Page 286 - Journal of Software (软件学报), 2020, No. 11
Li Weiwei (李威威) et al.: A ROP attack detection method based on hardware branch information    3601
...performance overhead exceeded 10%. The experimental results show that the performance overhead introduced by MIBChecker is within an acceptable range.
5 Conclusion
ROP attacks are one of the main security threats facing the software security field today. This paper studies ROP attacks and proposes MIBChecker, a ROP attack detection method based on hardware branch information. The method has the following advantages.
1) Security: it is the first to use the hardware PMI mechanism to perform ROP detection in real time on every indirect branch that could be used in a ROP attack, which rules out the possibility of history-flushing attacks; it also proposes a sensitive system call parameter check that can effectively detect short gadget-chain ROP attacks.
2) Transparency: detection is triggered directly by the PMU event-triggering mechanism and by interception of sensitive system calls, and all information needed for detection is extracted at run time from the LBR and similar sources, without relying on program source code or debug information; the entire detection process is transparent to the user program.
3) Low performance overhead: by combining hardware mechanisms such as the BPU and PMU with the characteristics of ROP attacks, the set of indirect branches that must be checked is pruned on a large scale (about 89% fewer indirect branches), which greatly reduces the detection frequency and thus the performance overhead introduced by detection itself; at the same time, the efficient hardware triggering mechanism also reduces the overhead of triggering the detection.
Experimental results show that the method performs gadget detection unaffected by history-flushing attacks, effectively detects both conventional ROP attacks and evasion attacks, and introduces only 5.7% performance overhead.
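The contrast drawn in the conclusion, between a checker that looks at branch history only when a sensitive system call is reached and one that is driven by a PMI on every indirect branch, is easy to see in a small simulation. The following Python is an added illustration written for this page; it is not MIBChecker's code and does not reproduce its gadget heuristics, its BPU-based pruning or its actual syscall parameter policy. The LBR depth, the "short gadget" and chain-length thresholds, the code map of branch targets and the mprotect policy are all constructed assumptions. The point it shows: a fixed-size LBR window inspected only at syscall time can be emptied of gadget records by benign branches, while a per-branch check keeps its running count and is not affected, and a parameter check on the sensitive call covers chains too short to trip the chain threshold.

```python
"""Simulation of LBR-based gadget-chain checking strategies.

Added example, not MIBChecker's own code. Thresholds, the LBR depth,
the code map and the syscall parameter policy are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass

LBR_DEPTH = 16        # assumed LBR size; real parts hold 16 or 32 entries
SHORT_GADGET = 5      # assumed: <= 5 instructions before the next indirect branch
CHAIN_THRESHOLD = 3   # assumed: this many consecutive short-gadget returns flags ROP


@dataclass(frozen=True)
class Branch:
    src: int
    dst: int
    kind: str         # "call", "ret" or "jmp"


# Constructed code map: target address -> (call_preceded, instructions until
# the next indirect branch). Unknown targets are treated as benign.
CODE_MAP = {
    0x401000: (True, 40),   # normal return site inside main
    0x401100: (True, 35),   # normal return site inside a library routine
    0x403000: (True, 60),   # entry of a benign leaf function
    0x402010: (False, 3),   # gadget-like sequence ending in an indirect branch
    0x402020: (False, 2),
    0x402030: (False, 4),
    0x402040: (False, 1),
}


def is_short_gadget_ret(b: Branch) -> bool:
    """A return landing on a non-call-preceded address with only a few
    instructions before the next indirect branch."""
    if b.kind != "ret":
        return False
    call_preceded, length = CODE_MAP.get(b.dst, (True, 10**9))
    return (not call_preceded) and length <= SHORT_GADGET


def longest_gadget_run(branches) -> int:
    """Longest run of consecutive short-gadget returns in a branch sequence."""
    best = run = 0
    for b in branches:
        run = run + 1 if is_short_gadget_ret(b) else 0
        best = max(best, run)
    return best


def check_at_syscall(trace) -> bool:
    """Syscall-time checker: sees only the LBR_DEPTH most recent branches
    that survive when the sensitive syscall is reached."""
    lbr_window = deque(trace, maxlen=LBR_DEPTH)
    return longest_gadget_run(lbr_window) >= CHAIN_THRESHOLD


def check_per_branch(trace) -> bool:
    """PMI-style checker: re-evaluates the running chain as each branch
    retires, so later benign branches cannot push evidence out of view."""
    run = 0
    for b in trace:
        run = run + 1 if is_short_gadget_ret(b) else 0
        if run >= CHAIN_THRESHOLD:
            return True
    return False


def check_syscall_params(name: str, args: dict) -> bool:
    """Assumed parameter policy for a sensitive syscall: an mprotect that
    makes a region writable and executable at once is treated as suspicious,
    independent of how many gadgets preceded it."""
    PROT_WRITE, PROT_EXEC = 0x2, 0x4
    if name == "mprotect":
        prot = args.get("prot", 0)
        return bool(prot & PROT_WRITE) and bool(prot & PROT_EXEC)
    return False


def benign_call_ret(n: int) -> list:
    """Constructed benign activity: n call/return pairs between known sites."""
    out = []
    for _ in range(n):
        out.append(Branch(0x401040, 0x403000, "call"))
        out.append(Branch(0x403050, 0x401100, "ret"))
    return out


# Constructed traces (addresses are synthetic).
GADGET_CHAIN = [
    Branch(0x401500, 0x402010, "ret"),
    Branch(0x402013, 0x402020, "ret"),
    Branch(0x402022, 0x402030, "ret"),
    Branch(0x402034, 0x402040, "ret"),
]
TRACE_BENIGN = benign_call_ret(10)
TRACE_PLAIN_ROP = benign_call_ret(2) + GADGET_CHAIN
# Gadget records followed by more benign branches than the LBR can hold.
TRACE_FLUSHED_ROP = benign_call_ret(2) + GADGET_CHAIN + benign_call_ret(LBR_DEPTH)


def run_all() -> dict:
    """(syscall-time verdict, per-branch verdict) for each constructed trace."""
    return {
        "benign": (check_at_syscall(TRACE_BENIGN), check_per_branch(TRACE_BENIGN)),
        "plain": (check_at_syscall(TRACE_PLAIN_ROP), check_per_branch(TRACE_PLAIN_ROP)),
        "flushed": (check_at_syscall(TRACE_FLUSHED_ROP), check_per_branch(TRACE_FLUSHED_ROP)),
        "short_chain_params": check_syscall_params("mprotect", {"prot": 0x7}),
    }


if __name__ == "__main__":
    for name, verdict in run_all().items():
        print(f"{name:20s} {verdict}")
```

In the "flushed" trace the syscall-time checker returns False because the sixteen-entry window contains only benign records, whereas the per-branch checker returns True; in the "plain" trace both agree. What the simulation leaves out is the cost side that the conclusion also addresses: a real per-branch checker fires an interrupt per retired indirect branch, which is why the paper pairs it with BPU-based pruning of the branches that need to be examined.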