Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1202814
  • 博文数量: 272
  • 博客积分: 3899
  • 博客等级: 中校
  • 技术积分: 4734
  • 用 户 组: 普通用户
  • 注册时间: 2012-06-15 14:53
文章分类

全部博文(272)

文章存档

2012年(272)

分类: 网络与安全

2012-06-26 16:59:20

Past, Present, and Future of Security and the Security Community


作者言辞激烈的抨击了一些现在安全行业的弊端,并进行反思。不过blogspot被和谐了,想看的请***。


此外昨天出来的一篇paper,关于 Heapspray 检测的。这个项目叫:Nozzle

http://www.cgisecurity.com/2009/11/nozzle-a-defense-against-heapspraying-code-injection-attacks.html

(请***)

比较讽刺的是这篇paper是Microsoft Research的几个人写的,但是他们的实验环境却是在 Firefox 上。

他们结合了Firefox 的内存管理器,使用统计学和一些算法,研究 HeapSpray的特征。

In this paper, we describe Nozzle, a runtime infrastructure that detects
heap spraying attacks by exploiting the fact that spraying places many copies
of objects with specific characteristics into the heap. Nozzle uses a combi-
nation of methods including statistics, object examination, and lightweight
emulation to estimate whether a given object is part of a spraying attack.
Because heap spraying involves large-scale changes to the heap contents,
we exploit this characteristic to reduce our false positive and false negative
detection rates. We develop a general notion of global “heap health” based
on the measured attack surface of the heap contents.

Because Nozzle only examines object contents and requires no changes
to the object or heap structure, it can easily be integrated into both na-
tive and garbage-collected heaps. In this paper, we implement Nozzle by
intercepting calls to the memory manager in the Mozilla Firefox browser
(version 2.0.0.16)
. Because browsers are the most popular target of heap
spray attacks, it is crucial for a successful spray detector to both provide
very high successful detection rates and very low false positive rates.

正好前天我还和朋友聊到了Heapspray类浏览器攻击的防范和检测,去年的xKungfoo 上,TK教主演示的那个先分配自己的shellcode,占用了HEAP的思路就很巧妙。

但是想真正监视内存去检测Heapspray还是需要写浏览器插件。不过Heapspray的方法毕竟是有限的,因为能够用来做Heapspray的地址是有限的,要求这个地址能够当做指令执行,且能够起到NOP的作用才可以。所以这种方案还是有一定的可行性。



不过我还是觉得知道创宇的使用虚拟机启动IE进程检测网页挂马的方案比较靠谱,因为准确,基本上没误报。对AV类产品来说,有时候宁可漏报也不要误报。

而对于Nozzle来说,仅仅是基于Heapspray的检测,所以对于一些利用逻辑漏洞(MS06-014为代表)、栈溢出(QQ ActiveX溢出为代表)、Heap Fengshui(没找到公开的代表)等形式的攻击,还是无能为力的。

PS: 该文中还有不少拼写错误 #_#
阅读(1190) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~