Computer Science (计算机科学), 2020, Vol. 47, Issue 6: 284-293. doi: 10.11896/jsjkx.190700109

Topic: Information Security (virtual special issue)

• Information Security •

GDL: A Gadget Description Language for General Code Reuse Attacks

JIANG Chu, WANG Yong-jie

  1. College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China
  • Received: 2019-07-17  Online: 2020-06-15  Published: 2020-06-10
  • Corresponding author: WANG Yong-jie (w_yont_j@189.cn)
  • About the authors: JIANG Chu, born in 1995, postgraduate (1532173962@qq.com), is a member of China Computer Federation. His main research interests include software security.
    WANG Yong-jie, born in 1974, Ph.D., associate professor. His main research interests include cyber security.

Abstract: Because code reuse attacks come in many variants and the corresponding gadgets differ in structure, there is currently no general method for describing the gadgets used by multiple kinds of code reuse attack. Combining the attack models of several common code reuse attacks with the Turing machine model, this paper proposes a general model of code reuse attack and, to describe the gadgets of such attacks structurally, designs a Gadget Description Language (GDL). First, the development of code reuse attacks is reviewed, and their attack models and gadget characteristics are summarized. Second, GDL is designed on that basis, and its keywords and the grammar of each constraint type are specified. Finally, a GDL-based gadget search prototype, GDLgadget, is implemented on top of the open-source projects ply and BARF; its execution flow is described, and experiments verify its usability.

Key words: attack model, code reuse attack, gadget description, gadget search (gadget discovery), Turing machine model
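The abstract describes a description-driven gadget search: a structural description of the wanted gadget (how it ends, which registers it must define, which it must leave alone, how long it may be) is matched against gadgets recovered from a binary. The block below is an added example written for this page, not the paper's GDL syntax and not code from the GDLgadget prototype (which builds on ply and BARF). It decodes only a tiny hand-picked x86-32 opcode subset, uses a hypothetical one-line `key=value` constraint syntax, and runs over constructed code bytes; all three are assumptions of the example. The search itself follows the Galileo approach from Shacham's 2007 paper (walk backwards from every terminator), and the terminator kinds `ret`, `jmp reg` and `call reg` are what distinguish return-, jump- and call-oriented chains.

```python
"""Added illustration of description-driven gadget search (not the paper's GDL or
GDLgadget).  Only a tiny x86-32 subset is decoded; any other byte is undecodable."""
from typing import NamedTuple

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

class Insn(NamedTuple):
    text: str
    length: int
    writes: frozenset = frozenset()   # explicit destination registers only
    kind: str = ""                    # "ret"/"jmp"/"call" marks a terminator

def decode_one(buf, off):
    """Decode one instruction of the supported subset at buf[off], else None."""
    b = buf[off]
    if b == 0xC3:
        return Insn("ret", 1, kind="ret")
    if 0x50 <= b <= 0x57:                              # push r32 (esp not tracked)
        return Insn(f"push {REGS[b - 0x50]}", 1)
    if 0x58 <= b <= 0x5F:                              # pop r32
        r = REGS[b - 0x58]
        return Insn(f"pop {r}", 1, frozenset({r}))
    if 0xB8 <= b <= 0xBF and off + 5 <= len(buf):      # mov r32, imm32
        r = REGS[b - 0xB8]
        imm = int.from_bytes(buf[off + 1:off + 5], "little")
        return Insn(f"mov {r}, {imm:#x}", 5, frozenset({r}))
    if b == 0xFF and off + 1 < len(buf):               # call r32 / jmp r32
        m = buf[off + 1]
        if 0xD0 <= m <= 0xD7:
            return Insn(f"call {REGS[m - 0xD0]}", 2, kind="call")
        if 0xE0 <= m <= 0xE7:
            return Insn(f"jmp {REGS[m - 0xE0]}", 2, kind="jmp")
    return None

class Gadget(NamedTuple):
    offset: int
    insns: tuple        # body instructions followed by the terminator
    kind: str           # terminator kind: "ret", "jmp" or "call"
    writes: frozenset   # registers the body writes
    def __str__(self):
        return f"{self.offset:#06x}: " + " ; ".join(i.text for i in self.insns)

def find_gadgets(buf, max_body_bytes=8):
    """Galileo-style: for each terminator, a start up to max_body_bytes before it
    is a gadget iff decoding forward reaches exactly that terminator first."""
    found = []
    for term in range(len(buf)):
        t = decode_one(buf, term)
        if t is None or not t.kind:
            continue
        for start in range(max(0, term - max_body_bytes), term + 1):
            body, off = [], start
            while off < term:
                i = decode_one(buf, off)
                if i is None or i.kind:        # undecodable, or an earlier terminator
                    break
                body.append(i)
                off += i.length
            if off == term:
                found.append(Gadget(start, tuple(body) + (t,), t.kind,
                                    frozenset().union(*(i.writes for i in body))))
    return found

def parse_query(text):
    """Hypothetical constraint syntax for this example (not GDL), e.g.
    'end=ret writes=eax,ecx avoid=ebx max=3'."""
    q = {"end": None, "writes": set(), "avoid": set(), "max": None}
    for tok in text.split():
        key, _, val = tok.partition("=")
        if key == "end" and val in ("ret", "jmp", "call"):
            q["end"] = val
        elif key in ("writes", "avoid") and set(val.split(",")) <= set(REGS):
            q[key] = set(val.split(","))
        elif key == "max" and val.isdigit():
            q["max"] = int(val)
        else:
            raise ValueError(f"bad constraint: {tok!r}")
    return q

def search(gadgets, query_text):
    """Return the gadgets satisfying every constraint of the query."""
    q = parse_query(query_text)
    return [g for g in gadgets
            if (q["end"] is None or g.kind == q["end"])
            and q["writes"] <= g.writes and not (q["avoid"] & g.writes)
            and (q["max"] is None or len(g.insns) - 1 <= q["max"])]

# Constructed code bytes (not from any real binary); intended stream in comments.
# 0x56 inside the mov immediate also decodes as "push esi", an unintended start.
BLOB = bytes([
    0x58, 0xC3,                                 # pop eax ; ret
    0xB8, 0x78, 0x56, 0x34, 0x12, 0xFF, 0xE0,   # mov eax, 0x12345678 ; jmp eax
    0x59, 0xFF, 0xD1,                           # pop ecx ; call ecx
    0x58, 0x59, 0xC3,                           # pop eax ; pop ecx ; ret
])

if __name__ == "__main__":
    for query in ("end=ret writes=eax", "end=ret writes=eax avoid=ecx", "end=jmp writes=eax"):
        print(query, *search(find_gadgets(BLOB), query), sep="\n    ")
```

Two things the example shows that a real search tool must also handle: the backward walk recovers unintended gadgets (the `pop ecx ; ret` starting inside `pop eax ; pop ecx ; ret`, and the `push esi` hidden inside an immediate), and a constraint such as `avoid=ecx` is what separates a usable `pop eax ; ret` from one that clobbers a register the chain still needs. Register writes here are explicit destinations only; a real tool would also model the implicit `esp` adjustment of `push`, `pop`, `ret` and `call`.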

CLC number: TP309