基于二进制重写的软件多样化方法

doi:10.11959/j.issn.2096-109x.2023024

Abstract

Abstract:

Software diversity is an effective defense against code-reuse attacks, but most existing software diversification technologies are based on source code.Obtaining program source code may be difficult, while binary files are challenging to disassemble accurately and distinguish between code pointers and data constants.This makes binary file diversification difficult to generate high levels of randomization entropy, and easily compromised by attackers.To overcome these challenges, a binary file oriented software diversification method was proposed based on static binary rewriting technology, namely instruction offset randomization.This method inserted NOP instructions of varying byte lengths before program instructions with a certain probability, reducing the number of unintended gadgets in the program and randomly offsetting the original instruction address.This disrupts the program’s original memory layout and increases the cost of code-reuse attacks.At the same time, an optimization strategy based on hot code was designed for this method.The execution times of basic blocks in binary files were obtained by dynamic pile insertion, so as to adjust the NOP instruction insertion probability in each basic block.The higher the execution frequency, the fewer NOP instructions were inserted into the basic block, which can ensure lower performance overhead and produce higher randomization entropy.In the experimental part, the SPEC benchmark program was used to test the optimized method from the aspects of performance overhead, gadget survival rate and file size.The results show that a 15% insertion probability achieves the best effect, with an average gadget survival rate of less than 1.49%, increasing attackers’ difficulty in reusing the same gadget attack chain.Furthermore, only a 4.1% operation overhead and 7.7% space overhead are added, maintaining high levels of security.

Key words: software diversity, binary rewriting, NOP insertion, code-reuse attack

CLC Number:

TP311.5

Benwei HE, Yunfei GUO, Yawen WANG, Qingfeng WANG, Hongchao HU. Software diversification method based on binary rewriting[J]. Chinese Journal of Network and Information Security, 2023, 9(2): 94-103.

Figures/Tables 8

References 30

[1]	FRANZ M , . E unibus pluram:massive-scale software diversity as a defense mechanism[C]// Proceedings of the 2010 New Security Paradigms Workshop. 2010: 7-16.
[2]	LARSEN P , HOMESCU A , Brunthaler S ,et al. SoK:automated software diversity[C]// Proceedings of 2014 IEEE Symposium on Security and Privacy. 2014: 276-291.
[3]	COHEN F B . Operating system protection through program evolution[J]. Comput Secur, 1993,12(6): 565-584.
[4]	MARCO-GISBERT H , RIPOLL I . On the effectiveness of full-ASLR on 64-bit Linux[C]// Proceedings of the In-Depth Security Conference. 2014.
[5]	JACKSON T , SALAMAT B , HOMESCU A ,et al. Compiler-generated software diversity[M]// Moving Target Defense. New York: Springer, 2011: 77-98.
[6]	HISER J , NGUYEN-TUONG A , CO M ,et al. ILR:where＇d my gadgets go[C]// Proceedings of 2012 IEEE Symposium on Security and Privacy. 2012: 571-585.
[7]	COFFMAN J , KELLY D M , WELLONS C C ,et al. ROP gadget prevalence and survival under compiler-based binary diversification schemes[C]// Proceedings of the 2016 ACM Workshop on Software PROtection. 2016: 15-26.
[8]	CONTI M , . Selfrando:securing the tor browser against de- anonymization exploits[C]// Proceedings of Priv Enhancing Technol. 2016: 454-469.
[9]	JUNOD P , RINALDINI J , WEHRLI J ,et al. Obfuscator-LLVM--software protection for the masses[C]// Proceedings of 2015 IEEE/ACM 1st International Workshop on Software Protection. 2015: 3-9.
[10]	BANESCU S , COLLBERG C , PRETSCHNER A . Predicting the resilience of obfuscated code against symbolic execution attacks via machine learning[C]// Proceedings of 26th USENIX Security Symposium (USENIX Security 17). 2017: 661-678.
[11]	WENZL M , MERZDOVNIK G , ULLRICH J ,et al. From hack to elaborate technique—a survey on binary rewriting[J]. ACM Computing Surveys （CSUR）, 2019,52(3): 1-37.
[12]	HOMESCU A , NEISIUS S , LARSEN P ,et al. Profile-guided automated software diversity[C]// Proceedings of the 2013 IEEE/ACM Interna-tional Symposium on Code Generation and Optimization (CGO). 2013: 1-11.
[13]	MURPHY M , LARSEN P , BRUNTHALER S ,et al. Software profiling options and their effects on security based diversification[C]// Proceedings of the First ACM Workshop on Moving Target Defense. 2014: 87-96.
[14]	HOMESCU A , JACKSON T , CRANE S ,et al. Large-scale automated software diversity-program evolution redux[J]. IEEE Transactions on Dependable and Secure Computing, 2015,14(2): 158-171.
[15]	KRAHMER S . x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique[R]. 2005.
[16]	彭国军, 梁玉, 张焕国 ,等. 软件二进制代码重用技术综述[J]. 软件学报, 2017,28(8): 2026-2045.
	PENG G J , LIANG Y , ZHANG H G ,et al. Survey on software binary code reuse technologies[J]. Journal of Software, 2017,28(8): 2026-2045.
[17]	DAVI L , SADEGHI A R . Building secure defenses against code-reuse attacks[M]. Berlin: Springer International Publishing, 2015.
[18]	柳童, 史岗, 孟丹 . 代码重用攻击与防御机制综述[J]. Journal of信息安全学报, 2016,1(2).
	LIU T , SHI G , MENG D . A survey of code reuse attack and defense mechanisms[J]. Journal of Cyber Security, 2016,1(2).
[19]	AHMED S , XIAO Y , SNOW K Z ,et al. Methodologies for quantifying (Re-) randomization security and timing under JIT-ROP[C]// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020: 1803-1820.
[20]	侯宇 . 基于动态随机化和只可执行内存的JIT-ROP防御研究[D]. 南京:南京大学, 2016.
	HONG Y . Defence aginst JIT-ROP based on dynamic randomization and executable only memory[D]. Nanjing:Nanjing University, 2016.
[21]	WILLIAMS-KING D , KOBAYASHI H , WILLIAMS-KING K ,et al. Egalito:layout-agnostic binary recompilation[C]// Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems. 2020: 133-147.
[22]	LUK C K , COHN R , MUTH R ,et al. Pin:building customized program analysis tools with dynamic instrumentation[J]. ACM Sigplan Notices, 2005,40(6): 190-200.
[23]	CHATTERJEE N , BOSE S , DAS P P . Dynamic weaving of aspects in C/C++ using PIN[C]// Proceedings of the International Conference on High Performance Compilation,Computing and Communications. 2017: 55-59.
[24]	陈小全, 薛锐 . 程序漏洞:原因,利用与缓解——以 C 和 C++语言为例[J]. 信息安全学报, 2017,2(4).
	CHEN X Q , XUE R . Cause,exploitation and mitigation of program vulnerability—C and C++ language as an example[J]. Journal of Cyber Security, 2017,2(4).
[25]	MARCO-GISBERT H , RIPOLL I . Address space layout randomization next generation[J]. Applied Sciences, 2019,9(14): 2928.
[26]	GUIDE P . Intel? 64 and ia-32 architectures software developer’s manual[J]. Volume 3B:System programming Guide,Part, 2011,2(11).
[27]	PRIYADARSHAN S , NGUYEN H , SEKAR R . Practical fine-grained binary code randomization[C]// Proceedings of Annual Computer Security Applications Conference. 2020: 401-414.
[28]	SALWAN J , WIRTH A . ROPGadget[EB].
[29]	COPPENS B , DE SUTTER B , DE BOSSCHERE K . Protecting your software updates[J]. IEEE Security ＆ Privacy, 2012,11(2): 47-54.
[30]	WARTELL R , MOHAN V , HAMLEN K W ,et al. Binary stirring:self-randomizing instruction addresses of legacy X86 binary code[C]// Proceedings of the 2012 ACM Conference on Computer and Communications Security. 2012: 157-168.

Metrics

Recommended 0

No Suggested Reading articles found!

字节长度/byte	编码	指令
1	90	nop
2	66 90	xchg　%ax,%ax
3	0F 1F 00	nopl　（%rax）
4	0F 1F 40 00	nopl　0x0（%rax）
5	0F 1F 44 00 00	nopl　0x0（%rax,%rax,1）
6	66 0F 1F 44 00 00	nopw　0x0（%rax,%rax,1）
3	48 89 ed	mov　%rbp, %rbp
3	48 89 e4	mov　%rsp, %rsp
3	48 8d 36	lea　（%rsi）, %rsi
3	48 8d 3f	lea　（%rdi）, %rdi

软件名称	Gadger数量	gadget的存活率
软件名称	Gadger数量	10%	30%	50%	75%	100%
401.bzip2	3 111	2.16%	1.39%	1.41%	1.34%	1.49%
403.gcc	142 130	0.11%	0.09%	0.08%	0.09%	0.08%
433.milc	4 557	1.79%	1.84%	1.87%	1.58%	1.53%
444.namd	7 331	0.95%	0.88%	0.81%	0.89%	0.74%
445.gobmk	28 457	0.37%	0.33%	0.37%	0.35%	0.32%
456.hmmer	12 749	1.00%	0.99%	0.88%	0.88%	0.90%
458.sjeng	6 397	1.19%	1.20%	1.00%	1.21%	1.05%
462.libquantum	2 097	2.59%	2.58%	2.09%	2.65%	2.27%
464.h264ref	19 242	0.45%	0.45%	0.43%	0.39%	0.40%
470.lbm	502	10.74%	6.62%	7.91%	6.78%	6.93%
471.omnetpp	22 182	0.82%	0.68%	0.69%	0.64%	0.62%
473.astar	1 838	2.45%	2.99%	3.02%	2.46%	2.56%
482.sphinx3	6 844	1.50%	1.69%	1.72%	1.44%	1.51%
483.xalancbmk	155 397	0.29%	0.12%	0.12%	0.12%	0.11%

Software diversification method based on binary rewriting

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 8

References 30

Related Articles 1

Metrics

Recommended 0