基于静态分析法检测多态缓冲区溢出攻击(IJWMT-V1-N1-3).pdfVIP

I.J. Wireless and Microwave Technologies, 2011, 1, 13-22 Published Online February 2011 in MECS () DOI: 10.5815/ijwmt.2011.01.03 Available online at http://www.mecs-press .net/ijwmt Detecting Polymorphic Buffer Overflow Exploits with a Static Analysis Approach a,* a a Guo Fan , Lu JiaXing , Yu Min a College of Computer Information Engineering, Jiangxi Normal University, Nanchang, China Abstract Remote exploit attacks are the most serious threats in network security area. Polymorphism is a kind of code- modifying technique used to evade detection. A novel approach using static analysis methods is proposed to discover the polymorphic exploit codes hiding in network data flows. The idea of abstract execution is firstly adopted to construct control flow graph, then both symbolic execution and taint analysis are used to detect exploit payloads, at last predefined length of NOOP instruction sequence is recognized to help detection. Experimental results show that the approach is capable of correctly distinguishing the exploit codes from regular network flows. Index Terms: Exploit Code; Polymorphism; Abstract Execution; Symbolic Execution; NOOP Instruction Sequence © 2011 Published by MECS Publisher. Selection and/or peer review under responsibility of the Research Association of Modern Education and Computer Science 1. Introduction In the world of Internet, hackers usually exploit remote vulnerabilities to gain the control of the hosts. The most serious threats are remote buffer overflow exploits. Well configured firewalls may prevent some vulnerable service from being attacked, but