计算机科学 (Computer Science) ›› 2020, Vol. 47 ›› Issue (6): 284-293. doi: 10.11896/jsjkx.190700109
Special topic: Information Security (virtual topic)
蒋楚, 王永杰
JIANG Chu, WANG Yong-jie
Abstract: Because code-reuse attacks take many different forms, the corresponding gadgets also differ in structure, and there is currently no general method for describing gadgets across multiple kinds of code-reuse attack. Combining the attack models of several common code-reuse attacks with the Turing machine model, this paper proposes a general model of code-reuse attacks and, in order to describe the gadgets used in code-reuse attacks in a structured way, designs a gadget description language for code-reuse attacks (Gadget Description Language, GDL). First, the paper reviews the development of code-reuse attacks and summarizes their attack models and gadget characteristics; then, on this basis, it designs GDL and gives the syntax specification for GDL's keywords and its various constraint types; finally, building on the open-source projects ply and BARF, it implements GDLgadget, a GDL-based gadget search prototype system, describes the execution flow of GDLgadget, and verifies its usability through experiments.