进程控制流劫持攻击与防御技术综述

doi:10.11959/j.issn.2096-109x.2019058

摘要/Abstract

摘要：

控制流劫持攻击是一种常见的针对计算机软件的攻击，给计算机软件安全带来了巨大的危害，是信息安全领域的研究热点。首先，从攻击代码的来源角度出发，阐述了进程控制流劫持攻击的相关研究；其次，根据控制流劫持攻击技术的发展现状，基于不同防御思想介绍了近年来国内外的相关防御技术；最后对控制流劫持攻防技术发展趋势进行总结和展望。

关键词: 软件安全, 控制流劫持攻击, 控制流完整性, 随机化

Abstract:

Control flow hijacking attack is a common attack against computer software,which brings great harm to computer software security and is a research hotspot in the field of information security.Firstly,from the perspective of the source of attack code,the related research was expounded on process’s control flow hijacking attack.Secondly,according to the newest development status of control flow hijacking attack technology,the related defense technologies at home and abroad were introduced based on different defense ideas.Finally,the development trend of control flow hijacking offensive and defensive technology were summarized.

Key words: software security, control flow hijacking attacks, control flow integrity, randomization

中图分类号:

TP309.2

王丰峰,张涛,徐伟光,孙蒙. 进程控制流劫持攻击与防御技术综述[J]. 网络与信息安全学报, 2019, 5(6): 10-20.

Fengfeng WANG,Tao ZHANG,Weiguang XU,Meng SUN. Overview of control-flow hijacking attack and defense techniques for process[J]. Chinese Journal of Network and Information Security, 2019, 5(6): 10-20.

图/表 7

图1

图2

表1

图3

图4

表2

表3

参考文献 52

[1]	邵思豪, 高庆, 马森 ,等. 缓冲区溢出漏洞分析技术研究进展[J]. 软件学报, 2018,29(5): 1179-1198.
	SHAO S H , GAO Q , MA S ,et al. Progress in research on buffer overflow vulnerability analysis technologies[J]. Journal of Software, 2018,29(5): 1179-1198
[2]	张超 . 针对控制流劫持攻击的软件安全防护技术研究[D]. 北京:北京大学, 2013.
	ZHANG C . Research on software security defense against control-flow hijacking attacks[D]. Beijing:Beijing University, 2013.
[3]	ROEMER R , BUCHANAN E , SHACHAM H ,et al. Return-oriented programming:systems,languages,and applications[J]. ACM Transactions on Information ＆ System Security, 2012,15(1): 1-34.
[4]	乔向东, 郭戎潇, 赵勇 . 代码复用对抗技术研究进展[J]. 网络与信息安全学报, 2018,4(3): 1-12.
	QIAO X D , GUO R X , ZHAO Y . Research progress in code reuse attacking and defending[J]. Chinese Journal of Network and Information Security, 2018,4(3): 1-12.
[5]	DAVI L , SADEGHI A R , WINANDY M . ROPdefender:a detection tool to defend against return-oriented programming attacks[C]// The 6th ACM Symposium on Information,Computer and Communications Security. 2011: 40-51.
[6]	BLETSCH T , JIANG X , FREEH V W ,et al. Jump-oriented programming:a new class of code-reuse attack[C]// The 6th ACM Symposium on Information,Computer and Communications Security. 2011: 30-40.
[7]	CHECKOWAY S , DAVI L , DMITRIENKO A ,et al. Return-oriented programming without returns[C]// ACM Conference on Computer ＆ Communications Security. 2010: 559-572.
[8]	钱逸 . 基于 ARM 架构的 ROP 攻击与防御技术研究[D]. 上海:上海交通大学, 2012.
	QIAN Y . ROP attack and defense technology based on ARM[D]. Shanghai:Shanghai Jiaotong University, 2012.
[9]	BUCHANAN E , ROEMER R , SHACHAM H ,et al. When good instructions go bad:Generalizing return-oriented programming to RISC[C]// The 15th ACM Conference on Computer and Communications Security. 2008: 27-38.
[10]	DAVI L , DMITRIENKO A , SADEGHI A ,et al. Return-oriented programming without returns on ARM[R]. Ruhr-University Bochum, 2010.
[11]	KORNAU T . Return oriented programming for the ARM architecture[D]. Ruhr:Ruhr-Universit?t Bochum, 2010.
[12]	DULLIEN T , PORST S . REIL:a platform-independent intermediate representation of disassembled code for static code analysis[J]. Cansecwest, 2009.
[13]	DULLIEN T , KORNAU T , WEINMANN R . A framework for automated architecture independent gadget search[C]// Usenix Conference on Offensive Technologies. 2010:1.
[14]	PaX team:PaX address space layout randomization (ASLR)[EB].
[15]	SNOW K Z , MONROSE F , DAVI L ,et al. Just-in-time code reuse:on the effectiveness of fine-grained address space layout randomization[C]// 2013 IEEE Symposium on Security and Privacy. 2013: 574-588.
[16]	BITTAU A , BELAY A , MASHTIZADEH A ,et al. Hacking blind[C]// 2014 IEEE Symposium on Security and Privacy. 2014: 227-242.
[17]	COWAN C , PU C , MAIER D ,et al. StackGuard:automatic adaptive detection and prevention of buffer-overflow attacks[C]// USENIX Security Symposium. 1998:98 63-78.
[18]	TSAI T , SINGH N . Libsafe:transparent system-wide protection against buffer overflow attacks[C]// International Conference on Dependable Systems and Networks. IEEE, 2002:541.
[19]	COWAN C , BARRINGER M , BEATTIE S ,et al. FormatGuard:automatic protection from printf format string vulnerabilities[C]// USENIX Security Symposium. 2001,91.
[20]	MARTíN A , BUDIU M , ERLINGSSON , úLFAR . Control-flow integrity[C]// ACM Conference on Computer ＆ Communications Security. 2005:340.
[21]	武成岗, 李建军 . 控制流完整性的发展历程[J]. 中国教育网络, 2016(4): 52-55.
	WU C G , LI J J . The evolution of control flow integrity[J]. China Education Network, 2016(4): 52-55.
[22]	MASHTIZADEH A J , BITTAU A , MAZIERES D ,et al. Cryptographically enforced control flow integrity[J]. arXiv preprint arXiv:1408.1451, 2014.
[23]	CRISWELL J , DAUTENHAHN N , ADVE V . KCoFI:complete control-flow integrity for commodity operating system kernels[C]// 2014 IEEE Symposium on Security and Privacy. 2014: 292-307.
[24]	ZHANG C , WEI T , CHEN Z ,et al. Practical control flow integrity and randomization for binary executables[J]. IEEE Symposium on Security ＆ Privacy, 2013: 559-573.
[25]	ZHANG M , SEKAR R . Control Flow Integrity for {COTS} Binaries[C]// Presented as part of the 22nd Security Symposium. 2013: 337-352.
[26]	G?KTAS E , ATHANASOPOULOS E , BOS H ,et al. Out of control:overcoming control-flow integrity[J]. Security ＆ Privacy, 2014: 575-589.
[27]	CONTI M , CRANE S , DAVI L ,et al. Losing control:on the effectiveness of control-flow integrity under stack attacks[C]// The 22nd ACM SIGSAC Conference on Computer and Communications Security. 2015: 952-963.
[28]	CARLINI N , BARRESI N , MATHIAS P ,et al. Control-flow bending:on the effectiveness of control-flow integrity[C]// Usenix Conference on Security Symposium. 2015: 161-176.
[29]	OTGONBAATAR U . Evaluating modern defenses against control flow hijacking[D]. Massachusetts:Massachusetts Institute of Technology, 2015.
[30]	PAPPAS V , POLYCHRONAKIS M , KEROMYTIS A D . Transparent {ROP} exploit mitigation using indirect branch tracing[C]// Presented as Part of the 22nd {USENIX} Security Symposium ({USENIX} Security 13). 2013: 447-462.
[31]	QIU P , LYU Y , ZHANG J ,et al. Control flow integrity based on lightweight encryption architecture[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2018,37(7): 1358-1369.
[32]	ZHANG J , QI B , QIN Z ,et al. HCIC:Hardware-assisted control-flow integrity checking[J]. IEEE Internet of Things Journal, 2018,6(1): 458-471.
[33]	蔡桂林, 王宝生, 王天佐 ,等. 移动目标防御技术研究进展[J]. 计算机研究与发展, 2016,53(5): 968-987.
	CAI G L , WANG B S , WANG T Z ,et al. Research and development of moving target defense technology[J]. Journal of Computer Research and Development, 2016,53(5): 968-987.
[34]	FORREST S , SOMAYAJI A , ACKLEY D H . Building diverse computer systems[C]// The Sixth Workshop on Hot Topics in Operating Systems (Cat.No.97TB100133). 1997: 67-72.
[35]	SHACHAM H , PAGE M , PFAFF B ,et al. On the effectiveness of address-space randomization[C]// The 11th ACM Conference on Computer and Communications Security. 2004: 298-307.
[36]	KIL C , JUN J , BOOKHOLT C ,et al. Address space layout permutation (ASLP):towards fine-grained randomization of commodity software[C]// 2006 22nd Annual Computer Security Applications Conference (ACSAC'06). 2006: 339-348.
[37]	HISER J , NGUYEN-TUONG A ,et al. ILR:Where'd my gadgets go[C]// 2012 IEEE Symposium on Security and Privacy. 2012: 571-585.
[38]	IYER V , KANITKAR A , DASGUPTA P ,et al. Preventing overflow attacks by memory randomization[C]// 2010 IEEE 21st International Symposium on Software Reliability Engineering. 2010: 339-347.
[39]	BHATKAR S , DUVARNEY D C , SEKAR R . Address obfuscation:an efficient approach to combat a broad range of memory error exploits[C]// USENIX Security Symposium. 200312(2): 291-301.
[40]	BHATKAR S , DUVARNEY D C , SEKAR R . efficient techniques for comprehensive protection from memory error exploits[C]// USENIX Security Symposium. 2005:17.
[41]	BACKES M AND , NURNBERGER S , . Oxymoron:making fine-grained memory randomization practical by allowing code sharing[C]// Usenix Conference on Security Symposium. 2014: 433-447.
[42]	GIUFFRIDA C , KUIJSTEN A , TANENBAUM A S . Enhanced operating system security through efficient and fine-grained address space randomization[C]// Presented as Part of the 21st {USENIX}Security Symposium ({USENIX} Security 12). 2012: 475-490.
[43]	CHEN X , XUE R , Wu C . Timely address space rerandomization for resisting code reuse attacks[J]. Concurrency and Computation:Practice and Experience, 2017,29(16):e3965.
[44]	侯宇 . 基于动态随机化和只可执行内存的JIT-ROP防御研究[D]. 南京:南京大学, 2016.
	HOU Y . Defence against JIT-ROP based on dynamic randomization and executable only memory[D]. Nanjing:Nanjing University, 2016
[45]	CHEN Y , WANG Z , WHALLEY D ,et al. Remix:on-demand live randomization[C]// The sixth ACM Conference on Data and Application Security and Privacy. 2016: 50-61.
[46]	HAWKINS W , NGUYEN-TUONG A , HISER J D ,et al. Mixr:flexible runtime rerandomization for binaries[C]// The 2017 Workshop on Moving Target Defense. 2017: 27-37.
[47]	BIGELOW D , HOBSON T , RUDD R ,et al. Timely rerandomization for mitigating memory disclosures[C]// ACM Sigsac Conference on Computer ＆ Communications Security, 2015: 268-279.
[48]	雷啸 . 内存信息泄露的运行中随机化防御方法的研究与改进[D]. 南京:南京大学, 2017.
	LEI X . Research and improvement of runtime randomization defense method against memory information leakage[D]. Nanjing:Nanjing University, 2017.
[49]	MORTON M , KOO H , LI F ,et al. Defeating zombie gadgets by re-randomizing code upon disclosure[C]// International Symposium on Engineering Secure Software and Systems. 2017: 143-160.
[50]	LU K , NURNBERGER S , BACKES M ,et al. How to make ASLR win the clone wars:runtime re-randomization[C]// Network ＆ Distributed System Security Symposium. 2016.
[51]	DAVI L , LIEBCHEN C , SADEGHI A R ,et al. Isomeron:code randomization resilient to (just-in-time) return-oriented programming[C]// Network ＆ Distributed System Security Symposium. 2015.
[52]	WILLIAMS-KING D , GOBIESKI G , WILLIAMS-KING K . Shuffler:fast and deployable continuous code re-randomization[C]// 12th {USENIX} Symposium on Operating Systems Design and Implementation ({OSDI} 16). 2016: 367-382.

分类	名称	技术特点	安全性评价	性能损耗	存在问题
细粒度CFI	CFI	比对间接转移指令，确保控制流在合理CFG中	能有效抵御控制流劫持攻击，但存在因CFG构造不完善而被攻击者攻击的风险	SPEC CPU 2000基准平均开销约16%	对转移指令进行精细检查带来巨大性能开销
	CCFI	计算影响控制流对象的消息认证码，并加密		SPEC CPU 2006基准平均开销约52%
	KCoFI	验证进程控制流并加强对关键数据结构的保护		LMbench基准130%～150%开销
粗粒度CFI	CCFIRbinCFI	利用具体方案，将同类转移指令归纳到一起，减少对转移指令的精细检查	相对于细粒度 CFI，安全性有所下降	SPEC CPU 2006 基准平均开销约3.68%SPECCPU2006 基准平均开销约4.29%	粗粒度 CFI会导致系统抵御攻击的能力下降
基于硬件的CFI	kBouncer	利用寄存器来监视跳转指令，以实现CFI	能抵御多种溢出攻击，但LBR只有16条记录，因此攻击者可能寻找更长路径进行攻击	Wine测试基准，平均开销约为1%	需要特定硬件支持，同时需要减少漏报和误报。针对kBouncer，攻击者可能寻找更长路径进行攻击
	LEA-AES	基于 LEA-AES 进行完整性验证	减少攻击者用来组织ROP攻击的gadget平均约88.93%	以12种开源程序为基准，平均性能开销约3.19%
	HCIC	利用HCIC技术实现低开销的CFI	在不泄露密钥的情况下，能抵御ROP攻击，漏报率低，无误报	多个测试基准，平均性能开销约0.95%

分类	名称	技术特点	安全性评价	性能损耗	存在问题
基于时间	JIT-ASR	利用虚拟内存管理实现内存布局随机化	随机化间隔足够小时，能有效抵御控制流劫持攻击	SPEC CPU 2006 基准平均开销约1.2%	无法消除安全性与性能开销之间的矛盾， Chameleon、Remix、Mixr开销过高，JIT-ASR需要额外寄存器辅助实现
	Chame-leon	结合取指异或进行内存布局随机化		SPEC CPU 2006基准，不同随机化频率，开销不同，范围大致10%~20% SPEC CPU 2006基准，不同随机化频率，开销不同，大部分频率开销小于5%
	Remix	随机化函数基本块
	Mixr	修改二进制文件实现内存随机化		SPEC CPU 2006基准，平均开销约60%
基于风险	TASR	当进程存在风险操作时触发内存布局随机化，雷啸对TASR做出了改进	能抵御通过 I/O进行的攻击，但不能保护动态生成的代码	SPEC CPU 2006 基准平均开销约2.1%，进程 I/O 密集时超过 50%，雷啸改进后 TASR 部署在 I/O 密集进程中时，开销基本小于10%	依赖源代码，同时无法有效保护动态生成的代码
	Runtime-ASLR	利用动态信息流追踪，对子进程进行内存随机化操作	能有效抵御BROP攻击	SPEC CPU 2006基准，nginx启动延迟约35 s，子进程无性能开销	父进程开销过大，存在一定指针误报
运行路径随机化	Ismeron	加载多个进程映像并在运行时进行随机切换	能有效抵御控制流劫持攻击，尤其是依赖长ROP链的攻击	SPEC CPU 2006 基准平均开销约19%	空间开销大，攻击者可能会攻击执行分配器
	Shuffler			SPEC CPU 2006基准，每50 ms随机化一次，平均开销约15%

防御技术名称	思想基础	基本原理	有效性分析	性能损耗	典型技术代表	主要问题
控制流完整性	可信计算、正确性	限制程序中的控制流转移，从而使进程运行时控制流只在其原有控制流图所限定的范围内，保证进程运行过程可信	粗粒度CFI抵御攻击的安全性有限，细粒度CFI也存在被攻克的可能性，无法阻碍攻击的扩散	性能开销普遍较大	CFI、CCFI、binCFI…	无法完全正确地刻画程序控制流图，性能开销普遍较大，存在被攻击者攻击的风险
运行时再随机化	主动变换防御、概率论	通过不断改变进程内存布局，实现攻击面的动态变换，从而增加攻击者攻击成功的代价和复杂性，降低其攻击成功的概率，提高系统的稳健性	消除攻击者积累的关于软件内存布局的知识，大幅降低攻击者攻击成功的概率，同时能阻碍攻击的扩散	性能开销普遍较大	TASR、Chameleon、Remix、RuntimeASLR…	存在误报可能性，性能开销普遍较大