CN113641995A - Cisco IOS-oriented ROP attack positioning and code capturing method - Google Patents

Cisco IOS-oriented ROP attack positioning and code capturing method Download PDF

Info

Publication number
CN113641995A
CN113641995A CN202110775693.1A CN202110775693A CN113641995A CN 113641995 A CN113641995 A CN 113641995A CN 202110775693 A CN202110775693 A CN 202110775693A CN 113641995 A CN113641995 A CN 113641995A
Authority
CN
China
Prior art keywords
return address
attack
hash
instruction
rop
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110775693.1A
Other languages
Chinese (zh)
Other versions
CN113641995B (en
Inventor
蔡瑞杰
李鹏宇
尹小康
何杰
郭世臣
刘胜利
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Information Engineering University of PLA Strategic Support Force
Original Assignee
Information Engineering University of PLA Strategic Support Force
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Information Engineering University of PLA Strategic Support Force filed Critical Information Engineering University of PLA Strategic Support Force
Priority to CN202110775693.1A priority Critical patent/CN113641995B/en
Publication of CN113641995A publication Critical patent/CN113641995A/en
Application granted granted Critical
Publication of CN113641995B publication Critical patent/CN113641995B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a Cisco IOS-oriented ROP attack positioning and code capturing method according to the characteristics of Cisco IOS instructions, records and verification of function return addresses are carried out by utilizing a hash table, records of memory pointers of the return addresses are increased to be used as indexes for hash search, the shadow memory search efficiency is improved, and the return address copy can be prevented from being tampered. The method is realized on a virtual simulator, the method is verified through a real ROP attack sample, ROP attack can be aligned and determined on the premise of not depending on static analysis, and the method has certain capture capability of ROP attack codes.

Description

Cisco IOS-oriented ROP attack positioning and code capturing method
Technical Field
The invention belongs to the technical field of network equipment safety, and particularly relates to a Cisco IOS-oriented ROP attack positioning and code capturing method.
Background
The core of the security of the Cisco network device is the security of a Cisco Operating System (internet Operating System, Cisco IOS, abbreviated as IOS). In recent years, security problems exist in continuous exposure of the Cisco IOS, an attacker can obtain control over the Cisco router device under an unauthorized condition by utilizing a Cisco IOS vulnerability, monitoring and stealing of a target network are realized, and serious threats are caused to network security.
In many vulnerability attacks, buffer overflow has always been a significant cause of application security problems. Return-Oriented programming (ROP) has proven to be well-behaved as the dominant method of buffer overflow attacks. Firstly, a short code segment gadget with a special memory operation instruction is searched in a program code, and the gadget is connected in series into a program block with a complete logic function by controlling function return address jump so as to achieve the attack purpose. Due to hardware conditions and programming constraints, Cisco IOS has drawbacks in protecting against ROP attacks that are easily circumvented.
There are several methods that can be used to prevent or detect ROP attacks, but there are corresponding drawbacks.
1. ASLR technology
The Address Space Layout Randomization (ASLR) technology randomizes addresses of heap, stack, code, shared library and the like of a process every time a program runs, so that the difficulty of analyzing and positioning the correct position of the code by an attacker can be greatly increased. In practice, however, ASLR is not absolute, and especially in implementation, the internal structure of each module is still relatively fixed, or there is a certain correlation, and an attacker can achieve the same attack effect through an inactivated ASLR part or a not complete randomization part.
2. Inn canary number
When the function is called, a random integer (canary value) is inserted in front of the return address, and when the function returns, whether the values are changed is checked, so that whether the program execution flow is changed is judged. The disadvantage is that only the sequence covering problem of stack overflow is considered, and the method of using the leaked canary value can bypass the protection mechanism, but not really checking the falsification condition of the return address.
3. Program control flow integrity checking
The idea of program Control Flow Integrity (CFI) is to construct a program operation Control Flow graph, which limits program operation to a legal range. The method is divided into a stateful control flow and a stateless control flow, the stateless control flow is a legal return set which is constructed without considering the calling of an actual function, and the method is easy to suffer from control flow bending attack. Stateful control flow recording requires context-sensitive information to be saved through techniques such as branch recording, and hardware is consumed seriously, which is not suitable for most scenes.
4. Shadow stack
And maintaining a relatively independent memory as a stack space copy of the program, and detecting the ROP attack by comparing the consistency of the return address and the address in the shadow stack when the function returns. There are generally two types of design implementation: a parallel shadow stack and a compact shadow stack. The parallel shadow stack realizes integrity check by a method of completely backing up a memory space, has the advantages of simple realization and convenient maintenance, and has the defects of large memory consumption and easy discovery and tampering of the shadow memory space by an attacker. The compact type shadow stack only records a return address part, has the advantages of low memory overhead and the defects of maintaining the consistency of the shadow stack and a program stack, cannot completely match the irregular stack expansion of setjmp/longjmp and C + + exception processing, and brings extra overhead when adjusting a shadow stack pointer, so that the research of a Cisco IOS-oriented ROP attack positioning and code capturing method is necessary.
Disclosure of Invention
Aiming at solving the defects of the conventional ROP protection technology in Cisco IOS protection, the ROP attack positioning and code capturing method facing to the Cisco IOS is provided, and the ROP attack facing to the Cisco IOS can be effectively detected and the ROP attack code can be captured based on the method of returning address memory hash verification.
The technical scheme adopted by the invention for solving the technical problems is as follows: a Cisco IOS-oriented ROP attack positioning and code capturing method comprises the following steps:
(1) dynamically intercepting a Cisco IOS operation instruction;
simulating the execution environment of the Cisco IOS by using a virtualization simulation router, adding an instruction interception module in the CPU instruction execution process of the simulation router, dynamically tracking the CPU operation state, and intercepting the Cisco IOS operation instruction;
(2) dynamically recording a legal return address;
constructing a hash table to record legal return address information of program operation, wherein the legal return address information comprises:
1) when the sub-function call occurs, the IOS program executes a stack memory pointer point of the return address stacking operation;
2) the legal return address ret of the actual stack entry;
the hash recording process is as follows:
1) performing instruction identification, and if the instruction is a return address stacking instruction, performing hash transformation on the point to be stacked to obtain an actual storage location index of the return address ret in a hash table (hash table 1), wherein the hash change mode is as follows:
Figure DEST_PATH_IMAGE001
2-1
2) carrying out hash encryption on the legal return address ret to obtain a value which is stored in the position of the index in the hash table1, wherein the encryption mode is as follows:
Figure 872580DEST_PATH_IMAGE002
2-2
(3) ROP attack determination and positioning;
1) performing instruction identification, and jumping to the step 2 if the return address stack-entering instruction is adopted; if the return address is the pop instruction, jumping to the step 3; if the return address is the jump instruction, jumping to 4; otherwise, the processing is not carried out and the execution is continued;
2) calculating values of the current index and the value according to Hash transformation and Hash encryption, storing the value at the index position in a Hash table, and storing legal return address information;
3) caching point and ret in the return address pop instruction at the moment into variables point 'and ret', and keeping two values of point 'and ret' to be obtained by the latest return address pop instruction all the time;
4) judging whether the jump instruction address jret is equal to ret' in the buffer, if so, indicating that the jret value of the current function return jump comes from a return address stored in a stack space, namely the return address needing to be verified, and turning to 5); if not, it shows that the jret jumps to the return address of the leaf function, no verification is needed, and go to 8).
5) Attempting to hash in a hash table1Taking out the value at the (point') position and judging whether the value exists; if the ROP attack exists, the next step of judgment is carried out, and the step goes to 6), and if the ROP attack does not exist, the step goes to 8).
6) Comparing value with hash2(ret') are equal. If the two are equal, the result shows that the current time is the normal return to 7); otherwise, the return address is falsified, and the flow goes to 8).
7) Deleting the copy of the return address in the hash table, and continuing to execute the instruction;
8) continuing to execute the instruction;
(4) capturing attack codes:
starting an attack code capturing flow after judging that attack is triggered, wherein the attack code capturing step is as follows:
1) initially, ROPflag is set to 0;
2) judging whether the current return address is normal, if so, turning to 3), and if not, turning to 4);
3) judging whether the ROPflag is 1 or not; if yes, the ROPflag is set to be 0, which indicates that the ROP is currently under the attack, and the ROPflag is a signal for stopping the attack at the moment; if not, the judgment result shows that the current situation is not in the ROP attack, the instruction is executed continuously without processing;
4) and judging whether the ROPflag is 0 or not. If yes, the ROPflag is set to be 1, which indicates that the ROP is not in ROP attack currently and is an ROP attack starting signal at the moment; if not, the current state is in the ROP attack, and the attack record is started, the instruction is executed continuously without processing;
wherein, the ROPflag is a flag indicating whether the ROP attack is currently suffered, 0 indicates that the ROP attack is not suffered, and 1 indicates that the ROP attack is in the process. ,
further, the storage structure of the hash table adopts a chain address method.
Further, before the sub-function is called, when a return address is executed to be stacked, defining a stack memory pointer for storing the return address as point, and defining the return address value actually stacked as ret, namely the legal return address of the sub-function;
then point and ret under the two platform architectures of MIPS and Power are calculated by the following equations (1-1) and (1-2), respectively:
Figure DEST_PATH_IMAGE003
(1-1)
Figure 433006DEST_PATH_IMAGE004
(1-2)
wherein xx is a memory offset value, and sp and r1 are values of stack register address registers in the MIPS platform and the PowerPC platform respectively; ra and r0 are the values of return address registers in the MIPS platform and the PowerPC platform respectively;
before the subfunction returns and when the return address is popped, the stack memory pointer for storing the return address is defined as point 'and the actual popped return address value is ret'.
Then point 'and ret' under the two platform architectures of MIPS and Power are calculated by the equations (1-3) and (1-4), respectively:
Figure DEST_PATH_IMAGE005
(1-3)
Figure 987615DEST_PATH_IMAGE006
(1-4)
and defining a target return address jret of the subfunction return jump, and calculating the jret under the two platform architectures of MIPS and Power according to the formula (3):
Figure DEST_PATH_IMAGE007
(1-5)
further, when ROP attack is judged, the point after hash encryption is equal and the ret after encryption is equal, otherwise, the ROP attack is suffered, and the specific judgment formula is that
(index==hash1(point'))&&(value==hash2(ret')) (3-1)。
The invention has the beneficial effects that:
1. security for return address copies
Similar to the shadow stack, the invention uses the legal return address copy as the ROP attack detection basis. The difference is that in the implementation of the shadow stack, if there is a leak in the copy, the attacker can implement the bypass of the shadow stack by tampering with the return address and verifying the value of the copy at the same time. In the invention, since the function legal return address is hashed, namely the function return address after hash encryption is stored in the copy, an attacker cannot position the storage position information of the legal return address in the copy by analyzing the function legal return address in the memory, and cannot tamper the return address at the legal storage position, thereby ensuring the safety and reliability of the return address copy.
2. The search speed is high
When a compact shadow stack encounters a program exception, in order to verify the validity of an address, it is common practice to traverse the shadow stack until a return address matching the shadow stack is found, which causes a significant overhead. The invention adopts the method of hash calculation and direct positioning memory to look up the table, only needs one-time table look-up under the condition of no collision, and greatly improves the table look-up performance.
3. Good universality
The method is dynamic detection, does not need to carry out prepositive static analysis on the IOS, does not need to construct a legal function return address set in advance, does not have the problem of inaccurate construction of the legal set by static analysis, and does not have the problem of incapability of detection caused by the absence of prepositive condition information of static analysis after the ASLR is started. Compared with the situation that a compact shadow stack cannot effectively deal with the exception handling of setjmp/longjmp and the like, the method adopts the dual authentication of the memory address and the return address, solves the problem of shadow stack misordering caused by interrupt exception and the like, does not need to maintain the correspondence between the copy and the program stack frame in real time, and therefore, has applicability to the exception handling.
According to the invention, on the basis of the idea of compact shadow memory protection, the storage mode of the traditional shadow memory is modified into a hash-based memory lookup mode, the record of the memory pointer of the return address is added as the index of hash lookup, the shadow memory lookup efficiency is improved, and meanwhile, the shadow memory tampering caused by memory leakage can be resisted.
Drawings
Fig. 1 is a flowchart of ROP attack localization.
Fig. 2 is an exemplary diagram of a ROP attack.
Fig. 3 is a flowchart of attack code capture.
Fig. 4 is a diagram of the detection system architecture.
FIG. 5 is a schematic diagram of a test environment.
FIG. 6 shows the use of ida to resolve the attack code fragment of "c 1700-entbase-mz.124-5" IOS firmware at the relevant location.
Fig. 7 is the alarm information of the system for detecting the ROP attack and capturing the code.
Fig. 8 is a diagram of attack detection results.
Fig. 9 is a graph showing the test results of the time consumption ratio.
Detailed Description
The invention is further illustrated with reference to the following figures and examples.
Example 1: the embodiment aims to provide a Cisco IOS-oriented ROP attack positioning and code capturing method, mainly provides a dynamic detection method based on memory hash verification, aims at overcoming the defects of the traditional ROP protection technology in Cisco IOS protection, provides a method based on return address memory hash verification, can effectively detect the ROP attack facing the Cisco IOS, and captures an ROP attack code.
The present embodiment specifically includes the following contents;
(1) dynamically intercepting a Cisco IOS operation instruction;
the execution environment of the Cisco IOS is simulated by adopting a virtualization scheme, and the simulation software selects the Cisco router open source simulator dynamips. An instruction interception module is added in the instruction execution process of the CPU of the analog router to dynamically track the running state of the CPU.
The Cisco IOS function calls and returns symbolization, and the following definitions are carried out;
definition 1: before the sub-function is called, when the return address is executed to be stacked, the stack memory pointer for storing the return address is point, and the return address value actually stacked is ret, namely the legal return address of the sub-function.
Then point and ret under the two platform architectures of MIPS and Power are calculated by the following equations (1-1) and (1-2), respectively:
Figure 215465DEST_PATH_IMAGE008
(1-1)
Figure DEST_PATH_IMAGE009
(1-2)
wherein xx is a memory offset value, and sp and r1 are values of stack register address registers in the MIPS platform and the PowerPC platform respectively; ra, r0 are the values of return address registers in the MIPS platform and the PowerPC platform, respectively, the following is the same.
Definition 2: before the subfunction returns and the return address is popped, the stack memory pointer for storing the return address is point 'and the actual popped return address value is ret'.
Then point 'and ret' under the two platform architectures of MIPS and Power are calculated by the equations (1-3) and (1-4), respectively:
Figure 767800DEST_PATH_IMAGE010
(1-3)
Figure DEST_PATH_IMAGE011
(1-4)
definition 3: and the target return address jret of the sub-function return jump is calculated by the following formula (1-5) under the two platform architectures of MIPS and Power:
Figure 877839DEST_PATH_IMAGE012
(1-5)
(2) dynamically recording a legal return address;
constructing a hash table to record legal return address information of program operation, wherein the legal return address information comprises:
1) when the sub-function call occurs, the IOS program executes a stack memory pointer point of the return address stacking operation;
2) the legal return address ret of the actual stack entry;
the hash recording process is as follows:
1) performing instruction identification, and if the instruction is a return address stacking instruction, performing hash transformation on the point to be stacked to obtain an actual storage location index of the return address ret in a hash table (hash table 1), wherein the hash change mode is as follows:
Figure DEST_PATH_IMAGE013
(2-1)
2) carrying out hash encryption on the legal return address ret to obtain a value which is stored in the position of the index in the hash table1, wherein the encryption mode is as follows:
Figure 908243DEST_PATH_IMAGE014
(2-2)
the hash table is used as a function return address copy to record point and ret, a chain address method is adopted to avoid hash collision, index is storage position index of data in the hash table, and hash is used for storing the index1Function(s)Carrying out Hash calculation on the point to obtain; value is the value at index position in the hash table, and the normal function return address ret is hashed2Then obtain
(3) ROP attack determination and positioning;
the object of ROP attack positioning is to find the program running address when the function illegal return occurs, and record the illegal return address of the current function. The idea is that when the program runs to the function call, a legal return address copy is constructed, when the program runs to the required return, the return address is verified, and if the program runs to the required return address, the program running address and the function return address at the moment are the required addresses.
The legal return address copy comprises a key value pair consisting of a current stack memory pointer and an actual stack return address value.
The judgment criterion returned by the function legality is that the formula 3-1 is true, that is, point and point 'are equal and ret' are equal, otherwise, the function is under ROP attack.
(point== point')&&(ret==ret') (3-1)
Since the hash table is used to store the legally returned information in this embodiment, the judgment of the legally returned function is based on the assumption that equation 3-2 is true, that is, the point after hash encryption is equal to the ret after encryption, otherwise, the node is attacked by ROP.
(index==hash1(point'))&&(value==hash2(ret')) (3-2)
As shown in fig. 1, the ROP attack localization procedure is as follows:
1) performing instruction identification, and jumping to the step 2 if the return address stack-entering instruction is adopted; if the return address is the pop instruction, jumping to the step 3; if the return address is the jump instruction, jumping to 4; otherwise, the processing is not carried out and the execution is continued;
2) calculating values of the current index and the value according to Hash transformation and Hash encryption, storing the value at the index position in a Hash table, and storing legal return address information;
3) caching point and ret in the return address pop instruction at the moment into variables point 'and ret', and keeping two values of point 'and ret' to be obtained by the latest return address pop instruction all the time;
4) judging whether the jump instruction address jret is equal to ret' in the buffer, if so, indicating that the jret value of the current function return jump comes from a return address stored in a stack space, namely the return address needing to be verified, and turning to 5); if not, it shows that the jret jumps to the return address of the leaf function, no verification is needed, and go to 8).
5) Attempting to hash in a hash table1Taking out the value at the (point') position and judging whether the value exists; if the ROP attack exists, the next step of judgment is carried out, and the step goes to 6), and if the ROP attack does not exist, the step goes to 8).
6) Comparing value with hash2(ret') are equal. If the two are equal, the result shows that the current time is the normal return to 7); otherwise, the return address is falsified, and the flow goes to 8).
7) Deleting the copy of the return address in the hash table, and continuing to execute the instruction;
8) continuing to execute the instruction;
(4) capturing attack codes:
an attacker hijacks control flow in order to realize certain functions or execute embedded codes, and for ROP attacks based on stack overflow, namely tampering with return addresses stored on a stack through overflow, when a function returns, the attacker jumps to modified target addresses and executes the constructed gadget attack chain codes to realize specific functions.
In order to avoid program crash, the complete ROP attack needs to restore the register and balance the stack space when the gadgets attack chain is finished, and simultaneously, the program execution flow is transferred to the execution flow before the first return address is tampered, so as to avoid the program from being abnormal.
As shown in fig. 2, a common example of ROP attack, where a program makes a ROP attack at the function FuncB, control flow is transferred to the gadget chain, and after the gadget is executed, the attacker passes control flow back to the function FuncA, which is the upper call function of the function FuncB.
Based on this, from the process of the occurrence of the return address tampering to the process of the control flow crossing back to the normal execution sequence, the program execution in this period is the complete attack code, as shown in fig. 3, the attack code capturing process is started after the attack is judged, and the attack code capturing step is as follows:
1) initially, ROPflag is set to 0;
2) judging whether the current return address is normal, if so, turning to 3), and if not, turning to 4);
3) judging whether the ROPflag is 1 or not; if yes, the ROPflag is set to be 0, which indicates that the ROP is currently under the attack, and the ROPflag is a signal for stopping the attack at the moment; if not, the judgment result shows that the current situation is not in the ROP attack, the instruction is executed continuously without processing;
4) and judging whether the ROPflag is 0 or not. If yes, the ROPflag is set to be 1, which indicates that the ROP is not in ROP attack currently and is an ROP attack starting signal at the moment; if not, the condition is that the current state is in the ROP attack and the attack record is started, the instruction is executed continuously without processing.
Wherein, the ROPflag is a flag indicating whether the ROP attack is currently suffered, 0 indicates that the ROP attack is not suffered, and 1 indicates that the ROP attack is in the process.
Example 2: in this embodiment, the method in embodiment 1 is verified based on the content in embodiment 1, and the specific content is as follows:
for the method in embodiment 1, as shown in fig. 4, a crosds system is designed and implemented on the basis of a Dynamips platform, and the system completes virtualization emulation of a Cisco router, and can load and execute a Cisco IOS to generate a virtual router. The instruction execution is monitored in the Cisco IOS virtualization execution process, the ROP attack positioning method is realized by the aid of the detection alarm module by means of the method, and the ROP attack code capturing method is realized by the aid of the code capturing module through the attack utilization process records.
The test environment is set up as shown in fig. 5. The server B runs a CROPDS system, the router R1 is a router virtualized by CROPDS, the R1 can communicate with the outside by means of a network port of the server B through a port mapping technology, the host A is an attack verification host and is in the same network with the virtual router R1, the attack machine A is used for launching ROP attack to the R1, and meanwhile whether the CROPDS system can accurately discover the attack and capture related attack codes is observed. All the utilized codes used in the experiment are real and effective EXP, and the attack mode is ROP attack.
The method is described below by taking the example of the CVE-2017 and 6736 loopholes. The vulnerability is a snmp protocol implementation vulnerability of Cisco IOS, essentially belongs to a buffer overflow vulnerability, and widely exists in IOS versions 12.0-12.4 and 15.0-15.4. An attacker triggers a buffer overflow vulnerability by sending a carefully constructed snmp data packet to the router and executes shellcode, and the c1700 router with the IOS version of 'c 1700-entry base-mz.124-5' with the vulnerability is selected for ROP attack verification.
Fig. 6 is an attack code fragment of "c 1700-entry base-mz.124-5" IOS firmware at a relevant position analyzed by ida in advance, fig. 7 is alarm information of the detection of the ROP attack and code capture by the system, and it can be seen from the alarm information that the system finds that the return address is incorrect for the first time when the program runs to 0x8049 base, and an alarm is given. The exception instructions at this time are lwz r0, r1, 52. The stack memory address with exception is 0x82bff63c, and the original function return address 0x80497860 stored here is tampered with as 0x800adfb4, which matches with the gadget0 related code in the ida firmware resolution shown in fig. 6 (a), thus proving that the positioning is accurate.
The last 17 codes are attack capture codes, which show that the program runs 17 instructions after ROP attack. Program control flow is transferred to 0x800adfb4 for execution after a malicious function returns, followed by two stack return address tampers at 0x80127e54, 0x810b4f30, respectively. After the attack effect is achieved, the control flow is transferred to a normal function call sequence at 0x810b4f40, and the attack is ended. The attack code matches (b), (c) and (d) in fig. 6, which shows that the attack code is captured correctly.
Example 3: this example further verifies the technical solution of example 1.
To test the versatility and performance of CROPDS, CtaintDetect, CIDS and Dynamips prototype systems were chosen for comparative experiments. The Dynamips is a Cisco router simulation prototype system, and the Dynamips does not have attack detection capability and can be used as a reference standard for running time efficiency. Both the former two and the system are developed based on a Dynamips prototype system, and both have the capability of detecting the vulnerability-related attack of the Cisco IOS, so that the system can be used as a universal reference.
To verify the versatility of a system to ROP attacks from different types of vulnerabilities in different versions of an IOS. In the embodiment, three Cisco IOS protocols of FTP, IP and SNMP are selected to realize the upper buffer overflow vulnerability, and ROP attack tests are carried out on routers with different IOS versions. Wherein, each vulnerability needs to be attacked by respectively selecting 10 different IOS versions under different platform routers, and the detection result is recorded.
The attack detection results are shown in fig. 8. It can be seen that in the ROP attack detection of 50 IOSs of the three vulnerabilities, the detection success rate of the method in embodiment 1 reaches 96%, which is superior to that of the first two systems, and the method has attack code capturing capability that the first two systems do not have, which illustrates that the method in embodiment 1 has the universality of ROP attack detection of IOS version types and vulnerability types.
To test the operational performance of CROPDS, CtaintDetect, CIDS, CROPDS and Dynamips system response times ti were recorded in the vulnerability attack test, respectively. Taking the operation response time t of the Dynamips virtualization prototype system as a reference unit 1, and taking the time consumption ratio as a reference index, wherein the time consumption ratio of each platform system is calculated in the following mode: ti/t.
It can be seen from FIG. 9 that CtaintDetect is about 4 times of Dynamips, CIDS time consumption is about 1.5 times of Dynamips, CROPDS is about 1.3 times of Dynamips, and the processing performance is superior to the above two. The CtaintDetect needs to repeatedly track the memory pollution transfer condition from the introduction of an abnormal data packet due to the taint analysis algorithm, and the memory read-write consumption is large, so the time consumption is high. The CIDS needs to rely on a static analysis library established in advance for IOS to serve as a legal return reference, and the table lookup range is a legal return set of the whole IOS, so that the time consumption is large.
Based on this, this embodiment provides a ROP attack detection method based on stack return address memory hash check according to the Cisco IOS instruction characteristics, and records and verifies function return addresses by using a hash table, so that records of return address memory pointers are added as indexes for hash lookup, the shadow memory lookup efficiency is improved, and the return address copy can be prevented from being tampered. The method is realized on a virtual simulator, and the method is verified through a real ROP attack sample.
The embodiment can align the ROP attack of the determined bit on the premise of not depending on static analysis, has certain capture capacity of ROP attack codes, can be directly deployed in the Internet as a honeypot by simulating the virtual router generated by executing the Cisco IOS by using the CROPDS realized by the method, captures the ROP attack execution flow suffered by the Cisco IOS, and is convenient for discovering and utilizing the buffer overflow vulnerability.

Claims (4)

1. A Cisco IOS-oriented ROP attack positioning and code capturing method is characterized by comprising the following steps: the method comprises the following steps:
(1) dynamically intercepting a Cisco IOS operation instruction;
simulating the execution environment of the Cisco IOS by using a virtualization simulation router, adding an instruction interception module in the CPU instruction execution process of the simulation router, dynamically tracking the CPU operation state, and intercepting the Cisco IOS operation instruction;
(2) dynamically recording a legal return address;
constructing a hash table to record legal return address information of program operation, wherein the legal return address information comprises:
1) when the sub-function call occurs, the IOS program executes a stack memory pointer point of the return address stacking operation;
2) the legal return address ret of the actual stack entry;
the hash recording process is as follows:
1) performing instruction identification, and if the instruction is a return address stacking instruction, performing hash transformation on the point to be stacked to obtain an actual storage location index of the return address ret in a hash table (hash table 1), wherein the hash change mode is as follows:
Figure DEST_PATH_IMAGE002
2-1
2) carrying out hash encryption on the legal return address ret to obtain a value which is stored in the position of the index in the hash table1, wherein the encryption mode is as follows:
Figure DEST_PATH_IMAGE004
2-2
(3) ROP attack determination and positioning;
1) performing instruction identification, and jumping to the step 2 if the return address stack-entering instruction is adopted; if the return address is the pop instruction, jumping to the step 3; if the return address is the jump instruction, jumping to 4; otherwise, the processing is not carried out and the execution is continued;
2) calculating values of the current index and the value according to Hash transformation and Hash encryption, storing the value at the index position in a Hash table, and storing legal return address information;
3) caching point and ret in the return address pop instruction at the moment into variables point 'and ret', and keeping two values of point 'and ret' to be obtained by the latest return address pop instruction all the time;
4) judging whether the jump instruction address jret is equal to ret' in the buffer, if so, indicating that the jret value of the current function return jump comes from a return address stored in a stack space, namely the return address needing to be verified, and turning to 5); if not, the jret is jumped to the return address of the leaf function, and the jump is turned to 8) without verification;
5) attempting to hash in a hash table1Taking out the value at the (point') position and judging whether the value exists; if the ROP attack exists, the next step of judgment is carried out, and the step goes to 6), and if the ROP attack does not exist, the step goes to 8);
6) comparing value with hash2(ret') equals; if the two are equal, the result shows that the current time is the normal return to 7); otherwise, the return address is falsified, and the operation goes to 8);
7) deleting the copy of the return address in the hash table, and continuing to execute the instruction;
8) continuing to execute the instruction;
(4) capturing attack codes:
starting an attack code capturing flow after judging that attack is triggered, wherein the attack code capturing step is as follows:
1) initially, ROPflag is set to 0;
2) judging whether the current return address is normal, if so, turning to 3), and if not, turning to 4);
3) judging whether the ROPflag is 1 or not; if yes, the ROPflag is set to be 0, which indicates that the ROP is currently under the attack, and the ROPflag is a signal for stopping the attack at the moment; if not, the judgment result shows that the current situation is not in the ROP attack, the instruction is executed continuously without processing;
4) judging whether the ROPflag is 0 or not; if yes, the ROPflag is set to be 1, which indicates that the ROP is not in ROP attack currently and is an ROP attack starting signal at the moment; if not, the current state is in the ROP attack, and the attack record is started, the instruction is executed continuously without processing;
wherein, the ROPflag is a flag indicating whether the ROP attack is currently suffered, 0 indicates that the ROP attack is not suffered, and 1 indicates that the ROP attack is in the process.
2. The Cisco IOS-oriented ROP attack localization and code capture method of claim 1, wherein: the storage structure of the hash table adopts a chain address method.
3. The ROP attack localization and code capture method for Cisco IOS of claim 1, wherein:
before the sub-function is called, when the return address is executed and the stack is pushed, defining a stack memory pointer for storing the return address as point, and actually pushing the return address as ret, namely the legal return address of the sub-function;
then point and ret under the two platform architectures of MIPS and Power are calculated by the following equations (1-1) and (1-2), respectively:
Figure DEST_PATH_IMAGE006
(1-1)
Figure DEST_PATH_IMAGE008
(1-2)
wherein xx is a memory offset value, and sp and r1 are values of stack register address registers in the MIPS platform and the PowerPC platform respectively; ra and r0 are the values of return address registers in the MIPS platform and the PowerPC platform respectively;
before the subfunction returns and when the return address is popped, defining a stack memory pointer for storing the return address as point 'and the actual popped return address value as ret';
then point 'and ret' under the two platform architectures of MIPS and Power are calculated by the equations (1-3) and (1-4), respectively:
Figure DEST_PATH_IMAGE010
(1-3)
Figure DEST_PATH_IMAGE012
(1-4)
and defining a target return address jret of the subfunction return jump, and calculating the jret under the two platform architectures of MIPS and Power according to the formula (3):
Figure DEST_PATH_IMAGE014
(1-5)。
4. the ROP attack localization and code capture method for Cisco IOS of claim 1, wherein:
when ROP attack is judged, the point after hash encryption is equal and the ret after encryption is equal, otherwise, the ROP attack is suffered, and the specific judgment formula is
(index==hash1(point'))&&(value==hash2(ret')) (3-1)。
CN202110775693.1A 2021-07-08 2021-07-08 Cisco IOS-oriented ROP attack positioning and code capturing method Active CN113641995B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110775693.1A CN113641995B (en) 2021-07-08 2021-07-08 Cisco IOS-oriented ROP attack positioning and code capturing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110775693.1A CN113641995B (en) 2021-07-08 2021-07-08 Cisco IOS-oriented ROP attack positioning and code capturing method

Publications (2)

Publication Number Publication Date
CN113641995A true CN113641995A (en) 2021-11-12
CN113641995B CN113641995B (en) 2022-12-09

Family

ID=78416967

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110775693.1A Active CN113641995B (en) 2021-07-08 2021-07-08 Cisco IOS-oriented ROP attack positioning and code capturing method

Country Status (1)

Country Link
CN (1) CN113641995B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105260659A (en) * 2015-09-10 2016-01-20 西安电子科技大学 Kernel-level code reuse type attack detection method based on QEMU
CN109858253A (en) * 2019-01-08 2019-06-07 中国人民解放军战略支援部队信息工程大学 Stack buffer overflow attack defence method based on LBR

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105260659A (en) * 2015-09-10 2016-01-20 西安电子科技大学 Kernel-level code reuse type attack detection method based on QEMU
CN109858253A (en) * 2019-01-08 2019-06-07 中国人民解放军战略支援部队信息工程大学 Stack buffer overflow attack defence method based on LBR

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李昆仑等: "二进制代码级函数指针攻击机理与检测研究", 《小型微型计算机系统》 *

Also Published As

Publication number Publication date
CN113641995B (en) 2022-12-09

Similar Documents

Publication Publication Date Title
US10305919B2 (en) Systems and methods for inhibiting attacks on applications
US10242186B2 (en) System and method for detecting malicious code in address space of a process
Parampalli et al. A practical mimicry attack against powerful system-call monitors
US9177153B1 (en) Verifying integrity and guaranteeing execution of code on untrusted computer platform
Crandall et al. On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits
US7953980B2 (en) Signed manifest for run-time verification of software program identity and integrity
Liang et al. Fast and automated generation of attack signatures: A basis for building self-protecting servers
US8364973B2 (en) Dynamic generation of integrity manifest for run-time verification of software program
US8701187B2 (en) Runtime integrity chain verification
US20050204205A1 (en) Methodology, system, and computer readable medium for detecting operating system exploitations
US11290484B2 (en) Bot characteristic detection method and apparatus
RU2697954C2 (en) System and method of creating antivirus record
Prigent et al. IpMorph: fingerprinting spoofing unification
CN114679315B (en) Attack detection method, apparatus, computer device, storage medium, and program product
KR20060092832A (en) Containment of worms
CN110647748B (en) Code multiplexing attack detection system and method based on hardware characteristics
CN116389027A (en) Payload process detection method and device in cloud environment based on eBPF
US9306908B2 (en) Anti-malware system, method of processing packet in the same, and computing device
Cui et al. Killing the Myth of Cisco {IOS} Diversity: Recent Advances in Reliable Shellcode Design
CN113641995B (en) Cisco IOS-oriented ROP attack positioning and code capturing method
CN113608907B (en) Database auditing method, device, equipment, system and storage medium
Li et al. Kernel malware core implementation: A survey
JP2005182187A (en) Unauthorized access detecting method, unauthorized access detecting system and unauthorized access detecting program
CN110598378A (en) Global offset table measuring method, dynamic measuring method, related device and equipment
Liang et al. Automated, sub-second attack signature generation: A basis for building self-protecting servers

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant