Background technology
At present, attacks based on buffer overflows have become the most common and the most threatening attack pattern in network attacks, and many highly damaging attacks belong to this mode.
A buffer overflow means that a computer program writes data into a buffer beyond the buffer's boundary, causing the data to spill over. The overflowed data may overwrite legitimate data in the memory adjacent to the buffer and destroy the integrity of the software's data; it may also overwrite a function pointer or the function return address on the stack, corrupt the program's execution flow and cause the program to execute untrusted code, which is how a buffer-overflow vulnerability arises. After an attacker finds an overflow vulnerability, the attacker supplies the program with input exceeding the buffer's boundary length to cause an overflow; once the overflowed data covers the return address, an address that changes the program flow (a jump address) is written at the location of the return address so that it points to the attacker's own malicious program, thereby achieving the purpose of attacking and damaging the system.
To prevent attacks based on buffer overflows, the prior art hooks system API functions, checks the return address on the stack, judges from the position and attributes of the return address whether a buffer overflow has occurred, and, after finding a buffer overflow, terminates the thread or process that caused it. The flow of this method is shown in Figure 1; the concrete steps are as follows:
(1) hook calls to key system API functions;
(2) check the return address of the function;
(3) judge the position of the return address: if the return address lies within the address range of the stack, a stack overflow is judged to have occurred;
(4) judge the read/write attributes of the return address: if the attribute of the return address is writable, a heap overflow is judged to have occurred.
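The prior-art check of steps (2) to (4), as an added example in C that is not the patent's code. The hooking of step (1) is platform-specific and omitted; the check runs over a constructed memory map whose regions, addresses and attribute flags are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not the patent's code: the prior-art return-address check
 * modelled over a constructed memory map. The map layout is an assumption. */

typedef struct {
    uintptr_t start;   /* first address of the region */
    uintptr_t end;     /* one past the last address of the region */
    bool is_stack;     /* region belongs to a thread stack */
    bool writable;     /* region's page protection allows writes */
} MemRegion;

enum Verdict {
    VERDICT_OK = 0,              /* return address points into read-only code */
    VERDICT_STACK_OVERFLOW = 1,  /* step (3): return address inside the stack */
    VERDICT_HEAP_OVERFLOW = 2,   /* step (4): return address in writable memory */
    VERDICT_UNMAPPED = 3         /* return address in no known region */
};

/* Find the region containing addr, or NULL if none does. */
static const MemRegion *find_region(const MemRegion *map, size_t n, uintptr_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= map[i].start && addr < map[i].end)
            return &map[i];
    return NULL;
}

/* Steps (2)-(4): classify the return address by the position and attributes
 * of the region it falls into. The stack test runs first, as in the page. */
enum Verdict check_return_address(const MemRegion *map, size_t n, uintptr_t ret_addr) {
    const MemRegion *r = find_region(map, n, ret_addr);
    if (r == NULL)   return VERDICT_UNMAPPED;
    if (r->is_stack) return VERDICT_STACK_OVERFLOW;
    if (r->writable) return VERDICT_HEAP_OVERFLOW;
    return VERDICT_OK;
}

/* Constructed memory map for the demonstration (not real process data). */
static const MemRegion DEMO_MAP[] = {
    { 0x00401000, 0x00420000, false, false },  /* main image code: executable, read-only */
    { 0x00420000, 0x00430000, false, true  },  /* main image data: writable */
    { 0x00500000, 0x00600000, false, true  },  /* heap: writable */
    { 0x0012D000, 0x00130000, true,  true  },  /* thread stack */
};
#define DEMO_MAP_LEN (sizeof DEMO_MAP / sizeof DEMO_MAP[0])

/* Convenience wrapper over the constructed map. */
enum Verdict demo_check(uintptr_t ret_addr) {
    return check_return_address(DEMO_MAP, DEMO_MAP_LEN, ret_addr);
}

int main(void) {
    static const char *names[] = { "ok", "stack overflow", "heap overflow", "unmapped" };
    uintptr_t samples[] = { 0x00401234, 0x0012E800, 0x00510000, 0x70000000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("return address %#lx -> %s\n", (unsigned long)samples[i], names[demo_check(samples[i])]);
    return 0;
}
```

The verdict is only as trustworthy as the map it consults: as the following paragraphs explain, a return address that has been redirected to a return instruction outside the stack, or whose memory attributes have been altered, passes this check unchanged.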
In the course of realizing the present invention, the inventor found that the prior art has at least the following problems:
The return address can be modified by malicious code: an attacker can search for a return instruction, modify the above return address so that it points to that return instruction, and use the jump performed by that return instruction to return into the stack for execution, thereby bypassing the protection of the prior art and achieving the purpose of attacking and damaging the system. In addition, the attributes of the return address can be modified by malicious code; for example, an attacker can modify the write attribute of the return address, thereby bypassing the attribute protection of the prior art and likewise achieving the purpose of attacking and damaging the system.
Embodiment
The technical scheme in the embodiments of the present invention is described clearly and completely below in conjunction with the accompanying drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
In the embodiments of the present invention, in order to make buffer overflow attacks fail, an address processing method is provided. When the jump address used to alter the program flow lies in a dynamic link library that is being loaded, the method performs base address randomization on the dynamic link library that currently needs to be loaded, obtains the randomized base address value, and modifies the parameter value used to load the initial base address of that dynamic link library so that the modified parameter value points to the randomized base address value.
Accordingly, the memory space pointed to by the randomized base address in the embodiments of the present invention differs from the memory space the base address would point to under the system's default base address arrangement; the data of the original dynamic link library address space has changed as well, including the jump address and its position.
Here, performing base address randomization on the dynamic link library comprises: computing a randomization result according to a randomization algorithm, and computing the base address value of the dynamic link library that currently needs to be loaded according to that randomization result and the base address information of the dynamic link libraries whose base addresses have already been randomized.
Concretely, modifying the parameter value used to load the initial base address of the current dynamic link library may, for example, mean modifying the value used to load the base address (for example, the value pointed to by the parameter *BaseAddress). When the dynamic link library is loaded, the initial base address can then be loaded according to the modified parameter value.
For ease of understanding, the method flow of the embodiments of the present invention is described in detail below in conjunction with the accompanying drawings.
Fig. 2 is a flow diagram of the method by which an embodiment of the present invention randomizes a DLL; the concrete processing steps may comprise:
Step 21: perform base address randomization on the dynamic link library that currently needs to be loaded and obtain the randomized base address value. The concrete steps may comprise: first computing a randomization result according to a randomization algorithm, then computing the base address value of the dynamic link library that currently needs to be loaded according to that randomization result and the base address information of the dynamic link libraries whose base addresses have already been randomized. In concrete applications, the above base address information may comprise the length information, the name information, the position on disk, the base address value, etc., of the dynamic link libraries whose base addresses have already been randomized;
For example, in a concrete implementation a function may be used to perform the randomization: first a random number seed is produced by a function taking the system time as its variable, then a random number is generated from this seed by another function; because the random number is produced from the current time, its randomness can be guaranteed. Then, according to this random number together with the length information, name information, position on disk, base address value or similar information of the dynamic link libraries whose base addresses have already been randomized, the random number is transformed into a value that conforms to the base address rules, and this value is used to replace the value pointed to by the parameter of the function the system uses to allocate the memory base address of the DLL; that is, the value obtained is the base address value of the dynamic link library that currently needs to be loaded. At the same time, when performing the above transformation, care must be taken that the memory allocation space of the obtained base address value does not intersect with that of the dynamic link libraries whose base addresses have already been randomized, so as to avoid loading errors; the address range of the object currently being loaded can also be determined;
Step 22: modify the parameter value used to load the initial base address of the dynamic link library that currently needs to be loaded, so that the modified parameter value points to the randomized base address value. For example, in a concrete implementation, the function used to map a dynamic link library (DLL) into the address space of a process or thread can be hooked, so that the parameter value for the initial base address of the DLL being loaded in that function is modified;
For example, the parameter *BaseAddress is the loading base address pointer. When the value of *BaseAddress is zero, the system allocates the base address for the DLL file according to its default algorithm; after the embodiment of the present invention modifies the value of *BaseAddress, the system allocates the base address for the DLL according to the value pointed to by the parameter *BaseAddress. Concretely, the embodiment of the present invention may modify the parameter value used to load the initial base address of the dynamic link library (DLL) in the function that maps the DLL into the address space of a process or thread, including modifying the value pointed to by the loading base address pointer in that function;
Step 23: when loading the dynamic link library, load the initial base address according to the modified parameter value. Concretely, the system takes the modified loading base address pointer value as a pointer, assigns the value it points to as the initial base address of the DLL currently being loaded, and loads the DLL at that base address. Because the system may have many DLLs to load, the base address information of the other dynamic link libraries whose base addresses have already been randomized, for example their length information and name information, is taken into account when modifying the parameter used to load the initial base address; in this way the spaces allocated when these DLLs are loaded do not intersect, loading errors are avoided, and the address range of the object currently being loaded can also be determined. For example, after the system has loaded the 1st and 2nd dynamic link libraries in turn, then when loading the 3rd DLL, because the positions and sizes of the 1st and 2nd DLLs were taken into account when computing the base address value, the 3rd DLL is prevented from intersecting with the allocation space of the 1st and 2nd DLLs when it is loaded.
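Steps 21 to 23 worked through in C, as an added example that is not the patent's code. The 64 KB allocation granularity, the candidate address range, the small linear congruential generator standing in for the page's unnamed seed and random-number functions, the mapped size of pncrt.dll and the two already-loaded libraries are all assumptions; only the default base 60A20000 of pncrt.dll comes from the page. The hypothetical hook_map_dll stands in for the hooked mapping function: it receives the loader's base address parameter and replaces a zero value with the randomized base, which is then used for loading.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Added example, not the patent's code. Assumptions: 32-bit addresses, 64 KB
 * alignment of base addresses, a fixed candidate range, and an LCG in place of
 * the page's unnamed seed/random-number functions. */

#define ALLOC_GRANULARITY 0x10000u      /* assumed: base addresses are 64 KB aligned */
#define RANGE_LO          0x10000000u   /* assumed lower bound of the randomized range */
#define RANGE_HI          0x7FFF0000u   /* assumed upper bound (exclusive) */
#define MAX_TRIES         64            /* retries before giving up on a free slot */

typedef struct {
    const char *name;   /* name information of an already-randomized DLL */
    uint32_t base;      /* base address value already assigned */
    uint32_t length;    /* length information (mapped size) */
} LoadedDll;

/* Random unit 311: the page seeds from the system time; the generator itself
 * takes a caller-supplied seed so that results can be reproduced in tests. */
uint32_t seed_from_time(void) {
    return (uint32_t)time(NULL);
}

static uint32_t lcg_next(uint32_t *state) {
    *state = *state * 1664525u + 1013904223u;   /* demo-quality LCG, wraps mod 2^32 */
    return *state;
}

/* True if [base, base+len) overlaps any already-randomized DLL. */
bool intersects_loaded(const LoadedDll *loaded, size_t n, uint32_t base, uint32_t len) {
    for (size_t i = 0; i < n; i++) {
        uint32_t other_end = loaded[i].base + loaded[i].length;
        if (base < other_end && loaded[i].base < base + len)   /* interval overlap */
            return true;
    }
    return false;
}

/* Computing unit 312: transform the random number into a value that obeys the
 * base-address rules (aligned, inside the range) and does not intersect the
 * DLLs whose bases were already randomized. Returns 0 if no slot was found. */
uint32_t choose_random_base(uint32_t seed, const LoadedDll *loaded, size_t n, uint32_t length) {
    uint32_t state = seed;
    uint32_t slots = (RANGE_HI - RANGE_LO) / ALLOC_GRANULARITY;
    for (int tries = 0; tries < MAX_TRIES; tries++) {
        uint32_t candidate = RANGE_LO + (lcg_next(&state) % slots) * ALLOC_GRANULARITY;
        if (candidate + length < candidate || candidate + length > RANGE_HI)
            continue;                                   /* wraps or runs past the range */
        if (!intersects_loaded(loaded, n, candidate, length))
            return candidate;                           /* Step 21 result */
    }
    return 0;
}

/* Steps 22 and 23 as the hook sees them: *base_address is the loader's initial
 * base address parameter. Zero means "system default placement"; the hook
 * replaces it so the DLL is mapped at the randomized base instead. Leaving a
 * non-zero request untouched is this example's choice, not the page's. */
uint32_t hook_map_dll(uint32_t *base_address, uint32_t seed,
                      const LoadedDll *loaded, size_t n, uint32_t length) {
    if (*base_address == 0) {
        uint32_t chosen = choose_random_base(seed, loaded, n, length);
        if (chosen != 0)
            *base_address = chosen;
    }
    return *base_address;   /* the base the system now loads the DLL at */
}

/* Constructed scenario: two libraries already randomized (the "1st and 2nd
 * DLLs"), then pncrt.dll loaded through the hook as the "3rd DLL". The first
 * library is placed where the first candidate for seed 12345 lands, so the
 * retry path is exercised. */
static const LoadedDll ALREADY_LOADED[] = {
    { "first.dll",  0x38300000u, 0x00100000u },   /* constructed */
    { "second.dll", 0x52AE0000u, 0x00080000u },   /* constructed */
};
#define PNCRT_DEFAULT_BASE 0x60A20000u   /* from the page's illustration */
#define PNCRT_LENGTH       0x00050000u   /* constructed mapped size */

uint32_t demo_randomize_pncrt(uint32_t seed) {
    uint32_t base_address = 0;   /* zero: the system would use its default placement */
    return hook_map_dll(&base_address, seed, ALREADY_LOADED, 2, PNCRT_LENGTH);
}

int main(void) {
    uint32_t base = demo_randomize_pncrt(seed_from_time());
    printf("pncrt.dll default base %#x, randomized base %#x\n", PNCRT_DEFAULT_BASE, base);
    return 0;
}
```

The retry loop is where the page's requirement that the new base not intersect already-randomized libraries lives: a colliding candidate is redrawn rather than shifted, so the chosen base is still aligned and inside the range. A production loader would draw the random number from a cryptographically strong source rather than a time-seeded LCG, since the whole protection rests on the attacker being unable to predict the base.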
Further, when the system requires a DLL to have a single copy in the memory shared by all processes, base address randomization and loading can be performed only the first time the DLL is loaded after a system restart, so that all processes share the DLL whose base address has been randomized. After the relevant DLL address is randomized, the data of the original DLL address space changes along with the DLL base address; this includes the jump address and its position within the original address range, which change correspondingly once the base address changes.
It should be noted that there are many methods of producing random numbers in the embodiments of the present invention, and they are not limited to the method of generating random numbers described above; for example, random numbers can also be produced by a randomization function taking other variables as parameters.
From the above technical scheme it can be seen that, by randomizing the base address of the DLL, the embodiment of the present invention changes the jump address, and its position, used to alter the program flow, so that a buffer overflow attack cannot find the jump address and therefore cannot make the jump address point to a malicious program, and the buffer overflow attack fails. The embodiment of the present invention thus defeats buffer overflow attacks that exploit the jump address of a dynamic link library.
When an attacker carries out a buffer overflow attack, the attacker can compute the position of the return address according to the base address arrangement by which a general system allocates dynamic link libraries (DLLs), make the overflowed data cover this return address, and write at the return address location a jump address pointing to a malicious program, thereby realizing the attack; that is, because the specific location of the DLL base address is easy to learn, it is easily exploited by an attacker to carry out a buffer overflow attack. Against this situation in which the attacker finds the return address according to the system default or another general DLL base address arrangement, the embodiment of the present invention randomizes the base addresses of DLLs, changing the base address the system assigns to each DLL, so that the randomized DLL base address at load time differs from the base address the system would allocate by default or by another general method. When the attacker again seeks the return address according to the base address distribution of the system default or another general DLL distribution, the attacker cannot find the return address used for the attack, cannot make the jump address point to the malicious program, and the buffer overflow attack fails. At the same time, the embodiment of the present invention also effectively protects against the attacks that bypass the prior art.
The application of the embodiment of the present invention is described in detail below in conjunction with a method that uses a buffer-overflow vulnerability in a browser helper object ActiveX control of a media player software to carry out an overflow attack.
For example, when a user browses a web page containing the browser helper object ActiveX control of the media player software, this buffer-overflow vulnerability may be triggered. Concretely, according to the characteristics of the above vulnerability, the attacker uses a jump address in pncrt.dll of the media player software. For example, supposing the system allocates the base address 60A20000 to pncrt.dll according to the general base address allocation method, the attacker can complete the attack on the buffer of the user's system through a jump address in this address range.
If the technical scheme provided by the embodiment of the present invention is adopted, that is, after the base addresses of the DLLs of the above application program are randomized, the base address of pncrt.dll loaded on the user's device is no longer 60A20000. In this way, when the attacker again seeks the jump address according to the imagined base address, the imagined jump address cannot be found, the jump address cannot be made to point to the malicious program, and the buffer overflow attack fails.
From the above description it can be seen that, compared with the prior-art method of letting the malicious code run first and detecting it afterwards, the address processing method provided by the embodiment of the present invention is much safer and more efficient; it can also accurately and efficiently counter attacks on unknown buffer vulnerabilities, so that a buffer overflow attack is prevented from executing before it can harm the system, and the lag with which prior-art security protection software obtains signature codes for new vulnerabilities is avoided.
The embodiment of the present invention also provides an address processing device, whose concrete implementation structure, as shown in Figure 3, may comprise:
A randomization unit 31, used to perform base address randomization on the dynamic link library that currently needs to be loaded and obtain the randomized base address value; it may specifically comprise:
A random unit 311, used to compute the randomization result according to a randomization algorithm. For example, in a concrete implementation, a random number seed may first be produced by a function taking the system time as its variable, and a random number then generated from this seed by another function, which is the randomization result; because the random number is produced from the current time, its randomness can be guaranteed. Of course, the embodiment of the present invention also covers producing random numbers by other methods; for example, random numbers can also be produced by a randomization function taking other variables as parameters;
A computing unit 312, used to compute the base address value of the dynamic link library that currently needs to be loaded according to the randomization result of the random unit 311 and the base address information of the dynamic link libraries whose base addresses have already been randomized; for example, computing it from the randomization result of the random unit 311 together with the length information, name information, position on disk, base address value or similar information of the dynamic link libraries whose base addresses have already been randomized;
A parameter modification unit 32, used to modify, according to the randomized base address value obtained by the randomization unit 31, the parameter value used to load the initial base address of the dynamic link library that currently needs to be loaded, so that the modified parameter value points to the randomized base address value;
A load address unit 33, used to load the initial base address according to the parameter value modified by the parameter modification unit 32 when loading the dynamic link library; for example, when the dynamic link library is loaded for the first time, the initial base address is loaded according to the parameter value modified by the parameter modification unit 32. Concretely, the load address unit 33 assigns the value pointed to by the parameter modified by the parameter modification unit 32 to the DLL currently being loaded as its base address, and loads the DLL in the memory space so allocated, thereby realizing DLL base address randomization.
With the above device, in practical application the function that maps a dynamic link library (DLL) into the address space of a process or thread can be hooked so that the parameter value for the initial base address of the DLL being loaded in that function is modified, and the DLL is then loaded according to the modified parameter value, thereby realizing DLL base address randomization.
The address processing device provided in the embodiment of the present invention can be arranged in security protection software to further raise the protection level of the system.
In summary, compared with the prior art, the method provided by the embodiments of the present invention is safer and more efficient than the prior-art method of letting the malicious code run first and detecting it afterwards; it can also accurately and efficiently counter attacks on unknown buffer-overflow vulnerabilities, so that a buffer overflow attack is prevented from executing before it can harm the system, and the lag with which prior-art security protection software obtains signature codes for new vulnerabilities is avoided. The embodiments of the present invention therefore achieve the purpose of effectively preventing buffer overflow attacks, and at the same time effectively protect against the attacks that bypass the prior art.
The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall be encompassed within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.