
The Technology And Defense Of Buffer Overflow Under Linux

Posted on: 2008-11-30
Degree: Master
Type: Thesis
Country: China
Candidate: W J Chen
Full Text: PDF
GTID: 2178360215495646
Subject: Computer software and theory
Abstract/Summary:
Over the past ten years the buffer overflow has been the most common attack technique: by exploiting one, an intruder can easily gain partial or complete control of a system. An overflow attack writes more data into a buffer than the space allocated for it, corrupting the process stack or other data areas so that the process jumps to code of the attacker's choosing. Such an attack therefore has two goals: first, to inject attack code (shellcode) into the process; second, to overwrite a control value such as the saved return address so that execution is redirected to the shellcode. When the vulnerable program runs with root privilege, the shell the intruder obtains inherits that privilege, turning an ordinary user's access into a root shell.

Present-day overflow attacks make use of the dynamic linking and address resolution of ELF executables, and craft and disguise shellcode carefully in order to evade firewalls and intrusion detection systems. Through an analysis of ELF dynamic linking, of the structure and characteristics of shellcode, and of buffer overflow techniques, this thesis proposes a shellcode detection method and an analysis formula based on abnormal binary code sequences. The method combines inspection of the arguments and environment variables passed to a program with tracking of user privilege during execution, and the Linux kernel is modified to implement a detection prototype at the execve() system call. The thesis also puts forward a scheme for preventing fake stack frames by checking the saved ebp value.
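The following is an added example, not code from the thesis or its kernel prototype. It models a 32-bit stack frame in a byte array so that an unchecked copy can be shown overwriting the saved ebp and the return address without corrupting real memory, and then applies two heuristic checks of the kind the abstract describes: a byte-pattern scan over an execve() argument or environment string, and a sanity check of the saved ebp against the current frame and the top of the stack. All addresses (STACK_TOP, CALLEE_EBP, CALLER_EBP, RET_LEGIT), the NOP-sled threshold, the flag names and the payload bytes are hypothetical values chosen for illustration; the "shellcode" in the payload is a constructed fragment ending in int 0x80 and is not a working exploit.

```c
/* Added example, not code from the thesis: a simulated 32-bit stack frame
 * that shows how an unchecked copy overwrites the saved ebp and the return
 * address, together with two heuristic checks of the kind the abstract
 * describes. All addresses, byte patterns and thresholds are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame of a function with a 16-byte local buffer (low -> high address):
 *   [ buf[16] ][ saved ebp (4) ][ return address (4) ]                   */
#define BUF_LEN   16
#define FRAME_LEN (BUF_LEN + 4 + 4)
struct frame { uint8_t bytes[FRAME_LEN]; };

/* Hypothetical addresses. The x86 stack grows downward, so a legitimate
 * caller frame always lies above (at a higher address than) the callee. */
#define STACK_TOP  0xBFFFF000u
#define CALLEE_EBP 0xBFFFE800u             /* address of this frame's saved-ebp slot */
#define BUF_ADDR   (CALLEE_EBP - BUF_LEN)  /* 0xBFFFE7F0, where buf[] starts        */
#define CALLER_EBP 0xBFFFE830u             /* legitimate saved ebp (caller's frame)  */
#define RET_LEGIT  0x08048480u             /* legitimate return address in .text     */

static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t frame_saved_ebp(const struct frame *f) { return load_le32(f->bytes + BUF_LEN); }
static uint32_t frame_ret(const struct frame *f)       { return load_le32(f->bytes + BUF_LEN + 4); }

static void frame_init(struct frame *f) {
    memset(f->bytes, 0, FRAME_LEN);
    store_le32(f->bytes + BUF_LEN, CALLER_EBP);
    store_le32(f->bytes + BUF_LEN + 4, RET_LEGIT);
}

/* The vulnerable pattern: a strcpy-style copy into buf with no length check.
 * The copy is clamped to the simulated frame so the example cannot corrupt
 * real memory; the damage it models is to the saved ebp and return address. */
static void unsafe_copy(struct frame *f, const uint8_t *src, size_t n) {
    memcpy(f->bytes, src, n > FRAME_LEN ? FRAME_LEN : n);
}

/* Constructed attack input (no NUL bytes, so it survives as an argv string):
 * 8-byte NOP sled, shellcode-like bytes ending in int 0x80, padding,
 * a junk saved ebp, and a return address pointing back into the sled. */
static size_t build_payload(uint8_t *out, size_t cap) {
    static const uint8_t code[] = { 0x31, 0xC0, 0xB0, 0x0B, 0xCD, 0x80, 0x90, 0x90 };
    if (cap < FRAME_LEN) return 0;
    memset(out, 0x90, 8);                          /* NOP sled             */
    memcpy(out + 8, code, sizeof code);            /* fills buf[8..15]     */
    store_le32(out + BUF_LEN, 0x90909090u);        /* overwrites saved ebp */
    store_le32(out + BUF_LEN + 4, BUF_ADDR + 4);   /* RET -> inside sled   */
    return FRAME_LEN;
}

/* Fake-stack-frame check on the saved ebp: a genuine one points strictly
 * above the slot it is stored in, below the top of the stack, and is aligned. */
static int saved_ebp_is_sane(uint32_t saved_ebp, uint32_t current_ebp, uint32_t stack_top) {
    return saved_ebp > current_ebp && saved_ebp < stack_top && (saved_ebp & 3u) == 0;
}

/* Byte-pattern scan over one execve() argument or environment string. */
enum { SC_NOP_SLED = 1, SC_INT80 = 2, SC_BINSH = 4, SC_NONPRINT = 8 };
#define NOP_SLED_MIN 8   /* hypothetical threshold */

static int contains(const uint8_t *buf, size_t len, const char *pat) {
    size_t plen = strlen(pat);
    for (size_t i = 0; plen && i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}
static int scan_shellcode(const uint8_t *buf, size_t len) {
    int flags = 0; size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == 0x90) ? run + 1 : 0;
        if (run >= NOP_SLED_MIN) flags |= SC_NOP_SLED;
        if (i + 1 < len && buf[i] == 0xCD && buf[i + 1] == 0x80) flags |= SC_INT80;
        if (buf[i] < 0x20 || buf[i] > 0x7E) flags |= SC_NONPRINT;
    }
    if (contains(buf, len, "/bin/sh")) flags |= SC_BINSH;
    return flags;
}

/* Whole simulation. Returns a bitmask: 1 = return address was redirected,
 * 2 = the saved-ebp check fires, 4 = the argument scan flags the payload. */
static int run_simulation(void) {
    struct frame f; uint8_t payload[FRAME_LEN]; int result = 0;
    frame_init(&f);
    size_t n = build_payload(payload, sizeof payload);
    unsafe_copy(&f, payload, n);
    if (frame_ret(&f) != RET_LEGIT) result |= 1;
    if (!saved_ebp_is_sane(frame_saved_ebp(&f), CALLEE_EBP, STACK_TOP)) result |= 2;
    if (scan_shellcode(payload, n) & (SC_NOP_SLED | SC_INT80)) result |= 4;
    return result;
}

int main(void) {
    printf("simulation result bitmask: %d\n", run_simulation());
    return 0;
}
```

The ebp check rests on the downward-growing stack: every genuine saved frame pointer must lie above the slot that holds it, so the junk value an overflow leaves there (here 0x90909090) fails the comparison. The scan is a heuristic and will produce false positives on legitimate inputs (a variable such as SHELL=/bin/sh trips SC_BINSH), which is why the abstract pairs it with tracking of user privilege rather than relying on byte patterns alone.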
Keywords/Search Tags: ELF, shellcode, buffer overflow, detection