摘要
针对传统函数指针攻击检测技术无法检测面向返回编程(ROP)攻击的问题,提出了一种基于跳转地址完整性检查的新方法,在二进制代码层面能够检测多种类型的函数指针攻击。首先,通过静态分析得到函数地址信息,然后动态检查跳转目标地址是否位于合法函数区间。分析了非入口点跳转,提出一种动静结合方法检测ROP攻击。基于二进制代码插桩工具实现原型系统fpcheck,对真实攻击和正常程序进行了测试。实验结果表明fpcheck能够检测包括ROP在内的多种函数指针攻击,通过准确的检测策略,误报率显著下降,性能损失相比原始插桩仅升高10%~20%。
Traditional detection techniques of function pointer attack cannot detect Return-Oriented-Programming (ROP) attack. A new approach by checking the integrity of jump address was proposed to detect a variety of function pointer attacks on binary code. First, function address was obtained with static analysis, and then target addresses of jump instructions were checked dynamically whether they fell into allowed function address space. The non-entry function call was analyzed, based on which a new method was proposed to detect ROP attack by combining static and dynamic analysis. The prototype system named fpcheek was developed using binary instrumentation tool, and evaluated with real-world attacks and normal programs. The experimental results show that fpcheck can detect various function pointer attacks including ROP, the false positive rate reduces substantially with accurate policies, and the performance overhead only increases by 10% to 20% compared with vanilla instrumentation.
出处
《计算机应用》
CSCD
北大核心
2015年第2期424-429,共6页
journal of Computer Applications
基金
2013年四川省学术和技术带头人培养资金资助项目(13XSJS002)
关键词
缓冲区溢出
面向返回编程
非入口点跳转
动态分析
二进制代码插桩
buffer overflow
Return-Oriented-Programming (ROP)
non-entry function call
dynamic analysis
binary instrumentation