DOI QR코드

DOI QR Code

Detection Mechanism against Code Re-use Attack in Stack region

스택 영역에서의 코드 재사용 공격 탐지 메커니즘

  • Kim, Ju-Hyuk (Korea Local Information Research & Development Institute) ;
  • Oh, Soo-Hyun (Division of Information Security, Hoseo University)
  • Received : 2014.01.13
  • Accepted : 2014.05.08
  • Published : 2014.05.31

Abstract

Vulnerabilities related to memory have been known as major threats to the security of a computer system. Actually, the number of attacks using memory vulnerability has been increased. Accordingly, various memory protection mechanisms have been studied and implemented on operating system while new attack techniques bypassing the protection systems have been developed. Especially, buffer overflow attacks have been developed as Return-Oriented Programing(ROP) and Jump-Oriented Programming(JOP) called Code Re-used attack to bypass the memory protection mechanism. Thus, in this paper, I analyzed code re-use attack techniques emerged recently among attacks related to memory, as well as analyzed various detection mechanisms proposed previously. Based on the results of the analyses, a mechanism that could detect various code re-use attacks on a binary level was proposed. In addition, it was verified through experiments that the proposed mechanism could detect code re-use attacks effectively.

Acknowledgement

Supported by : 한국연구재단

References

  1. Aleph. One. "Smashing The Stack For Fun And Profit", Phrack49, 1996
  2. Microsoft TechNet, "Data Execution Prevention", http://technet.microsoft.com/ko-kr/library/cc738483 (WS.10).aspxc0ntex, "Bypassing non-executable stack during exploitation using return-to-libc", http://www.infosecwriters.com/text/resources/pdf/ return-to-libc.pdf
  3. H. Shacham. "The Geometry of Innocent Flesh on the Bone: Return-Into-Libc without Function Calls (on the x86)", the 14th ACM Conference on Computer and Communications Security, 2007 DOI: http://dx.doi.org/10.1145/1315245.1315313 https://doi.org/10.1145/1315245.1315313
  4. Pax Project, "address space layout randomization", http://pax.grsecurity.net/docs/aslr.txt, 2003
  5. Ju-Hyuk Kim, Jin-Ho Choi, Yo-Ram Lee, Soo-Hyun Oh, "Study on Return-Oriented Programming in Mac OSX", CISC-W 2011, pp. 146-149, 2011
  6. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy, "Return-oriented programming without returns", CCS 2010, 2010
  7. T. Bletsch, X. Jiang, V. Freeh, "Jump-Oriented Programming: A New Class of Code-Reuse Attack", In CSC Technical Report TR-2010-8, NCSU, 2010
  8. Piotr Bania, "Security Mitigations for Return-Oriented Programming Attacks", http://piotrbania.com/all/articles/pbania_rop_mitigations2010.pdf, 2010
  9. Kaan Onarlioglu, Leyla Bilge, Andrea Lanzi, Davide Balzarotti, and Engin Kirda. G-Free : defeating return-oriented programming through gadget-less binaries. In ACSAC'10, Annual Computer Security Applications Conference, 2010.
  10. P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie. Drop: Detecting return-oriented programming malicious code. In Lecture Notes in Computer Science, 2009.
  11. Lucas Davi, Ahmad-Reza Sadeghi, Marcel Winandy, "ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks", Technical Report HGI-TR-2010-001, 2010.
  12. Ju-Hyuk Kim, Yo-Ram Lee, Soo-Hyun Oh, "A detection mechanism for Jump-Oriented Programming at binary level", Journal of The Korea Institute of Information Securoty & Cryptography, vol. 22 No. 5, pp. 1069-1078, 2012.
  13. Chi-Keung Luk, Robert Cohn, Robert Muth, Harish Patil, Artur Klauser, GeoLowney, Steven Wallace, Vijay J. Reddi, and Kim Hazelwood. Pin: Building customized program analysis tools with dynamic instrumentation. In PLDI '05: Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation, volume 40, pages 190-200, New York, NY, USA, 2005
  14. Mehmet Kayaalp, "Example Jump-Oriented Programming Attack", http://cs.binghamton.edu/-mkayaalp/jop.html, 2012