Hardware-assisted ROP detection method for cloud platforms (cited by: 1)

Hardware-assisted ROP attack detection on cloud platforms
Abstract: Existing detection approaches for return oriented programming (ROP) attacks cannot simultaneously provide flexible deployment, portability, and transparent detection in a cloud environment. This paper proposes a hardware-assisted method that detects ROP attacks in real time: it uses the Intel last branch record (LBR) hardware feature to record the indirect branch information of a guest virtual machine (VM) and performs rapid detection of gadget attack chains in the hypervisor. In the privileged domain (Dom0), the method uses virtual machine introspection (VMI) to validate the legitimacy of indirect branches, thereby protecting the control flow integrity of shared link libraries in the process address space of the guest VM. Tests show that the method detects ROP attacks with an average run-time overhead of less than 7%.
Source: Journal of Tsinghua University (Science and Technology), 2018, No. 3, pp. 237-242 (6 pages); indexed in EI, CAS, CSCD and the Peking University Core Journals list
Funding: National High Technology Research and Development Program of China (863 Program) (2015AA016004); National Natural Science Foundation of China (61373169, 61672394); NSFC-General Technology Basic Research Joint Fund (U1536204)
Keywords: cloud platform; return oriented programming (ROP) detection; control flow integrity; last branch record
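As an added illustration (not code from the paper), the following Python sketch validates a constructed LBR trace against a constructed shared-library disassembly the way the Dom0 verifier described in the abstract might. Because the abstract does not state the paper's exact legitimacy rule, the sketch assumes two common heuristics: a `ret` must land on a call-preceded address, and a run of consecutive short gadgets is treated as a chain even when every target is call-preceded.

```python
# Constructed disassembly of a guest shared library's text segment (addr -> (mnemonic, byte length)).
# In the scheme above these bytes would be read from the guest VM via VMI; here they are inline.
LIB_TEXT = {
    0x1000: ("push rbp", 1),    0x1001: ("mov rbp,rsp", 3), 0x1004: ("call 0x1020", 5),
    0x1009: ("mov eax,edi", 2), 0x100B: ("pop rbp", 1),     0x100C: ("ret", 1),
    0x1020: ("xor eax,eax", 2), 0x1022: ("add eax,edi", 2), 0x1024: ("shl eax,1", 2),
    0x1026: ("ret", 1),
    0x1030: ("pop rdi", 1),     0x1031: ("ret", 1),         # unintended gadgets that a
    0x1040: ("pop rsi", 1),     0x1041: ("ret", 1),         # ROP chain would string together
    0x1060: ("call 0x1000", 5), 0x1065: ("ret", 1),
}
# Legitimate return targets: the instruction immediately after each call.
CALL_SITES = {addr + size for addr, (mnem, size) in LIB_TEXT.items() if mnem.startswith("call")}

def is_ret(addr):
    return LIB_TEXT.get(addr, ("", 0))[0] == "ret"

def gadget_len(start, end):
    """Number of instructions executed from `start` through the ret at `end`."""
    count, addr = 0, start
    while addr in LIB_TEXT and addr <= end:
        count += 1
        addr += LIB_TEXT[addr][1]
    return count

def check_lbr(entries, max_gadget=3, chain_threshold=3):
    """Validate (from_ip, to_ip) LBR records, oldest first. Assumed rules: a ret must land
    on a call-preceded address, and `chain_threshold` consecutive returns each closing a
    gadget of <= `max_gadget` instructions count as a gadget chain even if call-preceded."""
    short_run, prev_to = 0, None
    for frm, to in entries:
        if is_ret(frm):
            if to not in CALL_SITES:
                return "ROP", f"return at {frm:#x} to non-call-preceded {to:#x}"
            if prev_to is not None and gadget_len(prev_to, frm) <= max_gadget:
                short_run += 1
                if short_run >= chain_threshold:
                    return "ROP", f"{short_run} consecutive short gadgets ending at {frm:#x}"
            else:
                short_run = 0
        else:
            short_run = 0          # a call or jmp breaks any pending gadget run
        prev_to = to
    return "OK", ""

# Constructed traces: a normal call/return sequence, and two gadget chains.
BENIGN = [(0x1060, 0x1000), (0x1004, 0x1020), (0x1026, 0x1009), (0x100C, 0x1065)]
ROP_DIRECT = [(0x100C, 0x1030), (0x1031, 0x1040)]
ROP_CALL_PRECEDED = [(0x100C, 0x1009)] * 4
```

Addresses outside `LIB_TEXT` are simply unknown to this sketch; a real verifier would consult the guest's memory map to decide which regions are covered.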