Embedded TaintTracker: 一個輕型污染資料追縱系統以對抗緩衝區溢位的惡意程式碼攻擊

Abstract

緩衝區溢位是指在一已配置的記憶體中，寫入超過配置大小的資料，其目的在於取得系統的控制權。在過去的數年裡，有將近40%的程式弱點屬於緩衝區溢位。先前的解決方案中，有人提出了基於污染追縱的方式來對抗緩衝區溢位攻擊，他們藉由將欲保護的程式運行在模擬器上，得以追縱源自網路上的污染資料並檢查是否有執行它們。然而，這類的實做方式卻造成了龐大的效能損失。我們分析其來源，發現有近60%的損失是來自模擬器、另外40%的損失則是用來動態欄截指令及維護污染資料的資訊。在本論文中，我們提出了Embedded TaintTracker，一個新的對抗緩衝區溢位的輕型污染資料追縱系統。這個系統藉著將檢查機制壓縮至作業系統的核心中，以及將汙染資料的追縱程式在編譯時期插入，得以消除來自模擬器及動態欄截指令的效能損失。在我們的實驗中，證實了運作在Embedded TaintTracker的程式只會有9.3%的效能損失，比起之前的解決方案TaintCheck其效能至少增進了8倍。

A buffer overflow attack occurs when a program writes data outside the allocated memory and aims at invading a system. Around forty percent of all software vulnerabilities were attributed to buffer overflow over the past several years. The previous works based on taint tracking, a novel technique to prevent buffer overflow, ran a victim's program on an emulator to dynamically instrument the code for tracking the propagation of data originated from network in memory and checking whether malicious code is executed. However, the critical problem of these works is their heavy performance overhead. We analyzed the overhead and found that 60% of overhead is from the emulator and remaining 40% is from dynamic instrumentation and taint information maintenance. In this thesis, a new taint-style system, Embedded TaintTracker, is proposed to eliminate overhead in the emulator and dynamic instrumentation by compressing a checking mechanism into the kernel of operating system (OS) and moving instrumentation from runtime to compilation time. The evaluation demonstrated that our system imposes only 9.3% performance degradation, and thus it outperforms the previous work, TaintCheck, by at least 8 times.