Computer Science (计算机科学) ›› 2022, Vol. 49 ›› Issue (10): 279-284. doi: 10.11896/jsjkx.220500091

• Information Security •

Defense Method Against Code Reuse Attack Based on Real-time Code Loading and Unloading
(Chinese title: 一种基于实时代码装卸载的代码重用攻击防御方法)

HOU Shang-wen (侯尚文), HUANG Jian-jun (黄建军), LIANG Bin (梁彬), YOU Wei (游伟), SHI Wen-chang (石文昌)

  1. School of Information, Renmin University of China, Beijing 100872, China
  • Received: 2022-05-11  Revised: 2022-07-23  Online: 2022-10-15  Published: 2022-10-13
  • Corresponding author: HUANG Jian-jun (hjj@ruc.edu.cn)
  • Author e-mail: 18810968233@163.com
  • About the authors: HOU Shang-wen, born in 1997, postgraduate, is a member of China Computer Federation. His main research interests include software security analysis.
    HUANG Jian-jun, born in 1986, Ph.D., assistant professor, master supervisor, is a member of China Computer Federation. His main research interests include program analysis, vulnerability detection and mobile security.
  • Supported by: National Natural Science Foundation of China (U1836209).

Abstract: In recent years, the code reuse attack has become a mainstream attack against binary programs. A code reuse attack such as ROP chains instruction fragments (gadgets) that already exist in the memory space into a sequence that carries out a specific function, and so achieves a malicious goal. Starting from the basic principle of code reuse attacks, this paper proposes a defense based on loading and unloading function code in real time: the code space is trimmed by dynamic loading and unloading, which shrinks the attack surface and so defends against code reuse. First, the function information of the protected program's dependent libraries is obtained by static analysis, and that information is used in the form of replacement libraries. Second, a real-time function-loading operation, together with an automatically triggered and automatically restored load/unload flow, is introduced into the Linux dynamic loader; to cut the high overhead that frequent unloading would cause, a randomized batch unloading mechanism is designed. Finally, experiments in a real environment verify the effectiveness of the scheme against code reuse attacks and show the value of the randomized unloading strategy.

Key words: Code reuse attack, Real-time code loading and unloading, Return oriented programming, Dynamic link library, Randomized unloading
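The load/unload mechanism the abstract describes can be prototyped inside a single process without modifying ld.so. The C program below is an added example written for this page; it is not the authors' loader modification and it omits their static-analysis step. It assumes Linux on x86-64 or aarch64, a "library" of two hand-assembled functions (each just returns a constant) placed one per page, a trampoline call_lib() standing in for the replacement-library entry point, a constructed call trace, and a constructed unload threshold range of 2..5 calls. A function's page is made executable only when it is called (real-time load), and every loaded function is made inaccessible again once a random number of calls in that range has been made (randomized batch unload), so that a gadget scan over the library finds no ret sites between batches. All names, byte sequences, ranges and the trace are assumptions of this example.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hand-assembled, position-independent "library functions" (constructed for
 * this example): each returns a constant. RET_BYTES is the gadget terminator
 * an attacker would scan for. */
#if defined(__x86_64__)
static const uint8_t CODE_A[] = { 0xb8, 42, 0, 0, 0, 0xc3 };  /* mov eax,42 ; ret */
static const uint8_t CODE_B[] = { 0xb8, 7, 0, 0, 0, 0xc3 };   /* mov eax,7  ; ret */
static const uint8_t RET_BYTES[] = { 0xc3 };
#elif defined(__aarch64__)
static const uint8_t CODE_A[] = { 0x40,0x05,0x80,0x52, 0xc0,0x03,0x5f,0xd6 }; /* mov w0,#42 ; ret */
static const uint8_t CODE_B[] = { 0xe0,0x00,0x80,0x52, 0xc0,0x03,0x5f,0xd6 }; /* mov w0,#7  ; ret */
static const uint8_t RET_BYTES[] = { 0xc0,0x03,0x5f,0xd6 };
#else
#error "this example carries machine code for x86-64 and aarch64 only"
#endif
#define RET_LEN (sizeof RET_BYTES)

typedef int (*libfn_t)(void);

struct lib_func {
    const uint8_t *code; size_t len;
    uint8_t *page;      /* one page per function; PROT_NONE while unloaded */
    int loaded;
};

static struct lib_func g_funcs[] = {
    { CODE_A, sizeof CODE_A, NULL, 0 },   /* hypothetical lib_answer() */
    { CODE_B, sizeof CODE_B, NULL, 0 },   /* hypothetical lib_seven()  */
};
#define NFUNCS (sizeof g_funcs / sizeof g_funcs[0])

/* Loader state: calls since the last batch unload, the randomized threshold at
 * which the next batch fires, its range, and how many loads were paid for. */
static unsigned g_calls = 0, g_threshold = 0, g_lo = 2, g_hi = 5, g_loads = 0;

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }
static void pick_threshold(void) { g_threshold = g_lo + (unsigned)rand() % (g_hi - g_lo + 1); }

/* Real-time load: map the function's page, copy its code in, flip it to RX. */
static void load_func(struct lib_func *f) {
    if (f->loaded) return;
    if (!f->page) {
        f->page = mmap(NULL, page_size(), PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (f->page == MAP_FAILED) { perror("mmap"); exit(1); }
    }
    if (mprotect(f->page, page_size(), PROT_READ | PROT_WRITE) != 0) { perror("mprotect"); exit(1); }
    memcpy(f->page, f->code, f->len);
    __builtin___clear_cache((char *)f->page, (char *)f->page + f->len);
    if (mprotect(f->page, page_size(), PROT_READ | PROT_EXEC) != 0) { perror("mprotect"); exit(1); }
    f->loaded = 1;
    g_loads++;
}

/* Batch unload: discard every loaded function's bytes and access rights, then
 * draw a fresh random threshold for the next batch. */
static void unload_all(void) {
    for (size_t i = 0; i < NFUNCS; i++) {
        struct lib_func *f = &g_funcs[i];
        if (!f->loaded) continue;
        madvise(f->page, page_size(), MADV_DONTNEED);  /* drop the code bytes */
        mprotect(f->page, page_size(), PROT_NONE);     /* and make the page unreachable */
        f->loaded = 0;
    }
    g_calls = 0;
    pick_threshold();
}

/* Trampoline the protected program calls instead of the library symbol: load on
 * demand, call, and fire the batch unload once the random threshold is reached. */
static int call_lib(size_t idx) {
    struct lib_func *f = &g_funcs[idx];
    libfn_t fn;
    if (g_threshold == 0) pick_threshold();
    load_func(f);
    memcpy(&fn, &f->page, sizeof fn);   /* object-to-function pointer without a cast warning */
    int r = fn();
    if (++g_calls >= g_threshold) unload_all();
    return r;
}

/* Attacker's view: count ret-terminated gadget sites in code that is currently
 * reachable. Unloaded pages are PROT_NONE, so a real scan there would fault. */
static size_t exposed_ret_sites(void) {
    size_t n = 0;
    for (size_t i = 0; i < NFUNCS; i++) {
        const struct lib_func *f = &g_funcs[i];
        if (!f->loaded) continue;
        for (size_t off = 0; off + RET_LEN <= f->len; off += RET_LEN)
            if (memcmp(f->page + off, RET_BYTES, RET_LEN) == 0) n++;
    }
    return n;
}

struct run_stats { int sum; size_t peak_exposed; unsigned loads; };

/* Drive a constructed call trace under a given unload range and report the
 * worst exposure an attacker saw and the load overhead paid. */
static struct run_stats run_trace(unsigned seed, unsigned lo, unsigned hi) {
    static const size_t trace[] = { 0, 1, 0, 0, 1, 1, 0, 1, 0, 0 };  /* constructed */
    struct run_stats s = { 0, 0, 0 };
    srand(seed); g_lo = lo; g_hi = hi; g_loads = 0;
    unload_all();                        /* start from an empty code space */
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        s.sum += call_lib(trace[i]);
        size_t e = exposed_ret_sites();
        if (e > s.peak_exposed) s.peak_exposed = e;
    }
    s.loads = g_loads;
    return s;
}

int main(void) {
    struct run_stats a = run_trace(1234, 2, 5);        /* randomized batch unload */
    struct run_stats b = run_trace(1234, 1000, 1000);  /* never unload: baseline */
    printf("randomized 2..5: sum=%d peak_ret_sites=%zu loads=%u\n", a.sum, a.peak_exposed, a.loads);
    printf("never unload   : sum=%d peak_ret_sites=%zu loads=%u\n", b.sum, b.peak_exposed, b.loads);
    return 0;
}
```

Build with `cc -O0 -o unload_demo unload_demo.c` and run it: the baseline keeps both functions mapped for the whole trace (two ret sites exposed, two loads), while the randomized policy pays extra loads in exchange for windows in which no library code is reachable at all; widening the threshold range lowers the reload overhead at the cost of longer exposure windows, which is the trade-off the randomized batch policy tunes. Note that this toy unloads only between calls, after the callee has returned; a real implementation must also handle code that is still active on the stack (for instance a library function that calls back into the program) when a batch fires.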

CLC number: TP309.5