Chinese Journal of Network and Information Security, 2019, Vol. 5, Issue (6): 10-20. doi: 10.11959/j.issn.2096-109x.2019058
Revised: 2019-03-19
Online: 2019-12-15
Published: 2019-12-14
About the authors:
Fengfeng WANG (1994- ), male, born in Kunshan, Jiangsu; master's student at Army Engineering University of PLA; main research interest: system security | Tao ZHANG (1973- ), male, born in Jingchuan, Gansu; Ph.D., professor at Army Engineering University of PLA; main research interests: operating system security, database security, smart terminal software security | Weiguang XU (1984- ), male, born in Suzhou, Anhui; Ph.D., lecturer at Army Engineering University of PLA; main research interests: moving target defense, cryptography, blockchain | Meng SUN (1984- ), male, born in Qihe, Shandong; Ph.D., associate professor at Army Engineering University of PLA; main research interests: network security and machine learning, intelligent speech processing
Fengfeng WANG, Tao ZHANG, Weiguang XU, Meng SUN
Abstract:
Control-flow hijacking is a common class of attack against computer software; it does great harm to software security and is a research hotspot in the field of information security. First, research on process control-flow hijacking attacks is reviewed from the perspective of where the attack code comes from. Second, in light of the current state of control-flow hijacking attack techniques, recent defense techniques from China and abroad are introduced according to the defensive idea each is built on. Finally, development trends in control-flow hijacking attack and defense techniques are summarized and discussed.
Fengfeng WANG,Tao ZHANG,Weiguang XU,Meng SUN. Overview of control-flow hijacking attack and defense techniques for process[J]. Chinese Journal of Network and Information Security, 2019, 5(6): 10-20.
Table 1 Comparison of control-flow integrity defense techniques

| Category | Name | Technical features | Security evaluation | Performance overhead | Open problems |
|---|---|---|---|---|---|
| Fine-grained CFI | CFI | Checks indirect transfer instructions to ensure control flow stays within a legitimate CFG | Effectively resists control-flow hijacking, but an imperfectly constructed CFG leaves room for attack | About 16% average overhead on SPEC CPU 2000 | Fine-grained checking of transfer instructions incurs a large performance overhead |
| Fine-grained CFI | CCFI | Computes a message authentication code over objects that affect control flow and encrypts them | (as above) | About 52% average overhead on SPEC CPU 2006 | (as above) |
| Fine-grained CFI | KCoFI | Verifies process control flow and strengthens protection of key data structures | (as above) | 130%-150% overhead on LMbench | (as above) |
| Coarse-grained CFI | CCFIR, binCFI | Uses concrete schemes that group transfer instructions of the same kind together, reducing fine-grained checks on individual instructions | Security is lower than that of fine-grained CFI | CCFIR: about 3.68% average overhead on SPEC CPU 2006; binCFI: about 4.29% average overhead on SPEC CPU 2006 | Coarse-grained CFI weakens the system's ability to resist attacks |
| Hardware-based CFI | kBouncer | Uses the LBR registers to monitor jump instructions and enforce CFI | Resists many overflow attacks, but the LBR holds only 16 records, so an attacker may look for longer paths | About 1% average overhead on the Wine benchmark | Requires specific hardware support and must reduce both false negatives and false positives; against kBouncer, an attacker may look for longer paths |
| Hardware-based CFI | LEA-AES | Integrity verification based on LEA-AES | Reduces the gadgets available for building ROP attacks by about 88.93% on average | About 3.19% average overhead over 12 open-source programs | (as above) |
| Hardware-based CFI | HCIC | Uses HCIC to implement low-overhead CFI | Resists ROP attacks as long as the key is not leaked, with a low false-negative rate and no false positives | About 0.95% average overhead over multiple benchmarks | (as above) |
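As an added illustration of the check that Table 1 summarizes (example code written for this page, not from the paper or any of the systems it lists), the toy C model below contrasts a fine-grained policy, which allows each indirect call site only the targets its CFG edges permit, with a coarse-grained policy that accepts any function entry at any site. The handler names, call sites and CFG edges are constructed assumptions.

```c
/* Added example (not from the paper): a toy model of a CFI check.
 * Fine-grained CFI allows only the CFG successors of each call site;
 * coarse-grained CFI accepts any function entry at any site. */
#include <stdbool.h>
#include <stddef.h>
typedef void (*handler_t)(void);
/* Hypothetical handlers reached through function pointers. */
static void on_read(void) {}
static void on_write(void) {}
static void admin_reset(void) {}
void not_in_cfg(void) {}   /* models a corrupted function pointer target */
#define NUM_SITES 2
#define MAX_TARGETS 4
/* CFG edges: site 0 is the I/O dispatcher, site 1 the admin dispatcher
 * (NULL-terminated lists, as a static CFG analysis would emit them). */
static const handler_t cfg_edges[NUM_SITES][MAX_TARGETS] = {
    { on_read, on_write, NULL },
    { admin_reset, NULL },
};
/* Every legitimate function entry, used by the coarse-grained policy. */
static const handler_t all_entries[] = { on_read, on_write, admin_reset, NULL };

static bool in_set(const handler_t *set, handler_t target) {
    for (; *set != NULL; set++)
        if (*set == target)
            return true;
    return false;
}

/* Fine-grained CFI: the target must be a CFG successor of this call site. */
bool cfi_fine_check(int site, handler_t target) {
    if (site < 0 || site >= NUM_SITES)
        return false;
    return in_set(cfg_edges[site], target);
}

/* Coarse-grained CFI: any known function entry passes, whatever the site. */
bool cfi_coarse_check(handler_t target) {
    return in_set(all_entries, target);
}

/* Guarded indirect call: performs the call only if the chosen policy allows it. */
bool guarded_call(int site, handler_t target, bool fine_grained) {
    bool ok = fine_grained ? cfi_fine_check(site, target) : cfi_coarse_check(target);
    if (ok)
        target();
    return ok;
}
```

A valid function entry that is not a CFG successor of the call site passes the coarse check but fails the fine-grained one, which is the security gap Table 1 notes for coarse-grained CFI.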
Table 2 Comparison of process runtime re-randomization techniques

| Category | Name | Technical features | Security evaluation | Performance overhead | Open problems |
|---|---|---|---|---|---|
| Time-based | JIT-ASR | Uses virtual memory management to randomize the memory layout | With a sufficiently small randomization interval, effectively resists control-flow hijacking | About 1.2% average overhead on SPEC CPU 2006 | Cannot remove the tension between security and performance overhead: Chameleon, Remix and Mixr cost too much, and JIT-ASR needs extra registers to assist its implementation |
| Time-based | Chameleon | Randomizes the memory layout combined with XOR on instruction fetch | (as above) | SPEC CPU 2006: overhead varies with randomization frequency, roughly 10%-20% | (as above) |
| Time-based | Remix | Randomizes the basic blocks within functions | (as above) | SPEC CPU 2006: overhead varies with randomization frequency, below 5% for most frequencies | (as above) |
| Time-based | Mixr | Modifies the binary file to randomize memory | (as above) | About 60% average overhead on SPEC CPU 2006 | (as above) |
| Risk-based | TASR | Triggers memory layout re-randomization when the process performs a risky operation; Lei Xiao improved TASR | Resists attacks carried out through I/O, but cannot protect dynamically generated code | About 2.1% average overhead on SPEC CPU 2006, exceeding 50% when the process is I/O intensive; with Lei Xiao's improved TASR deployed in I/O-intensive processes, overhead is mostly below 10% | Depends on source code, and cannot effectively protect dynamically generated code |
| Risk-based | RuntimeASLR | Uses dynamic information flow tracking to re-randomize child processes | Effectively resists BROP attacks | SPEC CPU 2006: nginx start-up delay of about 35 s; no overhead in child processes | Parent-process overhead is too high, and there are some pointer false positives |
| Execution-path randomization | Isomeron | Loads multiple process images and switches between them randomly at runtime | Effectively resists control-flow hijacking, especially attacks that rely on long ROP chains | About 19% average overhead on SPEC CPU 2006 | Large space overhead; an attacker may target the execution allocator |
| Execution-path randomization | Shuffler | | | SPEC CPU 2006: re-randomizing every 50 ms, about 15% average overhead | |
Table 3 Comparison of process runtime dynamic defense techniques

| Defense technique | Underlying idea | Basic principle | Effectiveness analysis | Performance overhead | Representative techniques | Main problems |
|---|---|---|---|---|---|---|
| Control-flow integrity | Trusted computing, correctness | Restricts control transfers in the program so that the runtime control flow stays within the bounds of its original control-flow graph, keeping process execution trustworthy | Coarse-grained CFI offers limited security, fine-grained CFI can also be defeated, and neither can stop an attack from spreading | Generally high | CFI, CCFI, binCFI, ... | Cannot characterize the program's control-flow graph completely and correctly; generally high performance overhead; remains at risk of attack |
| Runtime re-randomization | Active transformation defense, probability theory | Continually changes the process memory layout to transform the attack surface dynamically, raising the cost and complexity of a successful attack, lowering its probability of success, and improving system robustness | Erases the knowledge an attacker has accumulated about the software's memory layout, greatly lowering the probability of a successful attack, and can hinder the spread of an attack | Generally high | TASR, Chameleon, Remix, RuntimeASLR, ... | Possible false positives; generally high performance overhead |