基于二进制重写的软件多样化方法

doi:10.11959/j.issn.2096-109x.2023024

网络与信息安全学报 ›› 2023, Vol. 9 ›› Issue (2): 94-103.doi: 10.11959/j.issn.2096-109x.2023024

基于二进制重写的软件多样化方法

何本伟, 郭云飞, 王亚文, 王庆丰, 扈红超

信息工程大学，河南郑州 450001

修回日期:2023-03-02 出版日期:2023-04-25 发布日期:2023-04-01
作者简介:何本伟（1998- ），男，安徽滁州人，信息工程大学硕士生，主要研究方向为网络空间安全和软件多样化
郭云飞（1963- ），男，河南郑州人，信息工程大学教授、博士生导师，主要研究方向为网络空间安全、云安全和电信网安全
王亚文（1990- ），男，河南郑州人，信息工程大学助理研究员，主要研究方向为拟态防御和云计算
王庆丰（1995- ），男，河南周口人，信息工程大学助理研究员，主要研究方向为拟态防御和软件多样化
扈红超（1982- ），男，河南商丘人，信息工程大学研究员，主要研究方向为云计算和网络安全
基金资助:
国家重点研发计划(2021YFB1006200);国家重点研发计划(2021YFB1006201);国家自然科学基金(62072467)

Software diversification method based on binary rewriting

Benwei HE, Yunfei GUO, Yawen WANG, Qingfeng WANG, Hongchao HU

Information Engineering University, Zhengzhou 450001, China

Revised:2023-03-02 Online:2023-04-25 Published:2023-04-01
Supported by:
The National Key R＆D Program of China(2021YFB1006200);The National Key R＆D Program of China(2021YFB1006201);The National Natural Science Foundation of China(62072467)

摘要/Abstract

摘要：

软件多样化是应对代码重用攻击的有效方法，但现有软件多样化技术大多基于源代码实现，相比二进制文件，程序源代码并不容易获得。二进制文件难以做到精准拆卸、区分代码指针和数据常量，使得对二进制文件的多样化转换有限，难以产生足够高的随机化熵，容易被攻击者暴力破解。针对此问题，提出一种面向二进制文件的软件多样化方法，指令偏移随机化，该方法基于静态二进制重写技术在程序指令前以一定概率插入不同字节长度的无操作（NOP）指令，不仅能够减少程序中非预期的gadget数量，还使原指令地址发生随机偏移，打乱程序原有的内存布局，增加了代码重用攻击的成本。同时，针对所提方法设计了基于“热”代码的优化策略，通过动态插桩获得二进制文件中基本块的执行次数，以此调整每个基本块中NOP指令的插入概率，在执行频率更高的基本块中插入更少的NOP指令，可以保证较低性能开销的同时产生更高的随机化熵。实验部分使用SPEC基准测试程序，从性能开销、gadget存活率、文件大小等角度对优化后的方法进行实例测试，结果表明：当插入概率为 15%时效果最好，程序中 gadget 平均存活率趋于稳定且小于1.49%，增加攻击者重复利用相同gadget攻击链攻击难度的同时，该安全性下仅额外增加了4.1%的运行开销和7.7%的文件膨胀率。

关键词: 软件多样化, 二进制重写, NOP指令插入, 代码重用攻击

Abstract:

Software diversity is an effective defense against code-reuse attacks, but most existing software diversification technologies are based on source code.Obtaining program source code may be difficult, while binary files are challenging to disassemble accurately and distinguish between code pointers and data constants.This makes binary file diversification difficult to generate high levels of randomization entropy, and easily compromised by attackers.To overcome these challenges, a binary file oriented software diversification method was proposed based on static binary rewriting technology, namely instruction offset randomization.This method inserted NOP instructions of varying byte lengths before program instructions with a certain probability, reducing the number of unintended gadgets in the program and randomly offsetting the original instruction address.This disrupts the program’s original memory layout and increases the cost of code-reuse attacks.At the same time, an optimization strategy based on hot code was designed for this method.The execution times of basic blocks in binary files were obtained by dynamic pile insertion, so as to adjust the NOP instruction insertion probability in each basic block.The higher the execution frequency, the fewer NOP instructions were inserted into the basic block, which can ensure lower performance overhead and produce higher randomization entropy.In the experimental part, the SPEC benchmark program was used to test the optimized method from the aspects of performance overhead, gadget survival rate and file size.The results show that a 15% insertion probability achieves the best effect, with an average gadget survival rate of less than 1.49%, increasing attackers’ difficulty in reusing the same gadget attack chain.Furthermore, only a 4.1% operation overhead and 7.7% space overhead are added, maintaining high levels of security.

Key words: software diversity, binary rewriting, NOP insertion, code-reuse attack

中图分类号:

TP311.5

何本伟, 郭云飞, 王亚文, 王庆丰, 扈红超. 基于二进制重写的软件多样化方法[J]. 网络与信息安全学报, 2023, 9(2): 94-103.

Benwei HE, Yunfei GUO, Yawen WANG, Qingfeng WANG, Hongchao HU. Software diversification method based on binary rewriting[J]. Chinese Journal of Network and Information Security, 2023, 9(2): 94-103.

图/表 8

图1

表1

图2

图3

图4

表2

图5

图6

参考文献 30

[1]	FRANZ M , . E unibus pluram:massive-scale software diversity as a defense mechanism[C]// Proceedings of the 2010 New Security Paradigms Workshop. 2010: 7-16.
[2]	LARSEN P , HOMESCU A , Brunthaler S ,et al. SoK:automated software diversity[C]// Proceedings of 2014 IEEE Symposium on Security and Privacy. 2014: 276-291.
[3]	COHEN F B . Operating system protection through program evolution[J]. Comput Secur, 1993,12(6): 565-584.
[4]	MARCO-GISBERT H , RIPOLL I . On the effectiveness of full-ASLR on 64-bit Linux[C]// Proceedings of the In-Depth Security Conference. 2014.
[5]	JACKSON T , SALAMAT B , HOMESCU A ,et al. Compiler-generated software diversity[M]// Moving Target Defense. New York: Springer, 2011: 77-98.
[6]	HISER J , NGUYEN-TUONG A , CO M ,et al. ILR:where＇d my gadgets go[C]// Proceedings of 2012 IEEE Symposium on Security and Privacy. 2012: 571-585.
[7]	COFFMAN J , KELLY D M , WELLONS C C ,et al. ROP gadget prevalence and survival under compiler-based binary diversification schemes[C]// Proceedings of the 2016 ACM Workshop on Software PROtection. 2016: 15-26.
[8]	CONTI M , . Selfrando:securing the tor browser against de- anonymization exploits[C]// Proceedings of Priv Enhancing Technol. 2016: 454-469.
[9]	JUNOD P , RINALDINI J , WEHRLI J ,et al. Obfuscator-LLVM--software protection for the masses[C]// Proceedings of 2015 IEEE/ACM 1st International Workshop on Software Protection. 2015: 3-9.
[10]	BANESCU S , COLLBERG C , PRETSCHNER A . Predicting the resilience of obfuscated code against symbolic execution attacks via machine learning[C]// Proceedings of 26th USENIX Security Symposium (USENIX Security 17). 2017: 661-678.
[11]	WENZL M , MERZDOVNIK G , ULLRICH J ,et al. From hack to elaborate technique—a survey on binary rewriting[J]. ACM Computing Surveys （CSUR）, 2019,52(3): 1-37.
[12]	HOMESCU A , NEISIUS S , LARSEN P ,et al. Profile-guided automated software diversity[C]// Proceedings of the 2013 IEEE/ACM Interna-tional Symposium on Code Generation and Optimization (CGO). 2013: 1-11.
[13]	MURPHY M , LARSEN P , BRUNTHALER S ,et al. Software profiling options and their effects on security based diversification[C]// Proceedings of the First ACM Workshop on Moving Target Defense. 2014: 87-96.
[14]	HOMESCU A , JACKSON T , CRANE S ,et al. Large-scale automated software diversity-program evolution redux[J]. IEEE Transactions on Dependable and Secure Computing, 2015,14(2): 158-171.
[15]	KRAHMER S . x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique[R]. 2005.
[16]	彭国军, 梁玉, 张焕国 ,等. 软件二进制代码重用技术综述[J]. 软件学报, 2017,28(8): 2026-2045.
	PENG G J , LIANG Y , ZHANG H G ,et al. Survey on software binary code reuse technologies[J]. Journal of Software, 2017,28(8): 2026-2045.
[17]	DAVI L , SADEGHI A R . Building secure defenses against code-reuse attacks[M]. Berlin: Springer International Publishing, 2015.
[18]	柳童, 史岗, 孟丹 . 代码重用攻击与防御机制综述[J]. Journal of信息安全学报, 2016,1(2).
	LIU T , SHI G , MENG D . A survey of code reuse attack and defense mechanisms[J]. Journal of Cyber Security, 2016,1(2).
[19]	AHMED S , XIAO Y , SNOW K Z ,et al. Methodologies for quantifying (Re-) randomization security and timing under JIT-ROP[C]// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020: 1803-1820.
[20]	侯宇 . 基于动态随机化和只可执行内存的JIT-ROP防御研究[D]. 南京:南京大学, 2016.
	HONG Y . Defence aginst JIT-ROP based on dynamic randomization and executable only memory[D]. Nanjing:Nanjing University, 2016.
[21]	WILLIAMS-KING D , KOBAYASHI H , WILLIAMS-KING K ,et al. Egalito:layout-agnostic binary recompilation[C]// Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems. 2020: 133-147.
[22]	LUK C K , COHN R , MUTH R ,et al. Pin:building customized program analysis tools with dynamic instrumentation[J]. ACM Sigplan Notices, 2005,40(6): 190-200.
[23]	CHATTERJEE N , BOSE S , DAS P P . Dynamic weaving of aspects in C/C++ using PIN[C]// Proceedings of the International Conference on High Performance Compilation,Computing and Communications. 2017: 55-59.
[24]	陈小全, 薛锐 . 程序漏洞:原因,利用与缓解——以 C 和 C++语言为例[J]. 信息安全学报, 2017,2(4).
	CHEN X Q , XUE R . Cause,exploitation and mitigation of program vulnerability—C and C++ language as an example[J]. Journal of Cyber Security, 2017,2(4).
[25]	MARCO-GISBERT H , RIPOLL I . Address space layout randomization next generation[J]. Applied Sciences, 2019,9(14): 2928.
[26]	GUIDE P . Intel? 64 and ia-32 architectures software developer’s manual[J]. Volume 3B:System programming Guide,Part, 2011,2(11).
[27]	PRIYADARSHAN S , NGUYEN H , SEKAR R . Practical fine-grained binary code randomization[C]// Proceedings of Annual Computer Security Applications Conference. 2020: 401-414.
[28]	SALWAN J , WIRTH A . ROPGadget[EB].
[29]	COPPENS B , DE SUTTER B , DE BOSSCHERE K . Protecting your software updates[J]. IEEE Security ＆ Privacy, 2012,11(2): 47-54.
[30]	WARTELL R , MOHAN V , HAMLEN K W ,et al. Binary stirring:self-randomizing instruction addresses of legacy X86 binary code[C]// Proceedings of the 2012 ACM Conference on Computer and Communications Security. 2012: 157-168.

字节长度/byte	编码	指令
1	90	nop
2	66 90	xchg　%ax,%ax
3	0F 1F 00	nopl　（%rax）
4	0F 1F 40 00	nopl　0x0（%rax）
5	0F 1F 44 00 00	nopl　0x0（%rax,%rax,1）
6	66 0F 1F 44 00 00	nopw　0x0（%rax,%rax,1）
3	48 89 ed	mov　%rbp, %rbp
3	48 89 e4	mov　%rsp, %rsp
3	48 8d 36	lea　（%rsi）, %rsi
3	48 8d 3f	lea　（%rdi）, %rdi

软件名称	Gadger数量	gadget的存活率
软件名称	Gadger数量	10%	30%	50%	75%	100%
401.bzip2	3 111	2.16%	1.39%	1.41%	1.34%	1.49%
403.gcc	142 130	0.11%	0.09%	0.08%	0.09%	0.08%
433.milc	4 557	1.79%	1.84%	1.87%	1.58%	1.53%
444.namd	7 331	0.95%	0.88%	0.81%	0.89%	0.74%
445.gobmk	28 457	0.37%	0.33%	0.37%	0.35%	0.32%
456.hmmer	12 749	1.00%	0.99%	0.88%	0.88%	0.90%
458.sjeng	6 397	1.19%	1.20%	1.00%	1.21%	1.05%
462.libquantum	2 097	2.59%	2.58%	2.09%	2.65%	2.27%
464.h264ref	19 242	0.45%	0.45%	0.43%	0.39%	0.40%
470.lbm	502	10.74%	6.62%	7.91%	6.78%	6.93%
471.omnetpp	22 182	0.82%	0.68%	0.69%	0.64%	0.62%
473.astar	1 838	2.45%	2.99%	3.02%	2.46%	2.56%
482.sphinx3	6 844	1.50%	1.69%	1.72%	1.44%	1.51%
483.xalancbmk	155 397	0.29%	0.12%	0.12%	0.12%	0.11%

基于二进制重写的软件多样化方法

Software diversification method based on binary rewriting

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献 30

相关文章 2

Metrics

推荐阅读 0

[1]	谢根琳, 程国振, 王亚文, 王庆丰. 基于gadget特征分析的软件多样性评估方法[J]. 网络与信息安全学报, 2023, 9(3): 161-173.
[2]	迟宇宁, 郭云飞, 王亚文, 扈红超. 基于ROP/JOP gadgets性质的软件多样化评估方法[J]. 网络与信息安全学报, 2022, 8(6): 135-145.