Automatic Generation of Multi-modules ROP Based on Static Instructions Assignment
  • Original title (Chinese): 基于静态指令分配的多模块ROP自动构造方法
  • Authors: 黄宁; 黄曙光; 黄晖; 邓兆琨
  • Authors (English): HUANG Ning; HUANG Shuguang; HUANG Hui; DENG Zhaokun; School of Electronic Warfare, National University of Defense Technology
  • Keywords: return oriented programming; data execution prevention; static instructions assignment; multi-modules ROP
  • Journal code (Chinese): HNLG
  • Journal (English): Journal of South China University of Technology (Natural Science Edition)
  • Institution: School of Electronic Warfare, National University of Defense Technology
  • Publication date: 2019-06-15
  • Publisher: Journal of South China University of Technology (Natural Science Edition)
  • Year: 2019
  • Issue: v.47; No.393
  • Funding: National Key R&D Program of China, "Cyberspace Security" key special project (2017YFB0802905)
  • Language: Chinese
  • Page: HNLG201906005
  • Page count: 8
  • CN: 06
  • ISSN: 44-1251/T
  • Classification number: 37-44
Abstract
Return oriented programming (ROP) is a technique that can effectively bypass the data execution prevention (DEP) mechanism. Existing techniques for automatic ROP generation do not optimize the static assignment of instructions during module switching in a multi-module ROP payload, so the payload occupies a large amount of memory. To solve this problem, a new static instruction assignment rule, SIA, was designed for the module-switching process of multi-module ROP, building on the existing automatic ROP generation system Q. SIA constructs an intermediate instruction sequence by static instruction assignment, and performs the addressing and pointer modification needed during ROP module switching by dynamic data filling. Experimental results show that, compared with existing techniques, multi-module ROP payloads constructed with the SIA rule occupy less memory space, which improves the practicability of ROP payloads.
References
[1] SHAO Sihao, GAO Qing, MA Sen, et al. Progress in research on buffer overflow vulnerability analysis technologies [J]. Journal of Software, 2018, 29(5): 1179-1198. (in Chinese)
[2] TIAN D, JIA X, ZHAN L, et al. An online approach to defeating return oriented programming attacks [C]//International Symposium on Cyberspace Safety and Security. Xi'an, China: Springer, 2017: 236-247.
[3] WEI Qiang, WEI Tao, WANG Jiajie, et al. Evolution of exploitation and exploit mitigation [J]. Journal of Tsinghua University (Natural Science Edition), 2011, 51(10): 1274-1280. (in Chinese)
[4] SHACHAM H. The geometry of innocent flesh on the bone [C]//ACM Conference on Computer and Communications Security 2007. Alexandria, USA: ACM, 2007: 552-561.
[5] BUCHANAN E, ROEMER R, SHACHAM H, et al. When good instructions go bad: generalizing return-oriented programming to RISC [C]//Proceedings of the 15th ACM Conference on Computer and Communications Security. Alexandria, USA: ACM, 2008: 27-38.
[6] LU K, ZOU D, WEN W, et al. Packed, printable, and polymorphic return-oriented programming [C]//International Conference on Recent Advances in Intrusion Detection. Menlo Park, USA: Springer-Verlag, 2011: 101-120.
[7] CHIPOUNOV V, KUZNETSOV V, CANDEA G. The S2E platform: design, implementation, and applications [J]. ACM Transactions on Computer Systems, 2012, 30(1): 1-49.
[8] HUANG S K, HUANG M H, HUANG P Y, et al. CRAX: software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations [C]//IEEE Sixth International Conference on Software Security and Reliability. Gaithersburg, USA: IEEE Computer Society, 2012: 78-87.
[9] SCHWARTZ E J, AVGERINOS T, BRUMLEY D. Q: exploit hardening made easy [C]//USENIX Conference on Security. San Francisco, USA: USENIX Association, 2011: 25-41.
[10] BRUMLEY D, JAGER I, AVGERINOS T, et al. BAP: a binary analysis platform [C]//International Conference on Computer Aided Verification. Snowbird, USA: Springer-Verlag, 2011: 463-469.
[11] HE Liang, SU Purui. Research progress on automatic exploitation of software vulnerabilities [J]. China Education Network, 2016(s1): 46-48. (in Chinese)
[12] CHIPOUNOV V, KUZNETSOV V, CANDEA G. S2E: a platform for in-vivo multi-path analysis of software systems [C]//ACM SIGARCH Computer Architecture News. New York, USA: ACM, 2011: 265-278.
[13] SANG K C, AVGERINOS T, REBERT A, et al. Unleashing mayhem on binary code [C]//Security and Privacy. San Francisco, CA, USA: IEEE, 2012: 380-394.
[14] XING T, CHEN P, DING W B. BIOP: automatic construction of enhanced ROP attack [J]. Chinese Journal of Computers, 2014, 37(5): 1111-1123.
[15] CHANG Chao, LIU Kesheng, TAN Longdan, et al. Data flow analysis for C program based on graph model [J]. Journal of Zhejiang University (Engineering Science), 2017, 51(5): 1007-1015. (in Chinese)
