Controlando a Frequência de Desvios Indiretos para Bloquear Ataques ROP
Resumo
Em função de seu vasto emprego em investidas contra sistemas computacionais modernos, proteções contra códigos maliciosos baseados na técnica denominada Return-Oriented Programming (ROP) têm sido extensamente estudadas. Apesar disso, ainda não se conhece uma solução definitiva. Este artigo demonstra que, através do controle da frequência de instruções de desvio indireto, é possível evitar a consolidação de ataques ROP. Para isso, foi desenvolvido um protótipo destinado a ambientes Linux, Windows, Android e OSX. Experimentos realizados com exploits confirmaram a eficácia do modelo proposto a um custo computacional comparável e, em alguns casos, inferior àquele alcançado por proteções correlatas.Referências
Bania, P. (2010). Security mitigations for return-oriented programming attacks. CoRR, abs/1008.4099.
Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., and Winandy, M. (2010). Return-oriented programming without returns. In Proceedings of the 17th ACM CCS, pages 559–572. ACM.
Checkoway, S., Feldman, A. J., Kantor, B., Halderman, J. A., Felten, E. W., and Shacham, H. (2009). Can dres provide long-lasting security? In Proceedings of the EVT/WOTE, pages 6–6. USENIX Association.
Chen, P., Xiao, H., Shen, X., Yin, X., Mao, B., and Xie, L. (2009). Drop: Detecting return-oriented programming malicious code. In Information Systems Security, pages 163–177. Springer Berlin Heidelberg.
Chen, P., Xing, X., Mao, B., Xie, L., Shen, X., and Yin, X. (2011). Automatic construction of jump-oriented programming shellcode (on the x86). In Proceedings of the ACM ASIACCS, pages 20–29. ACM.
D. Rosenberg (2011). Defeating windows 8 rop mitigation. http://goo.gl/2Ae7aN.
Davi, L., Sadeghi, A.-R., and Winandy, M. (2009). Dynamic integrity measurement and attestation. In Proceedings of the ACM STC, pages 49–54. ACM.
Ferreira, M. T., Rocha, T., Martins, G., Feitosa, E., and Souto, E. (2012). Analise de vulnerabilidades em sistemas computacionais modernos: Conceitos, exploits e protecoes. In Livro de Minicursos do XII SBSeg, pages 2–51. SBC.
Guha, A., Hiser, J. D., Kumar, N., Yang, J., Zhao, M., Zhou, S., Childers, B. R., Davidson, J. W., Hazelwood, K., and Soffa, M. L. (2007). Virtual execution environments: Support and tools. In NSF Next Generation Software Program Workshop, Long Beach, CA.
Hoglund, G. and McGraw, G. (2004). Exploiting Software: How to Break Code. Pearson Higher Education.
Intel (2014). Pin 2.13 user guide. http://goo.gl/xvsW6l.
J. Callas (2011). Smelling a rat on duqu. http://goo.gl/FTM1Jn.
J. McDonald (1999). Defeating solaris/sparc non-executable stack protection. http://goo.gl/fglJTX.
Jiang, J., Jia, X., Feng, D., Zhang, S., and Liu, P. (2011). Hypercrop: A hypervisorbased countermeasure for return oriented programming. In Proceedings of the 13th ICICS, pages 360–373, Berlin, Heidelberg. Springer-Verlag.
Li, T., Bhargava, R., and John, L. K. (2002). Rehashable btb: An adaptive branch target buffer to improve the target predictability of java code. In In The International Conference on High Performance Computing (HiPCP.
Luk, C.-K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V. J., and Hazelwood, K. (2005). Pin: Building customized program analysis tools with dynamic instrumentation. In Proceedings of the ACM SIGPLAN PLDI, pages 190–200. ACM.
Min, J.-W., Jung, S.-M., and Chung, T.-M. (2013). Detecting return oriented programming by examining positions of saved return addresses. In Ubiquitous Information Technologies and Applications, pages 791–798. Springer Netherlands.
N. H. Son (2011). Rop chain for windows 8. http://goo.gl/MAujbX.
S. Designer (1997). Getting around non-executable stack (and fix). http://goo.gl/XNEE7n.
S. Krahmer (2005). x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique. http://goo.gl/5cN0Bm.
Shacham, H. (2007). The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM CCS, pages 552–561. ACM.
T. Newsham (1997). Re: Smashing the stack: prevention? http://goo.gl/fglJTX.
Universitet, S. (2014). Intel and att syntax. http://goo.gl/gkTvxL.
Wojtczuk, R. N. (2001). The advanced return-into-lib(c) exploits: PaX case study. Phrack, 11(58).
Yuan, L., Xing, W., Chen, H., and Zang, B. (2011). Security breaches as pmu deviation: Detecting and identifying security attacks using performance counters. In Proceedings of the Second APSys, pages 6:1–6:5. ACM.
Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., and Winandy, M. (2010). Return-oriented programming without returns. In Proceedings of the 17th ACM CCS, pages 559–572. ACM.
Checkoway, S., Feldman, A. J., Kantor, B., Halderman, J. A., Felten, E. W., and Shacham, H. (2009). Can dres provide long-lasting security? In Proceedings of the EVT/WOTE, pages 6–6. USENIX Association.
Chen, P., Xiao, H., Shen, X., Yin, X., Mao, B., and Xie, L. (2009). Drop: Detecting return-oriented programming malicious code. In Information Systems Security, pages 163–177. Springer Berlin Heidelberg.
Chen, P., Xing, X., Mao, B., Xie, L., Shen, X., and Yin, X. (2011). Automatic construction of jump-oriented programming shellcode (on the x86). In Proceedings of the ACM ASIACCS, pages 20–29. ACM.
D. Rosenberg (2011). Defeating windows 8 rop mitigation. http://goo.gl/2Ae7aN.
Davi, L., Sadeghi, A.-R., and Winandy, M. (2009). Dynamic integrity measurement and attestation. In Proceedings of the ACM STC, pages 49–54. ACM.
Ferreira, M. T., Rocha, T., Martins, G., Feitosa, E., and Souto, E. (2012). Analise de vulnerabilidades em sistemas computacionais modernos: Conceitos, exploits e protecoes. In Livro de Minicursos do XII SBSeg, pages 2–51. SBC.
Guha, A., Hiser, J. D., Kumar, N., Yang, J., Zhao, M., Zhou, S., Childers, B. R., Davidson, J. W., Hazelwood, K., and Soffa, M. L. (2007). Virtual execution environments: Support and tools. In NSF Next Generation Software Program Workshop, Long Beach, CA.
Hoglund, G. and McGraw, G. (2004). Exploiting Software: How to Break Code. Pearson Higher Education.
Intel (2014). Pin 2.13 user guide. http://goo.gl/xvsW6l.
J. Callas (2011). Smelling a rat on duqu. http://goo.gl/FTM1Jn.
J. McDonald (1999). Defeating solaris/sparc non-executable stack protection. http://goo.gl/fglJTX.
Jiang, J., Jia, X., Feng, D., Zhang, S., and Liu, P. (2011). Hypercrop: A hypervisorbased countermeasure for return oriented programming. In Proceedings of the 13th ICICS, pages 360–373, Berlin, Heidelberg. Springer-Verlag.
Li, T., Bhargava, R., and John, L. K. (2002). Rehashable btb: An adaptive branch target buffer to improve the target predictability of java code. In In The International Conference on High Performance Computing (HiPCP.
Luk, C.-K., Cohn, R., Muth, R., Patil, H., Klauser, A., Lowney, G., Wallace, S., Reddi, V. J., and Hazelwood, K. (2005). Pin: Building customized program analysis tools with dynamic instrumentation. In Proceedings of the ACM SIGPLAN PLDI, pages 190–200. ACM.
Min, J.-W., Jung, S.-M., and Chung, T.-M. (2013). Detecting return oriented programming by examining positions of saved return addresses. In Ubiquitous Information Technologies and Applications, pages 791–798. Springer Netherlands.
N. H. Son (2011). Rop chain for windows 8. http://goo.gl/MAujbX.
S. Designer (1997). Getting around non-executable stack (and fix). http://goo.gl/XNEE7n.
S. Krahmer (2005). x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique. http://goo.gl/5cN0Bm.
Shacham, H. (2007). The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM CCS, pages 552–561. ACM.
T. Newsham (1997). Re: Smashing the stack: prevention? http://goo.gl/fglJTX.
Universitet, S. (2014). Intel and att syntax. http://goo.gl/gkTvxL.
Wojtczuk, R. N. (2001). The advanced return-into-lib(c) exploits: PaX case study. Phrack, 11(58).
Yuan, L., Xing, W., Chen, H., and Zang, B. (2011). Security breaches as pmu deviation: Detecting and identifying security attacks using performance counters. In Proceedings of the Second APSys, pages 6:1–6:5. ACM.
Publicado
03/11/2014
Como Citar
FERREIRA, Mateus Tymburibá; SANTOS FILHO, Ailton; FEITOSA, Eduardo.
Controlando a Frequência de Desvios Indiretos para Bloquear Ataques ROP. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 14. , 2014, Belo Horizonte.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2014
.
p. 223-236.
DOI: https://doi.org/10.5753/sbseg.2014.20133.
