Inferência Estática da Frequência Máxima de Instruções de Retorno para Detecção de Ataques ROP
Resumo
Programas que sofrem ataques baseados em Programação Orientada a Retorno (ROP) tendem a apresentar traços de execução com alta densidade de operações de retorno. A partir dessa observação, diversos pesquisadores propuseram formas de detectar ataques baseadas na monitoração da frequência de execução de instruções de retorno. Essas soluções utilizam limiares universais: a mesma densidade de retornos caracteriza ataques em diferentes aplicações. Este artigo mostra que limiares universais são fáceis de evadir. Como alternativa, apresenta-se um algoritmo que estima estaticamente a maior densidade de instruções de retorno possível durante a execução de um programa. Essa análise de código encontra limiares de detecção específicos para cada aplicação, dificultando assim, a realização de ataques baseados em ROP.
Referências
Aho, A. V., Lam, M. S., Sethi, R., and Ullman, J. D. (2006). Compilers: Principles, Techniques, and Tools (2nd Edition). Addison Wesley.
Callas, J. (2011). Smelling a RAT on duqu. On-line.
Carlini, N. and Wagner, D. (2014). ROP is still dangerous: Breaking modern defenses. In Security Symposium, pages 385–399. USENIX.
Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., and Winandy, M. (2010). Return-oriented programming without returns. In CCS, pages 1–14. ACM.
Chen, P., Xiao, H., Shen, X., Yin, X., Mao, B., and Xie, L. (2009). DROP: Detecting return-oriented programming malicious code. In ISS, pages 163–177. IEEE.
Cheng, Y., Zhou, Z., and Yu, M. (2014). ROPecker: A generic and practical approach for defending against ROP attacks. NDS.
Davi, L., Sadeghi, A., and Winandy, M. (2009). Dynamic integrity measurement and attestation: Towards defense against return-oriented programming attacks. In WSTC, pages 49–54.
Eeckhoutte, P. V. (2014). Analyzing heap objects with mona.py. https://www.corelan.be/.
Göktas, E., Athanasopoulos, E., Polychronakis, M., Bos, H., and Portokalidis, G. (2014). Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard. In Security Symposium, pages 417–432. USENIX.
Guha, A., Hiser, J. D., Kumar, N., Yang, J., Zhao, M., Zhou, A., Childers, B. R., Davidson, J. W., Hazelwood, K., and Soffa, M. L. (2007). Virtual execution environments: Support and tools. In Parallel and Distributed Processing Symposium, 2007. IPDPS 2007. IEEE International, pages 1–6. IEEE.
Han, Y. H., Park, D. S., Jia, W., and Yeo, S. S. (2013). Detecting return oriented programming by examining positions of saved return addresses. In LNEE, pages 3:1–3:18. Springer.
Jiang, J., Jia, X., Feng, D., Zhang, S., and Liu, P. (2011). HyperCrop: a hypervisor-based countermeasure for return oriented programming. In LNCS, pages 46–62. Springer.
Lattner, C. and Adve, V. (2004). Llvm: A compilation framework for lifelong program analysis & transformation. In Code Generation and Optimization, 2004. CGO 2004. International Symposium on, pages 75–86. IEEE.
Luk, C.-K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V. J., and Hazelwood, K. (2005). Pin: Building customized program analysis tools with dynamic instrumentation. In PLDI, pages 190–200. ACM.
Pappas, V., Polychronakis, M., and Keromytis, A. D. (2013). Transparent rop exploit mitigation using indirect branch tracing. In SEC, pages 447–462. USENIX.
PaX, T. (2003a). Non-executable pages design & implementation.
PaX, T. (2003b). PaX address space layout randomization (ASLR).
Schrijver, A. (2003). Combinatorial optimization: polyhedra and efficiency, volume 24. Springer Science & Business Media.
Shacham, H. (2007). The geometry of innocent flesh on the bone: returninto-libc without function calls (on the x86). In CCS, pages 552–561. ACM.
Tymburibá, M., Filho, A., and Feitosa, E. (2014). Controlando a Frequência de Desvios Indiretos para Bloquear Ataques ROP. In SBSeg, pages 223– 236. SBC.
Yuan, L., Xing, W., Chen, H., and Zang, B. (2011). Security breaches as pmu deviation: Detecting and identifying security attacks using performance counters. In APSys, pages 6:1–6:5. ACM.
Callas, J. (2011). Smelling a RAT on duqu. On-line.
Carlini, N. and Wagner, D. (2014). ROP is still dangerous: Breaking modern defenses. In Security Symposium, pages 385–399. USENIX.
Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., and Winandy, M. (2010). Return-oriented programming without returns. In CCS, pages 1–14. ACM.
Chen, P., Xiao, H., Shen, X., Yin, X., Mao, B., and Xie, L. (2009). DROP: Detecting return-oriented programming malicious code. In ISS, pages 163–177. IEEE.
Cheng, Y., Zhou, Z., and Yu, M. (2014). ROPecker: A generic and practical approach for defending against ROP attacks. NDS.
Davi, L., Sadeghi, A., and Winandy, M. (2009). Dynamic integrity measurement and attestation: Towards defense against return-oriented programming attacks. In WSTC, pages 49–54.
Eeckhoutte, P. V. (2014). Analyzing heap objects with mona.py. https://www.corelan.be/.
Göktas, E., Athanasopoulos, E., Polychronakis, M., Bos, H., and Portokalidis, G. (2014). Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard. In Security Symposium, pages 417–432. USENIX.
Guha, A., Hiser, J. D., Kumar, N., Yang, J., Zhao, M., Zhou, A., Childers, B. R., Davidson, J. W., Hazelwood, K., and Soffa, M. L. (2007). Virtual execution environments: Support and tools. In Parallel and Distributed Processing Symposium, 2007. IPDPS 2007. IEEE International, pages 1–6. IEEE.
Han, Y. H., Park, D. S., Jia, W., and Yeo, S. S. (2013). Detecting return oriented programming by examining positions of saved return addresses. In LNEE, pages 3:1–3:18. Springer.
Jiang, J., Jia, X., Feng, D., Zhang, S., and Liu, P. (2011). HyperCrop: a hypervisor-based countermeasure for return oriented programming. In LNCS, pages 46–62. Springer.
Lattner, C. and Adve, V. (2004). Llvm: A compilation framework for lifelong program analysis & transformation. In Code Generation and Optimization, 2004. CGO 2004. International Symposium on, pages 75–86. IEEE.
Luk, C.-K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V. J., and Hazelwood, K. (2005). Pin: Building customized program analysis tools with dynamic instrumentation. In PLDI, pages 190–200. ACM.
Pappas, V., Polychronakis, M., and Keromytis, A. D. (2013). Transparent rop exploit mitigation using indirect branch tracing. In SEC, pages 447–462. USENIX.
PaX, T. (2003a). Non-executable pages design & implementation.
PaX, T. (2003b). PaX address space layout randomization (ASLR).
Schrijver, A. (2003). Combinatorial optimization: polyhedra and efficiency, volume 24. Springer Science & Business Media.
Shacham, H. (2007). The geometry of innocent flesh on the bone: returninto-libc without function calls (on the x86). In CCS, pages 552–561. ACM.
Tymburibá, M., Filho, A., and Feitosa, E. (2014). Controlando a Frequência de Desvios Indiretos para Bloquear Ataques ROP. In SBSeg, pages 223– 236. SBC.
Yuan, L., Xing, W., Chen, H., and Zang, B. (2011). Security breaches as pmu deviation: Detecting and identifying security attacks using performance counters. In APSys, pages 6:1–6:5. ACM.
Publicado
09/11/2015
Como Citar
EMÍLIO, Rubens; TYMBURIBÁ, Mateus; PEREIRA, Fernando Magno Quintão.
Inferência Estática da Frequência Máxima de Instruções de Retorno para Detecção de Ataques ROP. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 15. , 2015, Florianópolis.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2015
.
p. 2-15.
DOI: https://doi.org/10.5753/sbseg.2015.20081.
