CN101887497A - Stack allocation law-based buffer overflow detection method - Google Patents


Info

Publication number
CN101887497A
Authority
CN
China
Prior art keywords
buffer
buffer zone
allocation
detection method
law
Prior art date
Legal status
Pending
Application number
CN 201010208187
Other languages
Chinese (zh)
Inventor
关墨辰
Current Assignee
Beijing Antiy Electronic Equipment Co Ltd
Original Assignee
Beijing Antiy Electronic Equipment Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Antiy Electronic Equipment Co Ltd
Priority to CN 201010208187
Publication of CN101887497A
Legal status: Pending

Abstract

The invention discloses a stack allocation law-based buffer overflow detection method, which comprises: waiting for a buffer to be allocated; recording the size and contents of the allocated buffer; judging whether the buffer conforms to the allocation rule or has repeated contents; and, when the buffer conforms to the allocation rule and has repeated contents, detecting a buffer overflow attack. The method provided by the invention can effectively detect overflow attacks on buffers whose allocation rule and allocated contents are known.

Description

Stack allocation law-based buffer overflow detection method
Technical field
The present invention relates to the field of information security technology, and in particular to a buffer overflow detection method based on the stack allocation law.
Background technology
With the development and popularization of the Internet, the proportion of viruses spread over the network is rising steadily, and with it come increasingly prominent information security problems. Buffer overflow is an attack method that has been on the rise in recent years. Attackers exploit browser or system vulnerabilities to mount drive-by (web trojan) attacks, writing malicious code to a chosen location and executing it to achieve their purpose. Current buffer overflow detection approaches include the following:
1. Detection by buffer contents, i.e. judging whether the contents are attack code. This approach detects accurately, but the signature of the attack code must be known in advance. It requires in-depth analysis of the shellcode and the overflow point in order to extract accurate signatures. Without a sample there is no detection capability, and once the signature changes the attack cannot be detected either.
2. Tracing back the call stack from a key API call to judge whether the code beneath it has overflowed. This approach must guarantee that the API is actually called by the attack code; if the overflow code does not use that API, nothing is detected. Moreover, by the time of detection the attack has in fact already taken place.
3. Defending by judging whether the behaviour after execution of the overflow code is threatening. After the overflow code runs, the system may no longer operate normally, so detection cannot be carried out at all. This method is severely limited.
None of the detection methods above can effectively detect buffer overflows, and their practicality is poor.
Summary of the invention
In view of the above deficiencies, the technical problem to be solved by the present invention is to provide a buffer overflow detection method based on the stack allocation law. Using the rule by which buffers are allocated and the presence of a large amount of duplicate content (shellcode) in the buffers after allocation, the method can effectively detect buffer overflow attacks against browsers.
In order to solve the above technical problem, the invention provides a buffer overflow detection method based on the stack allocation law, comprising:
a. waiting for a buffer to be allocated;
b. recording the allocated size and contents of the buffer;
c. judging whether the buffer conforms to the allocation rule or whether the buffer has duplicate contents;
d. when the condition of step c is met, detecting a buffer overflow attack.
Further, in step c the comparison with the history record includes, but is not limited to, the following:
c1. whether the buffer contains duplicate contents;
c2. whether the allocated sizes of the buffers follow an obvious allocation rule.
The method provided by the invention can effectively detect buffer overflow attacks whose allocation rule or allocated contents are known. It can not only detect vulnerability attacks with known samples or shellcode, but also detect buffer overflow attacks that use unknown samples conforming to the allocation rule and exploit unknown vulnerabilities, and it is not affected by different shellcode calling different APIs.
Description of drawings
Fig. 1 is a flow chart of the concrete implementation of the stack allocation law-based buffer overflow detection method of the present invention.
Embodiment
The technical solution of the present invention is described in detail below with reference to the drawings and embodiments.
As shown in Fig. 1, the stack allocation law-based buffer overflow detection method of the present invention comprises the following steps:
A. waiting for a buffer to be allocated;
B. recording the allocated size and contents of the buffer;
wherein the comparison with the history record includes, but is not limited to: whether the buffer contains duplicate contents; and whether the allocated sizes of the buffers follow an obvious allocation rule;
C. judging whether the buffer conforms to the allocation rule or whether the buffer has duplicate contents;
D. when the condition of step C is met, detecting a buffer overflow attack; if the condition is not met, waiting for the next buffer allocation.
The invention is further illustrated below with two application examples.
Taking the detection of a browser JavaScript buffer overflow attack as an example:
The JavaScript script engine calls the SysAllocStringByteLen function to allocate memory buffers. The concrete implementation steps of this embodiment are as follows:
a. wait for a buffer to be allocated;
b. hook SysAllocStringByteLen and record the address and length of each allocation;
c. when the next allocation occurs, check the following against the history record:
c1. whether this allocation length and the last 3 lengths in the history record form a geometric or arithmetic progression;
c2. whether the buffer contents are contained in the previously allocated buffer;
d. if both of the above are met, report that a buffer overflow has been detected.
Taking the detection of a browser HTML parsing buffer overflow attack as an example:
The HTML parsing engine calls the HeapAlloc function to allocate memory buffers. The concrete implementation steps of this embodiment are as follows:
a. wait for a buffer to be allocated;
b. hook HeapAlloc and record the address and length of each allocation;
c. when the next allocation occurs, check the following against the history record:
c1. whether this allocation length and the last 3 lengths in the history record form a geometric or arithmetic progression;
c2. whether the buffer contents are contained in the previously allocated buffer;
d. if both of the above are met, report that a buffer overflow has been detected.
Of course, the present invention may have various other embodiments. Without departing from the spirit and essence of the present invention, those of ordinary skill in the art may make various corresponding changes and modifications according to the present invention, and all such corresponding changes and modifications shall fall within the protection scope of the appended claims of the present invention.
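The detection logic shared by the two embodiments above, written as an added Python example that is not part of the patent: the monitor stands in for the hook on SysAllocStringByteLen or HeapAlloc and is handed the contents of each allocation, keeps the last 3 lengths as the history record, and reports when the new length extends an arithmetic or geometric progression while the new buffer repeats the previous one. The sample traces are constructed, not real captures.

```python
from collections import deque


def is_progression(lengths):
    """True when the lengths form an arithmetic or a geometric progression.

    A constant sequence (common difference 0) counts as arithmetic, which is
    exactly the pattern a spray of equal-sized blocks produces.
    """
    if len(lengths) < 3:
        return False
    diffs = {b - a for a, b in zip(lengths, lengths[1:])}
    if len(diffs) == 1:
        return True
    # Geometric test by cross-multiplication, avoiding floating-point ratios.
    return all(x > 0 for x in lengths) and all(
        lengths[i + 1] ** 2 == lengths[i] * lengths[i + 2]
        for i in range(len(lengths) - 2)
    )


class AllocationMonitor:
    """Plays the role of the SysAllocStringByteLen / HeapAlloc hook."""

    HISTORY = 3  # the embodiments compare the new length with the last 3 recorded

    def __init__(self):
        self.lengths = deque(maxlen=self.HISTORY)  # step b: recorded sizes
        self.last_content = None                   # step b: recorded contents

    def on_alloc(self, content: bytes) -> bool:
        """Steps c and d: True when this allocation is reported as an overflow."""
        length = len(content)
        # c1: duplicate contents, i.e. the new buffer contains the previous one
        duplicate = self.last_content is not None and self.last_content in content
        # c2: an obvious allocation rule over the last HISTORY lengths plus this one
        patterned = (len(self.lengths) == self.HISTORY
                     and is_progression(list(self.lengths) + [length]))
        self.lengths.append(length)
        self.last_content = content
        return duplicate and patterned


def alerts_for(trace):
    """Feed a list of buffer contents through one monitor; return alerting indices."""
    monitor = AllocationMonitor()
    return [i for i, buf in enumerate(trace) if monitor.on_alloc(buf)]


# Constructed sample traces (hypothetical, not captured from a browser).
BENIGN = [b"<html>", b"document.title", b"x" * 40, b"y" * 40, b"z" * 40, b"<html>"]
SPRAY_EQUAL = [b"\x90" * 48 + b"MARKER"] * 6            # identical, equal-sized blocks
SPRAY_DOUBLING = [b"NOP" * (2 ** k) for k in range(5)]  # 3, 6, 12, 24, 48 bytes
```

The benign trace never alerts; both spray traces alert from the fourth allocation onward, once three recorded lengths plus the current one form a progression and each buffer repeats its predecessor.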

Claims (2)

1. A buffer overflow detection method based on the stack allocation law, characterized in that it comprises:
A. waiting for a buffer to be allocated;
B. recording the allocated size and contents of the buffer;
C. judging whether the buffer conforms to the allocation rule or whether the buffer has duplicate contents;
D. when the condition of step C is met, detecting a buffer overflow attack.
2. The stack allocation law-based buffer overflow detection method as claimed in claim 1, characterized in that in step C the comparison with the history record includes, but is not limited to, the following:
c1. whether the buffer contains duplicate contents;
c2. whether the allocated sizes of the buffers follow an obvious allocation rule.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010208187 CN101887497A (en) 2010-06-24 2010-06-24 Stack allocation law-based buffer overflow detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010208187 CN101887497A (en) 2010-06-24 2010-06-24 Stack allocation law-based buffer overflow detection method

Publications (1)

Publication Number Publication Date
CN101887497A true CN101887497A (en) 2010-11-17

Family

ID=43073414

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010208187 Pending CN101887497A (en) 2010-06-24 2010-06-24 Stack allocation law-based buffer overflow detection method

Country Status (1)

Country Link
CN (1) CN101887497A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102609655A (en) * 2012-02-08 2012-07-25 北京百度网讯科技有限公司 Method and device for detecting heap-sprayed webpage Trojans
CN105653939A (en) * 2015-07-13 2016-06-08 哈尔滨安天科技股份有限公司 Document overflow preventing method and apparatus

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1564098A (en) * 2004-04-09 2005-01-12 南京大学 Dynamic stacking memory management method for preventing buffering area from overflow attacking
US20090300764A1 (en) * 2008-05-28 2009-12-03 International Business Machines Corporation System and method for identification and blocking of malicious code for web browser script engines

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Microsoft Research Technical Report MSR-TR-2008-176, 2008-11-19, Benjamin Livshits et al., "Nozzle: A Defense Against Heap-spraying Code Injection Attacks", pp. 2-15; cited against claims 1, 2 *

Similar Documents

Publication Publication Date Title
CN102724187B (en) A kind of safety detection method for network address and device
CN102739653B (en) Detection method and device aiming at webpage address
CN102043919A (en) Universal vulnerability detection method and system based on script virtual machine
CN101964026A (en) Method and system for detecting web page horse hanging
KR20140098025A (en) System and Method For A SEcurity Assessment of an Application Uploaded to an AppStore
US11399033B2 (en) Malicious advertisement protection
JP6096389B2 (en) Detection device, detection method, and detection program
US20150278852A1 (en) System And Method For Identifying Online Advertisement Laundering And Online Advertisement Injection
CN105095751A (en) Method for detecting malicious phishing application for Android platform
CN101848092A (en) Malicious code detection method and device
CN105610812B (en) Method and device for preventing webpage from being hijacked
CN103559439A (en) Detection method and system for buffer overflow
CN111177727A (en) Vulnerability detection method and device
CN103902906A (en) Mobile terminal malicious code detecting method and system based on application icon
CN101887497A (en) Stack allocation law-based buffer overflow detection method
KR100916324B1 (en) The method, apparatus and system for managing malicious code spreading site using fire wall
CN106682493B (en) A kind of method, apparatus for preventing process from maliciously being terminated and electronic equipment
CN106302347B (en) A kind of network attack treating method and apparatus
Klein et al. Accept all exploits: exploring the security impact of cookie banners
US8910305B1 (en) Method and apparatus for analyzing mouse cursor path
CN104506529A (en) Website protection method and device
CN116595523A (en) Multi-engine file detection method, system, equipment and medium based on dynamic arrangement
CN105184630A (en) Transaction flow legality detection method and system
US10579794B1 (en) Securing a network device by automatically identifying files belonging to an application
US11381596B1 (en) Analyzing and mitigating website privacy issues by automatically classifying cookies

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20101117