
Design and Implementation of Efficient Mitigation against Return-oriented Programming

Korean title: Design and Implementation of an Efficient Defense Technique against Return-Oriented Programming Attacks

  • 김지홍 (Sungkyunkwan University, College of Information and Communication Engineering)
  • 김인혁 (Sungkyunkwan University, College of Information and Communication Engineering)
  • 민창우 (Sungkyunkwan University, College of Information and Communication Engineering)
  • 엄영익 (Sungkyunkwan University, College of Information and Communication Engineering)
  • Received : 2014.08.12
  • Accepted : 2014.09.22
  • Published : 2014.12.15

Abstract

A ROP attack builds gadget sequences out of code snippets that already exist in a program and hijacks the program's control flow by chaining those gadgets and executing them one after another. Existing defense schemes have limitations: high execution overhead, an increase in binary size, and low applicability. In this paper, we address these problems by introducing Zero-Sum Defender, a fast and space-efficient mitigation scheme against ROP attacks. We identify a fundamental property of gadget execution: control flow starts in the middle of a function, without a call instruction, and ends with a return instruction. We exploit this property by monitoring execution for this pattern in order to detect abuse by ROP attacks. We achieve a very low runtime overhead with a very small increase in binary size. In our experiments, we verified that our defense scheme prevents real-world ROP attacks, and we showed that it incurs only a 2% performance overhead and a 1% binary size increase across several benchmarks.
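The following is an added illustration of the call/return balance property the abstract relies on; it is a constructed model, not the authors' Zero-Sum Defender implementation. It assumes a toy instruction set in which each function's first instruction is instrumented as an entry and every ret is instrumented as a return, so legitimate calls net to zero while gadget returns that never passed through an entry drive the balance negative.

```python
# Constructed model of the call/return "zero-sum" property described in the
# abstract; an added illustration, not the paper's implementation.
# Every function's first instruction (the only place a legitimate call lands)
# and every ret are instrumented. A legitimate call/return pair nets to zero
# on a per-thread balance; a ROP gadget enters a function body mid-way (no
# entry instrumentation runs) and ends with ret, so repeated gadget returns
# drive the balance negative and the monitor flags that ret.

# Toy program: address -> (mnemonic, operand). 'entry' marks a function's
# first instruction. 0x3002/0x3003 happen to form an "op; ret" gadget.
PROGRAM = {
    0x1000: ("entry", "main"), 0x1001: ("call", 0x2000),
    0x1002: ("call", 0x3000), 0x1003: ("ret", None),
    0x2000: ("entry", "vuln"), 0x2001: ("op", None), 0x2002: ("ret", None),
    0x3000: ("entry", "helper"), 0x3001: ("op", None),
    0x3002: ("op", None), 0x3003: ("ret", None),
}

def run(program, corrupt_stack=None):
    """Execute from main; return (ok, violating_ret_addresses). If
    corrupt_stack is given, it replaces the stack while vuln's body runs,
    modelling a stack overflow turned into a return-address chain."""
    pc, stack, balance, violations = 0x1000, [None], 0, []
    for _ in range(1000):                      # bound the simulation
        mnem, arg = program[pc]
        if mnem == "entry":                    # legitimate function entry
            balance += 1
            pc += 1
        elif mnem == "call":
            stack.append(pc + 1)
            pc = arg
        elif mnem == "ret":
            balance -= 1                       # must be matched by an entry
            if balance < 0:                    # ret with no matching entry
                violations.append(pc)
                balance = 0                    # keep scanning the trace
            pc = stack.pop()
            if pc is None:                     # returned past main: done
                return (not violations, violations)
        else:                                  # plain instruction
            if pc == 0x2001 and corrupt_stack is not None:
                stack = list(corrupt_stack)    # the overflow happens here
            pc += 1
    raise RuntimeError("simulation did not terminate")

# Constructed payload: two uses of the 0x3002 gadget, then leave the program.
# Note the first gadget ret is still covered by main's outstanding entry; in
# this simple model detection lags by the live call depth at hijack time.
ROP_CHAIN = [None, 0x3002, 0x3002]   # popped from the end: 0x3002 first

if __name__ == "__main__":
    print(run(PROGRAM))                        # (True, [])
    print(run(PROGRAM, ROP_CHAIN))             # (False, [0x3003])
```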

Acknowledgement

Supported by: National Research Foundation of Korea (한국연구재단)
