利用返回地址保护机制防御代码复用类攻击

摘要/Abstract

摘要： 尽管现有多种防御方法和技术,但是针对软件系统和网络的攻击仍然是难以防范的威胁。在引入只读/写和地址空间随机化排列方法后,现代操作系统能有效地应对恶意代码注入类型的攻击。但是攻击者可以利用程序中已经存在的代码,将其组装成具有图灵完全计算功能的连续的代码块,用以绕过已有的防御机制。针对代码复用类攻击防御方法的局限性, 提出了一种利用返回地址实时保护机制的防御方法,以有效防御代码复用类攻击,特别是ROP攻击。在程序运行时,通过对其栈中返回地址值的加密保护和实时检测,防止所有的以0xC3字符(即ret指令)结尾的短序列代码段的连续执行。该方法不需要源代码和调试信息,能完全防御ROP攻击,并且其性能开销也具有明显的优势。

关键词: 代码复用类攻击,ROP攻击,返回地址保护,二进制代码动态翻译中图法分类号TP303.08文献标识码A

Abstract: Despite the numerous prevention and protection techniques that have been developed,the exploitation of memory corruption vulnerabilities still represents a serious threat to the security of software systems and networks．Because of the adoption of the write or execute only policy (W⊕X) and address space layout randomization (ASLR),modern operate systems have been strengthened against code injection attacks．However,attackers have responded by employing code reuse attacks,in which software vulnerability is exploited to weave control flow through existing code base.Solutions targeting different aspects of the attack itself have got some success,but none of them can be a silver bullet．Under this situation,a novel defense technique was presented in order to prevent code reuse attacks,especially return-oriented programming (ROP) attacks．This new defense technique,which was benefit from the protection of return address,could dynamically prevent the execution of gadgets ending with 0xc3．Without requiring access to side information such as source code or debugging information,this defense technique could prevent ROP attacks with low performance overhead.

Key words: Code reuse attacks,Return-oriented programming attacks,Return address protection,Binary dynamic translation

陈林博,江建慧,张丹青. 利用返回地址保护机制防御代码复用类攻击[J]. 计算机科学, 2013, 40(9): 93-98. https://doi.org/

CHEN Lin-bo,JIANG Jian-hui and ZHANG Dan-qing. Prevention of Code Reuse Attacks through Return Address Protection[J]. Computer Science, 2013, 40(9): 93-98. https://doi.org/

参考文献

[1] Designer S．Getting around non-executable stack (and fix)[EB/OL]．http://seclists.org/bugtraq/1997/Aug/63, Bugtraq,1997
[2] Nergal．The Advanced Return-into-libc(c) Exploits:PaX Case Study[J]．Phrack Magazine,2001,11(0x58)
[3] Shacham H．The Geometry of Innocent Flesh on the Bone:Return-into-libc without Function Calls (on the x86) [C]∥Proceedings of ACM Conference on Computer and Communications Security (CCS)．Whistler:ACM New York Press,2007:552-561
[4] Rop attack against data execution prevention technology [EB/OL]．http://www.h-online.com/security/news/item/Exploit-s-new-technology-trick-%dodges-memory-protection-959253.ht-ml,2012-12
[5] Cowan C,Pu C,Maier D,et al．StackGuard:automatic adaptive detection and prevention of buffer-overflow attacks [C]∥Proceedings of the 7th Conference on USENIX Security Sympo-sium．San Antonio:USENIX Association,1998:63-78
[6] Etoh H．ProPolice:GCC extension for protecting applicationsfrom stack-smashing attacks [EB/OL]．http://www.trl.ibm.com/projects/security/ssp/
[7] Cowan C,Beattie S,Johansen J,et al．Point-guard:Protectingpointers from buffer overflow vulnerabilities [C]∥Proceedings of the 12th USENIX Security Symposium．Washington:USENIX Association,2003:91-104
[8] Vendicator．Stack Shield technical info file v0.7[EB/OL].http://www.angelfire.com/sk/stackshield/,2012-12
[9] Frantzen M,Shuey M．StackGhost:Hardware facilitated stack protection [C]∥Proceedings of the 10th USENIX Security Symposium．Washington:USENIX Association,2001:271-286
[10] Abadi M,Budiu M,Erilingsson U,et al.Control-Flow Integrity:Principles,Implementations,and Applications[J]．ACM Transa-ctions on Information and System Security,2009,13(1)
[11] Kiriansky V,Bruening D,Amarasinghe S．Secure Execution Via Program Shepherding [C]∥Proceedings of 11th USENIX Security Symposium．San Francisco:USENIX Association,2002:191-206
[12] Bletsch T,Jiang Xu-xian,Freeh V．Mitigating Code-Reuse At-tacks with Control-Flow Locking [C]∥Proceedings of the 27th Annual Computer Security Applications Conference．Orlando:ACM New York Press,2011:353-362
[13] Chen Lin-bo,Jiang Jian-hui,Zhang Dan-qing.Code Reuse Prevention through Control Flow Lazily Check [C]∥Proceedings of the 2012IEEE 18th Pacific Rim International Symposium on Dependable Computing．Niigata:IEEE Computer Society,2012:51-60
[14] Li J,Wang Z,Jiang X,et al.Defeating return-oriented rootkits with return-less kernels [C]∥Proceedings of the 5th European Conference on Computer Systems．Paris:ACM New York Press,2010:195-208
[15] Onarlioglu K,Bilge L,Lanzi A,et al．G-Free:Defeating return-oriented programming through gadget-less binaries [C]∥Proceedings of 26th Annual Computer Security Applications Conference．Austin:ACM New York Press,2010:49-58
[16] Pappas V,Polychronakis M,Keromytis A D．Smashing theGadgets:Hindering Return-Oriented Programming Using In-Place Code Randomization[C]∥Proceedings of IEEE Sympo-sium on Security and Privacy．Oakland:IEEE Computer Society,2012:601-615
[17] Hiser J,Nguyen-Tuong A,Co M,et al．ILR:where’d my gadget go [C]∥Proceedings of IEEE Symposium on Security and Privacy．Oakland:IEEE Computer Society,2012:571-585
[18] Wartell R,Mohan V,Hamlen K W,et al．Binary Stirring:Self-randomizing Instruction Addresses of Legacy x86Binary Code [C]∥Proceedings of the 2012ACM Conference on Computer and Communications Security．Raleigh,North Carolina:ACM New York Press,2012:157-168
[19] Chen P,Xiao H,Shen X,et al.Drop:Detecting Return-oriented Programming Malicious Code [C]∥Proceedings of the 5th International Conference on Information Systems Security．Kolka-ta,India:Springer,2009:163-177
[20] Davi L,Sadeghi A,Winandy M．Dynamic Integrity Measurement and Attestation:Towards Defense against Return-oriented Programming Attacks [C]∥Proceedings of the 2009ACM Workshop on Scalable Tursted Computing．Chicago:ACM New York Press,2009:49-54
[21] Davi L,Sadeghi A,Winandy M．ROPdefender:A detection tool to defend against return-oriented programming attacks [C]∥Proceedings of the 6th ACM Symposium on Information,Computer and Communications Security．Hong Kong:ACM New York Press,2011:40-51
[22] Chi-Keung Luk,Cohn R,Muth R,et al．Pin:Building Customi-zed Program Analysis Tools with Dynamic Instrumentation [C]∥Proceedings of 2005ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)．Chicago:ACM New York Press,2005:190-200
[23] Adobe CoolType SING Table ‘uniqueName’ Stack Buffer Overflow [EB/OL]．http://www.exploit-db.com/exploits/16619/,2010-09-25
[24] Integard Pro 2.2.0.9026(Win7ROP-Code Metasploit Module) [EB/OL]．http://www.exploit-db.com/exploits/15016/,2010-09-25
[25] MPlayer (r33064Lite) Buffer Overflow + ROP exploit [EB/OL]． http://www.exploit-db.com/exploits/17124/,2011-04-06
[26] Checkoway S,Davi L,Dmitrienko A．Return-Oriented Programming without Returns [C]∥Proceedings of ACM Conference on Computer and Communications Security (CCS)．Chicago:ACM New York Press,2010:559-572
[27] Zovi D D．SOURCE Boston 2010: Practical return-oriented programming[EB/OL]．http://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf
[28] Bhatkar S,Sekar R,DuVarney D C．Efficient Techniques forComprehensive Protection from Memory Error Exploits [C]∥Proceedings of 14th USENIX Security Symposium．Baltimore:USENIX Association,2005:105-120
[29] Roglia G,Martignoni L,Paleari R,et al．Surgically returning to randomized lib(c) [C]∥Proceedings of Annual Computer Security Applications Conference．Honolulu:ACM New York Press,2009:60-69
[30] Chiueh T-C,Hsu F-H．RAD:A compile-time solution to buffer overflow attacks [C]∥Proceedings of the 21st International Conference on Distributed Computing Systems．Phoenix:IEEE Computer Society,2001:409-420
[31] Schwartz E J,et al．Q:exploit hardening made easy[C]∥Proceedings of 20th USENIX Security Symposium．San Francisco:USENIX Association,2011:379-394

Metrics

Viewed

Full text

Abstract

Cited

Shared

Discussed