Journal of Beijing University of Posts and Telecommunications

  • EI core journal

Journal of Beijing University of Posts and Telecommunications ›› 2017, Vol. 40 ›› Issue (s1): 122-125, 129. doi: 10.13190/j.jbupt.2017.s.027


Analysis of SSP Security Based on Canary Reuse

LIU Song, QIN Xiao-jun, GAN Shui-tao, JIANG Hai-bo

  1. Jiangnan Institute of Computing Technology, Wuxi, Jiangsu 214083, China
  • Received: 2016-05-30  Online: 2017-09-28  Published: 2017-09-28
  • Author biographies: LIU Song (1992-), male, master's student, Email: yeshawuya@126.com; QIN Xiao-jun (1975-), male, senior engineer.

Abstract: The stack smashing protector (SSP) is the most effective security mechanism for mitigating stack buffer overflow attacks; it guarantees that the stack is not modified by means of a system-generated random number (the canary). At present, techniques for bypassing SSP are mainly based on brute force. This paper reveals a security-defect model that can leak the random number: because the operating system does not clear dead stack frames in time, the random number may remain in invalid stack space, and a bypass that leverages this property is called Canary reuse. Experiments verify the exploitability and stability of this defect, and based on this characteristic two effective countermeasures are proposed.

Key words: stack smashing protector, Canary reuse, Linux random number, stack buffer overflow
