Computer Science (计算机科学), 2017, Vol. 44, Issue 11: 87-90. doi: 10.11896/j.issn.1002-137X.2017.11.013

• 2016 National Conference on Software and Applications •

Improved Method of Context-sensitive Control Flow Integrity Protection

SHEN Qin-tao (沈钦涛), ZHANG Li (张丽), LUO Lei (罗磊), MA Jun (马俊), YU Jie (余杰) and WU Qing-bo (吴庆波)

  1. College of Computer, National University of Defense Technology, Changsha 410000
  • Online: 2018-12-01 Published: 2018-12-01
  • Funding:
    Supported by Natural Science Foundation projects (61303191, 6130319, 61402503)

Abstract: Facing the threat of control-flow hijacking attacks, industry uses control-flow integrity (CFI) protection to secure process execution. Traditional CFI enforcement mechanisms rely on dynamic binary rewriting, which is hard to analyse and implement and may introduce binary-compatibility problems. This paper studies PathArmor, a context-sensitive control-flow protection technique proposed in recent years, and analyses when it checks a process's control flow. Because PathArmor performs its check only when the process makes a system call, an improved method is proposed. Building on the kernel's page-fault handling, the method deliberately triggers execution faults on executable pages by modifying the protection attributes of user pages; it then modifies the page-fault handling path, hooking do_page_fault to handle the deliberately triggered execution faults. The integrity of the user process's code and data is preserved, while the process gains more opportunities to trap into the kernel for checking. Experimental results with typical applications such as Nginx, bzip2 and SQLite show that the improved method noticeably increases the granularity of the system's security analysis and better protects the program's control flow.

Keywords: control-flow integrity, execution path, hardware feature, control-flow protection, kernel trap

Abstract: Facing the threat of control-flow hijacking, the industry uses control-flow integrity protection technology. Traditional control-flow integrity protection mechanisms that depend on dynamic binary rewriting have difficulty achieving this goal: they are not easy to analyse or implement, and they may also introduce binary-compatibility problems. The recently proposed context-sensitive control-flow integrity scheme, PathArmor, only verifies the control flow when a task makes a system call. To achieve enhanced protection, an improved method is proposed in this paper. The improved method intentionally triggers more page faults by modifying the protection flags of the target task's pages, using the kernel's page-fault mechanism. It then hooks the original system IDT (Interrupt Descriptor Table) and creates a new do_page_fault function to handle the generated page faults. Experiments on typical applications such as nginx, bzip2 and SQLite show that the number of times tasks are verified increases significantly, and better protection is obtained with the improved method.

Key words: Control-flow integrity,Execution path,Hardware feature,Control-flow protection,Kernel trap
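As an added illustration (not code from the paper or its authors), the trap-and-verify cycle the abstract describes is reproduced in user space on Linux: execute permission is revoked on a code page with mprotect, the resulting SIGSEGV plays the role of the hooked do_page_fault, the handler checks the faulting PC against an allowed entry point (a constructed policy standing in for PathArmor's path check) and only then restores execution, so every call into the page becomes a checking opportunity. All names are hypothetical; it assumes x86-64 or AArch64 Linux.

```c
#define _GNU_SOURCE 1
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static unsigned char *code_page;   /* guarded page; all names here are hypothetical */
static size_t page_len;
static uintptr_t allowed_entry;    /* the only legitimate entry point (constructed policy) */
static volatile sig_atomic_t trap_count;   /* how often the process was checked */

/* Analogue of the hooked do_page_fault: each execution fault on the guarded page
 * lands here; verify the faulting PC against policy before restoring execute. */
static void exec_fault_handler(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    if ((uintptr_t)si->si_addr != allowed_entry ||
        mprotect(code_page, page_len, PROT_READ | PROT_EXEC) != 0)
        _exit(99);                 /* policy violation: terminate, never resume */
    trap_count++;                  /* verified: the faulting instruction is retried */
}

/* Put a constructed position-independent function (returns 42) in a fresh page,
 * install the handler, and strip execute permission so the next call traps. */
int install_guard(void) {
#if defined(__x86_64__)
    static const unsigned char fn[] = {0xb8, 0x2a, 0, 0, 0, 0xc3};               /* mov eax,42; ret */
#elif defined(__aarch64__)
    static const unsigned char fn[] = {0x40,0x05,0x80,0x52, 0xc0,0x03,0x5f,0xd6}; /* mov w0,#42; ret */
#else
#error "example targets x86-64 and AArch64 Linux"
#endif
    page_len = (size_t)sysconf(_SC_PAGESIZE);
    code_page = mmap(NULL, page_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code_page == MAP_FAILED) return -1;
    memcpy(code_page, fn, sizeof fn);
    __builtin___clear_cache((char *)code_page, (char *)code_page + sizeof fn);
    allowed_entry = (uintptr_t)code_page;
    struct sigaction sa; memset(&sa, 0, sizeof sa);
    sa.sa_flags = SA_SIGINFO; sa.sa_sigaction = exec_fault_handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    return mprotect(code_page, page_len, PROT_READ);   /* arm the trap */
}

/* Re-arm the trap and call the guarded function: it faults, is verified, resumes. */
int call_guarded(void) {
    int (*fp)(void) = (int (*)(void))(uintptr_t)code_page;
    if (mprotect(code_page, page_len, PROT_READ) != 0) return -1;
    return fp();
}
```

Each call_guarded() produces one fault and one policy check, which is the effect the paper seeks in the kernel: more traps than the once-per-system-call check of PathArmor.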

