基于gadget特征分析的软件多样性评估方法

doi:10.11959/j.issn.2096-109x.2023047

摘要/Abstract

摘要：

软件多样性能够有效提升系统弹性和安全性，广泛应用于软件分发、操作系统等场景，但现有软件多样性评估方法普遍基于常规代码特征进行度量且较为单一，难以准确反映软件多样性带来的安全增益。针对此问题，以ROP（return-oriented programming）攻击视角出发，通过分析软件多样性对代码重用攻击过程中各阶段的影响，提出了一种综合 gadget 质量、实用性和分布指标的软件多样性评估方法，通过度量软件多样性对构建gadget攻击链的难度、攻击者潜在可获得的计算能力和攻击者在不同变体中搜索gadget成本的影响程度对其进行安全性评估。利用不同粒度的多样化技术进行实验，结果表明，所提方法能够准确全面地反映软件多样性带来的安全增益，细粒度的多样化技术能使软件中大量的 gadget 重定位/修改/移除，增加攻击软件变体的成本，但部分多样化技术会导致不同程度的软件膨胀等问题。最后，依据不同度量指标下得到的结果对现有软件多样化技术的优势与不足进行分析和讨论。

关键词: 软件多样性, 代码重用攻击, gadget特征, 安全增益

Abstract:

Software diversity is commonly utilized in scenarios such as software distribution and operating systems to improves system resilience and security.However, existing software diversity evaluation methods are typically based on conventional code features and are relatively limited in scope, which can make it difficult to accurately reflect the security benefits of software diversity.To address this issue, a software diversity evaluation method was proposed from the perspective of ROP attack by analyzing the impact of software diversity on the difficulty of building a gadget attack chain, the attacker’s potentially available computing power, and the attacker’s cost of searching for gadgets in different variants.Metrics for the quality, practicability, and distribution of gadgets were integrated into this method.Testing was conducted using diversity technologies with different granularity.The evaluation results showed that the proposed method could accurately and comprehensively reflect the security gain brought by software diversity.It was observed that software diversity could relocate/modify/delete a large number of gadgets in the software, increasing the cost of attacking different software variants but also leading to different degrees of software expansion.Finally, an analysis and discussion of the advantages and disadvantages of existing diversity techniques were conducted based on the experimental results.

Key words: software diversity, code reuse attack, gadget feature, security gain

中图分类号:

TP309

谢根琳, 程国振, 王亚文, 王庆丰. 基于gadget特征分析的软件多样性评估方法[J]. 网络与信息安全学报, 2023, 9(3): 161-173.

Genlin XIE, Guozhen CHENG, Yawen WANG, Qingfeng WANG. Software diversity evaluating method based on gadget feature analysis[J]. Chinese Journal of Network and Information Security, 2023, 9(3): 161-173.

图/表 11

图1

图2

表1

表2

表3

表4

表5

图3

表6

不同多样化技术处理下ROP/JOP/COP gadget质量分数及变化率Table 6 Quality score and change rate of ROP/JOP/COP gadget under different diversity technology"

攻击类型	ROP	JOP	COP	平均质量变化率	平均绝对变化率
原始	1.5705	1.3994	1.6971	平均质量变化率	平均绝对变化率
寄存器随机化	1.4571 (- $7 . 22 %$ )	1.3005(- $7 . 07 %$ )	1.5501（- $8 . 66 %$ ）	-7.65%	7.65%
Nop插入	1.4164 (- $9 . 81 %$ )	1.6119(15.19%)	1.1296(- $33 . 44 %$ )	-9.35%	19.48%
指令替换	1.5124 (- $3 . 7 %$ )	1.2492(- $10 . 73 %$ )	1.6228(- $4 . 38 %$ )	-6.27%	6.27%
基本块分割	1.5751 (0.29%)	1.3562(- $3 . 09 %$ )	1.6837( $0 . 79 %$ )	-1.20%	1.39%
伪控制流	1.5785 (0.51%)	1.3305(- $4 . 92 %$ )	1.6654(- $1 . 87 %$ )	-2.09%	2.43%
栈布局随机化	1.5846 (0.90%)	1.2546(- $10 . 35 %$ )	1.6767(- $1 . 20 %$ )	-3.55%	4.15%
控制流扁平	1.6902 (7.62%)	1.2603(- $9 . 94 %$ )	1.742(2.65%)	0.11%	6.74%
函数随机化	1.5796 (0.58%)	1.3861(- $0 . 95 %$ )	1.7035(0.38%)	0.00%	0.64%

表6

图4

图5

参考文献 37

[1]	BIRMAN K P , SCHNEIDER F B . The monoculture risk put into context[J]. IEEE Security ＆ Privacy, 2009,7(1): 14-17.
[2]	SHACHAM H . The geometry of innocent flesh on the bone:return-into-libc without function calls (on the x86)[C]// Proceedings of the 14th ACM Conference on Computer and Communications Security. 2007: 552-561.
[3]	CARLINI N , WAGNER D . ROP is still dangerous:breaking modern defenses[C]// Proceedings of 23rd USENIX Security Symposium (USENIX Security 14). 2014: 385-399.
[4]	CHECKOWAY S , DAVI L , DMITRIENKO A ,et al. Return-oriented programming without returns[C]// Proceedings of the 17th ACM Conference on Computer and Communications Security- CCS '10. 2010: 559-572.
[5]	SNOW K Z , MONROSE F , DAVI L ,et al. Just-in-time code reuse:on the effectiveness of fine-grained address space layout randomization[C]// Proceedings of 2013 IEEE Symposium on Security and Privacy. 2013: 574-588.
[6]	LARSEN P , HOMESCU A , BRUNTHALER S ,et al. SoK:automated software diversity[C]// Proceedings of 2014 IEEE Symposium on Security and Privacy. 2014: 276-291.
[7]	BAUDRY B , MONPERRUS M . The multiple facets of software diversity[J]. ACM Computing Surveys, 2015,48(1): 1-26.
[8]	PAX T . PaX address space layout randomization (ASLR)[R]. 2003.
[9]	CRANE S , LIEBCHEN C , HOMESCU A ,et al. Readactor:practical code randomization resilient to memory disclosure[C]// Proceedings of 2015 IEEE Symposium on Security and Privacy. 2015: 763-780.
[10]	YAO D D , SHU X K , CHENG L ,et al. Anomaly detection as a service:challenges,advances,and opportunities[J]. Synthesis Lectures on Information Security,Privacy,and Trust, 2017,9(3): 1-173.
[11]	GRIER C , BALLARD L , CABALLERO J ,et al. Manufacturing compromise:the emergence of exploit-as-a-service[C]// Proceedings of the 2012 ACM Conference on Computer and Communications Security. 2012: 821-832.
[12]	GEARHART A S , HAMILTON P A , COFFMAN J . An analysis of automated software diversity using unstructured text analytics[C]// Proceedings of 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W). 2018: 79-80.
[13]	LE Q , MIKOLOV T . Distributed representations of sentences and documents[C]// Proceedings of International Conference on Machine Learning. 2014: 1188-1196.
[14]	COFFMAN J , KELLY D M , WELLONS C C ,et al. ROP gadget prevalence and survival under compiler-based binary diversification schemes[C]// Proceedings of the 2016 ACM Workshop on Software PROtection. 2016: 15-26.
[15]	HOMESCU A , NEISIUS S , LARSEN P ,et al. Profile-guided automated software diversity[C]// Proceedings of the 2013 IEEE/ACM International Symposium on Code Generation and Optimization (CGO). 2013: 1-11.
[16]	熊浩, 晏海华, 郭涛 ,等. 代码相似性检测技术:研究综述[J]. 计算机科学, 2010,37(8): 9-14,76.
	XIONG H , YAN H H , GUO T ,et al. Code similarity detection:a survey[J]. Computer Science, 2010,37(8): 9-14,76.
[17]	KRINKE J . Identifying similar code with program dependence graphs[C]// Proceedings of Eighth Working Conference on Reverse Engineering. 2001: 301-309.
[18]	BAKER B S . A program for identifying duplicated code[J]. Computing Science and Statistics, 1993: 49-49.
[19]	ENGELS S , LAKSHMANAN V , CRAIG M . Plagiarism detection using feature-based neural networks[C]// Proceedings of the 38th SIGCSE Technical Symposium on Computer Science Education. 2007: 34-38.
[20]	ZHANG L , ZHUANG Y T , YUAN Z M . A program plagiarism detection model based on information distance and clustering[C]// Proceedings of 2007 International Conference on Intelligent Pervasive Computing (IPC 2007). 2007: 431-436.
[21]	PRIYADARSHAN S , NGUYEN H , SEKAR R . Practical fine-grained binary code randomization[C]// Proceedings of Annual Computer Security Applications Conference, 2020: 401-414.
[22]	刘镇武, 隋然, 张铮 ,等. 基于信息熵与软件复杂度的软件多样性评估方法[J]. 信息工程大学学报, 2020,21(2): 207-213.
	LIU Z W , SUI R , ZHANG Z ,et al. Software diversity evaluation method based on information entropy and software complexity[J]. Journal of Information Engineering University, 2020,21(2): 207-213.
[23]	BALACHANDRAN V , EMMANUEL S . Software protection with obfuscation and encryption[C]// Proceedings of Information Security Practice and Experience. 2013: 309-320.
[24]	BANESCU S , COLLBERG C , GANESH V ,et al. Code obfuscation against symbolic execution attacks[C]// Proceedings of the 32nd Annual Conference on Computer Security Applications. 2016: 189-200.
[25]	KELLY D M , WELLONS C C , COFFMAN J ,et al. Automatically validating the effectiveness of software diversity schemes[C]// Proceedings of 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks–Supplemental Volume (DSN-S). 2019: 1-2.
[26]	AHMED S , XIAO Y , SNOW K Z ,et al. Methodologies for quantifying (Re-) randomization security and timing under JIT-ROP[C]// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020: 1803-1820.
[27]	FOLLNER A , BARTEL A , BODDEN E . Analyzing the gadgets[C]// Proceedings of International Symposium on Engineering Secure Software and Systems. 2016: 155-172.
[28]	ROEMER R , BUCHANAN E , SHACHAM H ,et al. Return-oriented programming:systems,languages,and applications[J]. ACM Transactions on Information and System Security, 2012,15(1): 1-34.
[29]	DAI Z D . Practical return-oriented programming[J]. Source Boston, 2010.
[30]	HOMESCU A , STEWART M , LARSEN P ,et al. Microgadgets:size does matter in turing-complete return-oriented programming[J]. WOOT, 2012,12: 64-76.
[31]	DOLAN S . MOV is turing-complete (2013)[EB].
[32]	HAWKINS W H , HISER J D , CO M ,et al. Zipr:efficient static binary rewriting for security[C]// Proceedings of 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 2017: 559-566.
[33]	KOO H , CHEN Y H , LU L ,et al. Compiler-assisted code randomization[C]// Proceedings of 2018 IEEE Symposium on Security and Privacy. 2018: 461-477.
[34]	CONTI M , CRANE S , FRASSETTO T ,et al. Selfrando:securing the tor browser against de-anonymization exploits[J]. Proc Priv Enhancing Technol, 2016(4): 454-469.
[35]	JUNOD P , RINALDINI J , WEHRLI J ,et al. Obfuscator-LLVM:software protection for the masses[C]// Proceedings of 2015 IEEE/ACM 1st International Workshop on Software Protection. 2015: 3-9.
[36]	PORTER C , MURURU G , BARUA P ,et al. BlankIt library debloating:getting what You want instead of cutting what you don’t[C]// Proceedings of PLDI 2020:Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation. 2020: 164-180.
[37]	MISHRA S , POLYCHRONAKIS M . Saffire:context-sensitive function specialization against code reuse attacks[C]// Proceedings of 2020 IEEE European Symposium on Security and Privacy (EuroS＆P). 2020: 17-33.

无用指令描述	评分
在寄存器上，执行数据传送/算术/移位/循环移位操作	0.5
栈指针寄存器执行pop指令（仅ROP）	1
在gadget所操作的值目标寄存器上，执行数据传送或算术操作	1
在gadget所操作的值目标寄存器上，执行移位或循环移位操作	1.5
在栈指针寄存器上，执行数据传送或算术操作（仅ROP）	2
在间接跳转目标寄存器/间接调用目标寄存器上，执行数据传送/算术/交换操作（仅JOP/COP）	2
gadget中包含leave指令（仅ROP）/条件分支指令/栈顶指针偏移量为负（仅ROP）	2
在栈指针寄存器上，执行移位或循环移位操作（仅ROP）	3
在间接跳转目标寄存器/间接调用目标寄存器上，执行移位或循环移位操作（仅JOP/COP）	3
栈指针寄存器是传送指令（mov）或交换指令（xchg）的目标寄存器（仅ROP）	4

microgadget集合	Microgadget类别数量
no-ASLR	11
ASLR-proof	35
图灵完备microgadget集	17

gadget核心功能	gadget
寄存器赋值(由指定寄存器或立即数)	mov reg, reg/const
将某寄存器中的值存储至指定内存地址	mov[reg], reg
将某寄存器中的值或立即数存储至指定内存地址的offset偏移量处	mov[reg+offset], reg/const
将立即数存储至指定内存地址	mov[reg], const
将某内存地址中的值加载至指定寄存器	mov reg,[reg]
将某内存地址的offset偏移量中的值加载至指定寄存器	mov reg,[reg+offset]
调用系统内核函数	syscall

gadget类别	功能	gadget	图灵完备gadget集
加载寄存器操作	将某数值加载至指定寄存器中	pop reg; ret pop reg; pop reg	是
算术操作	执行寄存器与某常数值的加法运算	add reg, const	是
加载内存操作	将某内存地址中的值加载至指定寄存器	mov reg,[reg]; ret	是
无条件跳转操作	设置指令寄存器EIP，进行跳转	jmp reg	是
存储内存操作	将某寄存器中的值存储至指定内存地址	mov[reg], reg; ret	是
栈迁移操作	设置栈指针寄存器	xchg rsp, reg	否
逻辑操作	执行异或逻辑运算	xor reg, reg xor reg, const	是
寄存器赋值操作	通过其他寄存器/常数为指定寄存器赋值	mov reg, reg mov reg, const	是
函数调用操作	通过寄存器跳转至某函数	call reg mov reg, reg; call reg	是
系统调用操作	调用系统内核函数	syscall	是

应用程序（集）	应用描述
GNU coreutils 8.2	GNU操作系统的核心实用程序（101个应用程序）
bzip2 v1.0.8	压缩软件
nginx v1.8.1	Web服务器
hiawatha v9.0	Web服务器
mysql v5.5	数据库
mupdf v0.9	PDF阅读器