- Volume 41 Issue 12
Design and Implementation of Efficient Mitigation against Return-oriented Programming
Korean title: Design and Implementation of an Efficient Defense Technique against Return-Oriented Programming Attacks
- Kim, Jeehong (Sungkyunkwan Univ.) ;
- Kim, Inhyeok (Sungkyunkwan Univ.) ;
- Min, Changwoo (Sungkyunkwan Univ.) ;
- Eom, Young Ik (Sungkyunkwan Univ.)
- Received : 2014.08.12
- Accepted : 2014.09.22
- Published : 2014.12.15
A return-oriented programming (ROP) attack builds gadget sequences out of code snippets that already exist in a program and hijacks the program's control flow by chaining those gadgets and executing them consecutively. Existing defense schemes have limitations: high execution overhead, a large increase in binary size, and low applicability. In this paper, we address these problems with zero-sum defender, a fast and space-efficient mitigation scheme against ROP attacks. We identify a fundamental property of gadget execution: control flow starts in the middle of a function without a call instruction and ends with a return instruction. We exploit this property by monitoring whether execution is being abused by a ROP attack. We achieve a very low runtime overhead with a very small increase in binary size. In our experimental results, we verified that our defense scheme prevents real-world ROP attacks, and we showed only a 2% performance overhead and a 1% binary size increase in several benchmarks.
Supported by: National Research Foundation of Korea
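The property the abstract relies on (a gadget executes a ret in a function that was never entered by a call) can be modeled with a toy call/ret trace checker. This is an added illustration, not the paper's implementation: the balance-counter check and the shadow-stack check below are assumed simplifications, and the addresses in the traces are constructed labels.

```python
# Toy model of the property the abstract describes: a ROP gadget executes a
# ret without its function having been entered by a call. Two assumed (not the
# paper's) checks run over constructed traces of call/ret events: a call/ret
# balance counter and, for comparison, a shadow stack. Traces contain only
# "call" and "ret" events.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Event:
    kind: str     # "call" or "ret"
    site: str     # call: return address pushed; ret: location of the ret
    target: str   # call: callee entry; ret: address actually popped

def counter_check(trace: List[Event]) -> Optional[int]:
    """Balance counter: each call +1, each ret -1; a ret at depth 0 has no
    matching call. Returns the index of the first offending ret, or None."""
    depth = 0
    for i, ev in enumerate(trace):
        if ev.kind == "call":
            depth += 1
        elif depth == 0:
            return i
        else:
            depth -= 1
    return None

def shadow_stack_check(trace: List[Event]) -> Optional[int]:
    """Shadow stack: a ret must pop exactly the address its call pushed.
    Returns the index of the first mismatching ret, or None."""
    shadow: List[str] = []
    for i, ev in enumerate(trace):
        if ev.kind == "call":
            shadow.append(ev.site)
        elif not shadow or shadow.pop() != ev.target:
            return i
    return None

# Constructed traces; addresses are illustrative labels, not from the paper.
BENIGN = [
    Event("call", "_start+0x20", "main"),
    Event("call", "main+0x2a", "parse"),
    Event("call", "parse+0x10", "strlen"),
    Event("ret", "strlen+0x30", "parse+0x10"),
    Event("ret", "parse+0x40", "main+0x2a"),
    Event("ret", "main+0x50", "_start+0x20"),
]
ROP_CHAIN = [
    Event("call", "_start+0x20", "main"),
    Event("call", "main+0x2a", "vuln"),
    Event("ret", "vuln+0x40", "libc+0x21102"),    # overwritten return address
    Event("ret", "libc+0x21103", "libc+0x4f322"), # ret of the first gadget
    Event("ret", "libc+0x4f330", "libc+0x52290"), # ret of the next gadget
]
```

Note the trade-off the model makes visible: the cheap counter only fires once the chain has consumed the frames that were legitimately outstanding (here at the third ret), whereas the shadow stack flags the very first corrupted return at the cost of per-call bookkeeping.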