Abstract
Software diversification is an effective countermeasure against code-reuse attacks, but most existing software diversification techniques operate on source code, which, unlike binaries, is often not available. Binaries are hard to disassemble precisely and to separate code pointers from data constants, which limits the diversifying transformations that can be applied to them; the resulting randomization entropy is too low and can be brute-forced by an attacker. To address this problem, a binary-oriented software diversification method, instruction offset randomization, is proposed. Based on static binary rewriting, it inserts no-operation (NOP) instructions of varying byte lengths before program instructions with a given probability. This both reduces the number of unintended gadgets in the program and randomly shifts the addresses of the original instructions, disrupting the program's original memory layout and raising the cost of code-reuse attacks. In addition, a "hot"-code optimization strategy is designed for the method: the execution counts of the basic blocks in the binary are obtained by dynamic instrumentation and used to adjust the NOP insertion probability of each basic block, inserting fewer NOPs into more frequently executed blocks, which keeps performance overhead low while producing higher randomization entropy. In the experiments, the optimized method is evaluated on the SPEC benchmark programs in terms of performance overhead, gadget survival rate and file size. The results show that an insertion probability of 15% works best: the average gadget survival rate in the programs stabilizes below 1.49%, making it harder for an attacker to reuse the same gadget chain, while at that security level only an additional 4.1% runtime overhead and 7.7% file-size growth are incurred.
Software diversity is an effective defense against code-reuse attacks, but most existing software diversification technologies are based on source code. Obtaining program source code may be difficult, while binary files are challenging to disassemble accurately and to separate code pointers from data constants. This makes it difficult for binary file diversification to generate high levels of randomization entropy, so it is easily compromised by attackers. To overcome these challenges, a binary-file-oriented software diversification method based on static binary rewriting technology, namely instruction offset randomization, was proposed. This method inserts NOP instructions of varying byte lengths before program instructions with a certain probability, reducing the number of unintended gadgets in the program and randomly offsetting the original instruction addresses. This disrupts the program's original memory layout and increases the cost of code-reuse attacks. At the same time, an optimization strategy based on hot code was designed for this method. The execution counts of basic blocks in the binary file were obtained by dynamic instrumentation and used to adjust the NOP insertion probability in each basic block: the higher the execution frequency, the fewer NOP instructions were inserted into the basic block, which ensures lower performance overhead while producing higher randomization entropy. In the experimental part, the SPEC benchmark programs were used to test the optimized method in terms of performance overhead, gadget survival rate and file size. The results show that a 15% insertion probability achieves the best effect, with an average gadget survival rate of less than 1.49%, increasing attackers' difficulty in reusing the same gadget attack chain. Furthermore, only a 4.1% runtime overhead and a 7.7% space overhead are added, while maintaining a high level of security.
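As an added illustration (example code written for this page, not the paper's rewriter), the following Python sketch simulates the two ideas the abstract describes: NOPs of 1 to 3 bytes are inserted before instructions with a per-block probability, and that probability is scaled down for basic blocks with high execution counts. The scaling rule in `block_probability`, the sample blocks and their execution counts are assumptions, and the paper's actual formula is not given here.

```python
import random

# Standard x86-64 NOP encodings of 1, 2 and 3 bytes.
NOPS = {1: b"\x90", 2: b"\x66\x90", 3: b"\x0f\x1f\x00"}

def block_probability(base_p, exec_count, max_count):
    """Per-block NOP insertion probability, reduced for hot blocks. The scaling
    rule is an assumption of this example, not the paper's formula: hotness =
    exec_count / max_count, probability falls linearly from base_p to base_p / 3."""
    if max_count == 0:
        return base_p
    return base_p * (1.0 - (2.0 / 3.0) * (exec_count / max_count))

def randomize(blocks, base_p=0.15, seed=0):
    """Rewrite a flat code image made of basic blocks in layout order.
    blocks: list of (name, [instruction byte strings], exec_count), where
    exec_count stands in for what dynamic instrumentation would report.
    Returns (new_image, layout, nops_per_block); layout lists
    (block, original_offset, new_offset) for every original instruction."""
    rng = random.Random(seed)
    max_count = max(count for _, _, count in blocks)
    image, layout, nops = bytearray(), [], {}
    orig_off = 0
    for name, insns, count in blocks:
        p = block_probability(base_p, count, max_count)
        nops[name] = 0
        for insn in insns:
            if rng.random() < p:                      # insert with probability p
                image += NOPS[rng.choice((1, 2, 3))]  # random NOP length
                nops[name] += 1
            layout.append((name, orig_off, len(image)))
            image += insn                             # original bytes kept intact
            orig_off += len(insn)
    return bytes(image), layout, nops

# Constructed sample: a hot loop body between two cold blocks (x86-64 encodings).
SAMPLE = [
    ("entry", [b"\x55", b"\x48\x89\xe5"], 1),                              # push rbp; mov rbp, rsp
    ("loop", [b"\x48\xff\xc0", b"\x48\x39\xd8", b"\x75\xf8"], 1_000_000),  # inc rax; cmp rax, rbx; jne
    ("exit", [b"\x5d", b"\xc3"], 1),                                       # pop rbp; ret
]

if __name__ == "__main__":
    img, lay, per_block = randomize(SAMPLE, base_p=0.15, seed=42)
    for blk, old, new in lay:
        print(f"{blk:5s} 0x{old:04x} -> 0x{new:04x} (shift +{new - old})")
    print("NOPs per block:", per_block, "| image bytes:", len(img))
```

A real static rewriter must also fix up relative branches (such as the `jne` here) and any code pointers after the shift; this sketch only shows how the layout moves and how hot blocks receive fewer NOPs.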
Authors
何本伟
郭云飞
王亚文
王庆丰
扈红超
HE Benwei;GUO Yunfei;WANG Yawen;WANG Qingfeng;HU Hongchao(Information Engineering University,Zhengzhou 450001,China)
Source
《网络与信息安全学报》
2023, Issue 2, pp. 94-103 (10 pages)
Chinese Journal of Network and Information Security
Funding
National Key R&D Program of China (2021YFB1006200, 2021YFB1006201)
National Natural Science Foundation of China (62072467).