Design and Implementation of Efficient Mitigation against Return-oriented Programming

Design and Implementation of an Efficient Defense Technique against Return-Oriented Programming Attacks

  • Jihong Kim (College of Information and Communication Engineering, Sungkyunkwan University) ;
  • Inhyeok Kim (College of Information and Communication Engineering, Sungkyunkwan University) ;
  • Changwoo Min (College of Information and Communication Engineering, Sungkyunkwan University) ;
  • Young Ik Eom (College of Information and Communication Engineering, Sungkyunkwan University)
  • Received : 2014.08.12
  • Accepted : 2014.09.22
  • Published : 2014.12.15

Abstract

An ROP attack builds gadget sequences out of code snippets that already exist in a program, and hijacks the program's control flow by chaining these gadgets and executing them consecutively. Existing defense schemes suffer from high execution overhead, a large increase in binary size, or limited applicability. In this paper, we address these problems with zero-sum defender, a fast and space-efficient mitigation scheme against ROP attacks. We identify a fundamental property of gadget execution: control flow enters the middle of a function without a call instruction and leaves it with a return instruction. We exploit this property by monitoring whether execution is being abused in this way by an ROP attack. The scheme achieves very low runtime overhead with a very small increase in binary size. In our experiments, we verified that the scheme prevents real-world ROP attacks, and measured only a 2% performance overhead and a 1% binary size increase across several benchmarks.

A return-oriented programming (ROP) attack builds gadgets from code fragments already present in a program that end with a return instruction, and executes them consecutively, manipulating the stack contents to seize control of the program. Existing defenses against it either incur high execution overhead and binary size overhead, or have a limited range of applicability. In this paper we propose zero-sum defender, a defense technique that avoids the problems of existing techniques while being efficient in terms of performance and binary size increase. Unlike the flow of a normal program, a return-oriented programming attack has the execution characteristic that multiple return instructions are executed without a function call instruction being executed. The proposed technique uses this characteristic to monitor whether the program's execution flow is being abused by a return-oriented programming attack, and performs its defensive function accordingly. Through experiments on real attack models we confirmed the effectiveness of the defense technique, and through benchmark experiments we confirmed that defense is achieved with only about 2% performance overhead and about 1% binary size increase.
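The property both abstracts rely on, that gadget execution produces returns with no matching calls, can be modelled as a running call/return balance over an execution trace. The following is an added illustration, not the paper's zero-sum defender implementation: it assumes a hypothetical trace of ("call", label) / ("ret", label) events, and the rule that a balance below zero means a `ret` executed with no preceding unmatched `call`, which is the gadget pattern. The traces, labels and `initial_balance` parameter are constructed for the example.

```python
from typing import Iterable, List, Optional, Tuple

# Constructed event model: ("call", label) or ("ret", label).
# Labels are illustrative names, not addresses from any real binary.
Event = Tuple[str, str]


class ZeroSumMonitor:
    """Educational model of a call/return-balance check.

    balance = calls seen - returns seen. In normal nested execution every
    `ret` is matched by an earlier `call`, so the balance never drops below
    its starting value. A gadget chain executes `ret` after `ret` with no
    intervening `call`, driving the balance negative.
    """

    def __init__(self, initial_balance: int = 0) -> None:
        self.balance = initial_balance
        self.first_violation: Optional[int] = None  # index of first bad ret

    def feed(self, index: int, event: Event) -> None:
        kind, _label = event
        if kind == "call":
            self.balance += 1
        elif kind == "ret":
            self.balance -= 1
            if self.balance < 0 and self.first_violation is None:
                # Control flow ended a function it never entered via call.
                self.first_violation = index
        else:
            raise ValueError(f"unknown event kind: {kind!r}")


def scan_trace(events: Iterable[Event],
               initial_balance: int = 0) -> Tuple[bool, Optional[int], int]:
    """Return (detected, index_of_first_violation, final_balance)."""
    mon = ZeroSumMonitor(initial_balance)
    for i, ev in enumerate(events):
        mon.feed(i, ev)
    return (mon.first_violation is not None, mon.first_violation, mon.balance)


# Constructed normal trace: properly nested calls and returns.
NORMAL_TRACE: List[Event] = [
    ("call", "main->parse_input"),
    ("call", "parse_input->strlen"),
    ("ret", "strlen"),
    ("ret", "parse_input"),
]

# Constructed hijacked trace: parse_input returns into a gadget chain, so
# three returns follow with no call in between.
ROP_TRACE: List[Event] = [
    ("call", "main->parse_input"),
    ("ret", "parse_input"),      # overwritten return address
    ("ret", "gadget_1"),         # balance becomes -1 here (index 2)
    ("ret", "gadget_2"),
    ("ret", "gadget_3"),
]

if __name__ == "__main__":
    print("normal:", scan_trace(NORMAL_TRACE))
    print("rop:   ", scan_trace(ROP_TRACE))
```

One practical point the model makes visible: the check is only as good as its starting balance. A monitor that begins observing in the middle of a deep call chain must be seeded with the current depth (the `initial_balance` parameter here), otherwise legitimate unwinding looks clean only by accident and, conversely, a chain of returns that happens to start from a deep stack is not flagged until the seeded balance is exhausted.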

Acknowledgement

Supported by: National Research Foundation of Korea

References

  1. Aleph One, "Smashing the Stack for Fun and Profit," Phrack Magazine, Vol. 49, No. 1, pp. 14-16, Aug. 1996.
  2. Blexim, "Basic Integer Overflows," Phrack Magazine, Vol. 60, No. 10, pp. 10-16, Dec. 2002.
  3. gera and riq, "Advances in Format String Exploitation," Phrack Magazine, Vol. 59, No. 7, pp. 7-18, Jul. 2002.
  4. Microsoft. (2006, Nov. 20). Data Execution Prevention (DEP) [Online]. Available: http://support.microsoft.com/kb/875352
  5. PaX Team. (2003, May 1). PaX Non-Executable Page Design & Implementation [Online]. Available: http://pax.grsecurity.net
  6. Solar Designer. (1997, Aug. 10). Getting around Non-Executable Stack (and Fix) [Online]. Available: http://seclists.org/bugtraq/1997/Aug/63
  7. H. Shacham, "The Geometry of Innocent Flesh on the Bone: Return-Into-Libc without Function Calls (on the x86)," Proc. ACM Conference on Computer and Communications Security, pp. 552-561, 2007.
  8. jduck. (2010, Mar. 18). The Latest Adobe Exploit and Session Upgrading [Online]. Available: https://community.rapid7.com/community/metasploit/blog/2010/03/18/the-latest-adobe-exploit-and-session-upgrading
  9. D. Goodin. (2010, Aug. 30). Apple QuickTime Backdoor Creates Code-Execution Peril [Online]. Available: http://www.theregister.co.uk/2010/08/30/apple_quicktime_critical_vuln/
  10. J. Halliday. (2010, Aug. 2). JailbreakMe Released for Apple Devices [Online]. Available: http://www.guardian.co.uk/technology/blog/2010/aug/02/jailbreakme-released-apple-devices-legal
  11. R. Hund, T. Holz, and F. C. Freiling, "Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms," Proc. USENIX Security Symposium, pp. 1-16, 2009.
  12. L. Davi, A. R. Sadeghi, and M. Winandy, "ROPdefender: A Detection Tool to Defend against Return-Oriented Programming Attacks," Proc. ACM Symposium on Information, Computer and Communications Security, pp. 40-51, 2011.
  13. S. Bhatkar, R. Sekar, and D. C. DuVarney, "Efficient Techniques for Comprehensive Protection from Memory Error Exploits," Proc. USENIX Security Symposium, pp. 271-286, 2005.
  14. J. Hiser, A. Nguyen-Tuong, M. Co, M. Hall, and J. W. Davidson, "ILR: Where'd My Gadgets Go?," Proc. IEEE Symposium on Security and Privacy, pp. 571-585, 2012.
  15. R. Wartell, V. Mohan, K. W. Hamlen, and Z. Lin, "Binary Stirring: Self-Randomizing Instruction Addresses of Legacy x86 Binary Code," Proc. ACM Conference on Computer and Communications Security, pp. 157-168, 2012.
  16. E. Shioji, Y. Kawakoya, M. Iwamura, and T. Hariu, "Code Shredding: Byte-Granular Randomization of Program Layout for Detecting Code-Reuse Attacks," Proc. Annual Computer Security Applications Conference, pp. 309-318, 2012.
  17. V. Pappas, M. Polychronakis, and A. D. Keromytis, "Transparent ROP Exploit Mitigation Using Indirect Branch Tracing," Proc. USENIX Security Symposium, pp. 447-462, 2013.
  18. M. Kayaalp, M. Ozsoy, N. B. Abu-Ghazaleh, and D. Ponomarev, "Efficiently Securing Systems from Code Reuse Attack," IEEE Transactions on Computers, Vol. 63, No. 5, pp. 1144-1156, 2014. https://doi.org/10.1109/TC.2012.269
  19. M. Kayaalp, T. Schmitt, J. Nomani, N. Abu-Ghazaleh, and D. Ponomarev, "Signature-Based Protection from Code Reuse Attacks," IEEE Transactions on Computers, 2014. (To appear)
  20. S. Park, C. Pyo, S. Kim, and G. Lee, "An Implementation of Program Counter Encoding with TPM," Journal of KIISE: Computing Practices and Letters, Vol. 17, No. 1, pp. 13-19, Jan. 2011. (in Korean)
  21. M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti, "Control-Flow Integrity," Proc. ACM Conference on Computer and Communications Security, pp. 340-353, 2005.
  22. K. Onarlioglu, L. Bilge, A. Lanzi, D. Balzarotti, and E. Kirda, "G-Free: Defeating Return-Oriented Programming through Gadget-Less Binaries," Proc. Annual Computer Security Applications Conference, pp. 49-58, 2010.
  23. J. Li, Z. Wang, X. Jiang, M. Grace, and S. Bahram, "Defeating Return-Oriented Programming through Gadget-Less Kernels," Proc. European Conference on Computer Systems, pp. 195-208, 2010.
  24. K. Kim, C. Pyo, S. Kim, and G. Lee, "Dual-Encoding of Return Addresses for Detection and Defense against Stack Attacks," Journal of KIISE: Computing Practices and Letters, Vol. 17, No. 3, pp. 159-164, Mar. 2011. (in Korean)
  25. K. Kim, T. Kim, C. Pyo, and G. Lee, "A Method Protecting Control Flow by Indirect Branch Monitoring and Program Counter Encoding," Journal of KIISE: Computing Practices and Letters, Vol. 20, No. 7, pp. 392-397, Jul. 2014. (in Korean)
  26. J. Kim, I. Kim, C. Min, and Y. I. Eom, "Zero-Sum Defender: Fast and Space-Efficient Defense against Return-Oriented Programming Attacks," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, Vol. E97-A, No. 1, pp. 303-305, Jan. 2014. https://doi.org/10.1587/transfun.E97.A.303
  27. S. McCamant and G. Morrisett, "Evaluating SFI for a CISC Architecture," Proc. USENIX Security Symposium, pp. 1-16, 2006.
  28. B. Yee, D. Sehr, G. Dardyk, J. Bradley Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar, "Native Client: A Sandbox for Portable, Untrusted x86 Native Code," Proc. IEEE Symposium on Security and Privacy, pp. 79-93, 2009.
  29. L. Le, "Payload Already Inside: Data Re-Use for ROP Exploits," Black Hat USA, pp. 1-21, 2010.
  30. S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy, "Return-Oriented Programming without Returns," Proc. ACM Conference on Computer and Communications Security, pp. 559-572, 2010.
  31. T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang, "Jump-Oriented Programming: A New Class of Code-Reuse Attack," Proc. Annual Computer Security Applications Conference, pp. 30-40, 2011.