%0 Journal Article
%T Hardware-assisted ROP attack detection on cloud platforms
%A 王丽娜
%A 周伟康
%A 刘维杰
%A 余荣威
%J 清华大学学报(自然科学版)
%D 2018
%R 10.16511/j.cnki.qhdxxb.2018.26.008
%X Abstract: Existing detection approaches for return oriented programming (ROP) attacks cannot simultaneously provide the flexible deployment, portability, and transparent detection required in the cloud environment. A hardware-assisted method was developed to detect ROP attacks in real time. It uses the hardware feature of the Intel last branch record (LBR), which can record the indirect branch information of a guest virtual machine (VM), to achieve rapid detection of ROP gadget attack chains in the hypervisor. In the privileged domain (Dom0), the method uses virtual machine introspection (VMI) technology to validate the legitimacy of indirect branches, protecting the control flow integrity of the shared link libraries in the process address space of the guest VM. Tests show that this method can effectively detect ROP attacks with an average run-time overhead of less than 7%.
%K cloud platform
%K return oriented programming (ROP) detection
%K control flow integrity
%K last branch record
%U http://jst.tsinghuajournals.com/CN/Y2018/V58/I3/237