基于ROP/JOP gadgets性质的软件多样化评估方法

doi:10.11959/j.issn.2096-109x.2022086

Abstract

Abstract:

In order to reduce the risk of rapid spread of homogeneous attacks in network systems, and enhance network and software security, software diversification technologies are applied widely nowadays.Software diversification aims to generate functionally equivalent but internally changed program variants, thereby alter a single operating environment and mitigating homogenization attacks.The existing diversified technical evaluation index ROP gadgets survival rate is difficult to directly reflect the safety impact and the evaluation method is single.In order to evaluate the effectiveness of the diversification method more comprehensively and effectively, a software diversification evaluation method based on the properties of ROP/JOP gadgets is proposed, by analyzing common code reuse attacks, and turns abstract quantification into concrete indicators evaluates the security gain and effect of diversified methods from three aspects of space, time and quality.The method first discusses how diversification techniques affect ROP/JOP attacks according to the three properties of gadgets similarity, damage degree and availability.Nine kinds of diversification methods, such as instruction replacement, NOP insertion, and control flow flattening, are used to diversify the GNU coreutils assembly to generate diversification assembly.Experiments based on the property of gadgets are carried out on the diverse assemblies, and the effectiveness of different diversification methods and the impact on attacks are evaluated according to the experimental results.The experimental results show that this method can accurately evaluate the security gain of software diversification methods, the diversification technology will lead to the increase of the attack chain space required by the ROP/JOP attack, the longer time to construct the attack chain and the lower the attack success rate.The effects of different diversification methods are different, it has a guiding role for the follow-up research on diversified technologies with higher safety gains.

Key words: software diversification, ROP/JOP attack, gadgets properties, safety gain evaluation

CLC Number:

TP393

Yuning CHI, Yunfei GUO, Yawen WANG, Hongchao HU. Software diversity evaluation method based on the properties of ROP/JOP gadgets[J]. Chinese Journal of Network and Information Security, 2022, 8(6): 135-145.

Figures/Tables 10

References 26

[1]	LITCHFIELD D . Buffer Underruns,DEP,ASLR and improving the exploitation prevention mechanisms (XPMs) on the Windows platform[EB].
[2]	ABADI M , BUDIU M H , ERLINGSSON ú ,et al. Control-flow integrity[C]// Proceedings of the 12th ACM conference on Computer and Communications Security CCS '05. 2005: 340-353.
[3]	LIVSHITS V B , LAM M S . Finding security vulnerabilities in Java applications with static analysis[J]. 14th USENIX Security Symposium, 2005: 271-286.
[4]	姚东, 张铮, 张高斐 ,等. 多变体执行安全防御技术研究综述[J]. 信息安全学报, 2020,5(5): 77-94.
	YAO D , ZHANG Z , ZHANG G F ,et al. A survey on multi-variant execution security defense technology[J]. Journal of Cyber Security, 2020,5(5): 77-94.
[5]	GIUFFRIDA C , KUIJSTEN A , TANENBAUM A S . Enhanced operating system security through efficient and fine-grained address space randomization[C]// Proceedings of the 21st USENIX Conference on Security symposium. 2012:40.
[6]	HISER J , NGUYEN-TUONG A , CO M ,et al. ILR:where'd my gadgets go[C]// Proceedings of 2012 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2012: 571-585.
[7]	刘镇武, 隋然, 张铮 ,等. 基于信息熵与软件复杂度的软件多样性评估方法[J]. 信息工程大学学报, 2020,21(2): 207-213.
	LIU Z W , SUI R , ZHANG Z ,et al. Software diversity evaluation method based on information entropy and software complexity[J]. Journal of Information Engineering University, 2020,21(2): 207-213.
[8]	HERNANDEZ-CASTRO J , ROSSMAN J . Measuring software diversity,with applications to security[J]. arXiv:1310.3307, 2013.
[9]	SHANNON C E . A mathematical theory of communication[J]. Bell System Technical Journal, 1948,27(3): 379-423.
[10]	COHEN F B . Operating system protection through program evolution[J]. Computers ＆ Security, 1993,12(6): 565-584.
[11]	COFFMAN J , KELLY D M , WELLONS C C ,et al. ROP gadget prevalence and survival under compiler-based binary diversification schemes[C]// Proceedings of the 2016 ACM Workshop on Software Protection. 2016: 15-26.
[12]	COPPENS B , DE SUTTER B , MAEBE J . Feedback-driven binary code diversification[J]. ACM Transactions on Architecture and Code Optimization, 2013,9(4): 1-26.
[13]	BRUMLEY D , POOSANKAM P , SONG D ,et al. Automatic patch-based exploit generation is possible:techniques and implications[C]// Proceedings of 2008 IEEE Symposium on Security and Privacy. 2008: 143-157.
[14]	SEBASTIAN B , CHRISTIAN C , VIJAY G ,et al. Code obfuscation against symbolic execution attacks[C]// Proceedings of the 32nd Annual Conference on Computer Security Applications (ACSAC ’16). 2016: 189-200.
[15]	SEBASTIAN B , CHRISTIAN C , AND ALEXANDER P . Predicting the resilience of obfuscated code against symbolic execution attacks via machine learning[C]// Proceedings of the 26th USENIX Security Symposium. 2017: 661-678.
[16]	FABIO P , MATTEO D’A , DAVIDE B . Beyond precision and recall:understanding uses (and misuses) of similarity hashes in binary analysis[C]// Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy (CODASPY ’18). 2018: 354-365.
[17]	COFFMAN J , CHAKRAVARTY A , RUSSO J A ,et al. Quantifying the effectiveness of software diversity using near-duplicate detection algorithms[C]// Proceedings of the 5th ACM Workshop on Moving Target Defense. 2018: 1-10.
[18]	HOMESCU A , NEISIUS S , LARSEN P ,et al. Profile-guided automated software diversity[C]// Proceedings of the 2013 IEEE/ACM International Symposium on Code Generation and Optimization (CGO). Piscataway:IEEE Press, 2013: 1-11.
[19]	ROEMER R , BUCHANAN E , SHACHAM H ,et al. Return-oriented programming[J]. ACM Transactions on Information and System Security, 2012,15(1): 1-34.
[20]	BLETSCH T , JIANG X X , FREEH V W ,et al. Jump-oriented programming:a new class of code-reuse attack[C]// Proceedings of the 6th ACM Symposium on Information,Computer and Communications Security - ASIACCS '11. 2011: 30-40.
[21]	COHEN F B . Operating system protection through program evolution[J]. Computers ＆ Security, 1993,12(6): 565-584.
[22]	CRANE S , LIEBCHEN C , HOMESCU A ,et al. Readactor:practical code randomization resilient to memory disclosure[C]// Proceedings of 2015 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2015: 763-780.
[23]	JUNOD P , RINALDINI J , WEHRLI J ,et al. Obfuscator-LLVM:software protection for the masses[C]// Proceedings of 2015 IEEE/ACM 1st International Workshop on Software Protection. 2015: 3-9.
[24]	LáSZLó T , KISS á . Obfuscating C++ programs via control flow flattening[C]// Processing of Annales Universitatis Scientarum 25 Budapestinensis de Rolando E¨otv¨os Nominatae,Sectio. 2009.
[25]	COLLBERG C , THOMBORSON C , LOW D . Manufacturing cheap,resilient,and stealthy opaque constructs[C]// Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages - POPL '98. 1998: 184-196.
[26]	AHMED S , XIAO Y , SNOW K Z ,et al. Methodologies for quantifying (re-) randomization security and timing under JIT-ROP[C]// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020: 1803-1820.

Metrics

Recommended 0

No Suggested Reading articles found!

数据集	版本	文件数	KLOC	指令数
GNU coreutils	8.3	100	60.1	700

gadget类型	描述	形式	示例
移动寄存器MR	将a寄存器参数赋给b寄存器	mov reg1, reg2	mov rax, edx
加载寄存器LR	将参数加载进寄存器	pop reg	pop r15
加载内存LM	将内存存放的参数给寄存器	mov reg1,[reg2]	mov eax,[rax]
存储内存SM	将寄存器参数存入内存	mov[reg1], reg2	mov[rax], esi
		add reg1, reg2	add ebx, rsi
算术操作AM	两个寄存器之间的算术运算/加载存储	add[reg1], reg2	add[rcx], al
		add reg, const	add eax, 0x208d8e
栈操作SP	设置栈顶指针	xchg rsp, reg	xchg rsp, rax
跳转操作JMP	设置指令指针	jmp reg	jmp qword ptr[rsi+0x41]
函数调用CALL	通过寄存器跳转到某函数	call reg	call qword ptr[rsi+0x20]

变体生成技术	Gadgets相似度		Gadgets损坏率		Gadgets收集效率（个/s）
变体生成技术	ROP	JOP	ROP	JOP	ROP	JOP
CFF	6.73%	6.66%	34%	28%	35.9	46.7
NI	4.56%	5.23%	31%	26%	22.5	26.7
FCF	7.63%	8.56%	23%	20%	51.2	50.4
GVS	7.69%	8.50%	28%	18%	52.8	50.0
IR	7.75%	8.69%	25%	19%	51.4	52.5
FR	7.38%	8.51%	23%	21%	54.0	53.7
RS	7.91%	9.02%	14%	10%	54.1	50.4
FS	7.96%	8.71%	18%	11%	50.4	50.5
ESH	7.82%	8.79%	21%	12%	51.0	52.5
Normal	—	—	4%	3%	62.6	43.8

Software diversity evaluation method based on the properties of ROP/JOP gadgets

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 10

References 26

Related Articles 15

Metrics

Recommended 0

[1]	Xianyi CHEN, Jun GU, Kai YAN, Dong JIANG, Linfeng XU, Zhangjie FU. Double adversarial attack against license plate recognition system [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 16-27.
[2]	Tianpeng YE, Xiang LIN, Jianhua LI, Xuankai ZHANG, Liwen XU. Personalized lightweight distributed network intrusion detection system in fog computing [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 28-37.
[3]	Lijun ZU, Yalin CAO, Xiaohua MEN, Zhihui LYU, Jiawei YE, Hongyi LI, Liang ZHANG. Adaptive selection method of desensitization algorithm based on privacy risk assessment [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 49-59.
[4]	Ruiqi XIA, Manman LI, Shaozhen CHEN. Identification on the structures of block ciphers using machine learning [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 79-89.
[5]	Jingyi YUAN, Zichuan LI, Guojun PENG. EN-Bypass: a security assessment method on e-mail user interface notification [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 90-101.
[6]	Feng YU, Qingxin LIN, Hui LIN, Xiaoding WANG. Privacy-enhanced federated learning scheme based on generative adversarial networks [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 113-122.
[7]	Chuntao ZHU, Chengxi YIN, Bolin ZHANG, Qilin YIN, Wei LU. Forgery face detection method based on multi-domain temporal features mining [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 123-134.
[8]	Xiaomeng LI, Daidou GUO, Xunfang ZHUO, Heng YAO, Chuan QIN. Carrier-independent screen-shooting resistant watermarking based on information overlay superimposition [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 135-149.
[9]	Zhao CAI, Tao JING, Shuang REN. Survey on Ethereum phishing detection technology [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 21-32.
[10]	Yan PAN, Wei LIN, Yuefei ZHU. Progressive active inference method of protocol state machine [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 81-93.
[11]	Pan YANG, Fei KANG, Hui SHU, Yuyao HUANG, Xiaoshao LYU. Binary program taint analysis optimization method based on function summary [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 115-131.
[12]	Tian XIAO, Zhihao JIANG, Peng TANG, Zheng HUANG, Jie GUO, Weidong QIU. High-performance directional fuzzing scheme based on deep reinforcement learning [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 132-142.
[13]	Chenghao YUAN, Yong LI, Shuang REN. Dynamic multi-keyword searchable encryption scheme [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 143-153.
[14]	Zezhou HOU, Jiongjiong REN, Shaozhen CHEN. Security evaluation for parameters of SIMON-like cipher based on neural network distinguisher [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 154-163.
[15]	Xuejing GUO, Yixiang FANG, Yi ZHAO, Tianzhu ZHANG, Wenchao ZENG, Junxiang WANG. Traditional guidance mechanism based deep robust watermarking [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 175-183.