Detecção de ataques por ROP em tempo real assistida por hardware

  • Marcus Botacin Unicamp
  • Paulo Lício de Geus Unicamp
  • André Grégio UFPR

Resumo


A injeção de código foi um dos principais ataques contra sistemas computacionais. A adoção das páginas não-executáveis com apoio de hardware (NX/XD) e prevenção de execução de dados (DEP) eliminou o problema na prática. Entretanto, os atacantes passaram a desviar o fluxo de controle legítimo, encadeando blocos de código (gadgets) via instruções de retorno. Tal técnica, a Programação Orientada à Retorno (ROP), tornou-se o principal vetor de injeção. Recentemente, abordagens baseadas em integridade do fluxo de controle (CFI) e comprimento de gadgets surgiram para tratar tais ataques. Propomos aqui um sistema assistido por hardware, construído sobre sistemas Windows, que supera limitações de abordagens da literatura na detecção de ataques por ROP em tempo real.

Referências

Bangert, J., Bratus, S., Shapiro, R., and Smith, S. W. (2013). The page-fault weird machine: Lessons in instruction-less computation. In Proc. of the 7th USENIX Conf. on Offensive Technologies, WOOT’13, pages 13–13.

Bania, P. (2010). Security mitigations for return-oriented programming attacks. https://www.kryptoslogic.com/download/ROP_Whitepaper.pdf. Acesso em junho/2016.

Bletsch, T., Jiang, X., and Freeh, V. (2011a). Mitigating code-reuse attacks with control-flow locking. In Proc. of the 27th Annual Computer Security Applications Conf., ACSAC ’11, pages 353–362, New York, NY, USA. ACM.

Bletsch, T., Jiang, X., Freeh, V. W., and Liang, Z. (2011b). Jump-oriented programming: A new class of code-reuse attack. In Proc. of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS ’11, pages 30–40.

Carlini, N. and Wagner, D. (2014). Rop is still dangerous: Breaking modern defenses. In Proc. of the 23rd USENIX Conf. on Security Symposium, SEC’14, pages 385–399.

Chen, P., Xiao, H., Shen, X., Yin, X., Mao, B., and Xie, L. (2009). Drop: Detecting return-oriented programming malicious code. In Proc. of the 5th International Conf. on Information Systems Security, ICISS ’09, pages 163–177, Berlin, Heidelberg. Springer-Verlag.

Cheng, Y., Zhou, Z., Miao, Y., Ding, X., DENG, H., et al. (2014). Ropecker: A generic and practical approach for defending against rop attack. Network and Distributed System Security Symposium. CVE (2011). Cve-2011-0065. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0065. Acessado em junho/2016.

Davi, L., Sadeghi, A.-R., and Winandy, M. (2009). Dynamic integrity measurement and attestation: Towards defense against return-oriented programming attacks. In Proc. of the 2009 ACM Workshop on Scalable Trusted Computing, STC ’09, pages 49–54, New York, NY, USA. ACM.

Ferreira, M. T., Filho, A. S., and Feitosa, E. (2014). Controlando a frequência de desvios indiretos para bloquear ataques rop. Anais do SBSEG 2014.

Fratric, I. (2012). Runtime prevention of return-oriented programming attacks. https://github.com/ivanfratric/ropguard/blob/master/doc/ropguard.pdf. Acessado em junho/2016.

Gökta¸s, E., Athanasopoulos, E., Polychronakis, M., Bos, H., and Portokalidis, G. (2014). Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard. In 23rd USENIX Security Symposium (USENIX Security 14), pages 417–432, San Diego, CA. USENIX Association.

Graziano, M., Balzarotti, D., and Zidouemba, A. (2016). ROPMEMU: A framework for the analysis of complex code-reuse attacks. In ASIACCS 2016, 11th ACM Asia Conference on Computer and Communications Security, May 30-June 3, 2016, Xi’ian, China.

Hiser, J., Nguyen-Tuong, A., Co, M., Hall, M., and Davidson, J. W. (2012). Ilr: Where’d my gadgets go? In Proc. of the 2012 IEEE Symposium on Security and Privacy, SP ’12, pages 571–585, Washington, DC, USA. IEEE Computer Society.

Intel (2013). Introduction to intel R memory protection extensions. [link]. Acessado em junho/2016.

Jiang, J., Jia, X., Feng, D., Zhang, S., and Liu, P. (2011). Hypercrop: A hypervisor-based countermeasure for return oriented programming. In Proc. of the 13th International Conf. on Information and Communications Security, ICICS’11, pages 360–373, Berlin, Heidelberg. Springer-Verlag.

Kompalli, S. (2014). Using existing hardware services for malware detection. In Security and Privacy Workshops (SPW), 2014 IEEE, pages 204–208.

Lan, B., Li, Y., Sun, H., Su, C., Liu, Y., and Zeng, Q. (2015). Loop-oriented programming: A new code reuse attack to bypass modern defenses. In Trustcom/BigDataSE/ISPA, 2015 IEEE, volume 1, pages 190–197.

Luk, C.-K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V. J., and Hazelwood, K. (2005). Pin: Building customized program analysis tools with dynamic instrumentation. In Proc. of the 2005 ACM SIGPLAN Conf. on Programming Language Design and Implementation, PLDI ’05, pages 190–200, New York, NY, USA. ACM.

Microsoft (2013). Introducing Enhanced Mitigation Experience Toolkit (EMET) 4.1. [link]. Acessado em junho/2016.

Onarlioglu, K., Bilge, L., Lanzi, A., Balzarotti, D., and Kirda, E. (2010). G-free: Defeating return-oriented programming through gadget-less binaries. In Proc. of the 26th Annual Computer Security Applications Conf., ACSAC ’10, pages 49–58, New York, NY, USA. ACM.

Pappas, V., Polychronakis, M., and Keromytis, A. D. (2012). Smashing the gadgets: Hindering returnoriented programming using in-place code randomization. In Proc. of the 2012 IEEE Symposium on Security and Privacy, SP ’12, pages 601–615.

Pappas, V., Polychronakis, M., and Keromytis, A. D. (2013). Transparent rop exploit mitigation using indirect branch tracing. In Proc. of the 22Nd USENIX Conf. on Security, SEC’13, pages 447–462, Berkeley, CA, USA. USENIX Association.

Quinn, R. (2012). Detection of malware via side channel information. PhD thesis, Binghamton University. Schuster, F., Tendyck, T., Pewny, J., Maaß, A., Steegmanns, M., Contag, M., and Holz, T. (2014). Evaluating the effectiveness of current anti-rop defenses. In Research in Attacks, Intrusions and Defenses: 17th International Symposium, RAID 2014, pages 88–108.

Shapiro, R., Bratus, S., and Smith, S. W. (2013). "weird machines"in elf: A spotlight on the underappreciated metadata. In Proc. of the 7th USENIX Conf. on Offensive Technologies, WOOT’13, pages 11–11.

Son, N. H. (2011). Rop chain for windows 8. http://security.bkav.com/home/-/blogs/rop-chain-for-windows-8/normal. Acessado em junho/2016.

Vanegue, J. (2014). The weird machines in proof-carrying code. In Security and Privacy Workshops (SPW), 2014 IEEE, pages 209–213.

Wartell, R., Mohan, V., Hamlen, K. W., and Lin, Z. (2012). Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code. In Proc. of the 2012 ACM Conf. on Computer and Communications Security, CCS ’12, pages 157–168.

Yuan, L., Xing, W., Chen, H., and Zang, B. (2011). Security breaches as pmu deviation: Detecting and identifying security attacks using performance counters. In Proc. of the Second Asia-Pacific Workshop on Systems, APSys ’11, pages 6:1–6:5, New York, NY, USA. ACM.

Zhang, C.,Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., and Zou,W. (2013). Practical control flow integrity and randomization for binary executables. In Proc. of the 2013 IEEE Symposium on Security and Privacy, SP ’13, pages 559–573, Washington, DC, USA. IEEE Computer Society.
Publicado
07/11/2016
BOTACIN, Marcus; GEUS, Paulo Lício de; GRÉGIO, André. Detecção de ataques por ROP em tempo real assistida por hardware. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 16. , 2016, Niterói. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2016 . p. 324-337. DOI: https://doi.org/10.5753/sbseg.2016.19317.