-  2015 

A Method for Detecting Cisco IOS Pointer Attack Using Control Flow Monitoring

DOI: 10.7652/xjtuxb201512011

Keywords: Cisco IOS, pointer attack, control flow monitoring, cyber security, attack detection


Abstract:

To address the low detection efficiency of current methods for detecting exploit attacks against Cisco IOS (Internetwork Operating System), a method is proposed that uses control flow monitoring to identify Cisco IOS pointer attacks. Through a combination of static analysis and dynamic tracking, the method constructs a legal transfer address collection (LTAC) for each category of control flow in Cisco IOS. When a control flow transfer occurs, any transfer whose target address lies outside the LTAC is judged to be an attack, and the details of the abnormal control flow transfer are captured. Experimental results show that the method accurately captures pointer attacks against Cisco IOS and supports analysis of the attack process. Compared with existing Cisco IOS exploit detection methods, it has higher detection efficiency and can help improve network security.
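The LTAC check described in the abstract, sketched as an added example that is not the paper's implementation. It assumes two control flow categories (indirect calls checked against statically derived entry points, returns checked against dynamically tracked return sites), fixed 4-byte instructions, and constructed addresses and traces; all names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed sample: entry points a static pass would yield (hypothetical addresses). */
static const uint32_t static_entries[] = {0x80010000u, 0x80010400u, 0x80012a00u};
#define MAX_DEPTH 64
enum xfer_kind { XFER_CALL, XFER_ICALL, XFER_RET };
struct xfer  { enum xfer_kind kind; uint32_t pc, target; };
struct alert { enum xfer_kind kind; uint32_t pc, target, expected; };
struct monitor { uint32_t ret_ltac[MAX_DEPTH]; size_t depth; struct alert last; };
static int in_static_ltac(uint32_t t) {
    for (size_t i = 0; i < sizeof static_entries / sizeof *static_entries; i++)
        if (static_entries[i] == t) return 1;
    return 0;
}

/* Returns 1 and records details in m->last when the target is outside the LTAC. */
int monitor_step(struct monitor *m, const struct xfer *x) {
    struct alert a = { x->kind, x->pc, x->target, 0 };
    int bad;
    if (x->kind == XFER_RET) {   /* dynamic LTAC: only the tracked return site */
        bad = (m->depth == 0);
        if (!bad) { a.expected = m->ret_ltac[--m->depth]; bad = (a.expected != x->target); }
    } else {                     /* static LTAC constrains indirect call targets */
        bad = (x->kind == XFER_ICALL && !in_static_ltac(x->target)) || m->depth == MAX_DEPTH;
        if (!bad) m->ret_ltac[m->depth++] = x->pc + 4;   /* assumes 4-byte instructions */
    }
    if (bad) m->last = a;
    return bad;
}

/* Index of the first illegal transfer in a trace, or -1 if every one is legal. */
int run_trace(struct monitor *m, const struct xfer *t, size_t n) {
    m->depth = 0;
    for (size_t i = 0; i < n; i++)
        if (monitor_step(m, &t[i])) return (int)i;
    return -1;
}
/* Constructed traces: benign chain, overwritten return address, hijacked pointer. */
static const struct xfer benign[] = {
    {XFER_CALL, 0x80010010u, 0x80010400u}, {XFER_ICALL, 0x80010410u, 0x80012a00u},
    {XFER_RET,  0x80012a20u, 0x80010414u}, {XFER_RET,   0x80010440u, 0x80010014u} };
static const struct xfer smashed_ret[] = {
    {XFER_CALL, 0x80010010u, 0x80010400u}, {XFER_RET, 0x80010440u, 0x81f00000u} };
static const struct xfer hijacked_ptr[] = { {XFER_ICALL, 0x80010410u, 0x81f00100u} };

int main(void) {   /* exit status 0 when all three traces classify as expected */
    struct monitor m;
    return !(run_trace(&m, benign, 4) == -1 && run_trace(&m, smashed_ret, 2) == 1
             && run_trace(&m, hijacked_ptr, 1) == 0);
}
```

After a violation, `m.last` holds the transfer kind, source address, observed target and (for returns) the expected return site, which corresponds to the captured details the abstract mentions.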

