Research On Control Flow Hijack Detection And Defense Based On Resource Access Control

Driven by factors such as commercial interests,various types of malware technologies have attacked operating systems,resulting in more and more serious security problems.Among them,control flow hijacking is widely used by attackers as one of the basic means of attacking the operating system.Control flow hijacking means that an attacker hijacks the control flow to flow as the attack intention by traversing data with control attributes or guiding the control flow for illegally jumping.For the kernel control flow,the attacker usually uses the rootkit technology to destroy the integrity of the kernel to implement control flow redirection.For the user control flow,the attacker usually uses the code reuse attack technology to realize the illegal jump of the control flow.The attacker can use the hijacked control flow to achieve its attack purpose,so how to detect and defend against control flow hijacking is a key issue to ensure system security.The reason of the the control flow hijacking is the inherent privilege deployment and the minimal intervention architecture design for the executing entity of the operating system,which results in its lack of effective control to the access of the executing entity resources.In the traditional operating system deployment structure,the operating system occupies the highest privilege level ring0,so that the highest execution permission that all execution entities in the operating system can obtain is not higher than the privilege level of the operating system.At the same time,in order to improve the efficiency of execution,the existing operating system structure design only makes basic behavioral norms for the control flow of the executing entity.These factors make it difficult for existing security tools to establish an effective resource access control model,which limits the ability to detect and defend against control flow redirection and illegal jumps.Although the existing virtualization-based methods can solve these problems to a certain extent,they rely on complex virtualization platforms.On the one hand,the performance loss of the operating system is large,and on the other hand,the fine-grained control mechanism of resource access is lacking.Aiming at the above problems,this dissertation constructs the resource access control model VirtWall based on virtualization technology.It provides resource access control mechanism for control flow hijacking detection and defense.This dissertation establishes kernel control flow hijacking detection and defense model and user control flow detection and defense model based on this mechanism.In summary,the research content of this dissertation mainly includes three aspects:(1)In view of the problem that the existing methods can not effectively control the access of operating system resources,we build the resource access control model VirtWall based on hardware virtualization technology.(2)Based on VirtWall,the memory access control mechanism and event injection mechanism are established.Then the detection and defense model SecProtector for kernel control flow hijacking is constructed.(3)Based on VirtWall,the page table redirection mechanism and code differentiation management mechanism are established,and the detection and defense model ProShadow for user control flow hijacking is constructed,which realizes the effective constraint on the illegal jump of user control flow.