基于ROP/JOP gadgets性质的软件多样化评估方法

doi:10.11959/j.issn.2096-109x.2022086

摘要/Abstract

摘要：

为应对信息化生活中的网络攻击及威胁，降低网络系统中同质化攻击快速蔓延的风险，增强网络和软件的安全性，软件多样化技术被应用到系统中。软件多样化旨在生成功能等价但内部发生变化的程序变体，从而改变单一的运行环境，缓解同质化攻击。现有的多样化技术的评估指标 ROP（return-oriented programming）gadgets 幸存率难以直接体现安全性影响且评估方法单一，为了更加全面有效地评估软件多样化方法的有效性，提出基于ROP/JOP（jump-oriented programming）gadgets性质的软件多样化评估方法，通过分析常见的代码重用攻击，将抽象的量化转为具象的指标，从空间、时间及质量3个方面评估多样化方法的安全增益及效果。该方法根据gadgets的相似性、损坏度和可用性3个性质探讨软件多样化技术如何影响ROP/JOP攻击。用指令替换、NOP插入、控制流平坦等9种多样化方法对GNU coreutils程序集进行多样化编译生成多样化程序集。对多样化程序集进行基于 gadgets 性质的实验，根据实验结果评估不同多样化方法的有效性及对攻击造成的影响。实验结果表明，该方法能够对软件多样化方法的安全增益进行准确评估，多样化技术会导致 ROP/JOP 攻击所需的攻击链空间增大，构造攻击链的时间变长且攻击成功率降低。不同的多样化方法产生的效果高低不一，对后续研究具有更高安全增益的多样化技术有指导作用。

关键词: 软件多样化, ROP/JOP攻击, gadgets性质, 安全增益评估

Abstract:

In order to reduce the risk of rapid spread of homogeneous attacks in network systems, and enhance network and software security, software diversification technologies are applied widely nowadays.Software diversification aims to generate functionally equivalent but internally changed program variants, thereby alter a single operating environment and mitigating homogenization attacks.The existing diversified technical evaluation index ROP gadgets survival rate is difficult to directly reflect the safety impact and the evaluation method is single.In order to evaluate the effectiveness of the diversification method more comprehensively and effectively, a software diversification evaluation method based on the properties of ROP/JOP gadgets is proposed, by analyzing common code reuse attacks, and turns abstract quantification into concrete indicators evaluates the security gain and effect of diversified methods from three aspects of space, time and quality.The method first discusses how diversification techniques affect ROP/JOP attacks according to the three properties of gadgets similarity, damage degree and availability.Nine kinds of diversification methods, such as instruction replacement, NOP insertion, and control flow flattening, are used to diversify the GNU coreutils assembly to generate diversification assembly.Experiments based on the property of gadgets are carried out on the diverse assemblies, and the effectiveness of different diversification methods and the impact on attacks are evaluated according to the experimental results.The experimental results show that this method can accurately evaluate the security gain of software diversification methods, the diversification technology will lead to the increase of the attack chain space required by the ROP/JOP attack, the longer time to construct the attack chain and the lower the attack success rate.The effects of different diversification methods are different, it has a guiding role for the follow-up research on diversified technologies with higher safety gains.

Key words: software diversification, ROP/JOP attack, gadgets properties, safety gain evaluation

中图分类号:

TP393

迟宇宁, 郭云飞, 王亚文, 扈红超. 基于ROP/JOP gadgets性质的软件多样化评估方法[J]. 网络与信息安全学报, 2022, 8(6): 135-145.

Yuning CHI, Yunfei GUO, Yawen WANG, Hongchao HU. Software diversity evaluation method based on the properties of ROP/JOP gadgets[J]. Chinese Journal of Network and Information Security, 2022, 8(6): 135-145.

图/表 10

表1

图1

表2

图2

图3

图4

图5

图6

图7

表3

参考文献 26

[1]	LITCHFIELD D . Buffer Underruns,DEP,ASLR and improving the exploitation prevention mechanisms (XPMs) on the Windows platform[EB].
[2]	ABADI M , BUDIU M H , ERLINGSSON ú ,et al. Control-flow integrity[C]// Proceedings of the 12th ACM conference on Computer and Communications Security CCS '05. 2005: 340-353.
[3]	LIVSHITS V B , LAM M S . Finding security vulnerabilities in Java applications with static analysis[J]. 14th USENIX Security Symposium, 2005: 271-286.
[4]	姚东, 张铮, 张高斐 ,等. 多变体执行安全防御技术研究综述[J]. 信息安全学报, 2020,5(5): 77-94.
	YAO D , ZHANG Z , ZHANG G F ,et al. A survey on multi-variant execution security defense technology[J]. Journal of Cyber Security, 2020,5(5): 77-94.
[5]	GIUFFRIDA C , KUIJSTEN A , TANENBAUM A S . Enhanced operating system security through efficient and fine-grained address space randomization[C]// Proceedings of the 21st USENIX Conference on Security symposium. 2012:40.
[6]	HISER J , NGUYEN-TUONG A , CO M ,et al. ILR:where'd my gadgets go[C]// Proceedings of 2012 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2012: 571-585.
[7]	刘镇武, 隋然, 张铮 ,等. 基于信息熵与软件复杂度的软件多样性评估方法[J]. 信息工程大学学报, 2020,21(2): 207-213.
	LIU Z W , SUI R , ZHANG Z ,et al. Software diversity evaluation method based on information entropy and software complexity[J]. Journal of Information Engineering University, 2020,21(2): 207-213.
[8]	HERNANDEZ-CASTRO J , ROSSMAN J . Measuring software diversity,with applications to security[J]. arXiv:1310.3307, 2013.
[9]	SHANNON C E . A mathematical theory of communication[J]. Bell System Technical Journal, 1948,27(3): 379-423.
[10]	COHEN F B . Operating system protection through program evolution[J]. Computers ＆ Security, 1993,12(6): 565-584.
[11]	COFFMAN J , KELLY D M , WELLONS C C ,et al. ROP gadget prevalence and survival under compiler-based binary diversification schemes[C]// Proceedings of the 2016 ACM Workshop on Software Protection. 2016: 15-26.
[12]	COPPENS B , DE SUTTER B , MAEBE J . Feedback-driven binary code diversification[J]. ACM Transactions on Architecture and Code Optimization, 2013,9(4): 1-26.
[13]	BRUMLEY D , POOSANKAM P , SONG D ,et al. Automatic patch-based exploit generation is possible:techniques and implications[C]// Proceedings of 2008 IEEE Symposium on Security and Privacy. 2008: 143-157.
[14]	SEBASTIAN B , CHRISTIAN C , VIJAY G ,et al. Code obfuscation against symbolic execution attacks[C]// Proceedings of the 32nd Annual Conference on Computer Security Applications (ACSAC ’16). 2016: 189-200.
[15]	SEBASTIAN B , CHRISTIAN C , AND ALEXANDER P . Predicting the resilience of obfuscated code against symbolic execution attacks via machine learning[C]// Proceedings of the 26th USENIX Security Symposium. 2017: 661-678.
[16]	FABIO P , MATTEO D’A , DAVIDE B . Beyond precision and recall:understanding uses (and misuses) of similarity hashes in binary analysis[C]// Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy (CODASPY ’18). 2018: 354-365.
[17]	COFFMAN J , CHAKRAVARTY A , RUSSO J A ,et al. Quantifying the effectiveness of software diversity using near-duplicate detection algorithms[C]// Proceedings of the 5th ACM Workshop on Moving Target Defense. 2018: 1-10.
[18]	HOMESCU A , NEISIUS S , LARSEN P ,et al. Profile-guided automated software diversity[C]// Proceedings of the 2013 IEEE/ACM International Symposium on Code Generation and Optimization (CGO). Piscataway:IEEE Press, 2013: 1-11.
[19]	ROEMER R , BUCHANAN E , SHACHAM H ,et al. Return-oriented programming[J]. ACM Transactions on Information and System Security, 2012,15(1): 1-34.
[20]	BLETSCH T , JIANG X X , FREEH V W ,et al. Jump-oriented programming:a new class of code-reuse attack[C]// Proceedings of the 6th ACM Symposium on Information,Computer and Communications Security - ASIACCS '11. 2011: 30-40.
[21]	COHEN F B . Operating system protection through program evolution[J]. Computers ＆ Security, 1993,12(6): 565-584.
[22]	CRANE S , LIEBCHEN C , HOMESCU A ,et al. Readactor:practical code randomization resilient to memory disclosure[C]// Proceedings of 2015 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2015: 763-780.
[23]	JUNOD P , RINALDINI J , WEHRLI J ,et al. Obfuscator-LLVM:software protection for the masses[C]// Proceedings of 2015 IEEE/ACM 1st International Workshop on Software Protection. 2015: 3-9.
[24]	LáSZLó T , KISS á . Obfuscating C++ programs via control flow flattening[C]// Processing of Annales Universitatis Scientarum 25 Budapestinensis de Rolando E¨otv¨os Nominatae,Sectio. 2009.
[25]	COLLBERG C , THOMBORSON C , LOW D . Manufacturing cheap,resilient,and stealthy opaque constructs[C]// Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages - POPL '98. 1998: 184-196.
[26]	AHMED S , XIAO Y , SNOW K Z ,et al. Methodologies for quantifying (re-) randomization security and timing under JIT-ROP[C]// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020: 1803-1820.

数据集	版本	文件数	KLOC	指令数
GNU coreutils	8.3	100	60.1	700

gadget类型	描述	形式	示例
移动寄存器MR	将a寄存器参数赋给b寄存器	mov reg1, reg2	mov rax, edx
加载寄存器LR	将参数加载进寄存器	pop reg	pop r15
加载内存LM	将内存存放的参数给寄存器	mov reg1,[reg2]	mov eax,[rax]
存储内存SM	将寄存器参数存入内存	mov[reg1], reg2	mov[rax], esi
		add reg1, reg2	add ebx, rsi
算术操作AM	两个寄存器之间的算术运算/加载存储	add[reg1], reg2	add[rcx], al
		add reg, const	add eax, 0x208d8e
栈操作SP	设置栈顶指针	xchg rsp, reg	xchg rsp, rax
跳转操作JMP	设置指令指针	jmp reg	jmp qword ptr[rsi+0x41]
函数调用CALL	通过寄存器跳转到某函数	call reg	call qword ptr[rsi+0x20]

变体生成技术	Gadgets相似度		Gadgets损坏率		Gadgets收集效率（个/s）
变体生成技术	ROP	JOP	ROP	JOP	ROP	JOP
CFF	6.73%	6.66%	34%	28%	35.9	46.7
NI	4.56%	5.23%	31%	26%	22.5	26.7
FCF	7.63%	8.56%	23%	20%	51.2	50.4
GVS	7.69%	8.50%	28%	18%	52.8	50.0
IR	7.75%	8.69%	25%	19%	51.4	52.5
FR	7.38%	8.51%	23%	21%	54.0	53.7
RS	7.91%	9.02%	14%	10%	54.1	50.4
FS	7.96%	8.71%	18%	11%	50.4	50.5
ESH	7.82%	8.79%	21%	12%	51.0	52.5
Normal	—	—	4%	3%	62.6	43.8