摘要
针对传统的代码注入和代码复用等攻击技术的缺陷,返回导向编程(Return-Oriented Programming,ROP)提出了复用以ret指令结尾的短指令序列,实现图灵完备编程的思想.ROP攻击可以绕开现有的针对代码注入的防御,且相比于传统代码复用技术,构造功能更为强大.但ROP攻击使用的ret指令结尾的指令序列具有明显的特征,这些特征导致ROP攻击容易被检测到.现有的ROP改进技术使用jmp指令结尾的短指令序列构造攻击,虽然消除了以ret指令结尾的特征,但同时引入了新的特征,且并不具有实用性.文中提出了一种分支指令导向(Branch Instruction-Oriented Programming,BIOP)攻击技术,使用jmp指令或call指令结尾的短指令序列构造攻击.相比于以前的工作,BIOP不引入新的特征,能有效避免现有的防御技术.同时我们分析并解决了构造攻击时寄存器的副作用,提出控制指令序列概念解决构造时内存冲突,实现自动化构造BIOP攻击.作者设计了一个自动化构造BIOP工具,构造了大量实际的BIOP shellcode,实验结果表明BIOP攻击可以绕过现有的ROP防御技术.
Return-Oriented Programming (ROP)is a technique which leverages the instructionsnippets in existing libraries/executables to construct Turing Complete programs.Such techniquecan generate the shellcode which evades most code injection defenses.However,ROP attack isusually composed with gadgets which are ending in ret instruction without the corresponding callinstruction.Based on this fact,several defense mechanisms have been proposed to detect theROP malicious code.In this paper,we present Branch Instruction-Oriented Programming(BIOP)attack which uses the gadgets ending in jmp instruction or call instruction.This newtechnique,which uses jmp instruction or call instruction to replace the ret instruction,breaks thehypothesis of existing defense tools.Meanwhile we propose a tool to automatically construct thereal-world BIOP attack,which as demonstrated in our experiment can bypass most of the exiting ROP defenses.
出处
《计算机学报》
EI
CSCD
北大核心
2014年第5期1111-1123,共13页
Chinese Journal of Computers
基金
国家自然科学基金(61073027
60773171
90818022
61272078
61321491)
国家"八六三"高技术研究发展计划项目基金(2007AA01Z448
2011AA1A202)资助~~
关键词
返回导向编程
指令序列
寄存器副作用
自动化
信息安全
网络安全
Return-Oriented Programming (ROP)
gadget
side effect of register
automation
information security
network security
