快速偵測與恢復軟體溢位錯誤之方法

Abstract

緩衝區溢位(buffer overflow)是一個常見的軟體漏洞，現今許多應用程式都發現有過這種漏洞，因而造成嚴重的安全問題。為了要能夠有效地解決緩衝區溢位問題，研究者提出各種緩衝區溢位的偵測與恢復機制，而這些機制所造成的額外效能負擔多寡是這些機制是否實用的關鍵。此外，我們經由實驗得知，一個沒有恢復能力的偵測機制，受其保護的程式在遭遇攻擊時，服務的能力將大幅度下降，所以我們的研究中專注在有效率的緩衝區溢位偵測與恢復機制上。

目前被認為偵測範圍最廣的CRED (C Range Error Detector) 偵測技術與以CRED為基礎的BMB (Boundless Memory Blocks) 恢復技術，某些情形下會造成執行效能相較原程式約30倍的低落。本論文提出一個名叫BODAR(Buffer Overflow Detection And Recovery)的方法，能夠在執行時期利用作業系統的分頁保護機制，以事件驅動的方式正確且有效率地偵測緩衝區溢位的發生。此外，BODAR離散地配置各個緩衝區，使得各緩衝區後都有一塊未配置區域能夠用來容忍溢位的資料，進行恢復時只需直接增長緩衝區至未配置區域。如此除了能得到與CRED近乎相同的偵測與恢復能力以外，亦能有相當優良的效能表現。我們的實驗顯示有BODAR保護的程式只比原來的程式多增加了10%到80%的執行時間。

Buffer overflow is a kind of common software vulnerabilities. Today, it exists in many applications and therefore causes serious security problems. In order to solve such problems, many researchers have proposed mechanisms for buffer overflow detection and recovery. On one hand, the practicability of these mechanisms could be primarily decided by the amount of overhead in runtime. On the other hand, according to our experiments, when attacking a server with the detection ability but without recovery ability, we found that its service availability would be degraded significantly. Based on the two observations, our research is focused on an efficient buffer overflow detection and recovery mechanism.

Two past solutions, CRED(C Range Error Detector) and BMB(Boundless Memory Blocks), have been recognized as the best protection method in overflow-detecting and the most practical recovery method base on CRED, respectively. However, in certain situations, both could result in lower performance by a factor of 30. In this paper, we proposed a method named BODAR for the buffer overflow problem. BODAR uses the page protection mechanism of OS which is event-driven to detect buffer overrun correctly and efficiently. BODAR also sparsely setup an unallocated region behind each buffer. The unallocated regions would be allocated for tolerance of out-of-bound data when recovering. Our experiments showed that the execution time of BODAR-enable programs was only 10% to 80% slower than that of non-protected ones.