
Author: 王勛
Title: A Study of Native API Protection Mechanism against Malicious Codes in Windows Kernel Mode
Chinese title: 於視窗系統核心模式中阻止惡意程式的保護機制之研究
Advisor: 孫宏民
Committee members:
Degree: Master
Department: College of Electrical Engineering and Computer Science - Institute of Information Systems and Applications
Year of publication: 2008
Graduation academic year: 96 (ROC calendar, i.e. 2007-2008)
Language: English
Number of pages: 46
Chinese keywords: malicious code; kernel mode
Abstract:

    More and more vulnerabilities are being discovered in the Windows operating system, and many malicious codes exploit these published vulnerabilities to spread across the network. Compared with signature-based defense mechanisms, detecting the anomalous behaviour of attack programs is considered the more effective approach. Many methods for detecting anomalous program behaviour have already been proposed, but most of them examine high-level API (Application Programming Interface) calls to decide whether a call is abnormal. Such a defense mechanism offers no resistance at all against malicious code that invokes system calls directly.

    In this thesis we propose a defense architecture aimed at malicious code that invokes system calls directly. We place the architecture in the kernel mode of the operating system, a region that ordinary malicious code cannot easily take control of, and there we redirect program execution to a checking function. Through a series of experiments and a security analysis, our system is shown to block real-world malicious code effectively while having little impact on system performance.


Table of contents:

    - Chapter 1 Introduction
    - Chapter 2 Background
      - 2.1 Native APIs
      - 2.2 Shellcodes
      - 2.3 Hooking Methodology
        - 2.3.1 API Hooking in User Mode
        - 2.3.2 System Call Hooking in Kernel Mode
      - 2.4 Windows System Call
        - 2.4.1 Introduction of Invoking System Call
        - 2.4.2 Proposed Protection Mechanism on Windows System Call
    - Chapter 3 Related Work
      - 3.1 Static Source Analysis
      - 3.2 Compiler Patch
      - 3.3 Shellcodes Simulation
      - 3.4 Virtual Machine Based
      - 3.5 API and System Call Hooking
      - 3.6 Summary
    - Chapter 4 Approach
      - 4.1 Overview
      - 4.2 Monitor
      - 4.3 Hook.dll
      - 4.4 The Pre-validation Function
      - 4.5 Driver
      - 4.6 Validation Function
    - Chapter 5 Experiment and Analysis
      - 5.1 Experiment
      - 5.2 Performance Overhead Evaluation
    - Chapter 6 Discussion
      - 6.1 Security Analysis
      - 6.2 Comparison with Nguyen's scheme
      - 6.3 Load Time Overhead Reduction
      - 6.4 Multi-processes and Multi-threading
      - 6.5 Whole Native APIs Hooking
      - 6.6 False Positive
      - 6.7 APIs Level
    - Chapter 7 Conclusion

References:

    [1] OSR driver loader. http://www.osronline.com/.
    [2] Windows driver kit. http://www.microsoft.com/whdc/devtools/WDK.
    [3] P. Akritidis, E. Markatos, M. Polychronakis, and K. Anagnostakis. STRIDE: Polymorphic sled detection through instruction sequence analysis. 20th IFIP International Information Security Conference, 2005.
    [4] A. Baker and J. Lozano. The Windows 2000 Device Driver Book: A Guide for Programmers. Prentice Hall PTR, 2001.
    [5] P. Bania. Windows Syscall Shellcode, 2005.
    [6] E. Barrantes, D. Ackley, S. Forrest, T. Palmer, D. Stefanovic, and D. Dai Zovi. Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks.
    [7] T. Chiueh and F. Hsu. RAD: A compile-time solution to buffer overflow attacks. 21st International Conference on Distributed Computing, page 409.
    [8] C. Cowan, M. Barringer, S. Beattie, G. Kroah-Hartman, M. Frantzen, and J. Lokier. FormatGuard: automatic protection from printf format string vulnerabilities. Proceedings of the 10th USENIX Security Symposium, Volume 10, page 15, 2001.
    [9] C. Cowan, S. Beattie, J. Johansen, and P. Wagle. PointGuard: protecting pointers from buffer overflow vulnerabilities. In SSYM'03: Proceedings of the 12th USENIX Security Symposium, page 7, Berkeley, CA, USA, 2003. USENIX Association.
    [10] C. Cowan, C. Pu, D. Maier, H. Hintony, J. Walpole, P. Bakke, S. Beattie, A. Grier, P. Wagle, and Q. Zhang. StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In SSYM'98: Proceedings of the 7th USENIX Security Symposium, page 5, Berkeley, CA, USA, 1998. USENIX Association.
    [11] P. S. C. Dafydd Stuttard. Writing Small Shellcode. http://www.ngssoftware.com, 2003.
    [12] H. Eto and K. Yoda. ProPolice: Improved stack-smashing attack detection. IEICE Technical Report (Institute of Electronics, Information and Communication Engineers), 101(214):181-188, 2001.
    [13] D. Evans, J. Guttag, J. Horning, and Y. Tan. LCLint: a tool for using specifications to check code. Proceedings of the 2nd ACM SIGSOFT Symposium on Foundations of Software Engineering, pages 87-96, 1994.
    [14] H. Father. Hooking Windows API - Technics of hooking API functions on Windows. 2002.
    [15] J. Gulbrandsen. System Call Optimization with the SYSENTER Instruction.
    [16] G. Hunt and D. Brubacher. Detours: Binary Interception of Win32 Functions.
    [17] X. Jiang, X. Wang, and D. Xu. Stealthy malware detection through VMM-based "out-of-the-box" semantic view reconstruction. Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 128-138, 2007.
    [18] D. Larochelle and D. Evans. Statically detecting likely buffer overflow vulnerabilities. Proceedings of the 10th USENIX Security Symposium, 10, 2001.
    [19] K. Lhee and S. Chapin. Type-assisted dynamic buffer overflow detection. Proceedings of the 11th USENIX Security Symposium, pages 81-90, 2002.
    [20] C. M. Linn, M. Rajagopalan, S. Baker, C. Collberg, S. K. Debray, and J. H. Hartman. Protecting against unexpected system calls. In SSYM'05: Proceedings of the 14th USENIX Security Symposium, page 16, Berkeley, CA, USA, 2005. USENIX Association.
    [21] M. Miller. Understanding Windows Shellcode. nologin.org, Dec 2003.
    [22] G. Nebbett. Windows NT/2000 Native API Reference. Sams, 2000.
    [23] L. Nguyen, T. Demir, J. Rowe, F. Hsu, and K. Levitt. A framework for diversifying Windows native APIs to tolerate code injection attacks. Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, pages 392-394, 2007.
    [24] A. One. Smashing the stack for fun and profit. Phrack Magazine, 49:14, 1998.
    [25] U. Payer, P. Teufl, and M. Lamberger. Hybrid Engine for Polymorphic Shellcode Detection. Detection of Intrusions and Malware, and Vulnerability Assessment: Second International Conference, DIMVA 2005, Vienna, Austria, July 7-8, 2005: Proceedings, 2005.
    [26] J. Rabek, R. Khazan, S. Lewandowski, and R. Cunningham. Detection of injected, dynamically generated, and obfuscated malicious code. Proceedings of the 2003 ACM Workshop on Rapid Malcode, pages 76-82, 2003.
    [27] M. Rajagopalan, S. Baker, C. Linn, S. Debray, R. Schlichting, and J. Hartman. Signed system calls and hidden fingerprints. Technical report TR04-15, Department of Computer Science, The University of Arizona, Tucson, AZ 85721, May 2004.
    [28] M. Rajagopalan, M. Hiltunen, T. Jim, and R. Schlichting. Authenticated System Calls. Proc. IEEE International Conference on Dependable Systems and Networks (DSN-2005), 2005.
    [29] M. Russinovich. Inside the Native API, 1998.
    [30] S. Schreiber. Undocumented Windows 2000 Secrets. Addison-Wesley, Boston, 2001.
    [31] T. Toth and C. Kruegel. Accurate Buffer Overflow Detection via Abstract Payload Execution. In 5th Symposium on Recent Advances in Intrusion Detection (RAID), 2002.
    [32] Vendicator. Stack Shield. http://www.angelfire.com/sk/stackshield/, Jan 2000.
