JP2005032185A - Program, security protection device, and its method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a program, a security protection device, and its method, capable of correctly grasping the presence of a preparation act of a stack smashing attack. <P>SOLUTION: When a stack overflow is detected in an overflow detection part 101, data of the result rewritten by the overflow are acquired by a data acquisition part 102. In a determination part 103, whether the stack overflow is caused by input of wrong data or not is determined based on data acquired by the acquisition part 102. For instance, the determination is executed based on the result of evaluation of periodicity of a series of the rewritten data. Thereby, a security attack can be prevented by restraining the attack preparation act such as an analysis act of a stack structure. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a program, a security protection device, and a method for protecting the security of a computer, and more particularly, to a program, a security protection device, and a method for protecting a computer from attacks using stack overflow.

  Currently, many problems related to computer security have been reported. One of the most reported is an attack using buffer overflow, and in particular, many attacks called stack smashing using stack overflow have been reported.

  Stack overflow occurs due to the structure of the stack and the lack of array boundary checking in the C language as described below.

  The stack is an abstract data type having a property called LILO (last-in first-out) in which the last placed object is removed first. A stack used for calling a function in the C language is generally composed of a stack pointer, a stack frame, and a frame pointer.

The stack pointer points to the top of the stack.
The stack frame is a memory area in which function arguments, local variables, and data necessary for restoring a previously stacked stack frame (such as an instruction pointer when calling a function) are stored in a predetermined order. .
The frame pointer indicates a reference address position in the stack frame. It is mainly used as a relative value for referring to a local variable.

  The stack operation during function call and return will be described with reference to FIG. 9 and FIG.

FIG. 9 is a diagram illustrating an example of a C language source code.
In the function “function ()” of the line number L1 in the source code of FIG. 9, three integer variables “a”, “b”, and “c” are passed as arguments. In addition, inside the function “function ()”, a character type array “buf” is defined as a local variable (line number L2). This function 'function ()' is called in the main function (line numbers L4 and L5).

  FIG. 10 is a diagram illustrating an example of the state of the stack when such source code is executed.

  The function call is executed in the following procedure.

(1) The arguments ('a' to 'c') of the function 'function ()' are stacked on the stack. As shown in FIG. 10, arguments are stacked on the stack in the order of ‘c’, ‘b’, and ‘a’.

(2) Next, the current instruction pointer (the address of the memory where the instruction code to be executed is stored) is loaded on the stack as the return address ‘ret’.

(3) Further, the current frame pointer 'FP' is stacked on the stack and saved as a frame pointer 'sfp' (saved frame pointer).

(4) The current stack pointer SP is copied to the current frame pointer 'FP'. As a result, the new frame pointer ‘FP’ points to the return address ‘ret’ described above.

(5) Finally, in order to secure the memory area of the local variable “buf”, the stack pointer “SP” is further advanced. FIG. 10 shows an example of the state of the stack at this point.

  When the function returns, the following operations are performed:

(1) The current frame pointer 'FP' is copied to the stack pointer 'SP'. As a result, the new stack pointer 'SP' points to the return address 'ret'.

(2) Also, the previous frame pointer 'SFP' that was loaded on the stack is copied to the frame pointer 'FP'. As a result, the frame pointer 'FP' returns to the stack frame of the calling function.

(3) Then, the return address ‘ret’ indicated by the stack pointer ‘SP’ is read from the stack and set to the instruction pointer. As a result, the process jumps to the calling function. Thereafter, the stack pointer ‘SP’ returns to the original state by sequentially reading the arguments (‘a’ to ‘c’) stacked on the stack.

  FIG. 11 is a diagram illustrating an example of a stack state when an overflow occurs in the stack having such a structure.

  When data exceeding the allocation (in the example of FIG. 9, more than 10 character-type data including the terminal character) is input to the array 'buf' as a local variable, as shown by the arrow in FIG. , Data on the stack stored at an address higher than the array 'buf' is overwritten by the input data. In this way, when data exceeding the allocation is input, data to be held on the stack is overwritten, which is called stack overflow.

  FIG. 12 is a diagram illustrating a state in which an attack code is executed by a stack smashing attack using stack overflow.

  In stack smashing attacks, malicious attack code is inserted into the input data that causes stack overflow. That is, as shown in FIG. 12, the attack code is written in the memory area overwritten by the stack overflow. Further, this input data includes an address indicating an attack code, and the return address ‘ret’ stored in the stack is rewritten by this address. Therefore, when the function returns, the attack code is executed instead of the instruction code that should be executed originally.

  For example, in the case of UNIX (registered trademark), many daemon processes are executed with root authority. Therefore, for example, by using “exec (/ bin / sh)” as an attack code and performing a stack smashing attack on the daemon process, the attacker can acquire the root authority on the host.

  In order to counter such a stack smashing attack, several techniques have been proposed at present, and these are roughly classified into the following three types.

(1) Method for detecting in advance that information on stack is overwritten (2) Method for detecting that information on stack has been overwritten (3) Method for determining whether or not code on memory is executable

  Below, these prior arts are demonstrated.

(1) Method for detecting in advance that information on the stack is overwritten

  [Non-Patent Document 1] proposes a method called libsafe as a method for replacing a library of source code.

  In libsafe, a library function call that may cause a stack overflow is intercepted, and it is checked whether the argument of the function falls within the memory range of the stack. When normal, an appropriate library function is called, and when abnormal, a message notifying that is left and the program is terminated to prevent stack overflow.

The operation of libsafe will be described by taking the function “strcpy ()” of the standard library (libc) in C language as an example.
FIG. 13 is a diagram illustrating a state of a memory in a certain process linked with a library of libsafe.

  When the program calls ‘strcpy ()’, ‘strcpy ()’ implemented in the library of libsafe is executed instead of the standard library (libc) (F <b> 1). This is achieved by devising the order of library loading.

The libsafe 'strcp ()' first calculates the length of the copy source character string ('src') and the upper limit of the copy destination buffer length (that is, the stack frame length), and the copy source character string is the copy destination. Check whether the upper limit of the buffer length is exceeded.
If the upper limit is not exceeded, libsafe 'strcpy ()' calls the function 'memcpy ()' of the standard library (libc) and executes it (F2, F3), and returns to the main function (F4).
On the other hand, if it is determined that the upper limit is exceeded, libsafe's “strcpy ()” leaves a message in the system log file (syslog) and terminates the program.
Thus, in libsafe, stack smashing attacks are prevented by detecting the occurrence of stack overflow in advance.

(2) Method for detecting that information on the stack has been overwritten

[Non-Patent Document 2] proposes a method called StackGuard as a method for extending a compiler.
In StackGuard, as shown in FIG. 14, a value called “Canary Word” is inserted between the return address “ret” and the local variable “buf”. Then, this value is checked when the function returns, and if the value has been changed by overwriting the stack overflow, the process is terminated assuming that a stack smashing attack has been performed (FIG. 15).

  [Patent Document 1] also discloses a technique called “Stack Smashing Protector” similar to the above-mentioned StackGuard. According to [Patent Document 1], at the time of function return, the stack's previous frame pointer (corresponding to the frame pointer 'sfp' in FIG. 10) and the array (corresponding to the array 'buf' in FIG. 10) Prevents stack smashing attacks by storing guard variables between them and checking their effectiveness.

(3) A method for determining whether or not the code on the memory can be executed

  As a method for extending the operating system, a method called non-executable stack, disclosed in the Internet <URL: http://www.openwall.com/linux/>, or the Internet <URL: http: // pageexec There is a method called PaX, disclosed in .virtualave.net />.

  In the non-executable stack method, focusing on the fact that attack code is placed on the stack in a stack smashing attack, the kernel is changed so that execution of instructions by the CPU is not permitted on the page of the stack on the memory. . When an attack code placed on the stack is executed by a stack smashing attack, the process is stopped as a page fault.

  On the other hand, in the PaX method, the kernel is changed so that the instruction execution permission / non-permission of the CPU can be marked not only in the stack but in all data pages.

In either method, stack smashing attacks are prevented by making it impossible to execute code placed on the stack.
Arash Baratloo and two others, 'Transparent Run-Time Defense Against Stack Smashing Attacks', In Proceedings of 2000 USENIX Annual Technical Conference, (USA), 2000 Crispin Cowan, 8 others, 'Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks', In Proceedings of the 7th USENIX Security Symposium, (USA), 1998 JP 2001-216161 A

  By the way, in order to perform the above-described stack smashing attack, knowledge about the security hole of the program is required. In other words, when a stack smashing attack is launched, the security hole has already been analyzed by the attacker. For this reason, even if a specific attack can be prevented by the above-described method, another attacker may start a new attack based on the analyzed information. Therefore, it is hard to say that security threats have been wiped out.

  If it is possible to ascertain whether there is any preparatory action for launching an attack, such as an act of searching for a security hole in a program, based on the result, more effective measures can be taken to combat such an attack. It can be taken in advance and is expected to reduce security threats.

  However, the above three methods to counter the stack smashing attack only detect the occurrence of stack overflow and the execution of the instruction code of the prohibited address, and stop or terminate the process. There is no way to tell if it was caused by an act of preparing for an attack or if it occurred accidentally in normal processing. Therefore, there is a disadvantage that it is impossible to accurately grasp the presence / absence of an attack preparation action, and it cannot be used to prevent an attack in advance.

  The present invention has been made in view of such circumstances, and an object of the present invention is to provide a program, a security protection device, and a method thereof that can correctly grasp the presence / absence of an attack preparation action using a stack overflow. is there.

In order to achieve the above object, a program according to a first aspect of the present invention includes a first step of detecting an overflow of the stack in a computer in which the stack can overflow due to input of illegal data; When the overflow is detected in step (2), the second step of acquiring data resulting from rewriting by the overflow, and the overflow is determined based on the data acquired in the second step. And a third step of determining whether or not it is caused by the input.
Preferably, in the third step, the periodicity of a series of data resulting from the rewriting is evaluated, and the determination is performed based on the evaluation result.

  According to the first aspect of the present invention, when an overflow of the stack is detected in the first step, data as a result of rewriting due to the overflow is acquired in the second step. In the third step, based on the data acquired in the second step, it is determined whether or not the overflow is caused by the input of the illegal data. The determination is made based on, for example, a result of evaluating the periodicity of a series of data as a result of the rewriting.

In the second step, a predetermined number of data arranged in the order of addresses is extracted as a data string from the rewritten memory area, and the third step is a correlation of the data string extracted in the second step. A fourth step of calculating a value and a fifth step of performing the determination based on the correlation value calculated in the fourth step may be included.
According to the above processing, a predetermined number of data arranged in the order of addresses is extracted as a data string from the rewritten memory area, and a correlation value of the extracted data string is calculated. And the said determination is performed based on this calculated correlation value.

A first aspect of the present invention is the tenth to thirteenth processing, in which, in the third step, when it is determined that the overflow is caused by the input of the illegal data, the following processing is performed. At least one of the thirteenth steps may be included.
The tenth step stops the process in which the overflow has occurred.
In the eleventh step, access from the unauthorized data supplier is prohibited.
In the twelfth step, display data for displaying predetermined warning information in the device that supplies the illegal data is generated.
In the thirteenth step, at least information regarding the source of the illegal data, the content of the illegal data, or the method of supplying the illegal data is acquired.

According to a second aspect of the present invention, there is provided a security protection device for protecting the computer from an attack that causes an overflow of the stack by inputting illegal data to the computer, and an overflow detection means for detecting the overflow of the stack. When the overflow is detected by the overflow detection means, the overflow is detected based on the data acquired by the data acquisition means for acquiring the data rewritten as a result of the overflow, and the illegal data When the determination means for determining whether or not the overflow is caused by the input of the illegal data, the determination means for determining whether or not the overflow is caused by the input of the illegal data. -A process for stopping the process in which the flow has occurred, a process for prohibiting access from the unauthorized data supplier, a process for generating display data for displaying predetermined warning information on the unauthorized data supplier, or And processing means for executing processing for obtaining information relating to at least one of the source of the illegal data, the content of the illegal data, or the method of supplying the illegal data.
Preferably, the determination means evaluates the periodicity of a series of data as a result of the rewriting, and performs the determination based on the evaluation result.

According to the second aspect of the present invention, when the overflow is detected by the overflow detection means, the data acquisition means acquires data resulting from rewriting due to the overflow. The determination means determines whether or not the overflow is caused by the input of the illegal data, based on the data acquired by the data acquisition means. For example, the determination is performed based on the result of evaluating the periodicity of a series of data as a result of the rewriting.
If the determination means determines that the overflow is caused by the input of the illegal data, at least a process for stopping the process in which the overflow has occurred and prohibiting access from the source of the illegal data Processing for generating display data for displaying predetermined warning information in the device that is the source of the unauthorized data, or the source of the unauthorized data, the content of the unauthorized data, or the supply of the unauthorized data Processing for acquiring information relating to at least one of the methods is executed in the processing means.

According to a third aspect of the present invention, there is provided a security protection method for protecting the computer from an attack that causes an overflow of the stack by inputting illegal data to the computer, and includes a first step of detecting the overflow of the stack. And when the overflow is detected in the first step, the second step of acquiring data resulting from rewriting by the overflow, and the overflow based on the data acquired in the second step In the third step, it is determined in the third step that the overflow is caused by the input of the illegal data. At least the process where the overflow occurred Either stop the access from the unauthorized data supply source, display predetermined warning information on the unauthorized data supply source device, or supply the unauthorized data source and the contents of the unauthorized data. Or a fourth step of acquiring information relating to at least one of the methods of supplying illegal data.
Preferably, in the third step, the periodicity of a series of data resulting from the rewriting is evaluated, and the determination is performed based on the evaluation result.

According to the third aspect of the present invention, when the overflow is detected in the first step, data as a result of rewriting due to the overflow is acquired in the second step. In the third step, it is determined based on the data acquired in the second step whether or not the overflow is caused by the input of the illegal data. For example, the determination is performed based on the result of evaluating the periodicity of a series of data as a result of the rewriting.
In the third step, if it is determined that the overflow is caused by the input of the illegal data, in the fourth step, at least the process in which the overflow has occurred is stopped, or Access from the unauthorized data supply source is prohibited, predetermined warning information is displayed on the unauthorized data supply source device, or the unauthorized data supply source, the content of the unauthorized data, or Information on at least one of the illegal data supply methods is acquired.

  According to the present invention, when an overflow occurs in the stack of the computer, it can be determined whether or not the overflow is caused by input of invalid data. Further, based on this determination result, it is possible to prevent a preparatory action for setting up an attack using the stack overflow.

  Hereinafter, four embodiments of the present invention will be described with reference to the drawings.

<First Embodiment>
FIG. 1 is a block diagram showing an example of the configuration of a computer according to an embodiment of the present invention.

  The computer shown in FIG. 1 includes a CPU 10, a storage device 20, an input / output unit 30, a program memory 40, and a RAM 50.

  The CPU 10 reads the program according to the present embodiment stored in the program memory 40 and executes a predetermined process based on the program.

  The storage device 20 stores data used in the process of the CPU 10 and processing result data.

The input / output unit 30 performs a process of inputting data used in the process of the CPU 10 and a process of outputting process result data.
The input / output unit 30 may be, for example, a network interface device that exchanges data with other devices via a local area network (LAN) or the Internet, a magnetic disk, an optical disk, an IC card, or the like. Examples include a device for writing and reading data on a portable recording medium, a user interface device such as a keyboard and a mouse, a display device, and the like.

  The program memory 40 stores a program according to this embodiment to be described later.

  The RAM 50 temporarily stores program codes and data used in the course of processing by the CPU 10. Data constituting the stack is stored in a predetermined stack area in the RAM 50.

  These units (CPU 10, storage device 20, input / output unit 30, program memory 40, and RAM 50) are connected to a common bus 60 in the example of FIG. Data is transferred between the units via the bus 60 under the control of the CPU 10.

FIG. 2 is a block diagram illustrating an example of a functional configuration of the program according to the present embodiment.
The program according to the present embodiment includes an overflow detection unit 101, a data acquisition unit 102, a determination unit 103, and a security processing unit 104.

[Overflow detection unit 101]
The overflow detection unit 101 detects stack overflow.

  For example, when a new function is called in the process of the process, the overflow detection unit 101 determines whether a predetermined address in the stack frame (between a frame pointer and a return address, or between a local variable and a frame pointer). Data for overwriting detection of a predetermined value is inserted in the interval). This value is set using, for example, a random number generated by a random number generator (not shown). When returning to the caller function, the data stored at the predetermined address is compared with the predetermined value to check whether or not the data for overwriting detection has changed. As a result, when the data for overwriting detection has changed, it is determined that a stack overflow has occurred.

  In addition, the overflow detection unit 101, when this function is called based on the result of comparing the data size passed as an argument to the function to be newly called and the data size assigned to the argument in this function Whether or not stack overflow has occurred may be detected in advance. The argument check described above is performed on a function that lacks a boundary check such as ‘strcpy ()’, for example.

[Data acquisition unit 102]
When the overflow detection unit 101 detects a stack overflow, the data acquisition unit 102 acquires data resulting from rewriting due to the stack overflow.

  For example, when the overflow detection unit 101 detects a stack overflow, the data acquisition unit 102 forcibly terminates the process and causes the operating system to output a core-dump file. In the core dump file, the memory image of the process at the time of forced termination is recorded. The determination unit 102 acquires data resulting from rewriting due to stack overflow from the core dump file.

[Determining unit 103]
Based on the data obtained as a result of being rewritten by the stack overflow acquired by the data acquisition unit 102, the determination unit 103 detects that the stack overflow has been performed for security attacks such as stack smashing and the preparation thereof. It is determined whether or not it is caused by data input.

  For example, the determination unit 103 evaluates the periodicity of a series of data as a result of rewriting, and determines whether or not the stack overflow is caused by input of invalid data based on the evaluation result. This makes use of the fact that malicious data used for security attack preparation often has a simple pattern with a short period.

  In addition to the data periodicity as described above, the determination unit 103 includes, for example, the network address of the data supply source causing the stack overflow, the port number of the data supply source, and the data The above determination may be made based on various information that characterizes the input of illegal data, such as a specific data pattern and the name of a file having the data.

[Security processing unit 104]
When the determination unit 103 determines that the stack overflow is caused by input of illegal data, the security processing unit 104 performs predetermined processing for protecting the security of the computer from such input of illegal data. To do.

For example, the security processing unit 104 stops the process in which the stack overflow has occurred. As a result, if the stack overflow is caused by an attack preparation action, this can be prevented and the attack can be prevented beforehand. In addition, when the stack overflow is caused by an attack, it is possible to prevent execution of harmful attack codes included in illegal data.
In this case, the security processing unit 104 may stop the process for a predetermined period in response to the determination result of the determination unit 103, or may stop until a predetermined command for instructing release of the stop is input. good.

Further, the security processing unit 104 may prohibit access from an unauthorized data supplier. For example, when the source of illegal data is a device on the network, access from the network address is prohibited. Alternatively, when a specific process is a supplier of illegal data, access from the process number is prohibited. Such processing can also prevent an attack preparation action to prevent an attack in advance and also prevent an attack code from being executed.
In this case, as described above, the security processing unit 104 may stop the process for a predetermined period or until a predetermined command instructing release of the stop is input.

Further, the security processing unit 104 may generate display data for displaying predetermined warning information on the device that is the source of the unauthorized data. For example,
"Illegal input has been made.
Input data:****"
Such a content is displayed on a display device provided in a device that supplies illegal data. As a result, a warning can be given to a person who has set up a security attack or a preparatory action, and such action can be suppressed.

Further, the security processing unit 104 may acquire, for example, a network address, a process number, and a port number as information related to the source of unauthorized data.
Alternatively, the input data or the attack code included therein may be acquired as information on the contents of the illegal data.
Furthermore, as information on the method of supplying unauthorized data, information such as whether it is due to unauthorized access or due to a computer virus may be acquired.
As described above, by acquiring various pieces of information related to the input of illegal data, detailed knowledge about the attack preparation action can be obtained, so that it is possible to take effective measures relating to defense against attacks in advance.

  Here, before explaining the processing by the above-described program, first, a general procedure for the preparation action of the stack smashing attack will be explained.

(1) Input data of an appropriate length to the attack target process and check whether the process is forcibly terminated. In the case of forced termination, it is estimated that a stack overflow has occurred.

(2) If the occurrence of a stack overflow is estimated, then data that has been crafted to analyze the stack structure is input to the program, the process is terminated, and the core dump / Output a file.

(3) Analyzing the contents of each pointer (stack pointer, frame pointer, instruction pointer, etc.) and memory from the acquired core dump file, and the position where the return address to the caller function is stored on the stack presume.

(4) The steps (2) and (3) described above are repeated to specify the position of the return address on the stack.

(5) Based on the position of the identified return address, illegal data in which the attack code and the instruction address are inserted at an appropriate position is created.

(6) The created illegal data is input to the attack target process, and it is confirmed whether or not a desired operation is executed.

(7) The steps (5) and (6) described above are repeated to complete illegal data including an attack code.

  According to the procedure of such an attack preparation action, a stack overflow occurs in the steps (1), (2) and (6). In the program of the present embodiment, when occurrence of a stack overflow is detected, it is determined whether or not this is due to an input of illegal data in a security attack or the above-described attack preparation action.

  FIG. 3 is a flowchart illustrating an example of the flow of processing by the program according to the present embodiment.

Step ST10:
Normal processing by other processes not shown in FIG. 2 proceeds.

Step ST20:
The overflow detection unit 101 monitors whether or not a stack overflow occurs during the process of this process. If the stack overflow is not detected, the process (step ST10) proceeds as usual. If the stack overflow is detected, the data acquisition unit 102 is notified of the occurrence of the overflow.

Step ST30:
When the occurrence of a stack overflow is notified from the overflow detection unit 101, the data acquisition unit 102 acquires data resulting from rewriting due to the stack overflow. For example, the process in which the stack overflow is detected is forcibly terminated and the core dump file is output to the operating system. Then, data obtained as a result of rewriting due to the stack overflow is acquired from the core dump file.

Step ST40:
When the data obtained as a result of rewriting due to the stack overflow is acquired in the data acquisition unit 102, the determination unit 103 determines that the stack overflow is a security attack or illegal data for preparing it based on the acquired data. It is determined whether it is caused by the input of. For example, the periodicity of the rewritten series of data is evaluated, and the above determination is performed based on the evaluation result.
As a result of the determination, if it is determined that the data is not due to illegal data input, the process (step ST10) proceeds as usual, and if it is determined that the data is illegal data input, This is notified to the processing unit 104.

Step ST50:
When the determination unit 103 is notified of the occurrence of overflow due to input of illegal data, the security processing unit 104 performs predetermined processing for protecting the security of the computer from the input of illegal data.
For example, processing to stop the process in which stack overflow has occurred, processing to prohibit access from the unauthorized data supply source, processing to display predetermined warning information on the unauthorized data supply device, input of unauthorized data The process which acquires the various information regarding is performed.

  As described above, according to the program according to the present embodiment, when a stack overflow is detected, whether or not the stack overflow is caused by an unauthorized data input in a security attack or a preparation act thereof. Can be determined. That is, it is possible to distinguish between a stack overflow caused by normal use of a computer and a stack overflow caused by a security attack or a preparatory action thereof. Therefore, it is possible to accurately grasp the actual state of the attack preparation action, and the grasped contents can be used for taking a countermeasure against the security attack in advance.

  Further, according to the program according to the present embodiment, when it is determined that stack overflow has occurred due to input of unauthorized data, processing related to computer security protection (process stop, unauthorized access prohibition, warning display, information Etc.) can be suppressed, and security attacks can be prevented in advance, so that security threats can be further reduced.

<Second Embodiment>
Next, a second embodiment of the present invention will be described.

  In the second embodiment, the presence / absence of illegal data input is determined based on the correlation value of the data resulting from rewriting due to stack overflow.

  The program according to the present embodiment described below as an example is obtained by replacing the data acquisition unit 102 and the determination unit 103 with the data acquisition unit 102A and the determination unit 103A described below in the program shown in FIG. This program is executed, for example, in the computer shown in FIG.

  First, the data acquisition unit 102A and the determination unit 103A, which are different configurations from the program shown in FIG. 2, will be described.

[Data acquisition unit 102A]
When the overflow detection unit 101 detects a stack overflow, the data acquisition unit 102A extracts a predetermined number of data arranged in the order of addresses as a data string from the memory area rewritten by the stack overflow.

  For example, when a stack overflow is detected by the overflow detection unit 101, the data acquisition unit 102A uses a predetermined number of data arranged in the order of addresses in the area including the stack on the memory from the core dump file output when the process is forcibly terminated. Is extracted as a data string.

[Determination unit 103A]
The determination unit 103A calculates the correlation value of the data string extracted by the data acquisition unit 102A, and determines whether the stack overflow is caused by incorrect data input based on the calculated correlation value To do.

  For example, the determination unit 103A compares two identical data strings with a plurality of different phases in the data acquisition unit 102A, and according to the number of corresponding data in the two identical data strings in each phase. Calculate an autocorrelation value.

Assume that the data acquisition unit 102A extracts a data string D having a data length N (N is a positive integer equal to or greater than 2). Data indicating positive integers up to 'N-1') will be expressed as 'D [i]'.
Under such conditions, the determination unit 103A determines, for example, the equation D [i] = D [i + P] (1) for the integer i from “0” to “N−1”.
Is counted as a correlation value R [P] at phase P.
However, when “i + P” exceeds “N−1” or is smaller than “0”, Formula (1) is regarded as not established. Therefore, when the phase P is an integer from “0” to “N−1”, the correlation value R [P] can have a meaningful value of “1” or more.

  FIG. 4 is a diagram for explaining an example of an autocorrelation value calculation method in the determination unit 103A.

In the example of FIG. 4, as the data string D with the data length N = 18 in the data acquisition unit 102 </ b> A,
'abcdefabcdefabcdef'
Is extracted. The data D [0], D [1], D [2],..., D [17] are “a”, “b”, “c”,.

FIG. 4A shows the correspondence of each data when the phase P = 0. In this case, since all the expressions (1) hold for the integer i from “0” to “17”, the correlation value R [0] is “18”.
FIGS. 4B and 4C show the correspondence of each data when the phase P = 1 and the phase P = 2. In this case, since none of the expressions (1) hold for the integer i from “0” to “17”, the correlation value R [0] is “0”.
FIG. 4D shows the correspondence of each data when the phase P = 6. In this case, since the equation (1) is established for the integer i from “6” to “17”, the correlation value R [0] is “12”.

  In this way, when the data shown in the example of FIG. 4 is extracted, the correlation value R [P] is “18”, “12” when the phase P is “0”, “6”, “12”, respectively. ',' 6 ', and' 0 'in other cases.

  The autocorrelation value of the data string can also be calculated by the following method.

For a data string D2 having a data length of 2N in which two data strings D are arranged, the equation D [i] = D2 [i + P] (2)
Is counted for an integer i from '0' to 'N-1', and this is set as a correlation value R2 [P] at phase P. However, when “i + P” exceeds “2N−1” or is smaller than “0”, Expression (2) is regarded as not established.

For example, as in FIG. 4, in the data acquisition unit 102A, as a data string D having a data length N = 18,
'abcdefabcdefabcdef'
Is extracted, a data string D2 in which two of them are arranged is
'abcdefabcdefabcdefabcdefabcdefabcdef'
It becomes.
In this case, the correlation value R2 [P] is “18” when the phase P is “0”, “6”, and “12”, and “0” in other cases.

  Note that the determination unit 103A in the above-described example calculates autocorrelation values for two identical data sequences, but is not limited to this, regarding two different data sequences extracted from a common memory area by the data acquisition unit 102A. The cross-correlation value may be calculated by the same method as described above.

  When the correlation value in each phase is calculated in this way, the determination unit 103A checks for each phase whether or not the calculated correlation value exceeds a predetermined threshold value. Then, the number of phases in which the correlation value exceeds a predetermined threshold is counted, and when the count value reaches a predetermined number, it is determined that the stack overflow is caused by incorrect data input.

  Next, processing of the program having the above-described configuration will be described with reference to the flowchart shown in FIG.

Steps ST10 to ST30:
The processing in steps ST10 to ST30 is the same as that in the flowchart of FIG.
That is, the occurrence of stack overflow is monitored during the normal process (step ST10) (step ST20), and when the occurrence of stack overflow is detected, the rewritten data is extracted (step ST30).

Step ST410:
When the data acquisition unit 102A extracts a data string having a predetermined data length from the area on the memory rewritten due to stack overflow, the determination unit 103A calculates a correlation value of each phase of the extracted data string.

Step ST420:
Next, the determination unit 103A compares the calculated correlation value of each phase with a predetermined threshold value, and counts the number of phases whose correlation value exceeds the threshold value.

Step ST440:
Then, the determination unit 103A determines whether or not the count value reaches a predetermined number. If the count value reaches the predetermined number, the determination unit 103A determines that the stack overflow is caused by incorrect data input, and performs step ST50. Move on. If the count value does not reach the predetermined number, the process returns to the normal process in step ST10.

Step ST50:
The process of step ST50 is the same as that of the flowchart of FIG.
That is, the security processing unit 104 executes predetermined processing such as process stop and unauthorized access prohibition in order to protect the security of the computer from input of unauthorized data.

As described above, according to the program according to the present embodiment, when a stack overflow is detected, a data string is extracted from the area on the memory rewritten by the stack overflow, and the stack is determined based on the correlation value. A determination is made whether the overflow is caused by incorrect data input. In general, data used for preparatory attacks often has a relatively simple pattern with periodicity in order to facilitate analysis. By examining the correlation value of the rewritten data, it can be attacked. It is possible to estimate whether or not the data is input to prepare the data. Therefore, it is possible to accurately grasp the actual state of the attack preparation action, and the grasped contents can be used for taking a countermeasure against the security attack in advance.
Further, similarly to the program shown in FIG. 2, since the security processing of the computer is executed in the security processing unit 104, an attack preparation action can be suppressed and a security attack can be prevented in advance.

<Third Embodiment>
Next, a third embodiment of the present invention will be described.

  The difference between the second embodiment and the third embodiment described above is that, in the second embodiment, the determination regarding the input of illegal data is performed based on the number of phases whose correlation value exceeds a predetermined threshold value. However, in the third embodiment, the above determination is performed based on a predetermined statistic indicating the variation of the correlation value.

  The program according to the present embodiment described below as an example is obtained by replacing the data acquisition unit 102 and the determination unit 103 with the data acquisition unit 102A and the determination unit 103B described later in the program illustrated in FIG. This program is executed, for example, in the computer shown in FIG.

  First, the determination unit 103B, which is a different configuration from the program of the second embodiment, will be described.

[Determination unit 103B]
The determination unit 103B calculates the correlation value of the data string extracted by the data acquisition unit 102A at each phase, and calculates a predetermined statistic (for example, standard deviation) indicating the variation of the calculated plurality of correlation values. Then, based on the calculated statistic, it is determined whether or not the stack overflow is caused by the input of invalid data.

  Next, processing of the program having the above-described configuration will be described with reference to the flowchart shown in FIG.

Steps ST10 to ST30, ST410:
The processing of steps ST10 to ST30 and ST410 is the same as the flowchart of FIG.
That is, the occurrence of stack overflow is monitored during the normal process (step ST10) (step ST20), and when the occurrence of stack overflow is detected, the rewritten result data is extracted (step ST30). A correlation value is calculated (step ST410).

Step ST430:
When the determination unit 103B calculates the correlation value of each phase, the determination unit 103B calculates, for example, a standard deviation as a statistic indicating the variation of the calculated plurality of correlation values.

Step ST450:
Then, the determination unit 103B compares the calculated standard deviation with a predetermined threshold, and if the standard deviation is larger than the predetermined threshold, that is, if the degree of variation of the correlation value is large, the stack overflow is incorrect. It is determined that it is caused by the input of correct data, and the process proceeds to step ST50. If the standard deviation does not reach this threshold value, the process returns to the normal process of step ST10.

Step ST50:
The processing in step ST50 is the same as that in the flowchart of FIG. 3, and predetermined security protection processing such as process stop and unauthorized access prohibition is executed.

As described above, according to the program according to the present embodiment, when a stack overflow is detected, based on the variation degree of the correlation value of the data string extracted in the area on the memory rewritten due to the stack overflow. A determination is made as to whether the stack overflow is caused by incorrect data input. Therefore, also in the present embodiment, as in the second embodiment, it is possible to accurately grasp the actual state of the attack preparation act.
In addition, since appropriate security protection processing is executed in the same manner as in the first and second embodiments, it is possible to suppress an attack preparation act and prevent a security attack.

<Fourth Embodiment>
Next, a fourth embodiment of the present invention will be described.

  In the fourth embodiment, the determination method based on the correlation value in the second and third embodiments described above is combined to determine whether or not the stack overflow is caused by the input of invalid data. It is.

  The program according to the present embodiment described below as an example is obtained by replacing the data acquisition unit 102 and the determination unit 103 with the data acquisition unit 102A and the determination unit 103C described later in the program illustrated in FIG. This program is executed, for example, in the computer shown in FIG.

  First, the determination unit 103C, which is a different configuration from the program of the second embodiment, will be described.

[Determination unit 103C]
The determination unit 103C calculates the correlation value of the data string extracted by the data acquisition unit 102A, and checks whether or not the calculated correlation value exceeds a predetermined threshold value for each phase. Then, the number of phases in which the correlation value exceeds a predetermined threshold value is counted, and a first provisional determination regarding whether or not the stack overflow is caused by incorrect data input based on the count value To do.
Further, the determination unit 103C calculates a predetermined statistic (for example, standard deviation) indicating the variation of the calculated plurality of correlation values, and based on the calculated statistic, stack overflow is caused by incorrect data input. A second provisional determination is made as to whether or not the
Then, the determination unit 103C finally determines whether or not the stack overflow is caused by incorrect data input based on the determination results of the first temporary determination and the second temporary determination.

For example, the determination unit 103C counts the number of times that a stack overflow is temporarily determined to be caused by input of invalid data in one of the first temporary determination and the second temporary determination. .
Then, when it is tentatively determined that the stack overflow is caused by the input of invalid data in both the first tentative determination and the second tentative determination, or when the above-mentioned count number reaches a predetermined number Finally, it is finally determined that the stack overflow is caused by the input of invalid data.

  Next, processing of the program having the above-described configuration will be described with reference to flowcharts shown in FIGS.

Step ST2:
First, the value of the counter variable C used in the determination process described later is cleared to “0”.

Step ST4:
Next, the values of flag variables F1 and F2 used in the determination process described later are cleared to “0”.

Steps ST10 to ST30, ST410 to ST430:
The processes of steps ST10 to ST30 and ST410 to ST430 are the same as the processes with the same reference numerals in the flowcharts of FIGS.
That is, the occurrence of stack overflow is monitored during the normal process (step ST10) (step ST20), and when the occurrence of stack overflow is detected, the rewritten result data is extracted (step ST30). A correlation value is calculated (step ST410). Then, the number of phases where the correlation value exceeds the threshold value is counted (step ST420), and a standard deviation indicating the variation of the correlation value is calculated (step ST430).

Steps ST440 and ST445:
Determination section 103C determines whether or not the number of phases counted in step ST420 exceeds a predetermined threshold value (step ST440). If the predetermined threshold value is exceeded, the flag variable F1 is changed to '1' (step ST445). If the predetermined threshold value is not exceeded, the flag variable F1 is kept at '0' and step ST450. Migrate to The flag variable F1 having a value “1” indicates a determination result that the stack overflow is caused by input of invalid data in the first provisional determination described above.

Steps ST450 and ST455:
Further, determination section 103C determines whether or not the standard deviation calculated in step ST430 exceeds a predetermined threshold value. (Step ST450). If the predetermined threshold value is exceeded, the flag variable F2 is changed to “1” (step ST455). If the predetermined threshold value is not exceeded, the flag variable F2 remains “0” and step ST460. Migrate to The flag variable F2 having a value “1” indicates a determination result that the stack overflow is caused by input of invalid data in the second provisional determination described above.

Step ST460:
Next, determination section 103C checks whether flag variables F1 and F2 are both “1” (step ST460). When flag variables F1 and F2 are both “1”, a final determination is made that the stack overflow is caused by input of invalid data, and the process proceeds to step ST50. When flag variables F1 and F2 are not both “1”, the process proceeds to step ST462.

Steps ST462 to ST466:
In step ST462, the determination unit 103C checks whether or not the flag variable F1 or F2 is “1” (step ST462). If the flag variable F1 or F2 is “1”, after adding “1” to the counter variable C, it is checked whether or not the counter variable C exceeds a predetermined threshold (step ST466). When the counter variable C exceeds the threshold value, the determination unit 103C makes a final determination that the stack overflow is due to input of invalid data, and proceeds to step ST50.
If both flag variables F1 and F2 are “0” in the determination in step ST462, or if counter variable C does not exceed the threshold value in the determination in step ST466, determination unit 103C returns the process to step ST4. Thereby, the flag variables F1 and F2 are cleared to “0”, and the processes after step ST10 are repeated.

Step ST50:
The processing in step ST50 is the same as that in the flowchart of FIG. 3, and predetermined security protection processing such as process stop and unauthorized access prohibition is executed.

  As described above, according to the program according to the present embodiment, when a stack overflow is detected, a data string is extracted from the area on the memory rewritten by the stack overflow, and the correlation value is calculated. Whether or not the stack overflow is caused by incorrect data input based on the number of phases where the correlation value becomes maximum at a certain data length and the degree of variation of the correlation value at a certain data length Is determined. Therefore, also in the present embodiment, as in the second and third embodiments described above, it is possible to accurately grasp the actual situation of the attack preparation act.

In addition, according to the present embodiment, the determination is performed based on a combination of determination methods having different correlation values, so that it is possible to more accurately grasp the occurrence of stack overflow due to the attack preparation action.
In addition, in the case where stack overflow frequently occurs, the number of times that the temporary determination of illegal data input is made only in one of the determination methods and the final determination of incorrect data input is made when it reaches a predetermined number of times. It is possible to accurately determine whether or not it is due to an attack preparation act.
Furthermore, since the appropriate security protection processing is executed in the same manner as in the first to third embodiments, it is possible to suppress the attack preparation action and prevent the security attack.

In addition, this invention is not limited to embodiment mentioned above.
For example, the program of the present invention may be previously written in the ROM 40 as in the above-described embodiment, or may be read from the storage device 20. Or what was read from recording media, such as an optical disk, in the input-output part 30, or what was input from the other apparatus via the network may be used. Or the partial data of the program acquired by the several methods as mentioned above may be combined.

  Further, the present invention can be realized by a program as in the above-described embodiment, but part or all of the processing can be executed by dedicated hardware. For example, in the block diagram shown in FIG. 2, some or all of the functional blocks can be replaced with hardware circuits. The circuit in that case may be formed on the same semiconductor chip as the CPU, or may be formed on another chip.

It is a block diagram which shows an example of a structure of the computer which concerns on embodiment of this invention. It is a block diagram which shows an example of a functional structure of the program which concerns on the 1st Embodiment of this invention. It is the flowchart which illustrated an example of the flow of processing by the program concerning a 1st embodiment. It is a figure for demonstrating an example of the calculation method of the autocorrelation value in a determination part. It is the flowchart which illustrated an example of the flow of processing by the program concerning a 2nd embodiment. It is the flowchart which illustrated an example of the flow of processing by the program concerning a 3rd embodiment. It is the 1st flowchart illustrating an example of the flow of processing by the program concerning a 4th embodiment. It is the 2nd flowchart which illustrated an example of the flow of processing by the program concerning a 4th embodiment. It is a figure which shows an example of the source code of C language. FIG. 10 is a diagram illustrating an example of a stack state when the source code illustrated in FIG. 9 is executed. It is the figure which illustrated an example of the state of a stack when stack overflow occurred. It is the figure which illustrated a mode that the attack code was executed by the stack smashing attack. It is a figure for demonstrating the defense method of the stack smashing attack by the method of a nonpatent literature 1. FIG. It is the 1st figure for demonstrating the defense method of the stack smashing attack by the method of a nonpatent literature 2. FIG. It is the 2nd figure for demonstrating the defense method of the stack smashing attack by the method of a nonpatent literature 2. FIG.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... CPU, 20 ... Storage device, 30 ... Input / output unit, 40 ... Program memory, 50 ... RAM, 101 ... Overflow detection unit, 102,102A ... Data acquisition unit, 103,103A, 103B, 103C ... Determination unit, security Processing unit 104

Claims (19)

To a computer where the stack can overflow due to incorrect data input,
A first step of detecting an overflow of the stack;
If the overflow is detected in the first step, a second step of obtaining data resulting from the rewriting by the overflow;
A third step for determining, based on the data acquired in the second step, whether the overflow is caused by the input of the illegal data;
A program for executing a process having In the third step, the periodicity of a series of data resulting from the rewriting is evaluated, and the determination is performed based on the evaluation result.
The program according to claim 1. In the second step, a predetermined number of data arranged in the order of addresses is extracted as a data string from the rewritten memory area,
The third step is
A fourth step of calculating a correlation value of the data string extracted in the second step;
A fifth step of performing the determination based on the correlation value calculated in the fourth step.
The program according to claim 2. In the fourth step, the two data strings extracted from the common memory area in the second step are compared at a plurality of different phases, and corresponding data in the two data strings are compared with each other in each phase. Calculate the correlation value according to the number of matches,
The program according to claim 3. In the fifth step, the determination is performed based on the number of phases in which the correlation value exceeds a predetermined threshold value.
The program according to claim 4. In the fifth step, a predetermined statistic indicating the variation of the plurality of correlation values calculated in the fourth step is calculated, and the determination is performed based on the calculated statistic.
The program according to claim 4. The fifth step is
A sixth step of performing a first provisional determination relating to the determination based on the number of phases in which the correlation value exceeds a predetermined threshold;
A seventh step of calculating a predetermined statistic indicating the variation of the plurality of correlation values calculated in the sixth step, and performing a second provisional determination related to the determination based on the calculated statistic; ,
And an eighth step of finally determining whether or not the overflow is caused by the input of the illegal data based on the determination results of the first and second provisional determinations. The program according to claim 4. The fifth step is the number of times that the overflow is temporarily determined to be caused by the input of the illegal data in the determination result of one of the first temporary determination and the second temporary determination. Has a ninth step of counting
In the eighth step, when it is tentatively determined that the overflow is caused by the input of the illegal data in both the first tentative determination and the second tentative determination, or When the number of counts in the step reaches a predetermined number, it is finally determined that the overflow is caused by the input of the invalid data.
The program according to claim 7. In the third step, at least the network address of the data supply source causing the overflow, the port number of the data supply source, the specific data pattern included in the data, or the file having the data Make the above determination based on the name of
The program according to claim 1. In the third step, when it is determined that the overflow is caused by the input of the illegal data, the process includes the tenth step of stopping the process in which the overflow has occurred.
The program according to claim 1. In the tenth step, the process in which the overflow has occurred is stopped at least for a predetermined period or until a predetermined command is input.
The program according to claim 10. In the third step, when it is determined that the overflow is caused by the input of the invalid data, the third step includes an eleventh step for prohibiting access from the source of the illegal data.
The program according to claim 1. In the eleventh step, access from the unauthorized data supplier is prohibited at least for a predetermined period or until a predetermined command is input.
The program according to claim 12. In the third step, when it is determined that the overflow is caused by the input of the unauthorized data, display data for displaying predetermined warning information on the device that supplies the unauthorized data is generated. Having a twelfth step
The program according to claim 1. If it is determined in the third step that the overflow is caused by the input of the illegal data, at least the source of the illegal data, the content of the illegal data, or the supply of the illegal data Having a thirteenth step of obtaining information about the method;
The program according to claim 1. A security protection device for protecting the computer from an attack that causes an overflow of the stack by inputting illegal data to the computer,
Overflow detection means for detecting an overflow of the stack;
When the overflow is detected by the overflow detection means, data acquisition means for acquiring data resulting from rewriting due to the overflow; and
Determination means for determining whether the overflow is caused by the input of the illegal data, based on the data acquired by the data acquisition means;
If the determination means determines that the overflow is caused by the input of the illegal data, at least a process for stopping the process in which the overflow has occurred and prohibiting access from the source of the illegal data Processing for generating display data for displaying predetermined warning information in the device that is the source of the unauthorized data, or the source of the unauthorized data, the content of the unauthorized data, or the supply of the unauthorized data Processing means for executing processing for acquiring information on at least one of the methods;
Having a security protection device. The determination means evaluates the periodicity of a series of data resulting from the rewriting, and performs the determination based on the evaluation result.
The security protection device according to claim 16. A security protection method for protecting the computer from an attack that causes an overflow of the stack by inputting illegal data to the computer,
A first step of detecting an overflow of the stack;
If the overflow is detected in the first step, a second step of acquiring data resulting from the rewriting by the overflow;
A third step of determining, based on the data acquired in the second step, whether the overflow is caused by the input of the unauthorized data;
In the third step, when it is determined that the overflow is caused by the input of the illegal data, at least the process in which the overflow has occurred is stopped or the access from the supply source of the illegal data is performed. Or displaying predetermined warning information on the device that is the source of the unauthorized data, or at least one of the source of the unauthorized data, the content of the unauthorized data, or the method of supplying the unauthorized data A fourth step of obtaining information about one;
A security protection method. In the third step, the periodicity of a series of data of the rewritten result is evaluated, and the determination is performed based on the evaluation result.
The security protection method according to claim 18.

Images