JP4643201B2 - Buffer overflow vulnerability analysis method, data processing device, analysis information providing device, analysis information extraction processing program, and analysis information provision processing program - Google Patents

Description

  The present invention relates to a buffer overflow vulnerability analysis method for performing processing for providing analysis information necessary for correcting a program subjected to a buffer overflow attack to the developer of the program, and the buffer overflow Data processing apparatus and analysis information providing apparatus used in system for realizing vulnerability analysis method, analysis information extraction processing program used for realizing the data processing apparatus, and analysis information used for realizing the analysis information providing apparatus It relates to a program for providing processing.

  The stack memory stores a return address for returning to the caller when a subroutine is called, a frame pointer, a local variable used only within the subroutine, and an exception handler (exception occurs depending on the operating system). The address of a subroutine that is sometimes executed is stored.

  From now on, when a write exceeding the buffer boundary (buffer overflow) occurs in a buffer declared as a local variable used only in a subroutine, the return address and the like are rewritten.

  The buffer overflow attack (stack smashing attack) is an attack in which an arbitrary program is executed by changing the processing flow of the program by this rewriting.

  Specifically, this buffer overflow attack is executed by writing attack data in the copy source buffer. When the attack data is written, the attack target process is specified by the standard copy function (calling process). When a copy is performed by calling a function that executes a copy process from the copy source buffer to the copy destination buffer), the copy destination buffer overflows and the return address is rewritten, which causes an attack. Become.

  As a conventional technique for protecting against buffer overflow attacks, a dynamic linker is used to hook a standard memory copy function call at the time of process execution, so that the size of the copy destination buffer is checked in advance and a buffer overflow occurs. There is a technique of detecting (see, for example, Non-Patent Document 1).

  Note that “hooking a function” means that control is intercepted when a certain function is called. For debugging purposes, in order to check whether a certain function is called correctly, there is a usage method in which control is temporarily intercepted and logged.

  In addition, a guard variable that is a special value for protection such as a return address is inserted into the process to be protected at the time of compilation, and the validity of the guard variable is confirmed immediately before the return processing of the function. Some insert a process of abnormally terminating the process when the variable is destroyed (see, for example, Patent Document 1).

These conventional technologies can protect the host from unauthorized intrusion such as server hijacking and data tampering due to buffer overflow attacks.
White Paper “Libsafe: Protecting critical elements of stacks.” “Http://www.research.avayalabs.com/project/libsafe/” A. Baratloo, N. Singh, and T. Tsai, December 1999. JP 2001-216161 A

  However, according to such a conventional technique, it is possible to detect the occurrence of a buffer overflow, but there is a problem that it is difficult to identify the cause.

  Therefore, according to the prior art, there is a problem that it is impossible to quickly correct the program source and apply the correction patch, which is a fundamental countermeasure.

  The present invention has been made in view of such circumstances, and by clarifying the cause of the buffer overflow that has occurred, it is possible to quickly correct the program source and apply the correction patch, which is the fundamental countermeasure. The purpose is to provide new technology.

  The buffer overflow vulnerability analysis system realized by the present invention is configured by connecting a plurality of data processing devices and an analysis information providing device via a network, and corrects a program that is subject to a buffer overflow attack. Processing to provide analysis information necessary for performing to the developer of the program.

[1] Data processing apparatus of the present invention The data processing apparatus of the present invention calls (a) a heap memory allocation function that is called when a buffer is allocated on the heap memory in order to realize the analysis information providing process. The function call history until the buffer allocation processing is performed by performing a stack trace to the top of the stack, and the acquired information is recorded in the heap memory allocation function call history storage unit. Storage means and (b) When the attack target process calls the copy function, it enters the process and traces the stack memory so that the address of the copy destination buffer specified by the copy function starts from the beginning of the copy destination buffer. Find the distance to the point just before the frame pointer of the caller function, and copy that distance to the attack target Obtained as the size of the destination buffer. If the destination buffer does not exist in the stack memory at this time, the size of the destination buffer is searched by searching for the heap management block that manages the buffer information allocated in the heap memory. If the size of the copy destination buffer is smaller than the size of the copy source buffer, the size of the copy source buffer is compared with the size of the copy destination buffer thus obtained. Detecting means for detecting whether a buffer overflow attack has occurred, and (c) if the detecting means detects that the attack target buffer exists in the stack memory, the attack target buffer The frame point before the first frame pointer that arrives first after tracing beyond the beginning of The return address that follows is specified, information on the function that secured the attack target buffer at the address pointed to by the specified return address is obtained, and further, based on the return address specified in the trace First acquisition means for acquiring function call history information from securing the attack target buffer to buffer overflow attack, and (d) when the detection means detects that the attack target buffer exists in the heap memory. A second acquisition unit that acquires information on a function call history until the buffer for the attack target is secured by referring to the heap memory allocation function call history storage unit; and (e) a detection unit Information on whether the attack target buffer detected by the sash exists in stack memory or heap memory, and the first The acquired information of the resulting unit / second acquisition unit, and a determination means for determining as analysis information to be provided to the program developer.

  Here, each processing means constituting the data processing apparatus of the present invention can also be realized by a computer program. This computer program is provided by being recorded on an appropriate recording medium or provided via a network. The present invention is realized by installing and operating on a control means such as a CPU when the invention is carried out.

[2] Analysis Information Providing Device of the Present Invention The analysis information providing device of the present invention provides (a ) the data of the present invention sent from the data processing device of the present invention in order to realize the above analysis information providing process Analyzing information indicating whether the attack target buffer determined as information to be provided to the program developer by the processing device exists in the stack memory or the heap memory. Further, upon receiving this, (i) the attack target buffer When the data is present in the stack memory, the data processing apparatus of the present invention programs the information on the function that performed the process of securing the attack target buffer and the function call history information from the securing of the attack target buffer to the buffer overflow attack. Since it is determined as analysis information to be provided to the developer, the analysis information is also received. (Ii) Meanwhile, the attack target buffer If it exists in the heap memory, the data processing device of the present invention determines the function call history information until the attack target buffer is secured as analysis information to be provided to the program developer. also by receiving the information, by referring receiving means for receiving the analysis information to be provided to program developer, known analysis information storage means for storing already provided insights into (ii) the program developer, a determination unit received analysis information receiving means is already determined whether it is already provided in the program developer, not been registered to the known analysis information storage means analyzes information received in (c) receiving means Ikoto when determining the provides the analysis information to the program developer, if it is determined that it is registered, known analysis in association with the analysis information of their Based on the address information registered in the broadcast storage means comprises executing means for executing a dealing process for buffer overflow attacks.

In the case of employing this configuration, the determination unit, when the received analysis information receiving means determines whether the registered in the known analysis information storage unit, from the function which ensures an attack Target Bas Ffa If the call history up to a function that has undergone program correction is the same as that of the analysis information registered in the known analysis information storage means, the same function is used even if the subsequent function call history is different. Judgment may be made as

  Here, each processing means constituting the analysis information providing apparatus of the present invention can also be realized by a computer program, and this computer program is provided by being recorded on an appropriate recording medium or provided via a network, When the present invention is implemented, the present invention is realized by being installed and operating on a control means such as a CPU.

[3] Regarding the processing of the present invention In the present invention configured as described above, when the data processing apparatus detects the occurrence of a buffer overflow attack, the data processing apparatus detects the occurrence of the buffer as the attack target as analysis information to be provided to the program developer. Information on the existing location and information on the function that secured the buffer are extracted, and if the function call history information from the buffer securing to the buffer overflow attack can be extracted, the information is extracted.

Buffer overflow correction methods can be broadly divided into
(I) Extending the size of the buffer to be secured (ii) Checking the buffer size when writing to the buffer can be cited.

  In order to correct (i), it is necessary to know how much buffer should be expanded to what extent.

  Therefore, in the present invention, in order to specify the buffer, a place where the buffer exists and a place where the buffer is secured are used. The location where the buffer exists is mainly stack memory and heap memory.

  The buffer in the stack memory is secured immediately after the function is called. In the present invention, the stack trace is performed from the frame pointer at the time of the overflow to the beginning of the attacked buffer, and finally The function that secures the buffer is specified by extracting the return address close to the frame pointer immediately before the frame pointer that arrives at.

  In addition, the buffer on the heap memory is secured when the heap memory allocation function is called. In the present invention, when the heap memory allocation function is called, the function is performed by performing a stack trace to the top of the stack. The call history information (information about what module configuration is called according to the module configuration) is acquired, and the information is recorded in association with the information of the buffer secured in the heap memory. When the resulting buffer exists in the heap memory, the information on the function that secured the buffer is specified by referring to the recorded information.

  On the other hand, in order to correct (ii), it is necessary to know where to check the buffer size in addition to the information of (i). The trigger for checking the buffer size is from the time when the buffer is secured until the overflow occurs.

  Therefore, in the present invention, in order to specify the location, stack trace is performed from the frame pointer at the time of overflow occurrence to the function that secures the buffer, thereby extracting function call history information from buffer securing to buffer overflow attack. To do.

  The data processing apparatus notifies the analysis information providing apparatus of the information acquired in this way as analysis information to be provided to the program developer, and in response to this, the analysis information providing apparatus refers to the known analysis information storage means. Thus, when it is determined whether or not the notified analysis information has already been provided to the program developer, and it is determined that it has not been provided yet, the notified analysis information is provided to the program developer.

  Upon receiving this analysis information, the program developer modifies the program by the method (1) or (2) based on the provided analysis information, and adds the analysis information registered in the known analysis information storage means to The correction method (information indicating (1) or (2)) is reflected. Further, when the correction is made by the method (2), the location where the buffer size check is performed is reflected in the analysis information registered in the known analysis information storage means. In addition, if there is coping information such as the location of the correction patch, it is also reflected in the analysis information registered in the known analysis information storage means.

  By reflecting the correction method in the analysis information in this way, it is possible to appropriately determine whether or not the analysis information is known even when the same buffer overflows with a different function call history.

  When the analysis information providing apparatus determines that the analysis information notified from the data processing apparatus is registered in the known analysis information storage means, the analysis information providing apparatus registers it in the known analysis information storage means in association with the analysis information. On the basis of the handling information that has been processed, a handling process for the buffer overflow attack is executed. For example, coping processing such as presenting the coping information to the user or automatically coping based on the coping information is executed.

  The effect obtained by the present invention is that it becomes possible to quickly correct a program source and apply a correction patch, which is a fundamental countermeasure.

  Even if it is known that a buffer overflow has occurred in conventional detection methods against buffer overflow attacks, it is difficult to identify the cause of the buffer overflow. It was.

  In contrast, in the present invention, it is determined whether or not the buffer overflow that has occurred is a known vulnerability, and in the case of an unknown vulnerability, information necessary for correcting the program is extracted and the program developer is extracted. By transmitting to, quick program correction becomes possible. In the case of known vulnerabilities, it is possible to quickly apply a correction patch by presenting countermeasure information registered by the program developer or by automatically dealing with it according to the countermeasure information.

  Next, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 illustrates an example embodiment of a buffer overflow vulnerability analysis system implemented by the present invention.

  As shown in this figure, the buffer overflow vulnerability analysis system realized by the present invention includes a buffer overflow detection unit 1 that detects a buffer overflow, and information for a program developer to specify a program correction location (correction location). Information), a known vulnerability determination unit 3 that determines whether the generated buffer overflow is a known vulnerability (one that occurred in the past), and known vulnerability information (the cause of the buffer overflow A known vulnerability information storage unit 4 for storing the handling information), a dialogue registration unit 5 for registering the known vulnerability information in the known vulnerability information storage unit 4 by interacting with the program developer, and a known vulnerability information storage. Coping section that executes countermeasure processing for buffer overflow based on known vulnerability information stored in section 4 Composed of a.

  Here, 7 is a stack memory, 8 is a heap memory allocation function call history storage unit, and 9 is a heap memory allocation function call history recording unit.

  As shown in FIG. 2, the heap memory allocation function call history storage unit 8 associates the address of the buffer allocated on the heap memory with the call history information of the heap memory allocation function (according to any module configuration). The heap memory allocation function call history recording unit 9 as shown in FIG. 3 ensures that a buffer is allocated on the heap memory when the heap memory allocation function is called, as shown in FIG. The stack trace to the top of the stack, identify the function history until the heap memory allocation function is called, and associate it with the address of the buffer allocated in the heap memory, and the heap memory Processing to be recorded in the secured function call history storage unit 8 is executed.

  Specifically, as shown in FIG. 4, the buffer overflow vulnerability analysis system includes a plurality of user terminals 10, a correction location information providing device 11, and a program developer terminal that develop a program that is subject to a buffer overflow attack. 12 is constructed by a system connected to the network via the network 13, and the user terminal 10 includes a buffer overflow detection unit 1 / correction location extraction unit 2 / heap memory allocation function call history shown in FIG. The storage unit 8 / heap memory allocation function call history recording unit 9 is provided, and the corrected location information providing device 11 includes the known vulnerability determination unit 3 / known vulnerability information storage unit 4 / dialog registration unit 5 shown in FIG. / The coping part 6 will be provided.

  The correction location information providing device 11 may be prepared in a form incorporated in the program developer terminal 12.

  Next, a rough processing flow of the buffer overflow vulnerability analysis system configured as described above will be described.

  First, when the buffer overflow detection unit 1 detects a buffer overflow, the location of the buffer where the overflow has occurred (stack memory or heap memory) is specified, and control is passed to the correction location extraction unit 2.

  In response to this, the correction location extraction unit 2 extracts the location where the buffer is secured (information about which function secured the buffer). In addition, in order to specify the location where the buffer size should be checked, the function call history from buffer allocation to buffer overflow attack is performed by performing a stack trace to the function that secured the buffer using the frame pointer at the time of overflow occurrence. To extract. Then, the correction location information extracted in this way is passed to the known vulnerability determination unit 3.

  In response to this, the known vulnerability determination unit 3 checks whether or not the corrected part information passed from the corrected part extraction unit 2 is stored in the known vulnerability information storage unit 4, and the corrected part information Is not stored in the known vulnerability information storage unit 4, the corrected part information is stored in the known vulnerability information storage unit 4, and the program developer is notified via the dialog registration unit 5. The correction part information is transmitted.

  In response to this, the program developer inputs known vulnerability information (cause of buffer overflow, countermeasure information, etc.), so the dialog registration unit 5 inputs it and stores it in the known vulnerability information storage unit 4. Store.

  On the other hand, when the known vulnerability determination unit 3 determines that the corrected part information passed from the corrected part extraction unit 2 is stored in the known vulnerability information storage unit 4, the known vulnerability information is extracted from the corresponding known vulnerability information. The coping information created by the program developer is acquired and transmitted to the coping unit 6.

  In response to this, the coping section 6 presents the coping information to the user based on the coping information received from the known vulnerability determination section 3, or automatically performs coping based on the coping information.

  Next, detailed processing of the buffer overflow vulnerability analysis system configured as described above will be described.

[1] Processing of Buffer Overflow Detection Unit 1 First, the processing of the buffer overflow detection unit 1 will be described.

  The buffer overflow detection unit 1 can use the buffer overflow detection technology disclosed in Japanese Patent Application No. 2004-40962 filed earlier by the present inventors.

  In the buffer overflow detection technology disclosed by the present inventors, the standard copy function call is hooked at the time of program execution, and when the copy destination buffer does not exist in the stack memory, the heap management block is searched, It is possible to detect the buffer overflow of the buffer secured in the heap memory.

  The conventional technology for detecting buffer overflow so far cannot detect the buffer overflow of the buffer secured on the heap memory, but the buffer overflow detection technology disclosed by the present inventors can detect the buffer overflow. There is a great feature in this, and this makes it possible to realize the buffer overflow detector 1 constituting the present invention.

  FIG. 5 illustrates a configuration example of the buffer overflow detection unit 1 configured according to the invention disclosed by the present inventors.

  As shown in this figure, the buffer overflow detection unit 1 includes a standard copy function hook library 21 that performs a buffer overflow attack detection process in order to detect a buffer overflow attack performed on the attack target process 20, and an attack. And a library injection program 22 for performing processing for loading the standard copy function hook library 21 into the target process 20.

  A buffer overflow attack is executed by writing attack data in a copy source buffer, and the attack target process 20 specifies a copy source buffer and a copy destination buffer and calls a standard copy function to copy from the copy source buffer to the copy destination buffer. When copying to a buffer, the return address is rewritten due to overflow of the copy destination buffer.

  The buffer overflow detection unit 1 executes processing for detecting such a buffer overflow attack.

  FIG. 6 shows a configuration example of the standard copy function hook library 21 prepared for realizing this detection process.

  As shown in this figure, the standard copy function hook library 21 includes a library initialization function 210 that is called from the OS and loader when the library is loaded, and hook functions corresponding to each standard copy function. A standard copy function hook function group 211, and a trampoline code area 212 which is a copy destination of the entry point of the standard copy function.

  In the buffer overflow detection unit 1 configured as described above, first, the library injection program 22 is started to inject the standard copy function hook library 21 into the attack target process space.

  The library initialization function 210 of the injected standard copy function hook library 21 hooks the call of the standard copy function by the attack target process 20 by rewriting the attack target process 20. If this hook gives control to the hook function and a buffer overflow attack has occurred, the hook function detects it and forcibly terminates the attack target process 20.

  Next, processing performed by the library initialization function 210 in the standard copy function hook library 21 will be described with reference to FIGS.

  Here, 30 shown in FIG. 7 is a program part related to the attack target process 20, and shows a calling part of “strcpy function” which is an example of a standard copy function and a head part of the “strcpy function”. Yes. Here, "dst" specified when calling the "strcpy function" indicates the address of the copy destination buffer, and "src" specified when calling the "strcpy function" indicates the address of the copy source buffer. ing.

  Reference numeral 31 corresponds to the trampoline code area 212 of FIG. Reference numeral 32 denotes a calling part of the “strcpy function” immediately after the library initialization function 210 is executed, and a head part of the “strcpy function”. Reference numeral 33 denotes a trampoline code area 212 immediately after the library initialization function 210 is executed. Reference numeral 34 denotes a hook function corresponding to the “strcpy function”.

  The library initialization function 210 in the standard copy function hook library 21 first copies the head part of the “strcpy function” in 30 to an empty space in the 31 trampoline code area. As a result, 31 becomes a state indicated by 33.

  Subsequently, the head part of the “strcpy function” in 30 is rewritten to an instruction (jmp hook-strcpy) for jumping to the hook function corresponding to this “strcpy function”. As a result, 30 becomes the state shown in 32.

  Thus, when the “strcpy function” is called from the attack target process 20, control is passed to the hook function corresponding to this “strcpy function” shown in 34 according to the jump instruction so that the buffer size can be checked. Become.

  When it is determined that a buffer overflow attack has not occurred as a result of checking the buffer size, this hook function uses the “strcpy function” copied to the trampoline code area 33 according to the instruction code “call trampoline-strcpy”. The head portion is executed, and then control is returned to the “strcpy function” according to the instruction code “jmp strcpy + N” described in the trampoline code area 33.

  FIG. 8 shows a processing flow executed by the library initialization function 210 in the standard copy function hook library 21.

  Next, processing executed by the library initialization function 210 will be described in detail according to this processing flow.

  As shown in the processing flow of FIG. 8, the library initialization function 210 first suspends all threads other than the thread that processes the library initialization function 210 in step 20.

  Subsequently, in step 21, the entry point of the standard copy function is acquired, and in step 22, the instruction that will be overwritten when the acquired entry point is rewritten to an instruction that jumps to the hook function is stored in the trampoline code area. Copy to 212 (31 in FIG. 7).

  Subsequently, in step 23, it is determined whether or not there is a thread that is executing the entry point of the standard copy function (which will be rewritten in the process described later). If there is, the process proceeds to step 24. The thread that is executing the entry point of the standard copy function is resumed, the process is advanced to prevent the entry point from being executed, the process is stopped again, and the process returns to step 23.

  Then, by repeating the return to step 23 to create a state in which all threads are not executing the entry point of the standard copy function, the process proceeds to step 25 to erase the contents of the instruction cache of the CPU. Subsequently, in step 26, the entry point of the standard copy function is rewritten with an instruction for jumping to the hook function.

  Subsequently, in step 27, it is determined whether or not all standard copy function entry points have been rewritten. If there is a standard copy function entry point that has not yet been rewritten, the process returns to step 21.

  If it is determined that the entry points of all the standard copy functions have been rewritten by repeating the return to step 21, the process proceeds to step 28, where all threads are resumed and the process is terminated.

  In this way, the library initialization function 210 hooks the call of the standard copy function by the attack target process 20 by rewriting the entry point of the standard copy function called by the attack target process 20 into an instruction to jump to the hook function. And process so that control is passed to the hook function.

  Next, processing performed by the hook functions constituting the standard copy function hook function group 211 will be described with reference to FIGS.

  Here, reference numeral 40 shown in FIGS. 9 and 10 denotes a stack memory of the attack target process 20 (corresponding to 7 in FIG. 1), and a frame for recording information about the called function is stacked in units of functions. 10 indicates heap memory (a memory area used when a buffer is dynamically allocated during process execution), and 42 illustrated in FIG. 10 indicates heap management for managing the heap memory 41. Indicates a block.

  The hook function searches the stack memory 40 of the attack target process 20 and searches the frame pointer of the caller function in order from the area pointed to by the current frame pointer, so that the head of the copy destination buffer (the attack target process 20 is the standard copy). When the function frame to which the address of the copy destination buffer (designated when calling the function) belongs is obtained and the function frame to which it belongs is obtained, as shown in FIG. 9, the obtained function frame from the top of the copy destination buffer. Is obtained as the size of the copy destination buffer.

  In this way, the hook function sequentially follows the frame pointer of the caller function from the area pointed to by the current frame pointer. However, as shown in FIG. 10, the head of the copy destination buffer points to the heap memory 41. If there is no copy destination buffer in the stack memory 40, the stack bottom is finally reached.

  From now on, considering that the hook function may exist in the heap memory 41 due to the dynamic allocation of the copy destination buffer when the stack bottom is reached by following the frame pointer in order, FIG. As shown in the figure, the heap management block 42 finds out whether or not the copy destination buffer is managed (searches by checking whether or not the start address of the copy destination buffer is managed). The managed buffer size is obtained as the size of the copy destination buffer.

  Here, the stack bottom address of the stack memory 41 may be fixed depending on the execution environment. In this case, the fixed value is acquired as the stack bottom, but the execution environment where the stack bottom is not fixed. Then, since it is managed by a thread environment block (TEB), it is acquired by referring to this.

  FIG. 11 shows a processing flow executed by hook functions constituting the standard copy function hook function group 211.

  Next, processing executed by the hook function will be described in detail according to this processing flow.

  As shown in the processing flow of FIG. 11, the hook function first obtains the size of the copy source buffer from the specification of each standard copy function in step 30. Subsequently, in step 31, the addresses of the stack top and stack bottom are acquired, and in step 32, whether the area pointed to by the frame pointer (the starting point is the frame pointer at the time when the own function is called) is in the stack or not. Judging.

  If it is determined that the area pointed to by the frame pointer is in the stack according to the determination process in step 32, the process proceeds to step 33 to acquire the frame of the caller function. It is determined whether or not the copy destination buffer belongs to the frame.

  If it is determined that the copy destination buffer does not belong to the frame of the caller function according to the determination process of step 34, the process proceeds to step 35, and the variable for storing the frame pointer is updated to the frame pointer of the caller function. Return to step 32.

  On the other hand, when it is determined that the copy destination buffer belongs to the frame of the caller function according to the determination process of step 34, the process proceeds to step 36, and the caller is called from the head of the copy destination buffer as shown in FIG. After obtaining the distance to the point just before the frame pointer of the function as the size of the copy destination buffer, the processing of step 39 described later is performed.

  On the other hand, if it is determined that the area pointed to by the frame pointer is not in the stack according to the determination process in step 32, the process proceeds to step 37, and it is checked whether the copy destination buffer is managed by the heap management block.

  If it is determined that the copy destination buffer is not managed by the heap management block 42 in accordance with the determination processing in step 37, the process proceeds to step 41 without checking the buffer size, and the trampoline code area 212 (FIG. 7 of 31), by calling the head part of the standard copy function copied, the process of the attack target process 20 is continued by passing control to the standard copy function.

  On the other hand, when it is determined that the copy destination buffer is managed by the heap management block 42 in accordance with the determination processing in step 37, the process proceeds to step 38, and the size of the copy destination buffer is set according to the managed buffer size. get.

  Subsequently, when it is determined in step 39 that the acquired copy source buffer size is compared with the acquired copy destination buffer size and the copy destination buffer size is smaller than the copy source buffer size. Detects that a buffer overflow attack has been performed, and proceeds to step 40 to forcibly terminate the attack target process 20.

  On the other hand, if it is determined that the size of the copy destination buffer is larger than the size of the copy source buffer according to the determination process of step 39, it is detected that a buffer overflow attack has not been performed, and the process proceeds to step 41. The process of the attack target process 20 is continued by transferring the control to the standard copy function by calling the head part of the standard copy function copied to the trampoline code area 212 (31 in FIG. 3).

  In this way, the hook function enters the operation when the attack target process 20 calls the standard copy function, obtains and compares the size of the copy source buffer and the size of the copy destination buffer, and accordingly, the attack target Processing is performed so as to detect whether or not a buffer overflow attack has been performed on the process 20.

  According to this configuration, the buffer overflow detection unit 1 shown in FIG. 1 hooks the call of the standard copy function at the time of program execution, and searches the heap management block when the copy destination buffer does not exist in the stack memory. Therefore, it is possible to detect a buffer overflow attack of the buffer allocated in the heap memory.

[2] Processing of Correction Location Extraction Unit 2 Next, the processing of the correction location extraction unit 2 shown in FIG. 1 will be described.

  The correction location extraction unit 2 extracts the information on the location where the buffer is secured (information about which function secured the buffer) by a method corresponding to the location of the overflowed buffer, and extracts it from the known vulnerability determination unit 3 Process to pass to.

  That is, when the overflowed buffer exists on the stack memory 7, the correction location extraction unit 2 first uses the frame pointer at the time of the overflow as shown in FIG. Stack trace is done until it crosses. Thereafter, the return address adjacent to the frame pointer immediately before the finally arrived frame pointer is extracted as a place where the overflowed buffer is secured.

  Furthermore, in response to the functions from the buffer securing function to the buffer overflow attack being the place where the buffer size should be checked, the correction location extraction unit 2 determines that the buffer size should be checked as shown in FIG. It also extracts the function call history shown in.

  In this way, when the overflowed buffer exists on the stack memory 7, the correction location extraction unit 2 corrects the correction location information as shown in FIG. 13 (necessary for the program developer to correct the program. To be extracted).

  On the other hand, when there is an overflowed buffer on the heap memory, the correction location extraction unit 2 uses the buffer address as a key to store a heap memory allocation function call history storage unit having a data structure as shown in FIG. By searching 8, the place where the overflowed buffer is secured is extracted.

  In order to secure a buffer on the heap memory, it is necessary to call a heap memory allocation function. Therefore, in order to be able to specify the location where the buffer is secured, the heap memory allocation function call history recording unit 9 hooks the heap memory allocation function in advance, and whenever the heap memory allocation function is called, FIG. As shown in FIG. 2, the stack trace is performed up to the top of the stack, and the function history until the heap memory allocation function is called is recorded in the heap memory allocation function call history storage unit 8 (having the data structure shown in FIG. 2). .

  From now on, when the overflowed buffer exists in the heap memory, the correction part extraction unit 2 searches the heap memory allocation function call history storage unit 8 by using the address of the buffer as a key. The secured location is extracted.

  In this way, when the overflowed buffer exists in the heap memory, the correction location extraction unit 2 performs processing to extract correction location information as shown in FIG.

  Next, processing executed by the correction location extraction unit 2 will be described according to the processing flow shown in FIG.

  That is, when the buffer overflow detection unit 1 detects a buffer overflow attack, the correction location extraction unit 2 first detects in step 40 the notification sent from the buffer overflow detection unit 1 as shown in the processing flow of FIG. According to the result, it is determined whether the place where the overflowed buffer exists is on the stack memory or the heap memory.

  When it is determined that the overflowed buffer is on the heap memory according to this determination processing, the process proceeds to step 41, and the function call history at the time of buffer allocation is obtained by referring to the heap memory allocation function call history storage unit 8. To get.

  In the subsequent step 42, control is passed to the known vulnerability determination unit 3 while notifying the acquired function call history information as correction location information (shown in FIG. 15).

  On the other hand, when it is determined that the overflowed buffer is on the stack memory, the process proceeds to step 43, and the function that secures the buffer is specified by performing the stack trace until the head of the overflowed buffer is crossed. Subsequently, in step 44, the function history from the function that secured the buffer to the overflowed function is acquired.

  Then, in the following step 45, while notifying the information of the specified buffer securing function and the acquired function call history information as the corrected portion information (shown in FIG. 13), the known vulnerability determination unit 3 is notified. Pass control.

  In this way, the correction location extraction unit 2 extracts the correction location information by a method corresponding to the location of the overflowed buffer, and processes so as to notify the known vulnerability determination unit 3 of the information.

[3] Processing of Known Vulnerability Determination Unit 3 Next, processing of the known vulnerability determination unit 3 shown in FIG. 1 will be described.

  The known vulnerability determination unit 3 checks whether the corrected part information passed from the corrected part extraction unit 2 is stored in the known vulnerability information storage unit 4, and the corrected part information is known vulnerability information. When determining that the information is not stored in the storage unit 4, the correction part information is stored in the known vulnerability information storage unit 4 and transmitted to the program developer via the dialogue registration unit 5. When it is determined that the information is stored, the countermeasure information created by the program developer is acquired from the corresponding known vulnerability information, and the information is transmitted to the countermeasure unit 6.

  FIG. 17 illustrates an example of known vulnerability information stored in the known vulnerability information storage unit 4.

  As shown in this figure, the known vulnerability information storage unit 4 includes, as known vulnerability information, information on a location where a buffer exists, information on a location where a buffer is secured, and a correction method for a buffer overflow vulnerability. Information, information on a location where a buffer size check is performed, and information on handling when a buffer overflow occurs are stored.

  Here, the information on the location where the buffer exists, the information on the location where the buffer is secured, and the information on the location where the buffer size check is performed are notified from the correction location extraction unit 2 as correction location information. .

  In addition, for information on how to correct the buffer overflow vulnerability (information that it has not been corrected, that the buffer size has been expanded, or that a program that checks the buffer size has been inserted), the program developer must extract the correction location. When the program is corrected based on the correction location information extracted in step 2, the program is stored in a form associated with the correction location information that is the basis of the correction.

  Here, when the modification method of inserting a program for checking the buffer size is adopted in the modification of this program, the modification is performed at any place as shown in the return address Y shown in FIG. Will be recorded.

  In addition, information on handling when a buffer overflow occurs (for example, information on a URL with a correction patch) is created by the program developer and stored in a form associated with the correction location information.

  FIG. 18 illustrates a processing flow executed by the known vulnerability determination unit 3. Next, processing executed by the known vulnerability determination unit 3 will be described according to this processing flow.

  When the correction location information is passed from the correction location extraction unit 2, the known vulnerability determination unit 3 first receives the correction location received from the correction location extraction unit 2 in step 50, as shown in the processing flow of FIG. It is checked whether or not the information “location where the buffer exists” and “location where the buffer is secured” exist in the known vulnerability information storage unit 4.

  When determining that the “location where the buffer exists” and the “location where the buffer is secured” of the correction location information received from the correction location extraction unit 2 does not exist in the known vulnerability information storage unit 4 according to this check process, Proceeding to step 55, the received correction part information is stored in the known vulnerability information storage unit 4, and in the subsequent step 56, the received correction part information is transmitted to the program developer via the dialog registration unit 5. .

  In response to this, the program developer corrects this vulnerability according to the transferred correction location information (expands the buffer size or checks the buffer size). In response, the known vulnerability information stored in the known vulnerability information storage unit 4 is updated. That is, when a correction method is registered, if the handling information is input, it is registered, and when the buffer size is checked, the size is actually checked at the buffer size check location. By marking the location, the known vulnerability information stored in the known vulnerability information storage unit 4 is updated.

  On the other hand, the known vulnerability determination unit 3 determines in step 50 that the “location where the buffer exists” and the “location where the buffer is secured” of the correction location information received from the correction location extraction unit 2 are the known vulnerability information storage unit 4. When it is determined that the correction method exists, the process proceeds to step 51 to check whether or not the correction method stored in association with the received correction portion information is “uncorrected”.

  When it is determined that the correction method associated with the received correction location information is “uncorrected” according to this check processing, the process proceeds to step 54 to check whether or not all the buffer size check locations are equal (function history). If they are all equal, the process proceeds to step 57 to transmit the corresponding countermeasure information stored in the known vulnerability information storage unit 4 to the countermeasure unit 6. On the other hand, when it is determined that they are not equal, the process proceeds to step 55, where the received corrected portion information is stored in the known vulnerability information storage unit 4, and in step 56, the received information is received via the dialog registration unit 5. Communicating the correction location information to the program developer.

  On the other hand, when it is determined that the correction method associated with the received correction location information is not “uncorrected” according to the check process of step 51, the process proceeds to step 52, where the correction method associated with the received correction location information is determined. Check if it is “buffer size extension”.

  When it is determined that the correction method associated with the received correction location information is “buffer size extension” according to this check processing, the process proceeds to step 57 and the corresponding stored in the known vulnerability information storage unit 4. The handling information is transmitted to the handling unit 6. On the other hand, when it is determined that the correction method is not “buffer size extension”, that is, when it is determined that the correction method is “buffer size check”, the process proceeds to step 53 to correct from the place where the buffer is secured. Check if the buffer size check locations are equal only up to the location.

  According to this check process, when it is determined that the size check location from the location where the buffer is secured to the correction location is equal, it is regarded as the known vulnerability information regardless of the function history thereafter, and the process proceeds to step 57. Corresponding countermeasure information stored in the known vulnerability information storage unit 4 is transmitted to the countermeasure unit 6. On the other hand, when it is determined that they are not equal to each other, the process proceeds to step 55 to store the received correction location information in the known vulnerability information storage unit 4 and then to the received correction via the dialog registration unit 5 in step 56. Communicate location information to the program developer.

  Then, when the corresponding handling information is transmitted to the handling unit 6 in accordance with the processing in step 57, the handling unit 6 receives this information and presents the handling information (handling method) to the user. To deal with buffer overflows automatically.

  In this way, the buffer overflow vulnerability analysis system realized by the present invention determines whether or not the generated buffer overflow is a known vulnerability, and in the case of an unknown vulnerability, it is necessary to correct the program. By extracting necessary information and communicating it to the program developer, it is possible to fix the program quickly, and in the case of known vulnerabilities, the countermeasure information registered by the program developer can be presented, By automatically taking action according to the action information, it becomes possible to quickly apply a correction patch.

It is an example of an embodiment of a buffer overflow vulnerability analysis system realized by the present invention. It is explanatory drawing of the data structure of a heap memory allocation function call history storage part. It is the processing flow which a heap memory allocation function call history recording part performs. 1 is a system configuration example of a buffer overflow vulnerability analysis system configured according to the present invention. It is an example of 1 structure of a buffer overflow detection part. It is an example of 1 structure of the library for a standard copy function hook. It is explanatory drawing of the process which a library initialization function performs. It is the processing flow which a library initialization function performs. It is explanatory drawing of the process which a hook function performs. It is explanatory drawing of the process which a hook function performs. It is the processing flow which a hook function performs. It is explanatory drawing of the process which a correction location extraction part performs. It is explanatory drawing of the correction location information which a correction location extraction part extracts. It is explanatory drawing of the process which a heap memory allocation function call history recording part performs. It is explanatory drawing of the correction location information which a correction location extraction part extracts. It is a processing flow which a correction location extraction part performs. It is explanatory drawing of the known vulnerability information stored in a known vulnerability information storage part. It is a processing flow which a known vulnerability determination part performs.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Buffer overflow detection part 2 Correction location extraction part 3 Known vulnerability determination part 4 Known vulnerability information storage part 5 Dialog registration part 6 Countermeasure part 7 Stack memory 8 Heap memory allocation function call history storage part 9 Heap memory allocation function call history recording Part

Claims (8)

A buffer overflow vulnerability analysis method that performs processing for providing analysis information necessary for correcting a program subjected to a buffer overflow attack to the developer of the program,
When a heap memory allocation function called when allocating a buffer on the heap memory is called, the function call history information until the buffer allocation processing is performed is obtained by performing a stack trace to the top of the stack. The process of recording the acquired information in the heap memory allocation function call history storage unit,
By entering the process when the attack target process calls the copy function and tracing the stack memory, the frame pointer of the caller function starts from the copy destination buffer, which is the address of the copy destination buffer specified by the copy function. obtains the distance to the immediately preceding, acquired as the size of the destination buffer comprising the distance attacked, this time, if the destination buffer is not present in the stack memory, the information in the buffer secured on the heap memory The size of the copy destination buffer is obtained by retrieving the size of the copy destination buffer by searching for the heap management block that manages the file, comparing the size of the copy source buffer with the size of the copy destination buffer obtained in this way. If There smaller than the size of the copy source buffer to attack process A step of detecting the presence or absence of attack occurs as a buffer overflow attack occurs,
When it is detected that the attack target buffer exists in the stack memory by the detection processing by the above trace, the return following the frame pointer immediately preceding the frame pointer that arrives first after the trace exceeding the head of the attack target buffer is reached Identifies the address, obtains information about the function that secured the attack target buffer at the address pointed to by the identified return address, and then attacks based on the return address identified in the trace. The process of acquiring function call history information from the allocation of the target buffer to the buffer overflow attack,
When it is detected that the attack target buffer exists in the heap memory by the detection process by the above trace, referring to the heap memory allocation function call history storage unit until the attack target buffer allocation process is performed. The process of obtaining call history information for
The process of determining whether the attack target buffer detected in the detection process by the trace exists in stack memory or heap memory and determining the acquired information as analysis information to be provided to the program developer. To prepare,
Characteristic buffer overflow vulnerability analysis method. The buffer overflow vulnerability analysis method according to claim 1,
Determining whether the determined analysis information has already been provided to the program developer by referring to known analysis information storage means for storing the analysis information already provided to the program developer;
When it is determined that the determined analysis information is not registered in the known analysis information storage means, the analysis information is provided to the program developer, and when it is determined that the analysis information is registered, the analysis is performed. A process of executing a countermeasure process against a buffer overflow attack based on the countermeasure information registered in the known analysis information storage means in association with the information,
Characteristic buffer overflow vulnerability analysis method. The buffer overflow vulnerability analysis method according to claim 2,
In the determination process, in determining whether the determined analysis information is registered in the known analysis information storage unit, a call from a function that secures a buffer to be attacked to a function that has been subjected to program modification is performed. For those whose history is the same as that of the analysis information registered in the known analysis information storage means, even if the function call history thereafter is different, it is treated as the same, and determination is made.
Characteristic buffer overflow vulnerability analysis method. A data processing device used in a buffer overflow vulnerability analysis system that performs processing to provide analysis information necessary for correcting a program that has been subject to a buffer overflow attack to the developer of the program. ,
When a heap memory allocation function called when allocating a buffer on the heap memory is called, the function call history information until the buffer allocation processing is performed is obtained by performing a stack trace to the top of the stack. Means for recording the acquired information in the heap memory allocation function call history storage unit;
By entering the process when the attack target process calls the copy function and tracing the stack memory, the frame pointer of the caller function starts from the copy destination buffer, which is the address of the copy destination buffer specified by the copy function. obtains the distance to the immediately preceding, acquired as the size of the destination buffer comprising the distance attacked, this time, if the destination buffer is not present in the stack memory, the information in the buffer secured on the heap memory The size of the copy destination buffer is obtained by retrieving the size of the copy destination buffer by searching for the heap management block that manages the file, comparing the size of the copy source buffer with the size of the copy destination buffer obtained in this way. If There smaller than the size of the copy source buffer to attack process It means for detecting the presence or absence of attack occurs as a buffer overflow attack occurs,
When it is detected that the attack target buffer exists in the stack memory by the detection processing by the above trace, the return following the frame pointer immediately preceding the frame pointer that arrives first after the trace exceeding the head of the attack target buffer is reached Identifies the address, obtains information about the function that secured the attack target buffer at the address pointed to by the identified return address, and then attacks based on the return address identified in the trace. A means of obtaining function call history information from the allocation of the target buffer to a buffer overflow attack;
When it is detected that the attack target buffer exists in the heap memory by the detection process by the above trace, referring to the heap memory allocation function call history storage unit until the attack target buffer allocation process is performed. Means for obtaining information on the function call history of
Means for determining whether the attack target buffer detected in the detection processing by the trace exists in stack memory or heap memory, and means for determining the acquired information as analysis information to be provided to the program developer; To prepare,
Characteristic data processing device. This is an analysis information provision device used in a buffer overflow vulnerability analysis system that performs processing to provide analysis information necessary for correcting a program subject to a buffer overflow attack to the developer of the program. And
5. The attack target buffer determined by the data processing device according to claim 4 as information to be provided to the program developer from the data processing device according to claim 4 exists in either the stack memory or the heap memory. And (i) when the attack target buffer exists in the stack memory, the data processing device according to claim 4 performs the process of securing the attack target buffer. Function information and function call history information from the buffer acquisition to the buffer overflow attack are determined as analysis information to be provided to the program developer, so the analysis information is also received (ii) When the attack target buffer exists in the heap memory, the data processing apparatus according to claim 4 is configured to execute the attack target buffer. Since the function call history information until the reservation process is performed is determined as analysis information to be provided to the program developer, the analysis information provided to the program developer is received by receiving the analysis information as well. Means,
Means for determining whether the received analysis information has already been provided to the program developer by referring to known analysis information storage means for storing the analysis information already provided to the program developer;
When it is determined that the received analysis information is not registered in the known analysis information storage means, the analysis information is provided to the program developer, and when it is determined that the analysis information is registered, the analysis is performed. Means for executing a countermeasure process for a buffer overflow attack based on the countermeasure information registered in the known analysis information storage means in association with the information,
A characteristic analysis information providing device. The analysis information providing apparatus according to claim 5,
The determining means determines whether or not the received analysis information is registered in the known analysis information storage means and calls from a function that secures a buffer to be attacked to a function that has undergone program modification. For those whose history is the same as that of the analysis information registered in the known analysis information storage means, even if the function call history thereafter is different, it is treated as the same, and determination is made.
A characteristic analysis information providing device.   An analysis information extraction processing program for causing a computer to realize the functions of the data processing apparatus according to claim 4.   An analysis information provision processing program for causing a computer to realize the function of the analysis information provision apparatus according to claim 5 or 6.

Images