Research And Implementation Of Vulnerability Defense Technology Based On ELF

With the development of information technology in the 21st century,the information revolution brought by the Internet has penetrated into all walks of life,and has greatly promoted the rapid development of economy,culture,society and other aspects.The vast amount of program codes on the Internet are written by hard-working programmers,and there are many vulnerabilities there.Nowadays,software vulnerabilities have existed for at least 30 years.Every outbreak of vulnerabilities will cause huge economic losses to the society.Linux is the cornerstone of the Internet development.In the past few decades,attacks and defense technologies of software vulnerabilities have spiraled for a long time.Defenders have proposed various defense technologies.Even today,attackers are still able to bypass multiple defense mechanisms by combining multiple vulnerabilities and ultimately control the target system.This thesis further summarizes the essential characteristics of vulnerability exploitation through researching on the types of user-mode software vulnerabilities on Linux platforms in depth,existing defense mechanisms,vulnerabilities bypass technologies and so on.What's more,study the file format and running principle of the ELF in depth and propose a set of vulnerability defense technologies from the perspective of the ELF file itself and the dynamic execution of it in order to limit the attacker's vulnerability exploitation process.Firstly,this thesis proposed an universal Segment extension technique for ELF.After that,inject the protection code and let it to be executed when the program runs,which greatly reduces the attack surface of the program.Then,this thesis proposed a vulnerability mitigation mechanism named Backtrace Canary.When the ELF file is executed,the Backtrace Canary of the function is going to be checked to determine the validity of the function call,which greatly limits the attacker's vulnerability exploitation process.Based on the above two methods,this thesis have designed and implemented a set of vulnerability prevention systems,including a static vulnerability prevention subsystem and a dynamic vulnerability prevention subsystem.Experiments show that the vulnerability defense system is very practical.And it can effectively prevent attackers from gaining control of the Linux operating system through software vulnerabilities.