
Indirect Branch Target Address Verification for Defense against Return-Oriented Programming Attacks

  • 박수현 (Department of Computer Engineering, Hongik University);
  • 김선일 (Department of Computer Engineering, Hongik University)
  • Received: 2013.01.14
  • Reviewed: 2013.03.28
  • Published: 2013.05.31

Abstract

Return-Oriented Programming (ROP) is a code-reuse attack technique that extends the earlier return-to-libc attack: by combining gadgets found in a program's code region, an attacker can perform any function desired. Existing defenses against ROP attacks either incur high performance overhead because they rely on dynamic execution-flow analysis, or can only partially defend against ROP. The Indirect Branch Target Address Verification technique proposed in this paper detects ROP attacks by checking whether the target address of each indirect branch instruction is valid, and can defend against most ROP attacks. Because it requires no dynamic execution-flow analysis, it also imposes low performance overhead. In a performance evaluation on the SPEC CPU 2006 benchmark it showed less than 15% performance overhead.

Return-Oriented Programming (ROP) is an advanced code-reuse attack that extends the return-to-libc attack. ROP attacks chain gadgets found in the program's code area and can thereby perform arbitrary, Turing-complete computation. Some previous defense methods against ROP attacks show high performance overhead because of dynamic execution-flow analysis, and others can defend against only certain types of ROP attacks. In this paper, we propose Indirect Branch Target Address Verification (IBTAV). IBTAV detects ROP attacks by checking whether the target address of each indirect branch is valid. Because it verifies the target address of every indirect branch instruction, IBTAV can defend against almost all ROP attacks. Since IBTAV does not require dynamic execution-flow analysis, its performance overhead is relatively low. Our evaluation of IBTAV on SPEC CPU 2006 shows less than 15% performance overhead.
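The check the abstract describes (every indirect branch target is looked up in a table of legitimate targets, with no run-time flow analysis) can be modelled in a few lines. The following C program is an added illustration, not the paper's implementation: the addresses, the function layout and the two saved-return-address chains are all constructed, and the per-branch check is simply a binary search in a static, sorted table of valid call targets (function entries) and valid return targets (the instruction following a call). A return address that points into the middle of a function, which is what a gadget address looks like, is therefore rejected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of an IBTAV-style check (not the paper's code).
 * Addresses are synthetic; the "program" is a hand-written table. */

enum branch_kind { BR_CALL = 1, BR_RET = 2 };   /* bit flags */

typedef struct {
    uintptr_t addr;      /* code address */
    unsigned  allowed;   /* which indirect-branch kinds may land here */
} valid_target;

/* Valid targets, sorted by address (constructed for illustration):
 * function entry points accept indirect calls/jumps, and the instruction
 * after each call site accepts returns. */
static const valid_target g_targets[] = {
    { 0x401000u, BR_CALL },   /* main */
    { 0x40101au, BR_RET  },   /* main: instruction after "call handler" */
    { 0x401030u, BR_CALL },   /* handler */
    { 0x401048u, BR_RET  },   /* handler: instruction after "call write" */
    { 0x401100u, BR_CALL },   /* write */
};
#define N_TARGETS (sizeof g_targets / sizeof g_targets[0])

/* bsearch comparator: key is a uintptr_t, element is a valid_target. */
static int cmp_addr(const void *key, const void *elem)
{
    uintptr_t k = *(const uintptr_t *)key;
    uintptr_t e = ((const valid_target *)elem)->addr;
    return (k > e) - (k < e);
}

/* The per-branch check: one binary search in a static table, so the cost
 * per indirect branch is constant and no execution-flow history is kept. */
bool ibtav_branch_ok(uintptr_t target, enum branch_kind kind)
{
    const valid_target *t = bsearch(&target, g_targets, N_TARGETS,
                                    sizeof g_targets[0], cmp_addr);
    return t != NULL && (t->allowed & (unsigned)kind) != 0;
}

/* Apply the check to a chain of saved return addresses (a constructed stack).
 * Returns the index of the first address a "ret" may not transfer to,
 * or -1 if every entry is a legitimate return site. */
int ibtav_first_bad_return(const uintptr_t *rets, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!ibtav_branch_ok(rets[i], BR_RET))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Benign chain: handler returns to main, main's caller frame follows. */
    const uintptr_t benign[] = { 0x401048u, 0x40101au };
    /* Suspicious chain (constructed): after one legitimate return site, the
     * saved addresses point into the middle of functions, i.e. to locations
     * that are not return sites. The check flags the first such entry. */
    const uintptr_t suspicious[] = { 0x401048u, 0x401105u, 0x40103cu };

    printf("benign chain:     first bad index = %d\n",
           ibtav_first_bad_return(benign, 2));
    printf("suspicious chain: first bad index = %d\n",
           ibtav_first_bad_return(suspicious, 3));
    printf("indirect call to function entry 0x401030 allowed: %d\n",
           ibtav_branch_ok(0x401030u, BR_CALL));
    printf("indirect call to return site 0x40101a allowed:    %d\n",
           ibtav_branch_ok(0x40101au, BR_CALL));
    return 0;
}
```

Separating the CALL and RET permissions matters: a return site is a legitimate place for a `ret` to land but not for an indirect `call`, and keeping the two sets distinct is what lets the check stay a single table lookup rather than a reconstruction of the call stack.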

Keywords
