heap area in a list-like structure as shown in FIG. 12, for example. That is, an address is added to the head portion of the memory area where the input data is stored, and the head address of the memory area of the next input data is indicated by this additional address.
When new data is input to the process, the input database 107 records a copy of this input data at the top of the list as shown in FIG.

[Address range specifying unit 106A]
The address range specifying unit 106A uses the data in the post-attack memory area acquired by the data acquisition unit 105 and the input data recorded in the input database 107 as the start address of the attack code specified by the start address specifying unit 102. Are compared in order, and an address where data that matches the recorded input data is stored is searched.
For example, the address range specifying unit 106A compares the acquired data of the data acquisition unit 105 in order from the latest input data recorded in the input database 107, and determines the attack code from the end address of the acquired data that matches the input data. Specify the end address of.

  In the processing of the program shown in FIG. 11 having the above-described configuration, the end address of the attack code is specified by comparing the input data recorded in the input database 107 with the acquired data of the data acquiring unit 105 in step ST70. Except for this point, the processing is the same as that shown in the flowchart of FIG.

As described above, also in the program shown in FIG. 11, the address range of the attack code can be specified similarly to the program shown in FIG. 8, and the same effect can be obtained.
Furthermore, according to the program shown in FIG. 11, the attack code is searched based on the input data of the process, so that the address range of the attack code not including the terminal character can be specified accurately.

<Fifth Embodiment>
Next, a fifth embodiment of the present invention will be described.

  In the fifth embodiment, unlike the first to fourth embodiments described above, when data in a preset memory area (for example, data in a stack area) is fetched by the CPU as an instruction code to be executed. The address of the attack code is acquired based on the instruction pointer indicating the address of the instruction code.

  FIG. 13 is a block diagram illustrating an example of a functional configuration of a program according to the fifth embodiment of the present invention.

The program shown in FIG. 13 includes an instruction code acquisition detecting unit 108, a start address specifying unit 102A, an address range specifying unit 106, a data acquiring unit 105A, and a notification information generating unit 103. However, the same reference numerals in FIG. 8 and FIG. 13 indicate the same components.
Hereinafter, the instruction code acquisition detection unit 108, the start address specifying unit 102A, and the data acquisition unit 105A, which are different from the program illustrated in FIG. 8, will be described.

[Instruction code acquisition detection unit 108]
The instruction code acquisition detection unit 108 detects whether or not data in a memory area set as an area in which execution of instructions is prohibited is fetched by the CPU 10 as an instruction code to be executed. When an instruction fetch is performed from this non-executable memory area, the instruction code acquisition detection unit 108 forcibly terminates the process that tried to execute this instruction code. For example, the instruction code acquisition detection unit 108 instructs the operating system to forcibly terminate this process.

[Start address specifying unit 102A]
The start address specifying unit 102A specifies the start address of the attack code based on the instruction pointer stored in the EIP register 13 when the instruction code acquisition detecting unit 108 detects an instruction fetch in the prohibited memory area. .

FIG. 14 is a diagram illustrating a state where the start address of the attack code written in the memory is fetched by the CPU.
As shown in FIG. 14, when the start address of the attack code is included in a preset non-executable memory area, the instruction code acquisition detection unit 108 executes the process when the address is stored in the EIP register 13. Is forcibly terminated. Therefore, the start address specifying unit 102A can specify the attack code start address by referring to the instruction pointer of the EIP register 13 when the instruction fetch prohibited by the instruction code acquisition detecting unit 108 is detected. .

[Data acquisition unit 105A]
When a process is forcibly terminated in accordance with an instruction from the instruction code acquisition detection unit 108, data in a memory area corresponding to the forcibly terminated process is acquired.

  For example, when the operating system forcibly terminates a process according to an instruction from the instruction code acquisition detection unit 108, the operating system generates a core dump file that is a memory image of the process. The data acquisition unit 105A acquires the core dump file of the process that has been forcibly terminated, and determines the memory area that was the stack of the process according to the format of the core dump file and the memory allocation of the stack area set by the operating system. Then, the determined memory area is mapped to the memory area of the process realizing the address range specifying unit 106, and the stack state at the end of the attacked process is restored.

  Next, the processing of the program shown in FIG. 13 having the above-described configuration will be described with reference to the flowchart of FIG.

Steps ST10 and ST80:
The instruction code acquisition detection unit 108 monitors the presence / absence of instruction fetch from the prohibited memory area in the process of the normal process (step ST10) (step ST80).
If instruction fetch from the prohibited memory area is not detected, the instruction code acquisition detection unit 108 proceeds with the process (step ST10) as usual.
When instruction fetch from the prohibited memory area is detected, the instruction code acquisition detecting unit 108 notifies the start address specifying unit 102A of the occurrence of this violation and attempts to execute the prohibited instruction code. Tells the operating system to kill In response to this instruction, the operating system forcibly terminates the process and generates the core dump file.

Step ST30A:
When the occurrence of the instruction fetch violation is notified, the start address specifying unit 102A specifies the start address of the attack code based on the instruction pointer stored in the EIP register 13.

Step ST60A:
Further, the data acquisition unit 105A acquires data in the stack area at the end of the process based on the core dump file of the process in which the stack overflow has occurred.

Steps ST70 and ST40:
The processing of the address range specifying unit 106 and the notification information generating unit 103 is the same as the program shown in FIG.
That is, the address range specifying unit 106 compares the data acquired by the data acquisition unit 105A with the terminal character indicating the end of the character string in order from the start address of the attack code specified by the start address specifying unit 102A. The address range where the attack code is stored is specified by searching the address where the data matching the terminal character is stored. The notification information generation unit 103 generates predetermined notification information including information related to the address range of the attack code specified by the address range specifying unit 106 and information related to the attack code included in the address range.

As described above, in the program shown in FIG. 13, the start address of the attack code can be automatically specified as in the program shown in FIG.
Further, according to the program shown in FIG. 13, since illegal data input is detected depending on whether or not an instruction is fetched from a prohibited memory area, the illegal data intrusion route is the same as in the above-described embodiment. It is possible to detect the intrusion of illegal data and extract the attack code without depending on.
Further, the point that the address range of the attack code can be automatically extracted is the same as the program shown in FIG. 8, and the same effect can be obtained.

In addition, this invention is not limited to embodiment mentioned above.
For example, the program of the present invention may be previously written in the ROM 40 as in the above-described embodiment, or may be read from the storage device 20. Or what was read from recording media, such as an optical disk, in the input-output part 30, or what was input from the other apparatus via the network may be used. Or the partial data of the program acquired by the several methods as mentioned above may be combined.

  Further, the present invention can be realized by a program as in the above-described embodiment, but part or all of the processing can be executed by dedicated hardware. That is, in the block diagrams shown in FIGS. 2, 6, 8, 11, and 13, some or all of the functional blocks can be replaced with hardware circuits. The circuit in that case may be formed on the same semiconductor chip as the CPU, or may be formed on another chip.

Further, “input of illegal data” in this specification widely means that illegal data is input to a computer.
For example, in addition to the case where illegal data is input to the local variable area on the stack by execution of the input instruction, when illegal data is input from the network or recording medium in the input / output unit 30, the storage device 20 or the RAM 50 The case where illegal data already stored in the CPU 10 is processed by the CPU 10 is also included in “input of illegal data”.
Therefore, the illegal data input detection method in the illegal data input detection unit is not limited to the above-described embodiment. That is, the illegal data input detection unit, for example, based on various information characterizing the input of illegal data, such as a specific data pattern included in the illegal input data, a file name, a network address of the data transmission source, This may be detected.

It is a block diagram which shows an example of a structure of the computer which concerns on embodiment of this invention. It is a block diagram which shows an example of a functional structure of the program which concerns on the 1st Embodiment of this invention. 3 is a flowchart illustrating an example of a process flow in the program shown in FIG. 2. FIG. 3 is a diagram illustrating an example of a state of a stack when illegal data input is detected in the program shown in FIG. 2. FIG. 10 is a diagram illustrating a state in which a stack frame for a newly called function is stacked on a stack frame in which a stack overflow has occurred. It is a block diagram which shows an example of a functional structure of the program which concerns on the 2nd Embodiment of this invention. 7 is a flowchart illustrating an example of a processing flow in the program shown in FIG. 6. It is a block diagram which shows an example of a functional structure of the program which concerns on the 3rd Embodiment of this invention. It is the figure which illustrated an example of the attack code written in the memory by the stack smashing attack. It is the flowchart which illustrated an example of the flow of the process in the program shown in FIG. It is a block diagram which shows an example of a functional structure of the program which concerns on the 4th Embodiment of this invention. It is the figure which illustrated an example of the recording method of the input data by an input database. It is a block diagram which shows an example of a functional structure of the program which concerns on the 5th Embodiment of this invention. It is the figure which illustrated the state where the start address of the attack code written on the memory was fetched by CPU. 14 is a flowchart illustrating an example of a process flow in the program shown in FIG. 13. It is a figure which shows an example of the source code of C language. FIG. 17 is a diagram illustrating an example of a stack state when the source code shown in FIG. 16 is executed. It is the figure which illustrated an example of the state of a stack when stack overflow occurred. It is the figure which illustrated a mode that the attack code was executed by the stack smashing attack. It is a figure for demonstrating the defense method of the stack smashing attack by the method of a nonpatent literature 1. FIG. It is the 1st figure for demonstrating the defense method of the stack smashing attack by the method of a nonpatent literature 2. FIG. It is the 2nd figure for demonstrating the defense method of the stack smashing attack by the method of a nonpatent literature 2. FIG.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... CPU, 11-13 ... Register, 20 ... Storage device, 30 ... Input / output unit, 40 ... Program memory, 50 ... RAM, 101, 101A ... Invalid data input detection unit, 102,102A ... Start address specifying unit, 103 ... Notification information generation unit 104 ... Forced overflow unit 105,105A ... Data acquisition unit 106,106A ... Address range identification unit 107 ... Input database

Claims (16)

The attack code is executed by rewriting the return address of the code of the caller function stored in the stack to the start address of the attack code due to overflow of the stack due to input of invalid data including the attack code. To a computer that can
A first step of detecting input of the unauthorized data;
A second step of specifying a start address of the attack code based on the return address rewritten by the overflow caused by the input of the illegal data when the input of the illegal data is detected in the first step; ,
A program for executing a process having In the second step, the rewritten return address is obtained based on a pointer stored in a predetermined register of the computer and associated with an address on the stack in which the return address is stored. To
The program according to claim 1. When a new function is called after the input of the illegal data is detected in the first step,
In the second step, a pointer that is stored in a predetermined register of the computer and that indicates a reference address in the stack frame of the caller function is associated with an address on the stack that stores the pointer. Acquiring the reference address of the caller function based on the pointer, and acquiring the rewritten return address based on the acquired reference address;
The program according to claim 1. When a plurality of functions are newly called after the attack is detected in the first step,
In the second step, based on the acquired reference address, the process of acquiring the reference address in the stack frame of a higher-level caller function is repeated, and the reference address acquired as a result of the iterative process To obtain the rewritten return address based on
The program according to claim 3. In the first step, when a new function is called, a predetermined value of data is stored at a predetermined address on the stack, and when returning to the caller function, the value of the data stored at the address and the predetermined value are stored. Comparing the value and detecting the occurrence of the overflow based on the comparison result,
The program according to claim 1. In the first step, the size of data passed as an argument to the function to be newly called is compared with the data size assigned to the argument in the function, and the function is called based on the comparison result. In the case of occurrence of the above overflow,
When the occurrence of the overflow is detected in advance in the first step, the method includes a third step of calling the new function to generate the overflow.
The program according to claim 1. A fourth step of acquiring data in the memory area where the overflow is caused by the input of the illegal data when the input of the illegal data is detected in the first step;
A fifth step of specifying an address range in which the attack code is stored according to the start address of the attack code specified in the second step and the data acquired in the fourth step; Having
The program according to claim 1. In the fifth step, the data acquired in the fourth step and the predetermined data are compared in order from the start address of the attack code specified in the second step, and coincide with the predetermined data. Search for the address where the data is stored,
The program according to claim 7. A sixth step of recording data input as the process is performed;
In the fifth step, the data acquired in the fourth step and the input data recorded in the sixth step are compared in order from the start address of the attack code specified in the second step. Search for an address where data matching the input data is stored,
The program according to claim 7. When the attack code start address is specified in the second step, at least information related to the specified start address or predetermined notification information including information related to the attack code stored from the start address is generated Having a seventh step,
The program according to claim 1. The attack code is executed by rewriting the return address of the code of the caller function stored in the stack by the overflow to the start address of the attack code. To a computer that can
A first step of detecting whether data in a preset memory area is acquired by the computer as an instruction code to be executed;
When the acquisition of the instruction code is detected in the first step, the start address of the attack code is set based on a pointer stored in a predetermined register of the computer and indicating the address of the instruction code to be executed. A second step of identifying;
A program for executing a process having When illegal data including attack code is input to the computer and the stack is overflowed, the return address of the caller function code stored in the stack is rewritten to the start address of the attack code. An attack code extraction device for extracting the attack code that can be executed in
Unauthorized data input detection means for detecting the input of the unauthorized data;
When the illegal data input detecting means detects the illegal data input, the start address of the attack code is specified based on the return address stored in the stack rewritten by the overflow caused by the illegal data input. A starting address specifying means to perform,
An attack code extraction apparatus having A data acquisition means for acquiring data in the memory area where the overflow is caused by the input of the illegal data when the illegal data input detection means detects the input of the illegal data;
Address range specifying means for specifying an address range in which the attack code is stored according to the start address of the attack code specified by the address specifying means and the data acquired by the data acquisition means ,
The attack code extraction device according to claim 12. When illegal data including attack code is input to the computer and the stack is overflowed, the return address of the caller function code stored in the stack is rewritten to the start address of the attack code. An attack code extraction device for extracting the attack code that can be executed in
Instruction code acquisition detecting means for detecting whether or not data in a preset memory area is acquired by the computer as an instruction code to be executed;
When acquisition of the instruction code is detected by the instruction code acquisition detection means, the attack code start address is stored in a predetermined register of the computer and points to the instruction code address to be executed. A start address specifying means for specifying
An attack code extraction apparatus having When illegal data including attack code is input to the computer and the stack is overflowed, the return address of the caller function code stored in the stack is rewritten to the start address of the attack code. An attack code extraction method for extracting the attack code that can be executed in
A first step of detecting input of the unauthorized data;
When an input of the illegal data is detected in the first step, a start address of the attack code is specified based on the return address stored in the stack rewritten by the overflow caused by the input of the illegal data A second step;
An attack code extraction method comprising: When illegal data including attack code is input to the computer and the stack is overflowed, the return address of the caller function code stored in the stack is rewritten to the start address of the attack code. An attack code extraction method for extracting the attack code that can be executed in
A first step of detecting whether data in a preset memory area is acquired by the computer as an instruction code to be executed;
When acquisition of the instruction code is detected by the instruction code acquisition detection means, the attack code start address is stored in a predetermined register of the computer and points to the instruction code address to be executed. A second step of identifying
An attack code extraction method comprising:

Images