Netinfo Security (信息网络安全) ›› 2016, Vol. 16 ›› Issue (6): 48-55. doi: 10.3969/j.issn.1671-1122.2016.06.008

Research on Heap Spray for Integration of Multiple Technologies

Yanying MAO, Senlin LUO

  1. Information System and Security & Countermeasures Experimental Center, Beijing Institute of Technology, Beijing 100081, China
  • Received: 2016-03-20 Online: 2016-06-20 Published: 2020-05-13
  • About the authors:

    Yanying MAO (born 1993), female, from Chongqing, master's student; main research interest: information security. Senlin LUO (born 1968), male, from Hebei, professor, Ph.D.; main research interests: information security, data mining, text security, etc.

  • Supported by:
    National 242 Information Security Program [2005C48]

Abstract:

Heap spray is an attack technique for bypassing ASLR. It uses a controllable scripting environment in an application to perform a large number of repeated memory allocations, placing shellcode and other data in the required memory space. Because heap spray attacks have a high success rate, heap spray has become a common vulnerability exploitation technique. It is a focus of security researchers' study and equally a priority for the protections of applications and security software. Studying reliable and precise heap spray methods under the latest software environment therefore has important practical value and helps advance heap spray detection and protection techniques. Existing heap spray implementations do not adapt to the latest software environment, have low accuracy, and are easily detected and blocked. To address this problem, the paper proposes a heap spray method that integrates multiple techniques: it first encodes the shellcode, adds a series of ineffective disassembly instructions, then builds spray chunks of suitable size and with randomness based on the IE browser's heap management mechanism, and finally obfuscates the spray code to obtain the final heap spray code. The experimental results show that the method can bypass multiple security protection technologies and perform precise heap spraying in the latest IE browser, with high accuracy, strong compatibility, and strong resistance to antivirus detection.

Key words: heap spray, IE browser, vulnerability exploitation
