Journal of Software (软件学报) ISSN 1000-9825, CODEN RUXUEW, E-mail: jos@iscas.ac.cn
Journal of Software,2020,31(11):3588−3602 [doi: 10.13328/j.cnki.jos.005829] http://www.jos.org.cn
© Copyright Institute of Software, Chinese Academy of Sciences. Tel: +86-10-62562563
ROP Attack Detection Approach Based on Hardware Branch Information*
LI Wei-Wei (李威威)^1,2, MA Yue (马越)^1,2, WANG Jun-Jie (王俊杰)^1, GAO Wei-Yi (高伟毅)^1, YANG Qiu-Song (杨秋松)^1, LI Ming-Shu (李明树)^1
1 (National Engineering Research Center of Fundamental Software, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China)
2 (University of Chinese Academy of Sciences, Beijing 100049, China)
Corresponding author: LI Wei-Wei, E-mail: weiwei@nfs.iscas.ac.cn
Abstract: Control flow integrity (CFI) is an effective way to defend against return-oriented programming (ROP) attacks. To address four major problems of existing CFI approaches, namely high performance overhead, dependence on program code information, vulnerability to history flushing attacks, and vulnerability to evasion attacks, this paper proposes a ROP attack detection approach based on hardware branch information, MIBChecker (mispredicted indirect branch checker). The approach uses the event-triggering mechanism of the hardware performance monitor unit (PMU) in real time to perform ROP attack detection on every mispredicted indirect branch, which rules out the possibility of a history flushing attack; it also proposes a new detection method based on the parameters of sensitive system calls to detect ROP attacks that use short gadget chains (gadgets-chain). Experimental results show that MIBChecker can detect short ROP instruction sequences (gadgets) without being affected by history flushing attacks, can effectively detect both conventional ROP attacks and evasion attacks, and introduces only 5.7% performance overhead.
Key words: return-oriented programming; control flow integrity; history flushing attack; evasion attack
CLC number: TP309
Chinese citation format: 李威威,马越,王俊杰,高伟毅,杨秋松,李明树. 基于硬件分支信息的 ROP 攻击检测方法 [ROP Attack Detection Approach Based on Hardware Branch Information]. 软件学报 [Journal of Software], 2020,31(11):3588−3602. http://www.jos.org.cn/1000-9825/5829.htm
English citation format: Li WW, Ma Y, Wang JJ, Gao WY, Yang QS, Li MS. ROP attack detection approach based on hardware branch information. Ruan Jian Xue Bao/Journal of Software, 2020,31(11):3588−3602 (in Chinese). http://www.jos.org.cn/1000-9825/5829.htm
ROP Attack Detection Approach Based on Hardware Branch Information
LI Wei-Wei^1,2, MA Yue^1,2, WANG Jun-Jie^1, GAO Wei-Yi^1, YANG Qiu-Song^1, LI Ming-Shu^1
1 (National Engineering Research Center of Fundamental Software, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China)
2 (University of Chinese Academy of Sciences, Beijing 100049, China)
Abstract: Control flow integrity (CFI) is an effective method for defending against return-oriented programming (ROP) attacks. To address the four drawbacks of current CFI approaches, i.e., high performance overhead, reliance on program code information, susceptibility to history flushing attacks, and susceptibility to evasion attacks, this study proposes a ROP attack detection approach based on hardware branch information: the mispredicted indirect branch checker, called MIBChecker. It performs real-time ROP detection on every mispredicted indirect branch via events triggered by the performance monitor unit, and introduces a new detection approach based on critical syscall data to defend against ROP attacks that use short gadget chains. Experiments show that MIBChecker can detect gadgets without being affected by history flushing attacks, and can effectively detect common ROP attacks and evasion attacks with only 5.7% performance overhead.
Key words: return-oriented programming; control flow integrity; history flushing attack; evasion attack
ROP attacks are currently one of the main forms of control-flow hijacking attack; how to defend against ROP attacks has in recent years been a research
* Foundation item: National Science and Technology Major Program for Core Electronic Device, High-end Chip, and Basic Software Product (2014ZX01029101-002); Strategic Priority Research Program of the Chinese Academy of Sciences (XDA-Y01-01)
Received 2018-07-14; Revised 2018-11-06; Accepted 2019-02-28