Controlling the Frequency of Indirect Branches to Block ROP Attacks

  • Mateus Tymburibá Ferreira UFAM
  • Ailton Santos Filho UFAM
  • Eduardo Feitosa UFAM

Abstract


Because of its wide use in attacks against modern computing systems, protection against malicious code based on the technique called Return-Oriented Programming (ROP) has been extensively studied. Nevertheless, no definitive solution is yet known. This article demonstrates that by controlling the frequency of indirect branch instructions it is possible to prevent ROP attacks from being carried out. To this end, we developed a prototype for Linux, Windows, OSX and Android environments. Experiments conducted with exploits confirmed the effectiveness of the proposed model at a computational cost comparable to, and in some cases lower than, that of related protections.
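The idea stated in the abstract, limiting how often indirect branches may execute, can be sketched as a sliding-window monitor. This is an added illustration, not the authors' prototype: the window size, the threshold, the instruction classes and the traces are all assumptions constructed for the example.

```c
#include <stdio.h>

/* Instruction classes a dynamic instrumentation tool would report. */
enum insn { OTHER, DIRECT_BRANCH, INDIRECT_BRANCH /* ret, jmp/call via reg or mem */ };

#define WINDOW    32  /* assumed: instructions kept in the sliding window */
#define THRESHOLD 8   /* assumed: max indirect branches tolerated per window */

struct monitor {
    unsigned char ring[WINDOW]; /* 1 if the slot held an indirect branch */
    size_t pos;                 /* next slot to overwrite */
    unsigned count;             /* indirect branches currently in the window */
};

/* Feed one executed instruction; returns 1 when the density limit is exceeded. */
static int monitor_step(struct monitor *m, enum insn kind)
{
    m->count -= m->ring[m->pos];              /* oldest instruction leaves */
    m->ring[m->pos] = (kind == INDIRECT_BRANCH);
    m->count += m->ring[m->pos];
    m->pos = (m->pos + 1) % WINDOW;
    return m->count > THRESHOLD;
}

/* Returns the index of the first instruction that trips the monitor, or -1. */
static long first_alarm(const enum insn *trace, size_t n)
{
    struct monitor m = {0};
    for (size_t i = 0; i < n; i++)
        if (monitor_step(&m, trace[i]))
            return (long)i;
    return -1;
}

/* Constructed trace: one indirect branch every `period` instructions. */
static void fill_trace(enum insn *trace, size_t n, size_t period)
{
    for (size_t i = 0; i < n; i++)
        trace[i] = ((i + 1) % period == 0) ? INDIRECT_BRANCH : OTHER;
}

int main(void)
{
    enum insn benign[256], chained[256];
    fill_trace(benign, 256, 12);  /* ordinary code: sparse returns */
    fill_trace(chained, 256, 3);  /* gadget-like: a return every 3 instructions */
    printf("benign: %ld, chained: %ld\n", first_alarm(benign, 256), first_alarm(chained, 256));
    return 0;
}
```

With these assumed parameters the sparse trace never raises an alarm, while the dense one is flagged as soon as a ninth indirect branch falls inside a single 32-instruction window.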

Published
2014-11-03
FERREIRA, Mateus Tymburibá; SANTOS FILHO, Ailton; FEITOSA, Eduardo. Controlando a Frequência de Desvios Indiretos para Bloquear Ataques ROP. In: BRAZILIAN SYMPOSIUM ON INFORMATION AND COMPUTATIONAL SYSTEMS SECURITY (SBSEG), 14., 2014, Belo Horizonte. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2014. p. 223-236. DOI: https://doi.org/10.5753/sbseg.2014.20133.
