Computer Science ›› 2020, Vol. 47 ›› Issue (6): 284-293. doi: 10.11896/jsjkx.190700109

Special Issue: Information Security


GDL:A Gadget Description Language for General Code Reuse Attack

JIANG Chu, WANG Yong-jie   

  1. College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China
  • Received: 2019-07-17; Online: 2020-06-15; Published: 2020-06-10
  • About the authors: JIANG Chu, born in 1995, postgraduate, is a member of the China Computer Federation. His main research interests include software security.
    WANG Yong-jie, born in 1974, Ph.D., associate professor. His main research interests include cyber security.

Abstract: Code reuse attacks come in several variants, and the gadgets each variant relies on differ in structure, so there has been no general method for describing gadgets across multiple kinds of code reuse attack. Combining several common code reuse attack models with the Turing machine, this paper proposes a general model of code reuse attack and designs a gadget description language (GDL) that describes the gadgets used in code reuse attacks in a structured way. First, the development history of code reuse attacks is reviewed, and the attack models and gadget characteristics of code reuse attacks are summarized. Second, GDL is designed, and the keywords and grammar of each constraint type in GDL are specified. Finally, a GDL-based gadget searching prototype named GDLgadget is implemented on top of the open-source projects ply and BARF; its execution process is described and its effectiveness is verified experimentally.

Key words: Attack model, Code reuse attack, Gadget description, Gadget discovery, Turing machine

CLC Number: TP309