Journal of the Korea Academia-Industrial cooperation Society (한국산학기술학회논문지)

The Korea Academia-Industrial cooperation Society (한국산학기술학회)
권호 표지
DOI QR코드

DOI QR Code

Detection Mechanism against Code Re-use Attack in Stack region

스택 영역에서의 코드 재사용 공격 탐지 메커니즘

  • Kim, Ju-Hyuk (Korea Local Information Research & Development Institute) ;
  • Oh, Soo-Hyun (Division of Information Security, Hoseo University)
  • Received : 2014.01.13
  • Accepted : 2014.05.08
  • Published : 2014.05.31
Download PDF
⟨ Previous Next ⟩

Abstract

Vulnerabilities related to memory have been known as major threats to the security of a computer system. Actually, the number of attacks using memory vulnerability has been increased. Accordingly, various memory protection mechanisms have been studied and implemented on operating system while new attack techniques bypassing the protection systems have been developed. Especially, buffer overflow attacks have been developed as Return-Oriented Programing(ROP) and Jump-Oriented Programming(JOP) called Code Re-used attack to bypass the memory protection mechanism. Thus, in this paper, I analyzed code re-use attack techniques emerged recently among attacks related to memory, as well as analyzed various detection mechanisms proposed previously. Based on the results of the analyses, a mechanism that could detect various code re-use attacks on a binary level was proposed. In addition, it was verified through experiments that the proposed mechanism could detect code re-use attacks effectively.

메모리 관련 취약점은 컴퓨터 시스템 상에서의 가장 위협적인 공격이며 메모리 취약점을 이용한 실제 공격의 또한 증가하고 있다. 따라서 다양한 메모리 보호 메커니즘이 연구되고 운영체제 상에서 구현되었지만, 보호 시스템들을 우회하기 위한 새로운 공격 기법들이 함께 발전하고 있다. 특히, 메모리 관련 공격 기법 중 버퍼 오버플로우 공격은 코드 재사용 공격이라 불리는 Return-Oriented Programming(ROP), Jump-Oriented Programming(JOP)등으로 발전하여 운영체제가 포함하는 메모리 보호 메커니즘을 우회하고 있다. 본 논문에서는 코드 재사용 공격 기법의 특징을 분석하고, 분석된 결과를 이용하여 바이너리 수준에서의 코드 재사용 공격을 탐지할 수 있는 메커니즘을 제안하며, 실험을 통해 제안하는 메커니즘이 코드 재사용 공격을 효율적으로 탐지할 수 있음을 증명한다.

Keywords

References

  1. Aleph. One. "Smashing The Stack For Fun And Profit", Phrack49, 1996
  2. Microsoft TechNet, "Data Execution Prevention", http://technet.microsoft.com/ko-kr/library/cc738483 (WS.10).aspxc0ntex, "Bypassing non-executable stack during exploitation using return-to-libc", http://www.infosecwriters.com/text/resources/pdf/ return-to-libc.pdf
  3. H. Shacham. "The Geometry of Innocent Flesh on the Bone: Return-Into-Libc without Function Calls (on the x86)", the 14th ACM Conference on Computer and Communications Security, 2007 DOI: http://dx.doi.org/10.1145/1315245.1315313
  4. Pax Project, "address space layout randomization", http://pax.grsecurity.net/docs/aslr.txt, 2003
  5. Ju-Hyuk Kim, Jin-Ho Choi, Yo-Ram Lee, Soo-Hyun Oh, "Study on Return-Oriented Programming in Mac OSX", CISC-W 2011, pp. 146-149, 2011
  6. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy, "Return-oriented programming without returns", CCS 2010, 2010
  7. T. Bletsch, X. Jiang, V. Freeh, "Jump-Oriented Programming: A New Class of Code-Reuse Attack", In CSC Technical Report TR-2010-8, NCSU, 2010
  8. Piotr Bania, "Security Mitigations for Return-Oriented Programming Attacks", http://piotrbania.com/all/articles/pbania_rop_mitigations2010.pdf, 2010
  9. Kaan Onarlioglu, Leyla Bilge, Andrea Lanzi, Davide Balzarotti, and Engin Kirda. G-Free : defeating return-oriented programming through gadget-less binaries. In ACSAC'10, Annual Computer Security Applications Conference, 2010.
  10. P. Chen, H. Xiao, X. Shen, X. Yin, B. Mao, and L. Xie. Drop: Detecting return-oriented programming malicious code. In Lecture Notes in Computer Science, 2009.
  11. Lucas Davi, Ahmad-Reza Sadeghi, Marcel Winandy, "ROPdefender: A Detection Tool to Defend Against Return-Oriented Programming Attacks", Technical Report HGI-TR-2010-001, 2010.
  12. Ju-Hyuk Kim, Yo-Ram Lee, Soo-Hyun Oh, "A detection mechanism for Jump-Oriented Programming at binary level", Journal of The Korea Institute of Information Securoty & Cryptography, vol. 22 No. 5, pp. 1069-1078, 2012.
  13. Chi-Keung Luk, Robert Cohn, Robert Muth, Harish Patil, Artur Klauser, GeoLowney, Steven Wallace, Vijay J. Reddi, and Kim Hazelwood. Pin: Building customized program analysis tools with dynamic instrumentation. In PLDI '05: Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation, volume 40, pages 190-200, New York, NY, USA, 2005
  14. Mehmet Kayaalp, "Example Jump-Oriented Programming Attack", http://cs.binghamton.edu/-mkayaalp/jop.html, 2012