Unlock instant, AI-driven research and patent intelligence for your innovation.

A virtual machine-based rop attack detection method and system

An attack detection and virtual machine technology, applied in the field of system security, can solve problems such as insufficient detection and prevention methods, failure of ROP attack protection, etc., and achieve the effects of protection availability, low false alarm rate, and high detection rate

Active Publication Date: 2014-10-01
INST OF INFORMATION ENG CHINESE ACAD OF SCI
View PDF5 Cites 0 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

For these ROP attack construction methods, the current detection and prevention methods have revealed shortcomings
In addition, since the current prevention methods are all implemented on the operating system and rely on the security of the operating system itself, when the credibility of the attacked system itself cannot be guaranteed, the protection against ROP attacks will fail

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • A virtual machine-based rop attack detection method and system
  • A virtual machine-based rop attack detection method and system
  • A virtual machine-based rop attack detection method and system

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0040] The technical scheme of the present invention is described in detail below in conjunction with accompanying drawing:

[0041] Such as figure 2 Shown, the ROP attack defense system based on virtual machine of the present invention, this system is based on virtual machine, is made up of six main parts: event processing module, stack mark module, breakpoint location module, stack inspection module, dynamic link library location module and attack isolation module. In order to realize the interception of stack write operation and check of stack content in the process of ROP detection and attack defense, three event handlers in the virtual machine are modified in the event processing module. When the context is switched to the process to be protected and the stack inspection is performed, the stack marking module is responsible for marking the stack as read-only, thereby causing a page fault so that the write operation to the stack can be intercepted and processed. The bre...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

Belonging to the technical field of system safety, the invention discloses an ROP attack detection method and an ROP attack detection system based on a virtual machine. The method comprises: 1) running a to-be-protected operating system in a virtual domain environment; 2) positioning a set target process, and acquiring the process information of the target process; 3) monitoring the running of the process in the system, and marking the stack of the current target process as read only when a context switches to the target process; 4) intercepting the write operation occurred after a page error is caused by marking a writable stack memory region as read only, and marking the corresponding stack page as writable; 5) positioning the next place with stack checking need in the implementation of the current target process, and setting a breakpoint; and 6) intercepting the breakpoint and detecting whether the ROP attack exists, stopping the current target process if the ROP attack is detected, continuing to running the target process if the ROP attack is not detected, and marking the stack of the target process as read only. The method has the advantages of a high detection rate, a low rate of false alarm, etc.

Description

technical field [0001] The invention belongs to the technical field of system security, and in particular relates to a virtual machine-based ROP attack detection method and system. Background technique [0002] With the continuous deepening of the application of computer systems in various fields of society, its security issues have become the focus of both industry and academia. Malicious code has always been one of the main threats and hidden dangers of computer system security, and its harmfulness continues to increase with the increase of society's dependence on computer systems. With the continuous development of computer technology, malicious code technology has also been continuously upgraded. The emergence of new attack technologies and the improvement of countermeasures have brought severe challenges to traditional detection and prevention technologies. [0003] The malicious code attack constructed by Return Oriented Programming (ROP) has become one of the difficu...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Patents(China)
IPC IPC(8): G06F21/56G06F9/455G06F21/52G06F21/53
Inventor 贾晓启王蕊姜军
Owner INST OF INFORMATION ENG CHINESE ACAD OF SCI