基于gadget特征分析的软件多样性评估方法

doi:10.11959/j.issn.2096-109x.2023047

Abstract

Abstract:

Software diversity is commonly utilized in scenarios such as software distribution and operating systems to improves system resilience and security.However, existing software diversity evaluation methods are typically based on conventional code features and are relatively limited in scope, which can make it difficult to accurately reflect the security benefits of software diversity.To address this issue, a software diversity evaluation method was proposed from the perspective of ROP attack by analyzing the impact of software diversity on the difficulty of building a gadget attack chain, the attacker’s potentially available computing power, and the attacker’s cost of searching for gadgets in different variants.Metrics for the quality, practicability, and distribution of gadgets were integrated into this method.Testing was conducted using diversity technologies with different granularity.The evaluation results showed that the proposed method could accurately and comprehensively reflect the security gain brought by software diversity.It was observed that software diversity could relocate/modify/delete a large number of gadgets in the software, increasing the cost of attacking different software variants but also leading to different degrees of software expansion.Finally, an analysis and discussion of the advantages and disadvantages of existing diversity techniques were conducted based on the experimental results.

Key words: software diversity, code reuse attack, gadget feature, security gain

CLC Number:

TP309

Genlin XIE, Guozhen CHENG, Yawen WANG, Qingfeng WANG. Software diversity evaluating method based on gadget feature analysis[J]. Chinese Journal of Network and Information Security, 2023, 9(3): 161-173.

Figures/Tables 11

攻击类型	ROP	JOP	COP	平均质量变化率	平均绝对变化率
原始	1.5705	1.3994	1.6971	平均质量变化率	平均绝对变化率
寄存器随机化	1.4571 (- $7 . 22 %$ )	1.3005(- $7 . 07 %$ )	1.5501（- $8 . 66 %$ ）	-7.65%	7.65%
Nop插入	1.4164 (- $9 . 81 %$ )	1.6119(15.19%)	1.1296(- $33 . 44 %$ )	-9.35%	19.48%
指令替换	1.5124 (- $3 . 7 %$ )	1.2492(- $10 . 73 %$ )	1.6228(- $4 . 38 %$ )	-6.27%	6.27%
基本块分割	1.5751 (0.29%)	1.3562(- $3 . 09 %$ )	1.6837( $0 . 79 %$ )	-1.20%	1.39%
伪控制流	1.5785 (0.51%)	1.3305(- $4 . 92 %$ )	1.6654(- $1 . 87 %$ )	-2.09%	2.43%
栈布局随机化	1.5846 (0.90%)	1.2546(- $10 . 35 %$ )	1.6767(- $1 . 20 %$ )	-3.55%	4.15%
控制流扁平	1.6902 (7.62%)	1.2603(- $9 . 94 %$ )	1.742(2.65%)	0.11%	6.74%
函数随机化	1.5796 (0.58%)	1.3861(- $0 . 95 %$ )	1.7035(0.38%)	0.00%	0.64%

References 37

[1]	BIRMAN K P , SCHNEIDER F B . The monoculture risk put into context[J]. IEEE Security ＆ Privacy, 2009,7(1): 14-17.
[2]	SHACHAM H . The geometry of innocent flesh on the bone:return-into-libc without function calls (on the x86)[C]// Proceedings of the 14th ACM Conference on Computer and Communications Security. 2007: 552-561.
[3]	CARLINI N , WAGNER D . ROP is still dangerous:breaking modern defenses[C]// Proceedings of 23rd USENIX Security Symposium (USENIX Security 14). 2014: 385-399.
[4]	CHECKOWAY S , DAVI L , DMITRIENKO A ,et al. Return-oriented programming without returns[C]// Proceedings of the 17th ACM Conference on Computer and Communications Security- CCS '10. 2010: 559-572.
[5]	SNOW K Z , MONROSE F , DAVI L ,et al. Just-in-time code reuse:on the effectiveness of fine-grained address space layout randomization[C]// Proceedings of 2013 IEEE Symposium on Security and Privacy. 2013: 574-588.
[6]	LARSEN P , HOMESCU A , BRUNTHALER S ,et al. SoK:automated software diversity[C]// Proceedings of 2014 IEEE Symposium on Security and Privacy. 2014: 276-291.
[7]	BAUDRY B , MONPERRUS M . The multiple facets of software diversity[J]. ACM Computing Surveys, 2015,48(1): 1-26.
[8]	PAX T . PaX address space layout randomization (ASLR)[R]. 2003.
[9]	CRANE S , LIEBCHEN C , HOMESCU A ,et al. Readactor:practical code randomization resilient to memory disclosure[C]// Proceedings of 2015 IEEE Symposium on Security and Privacy. 2015: 763-780.
[10]	YAO D D , SHU X K , CHENG L ,et al. Anomaly detection as a service:challenges,advances,and opportunities[J]. Synthesis Lectures on Information Security,Privacy,and Trust, 2017,9(3): 1-173.
[11]	GRIER C , BALLARD L , CABALLERO J ,et al. Manufacturing compromise:the emergence of exploit-as-a-service[C]// Proceedings of the 2012 ACM Conference on Computer and Communications Security. 2012: 821-832.
[12]	GEARHART A S , HAMILTON P A , COFFMAN J . An analysis of automated software diversity using unstructured text analytics[C]// Proceedings of 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W). 2018: 79-80.
[13]	LE Q , MIKOLOV T . Distributed representations of sentences and documents[C]// Proceedings of International Conference on Machine Learning. 2014: 1188-1196.
[14]	COFFMAN J , KELLY D M , WELLONS C C ,et al. ROP gadget prevalence and survival under compiler-based binary diversification schemes[C]// Proceedings of the 2016 ACM Workshop on Software PROtection. 2016: 15-26.
[15]	HOMESCU A , NEISIUS S , LARSEN P ,et al. Profile-guided automated software diversity[C]// Proceedings of the 2013 IEEE/ACM International Symposium on Code Generation and Optimization (CGO). 2013: 1-11.
[16]	熊浩, 晏海华, 郭涛 ,等. 代码相似性检测技术:研究综述[J]. 计算机科学, 2010,37(8): 9-14,76.
	XIONG H , YAN H H , GUO T ,et al. Code similarity detection:a survey[J]. Computer Science, 2010,37(8): 9-14,76.
[17]	KRINKE J . Identifying similar code with program dependence graphs[C]// Proceedings of Eighth Working Conference on Reverse Engineering. 2001: 301-309.
[18]	BAKER B S . A program for identifying duplicated code[J]. Computing Science and Statistics, 1993: 49-49.
[19]	ENGELS S , LAKSHMANAN V , CRAIG M . Plagiarism detection using feature-based neural networks[C]// Proceedings of the 38th SIGCSE Technical Symposium on Computer Science Education. 2007: 34-38.
[20]	ZHANG L , ZHUANG Y T , YUAN Z M . A program plagiarism detection model based on information distance and clustering[C]// Proceedings of 2007 International Conference on Intelligent Pervasive Computing (IPC 2007). 2007: 431-436.
[21]	PRIYADARSHAN S , NGUYEN H , SEKAR R . Practical fine-grained binary code randomization[C]// Proceedings of Annual Computer Security Applications Conference, 2020: 401-414.
[22]	刘镇武, 隋然, 张铮 ,等. 基于信息熵与软件复杂度的软件多样性评估方法[J]. 信息工程大学学报, 2020,21(2): 207-213.
	LIU Z W , SUI R , ZHANG Z ,et al. Software diversity evaluation method based on information entropy and software complexity[J]. Journal of Information Engineering University, 2020,21(2): 207-213.
[23]	BALACHANDRAN V , EMMANUEL S . Software protection with obfuscation and encryption[C]// Proceedings of Information Security Practice and Experience. 2013: 309-320.
[24]	BANESCU S , COLLBERG C , GANESH V ,et al. Code obfuscation against symbolic execution attacks[C]// Proceedings of the 32nd Annual Conference on Computer Security Applications. 2016: 189-200.
[25]	KELLY D M , WELLONS C C , COFFMAN J ,et al. Automatically validating the effectiveness of software diversity schemes[C]// Proceedings of 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks–Supplemental Volume (DSN-S). 2019: 1-2.
[26]	AHMED S , XIAO Y , SNOW K Z ,et al. Methodologies for quantifying (Re-) randomization security and timing under JIT-ROP[C]// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020: 1803-1820.
[27]	FOLLNER A , BARTEL A , BODDEN E . Analyzing the gadgets[C]// Proceedings of International Symposium on Engineering Secure Software and Systems. 2016: 155-172.
[28]	ROEMER R , BUCHANAN E , SHACHAM H ,et al. Return-oriented programming:systems,languages,and applications[J]. ACM Transactions on Information and System Security, 2012,15(1): 1-34.
[29]	DAI Z D . Practical return-oriented programming[J]. Source Boston, 2010.
[30]	HOMESCU A , STEWART M , LARSEN P ,et al. Microgadgets:size does matter in turing-complete return-oriented programming[J]. WOOT, 2012,12: 64-76.
[31]	DOLAN S . MOV is turing-complete (2013)[EB].
[32]	HAWKINS W H , HISER J D , CO M ,et al. Zipr:efficient static binary rewriting for security[C]// Proceedings of 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). 2017: 559-566.
[33]	KOO H , CHEN Y H , LU L ,et al. Compiler-assisted code randomization[C]// Proceedings of 2018 IEEE Symposium on Security and Privacy. 2018: 461-477.
[34]	CONTI M , CRANE S , FRASSETTO T ,et al. Selfrando:securing the tor browser against de-anonymization exploits[J]. Proc Priv Enhancing Technol, 2016(4): 454-469.
[35]	JUNOD P , RINALDINI J , WEHRLI J ,et al. Obfuscator-LLVM:software protection for the masses[C]// Proceedings of 2015 IEEE/ACM 1st International Workshop on Software Protection. 2015: 3-9.
[36]	PORTER C , MURURU G , BARUA P ,et al. BlankIt library debloating:getting what You want instead of cutting what you don’t[C]// Proceedings of PLDI 2020:Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation. 2020: 164-180.
[37]	MISHRA S , POLYCHRONAKIS M . Saffire:context-sensitive function specialization against code reuse attacks[C]// Proceedings of 2020 IEEE European Symposium on Security and Privacy (EuroS＆P). 2020: 17-33.

Metrics

Recommended 0

No Suggested Reading articles found!

无用指令描述	评分
在寄存器上，执行数据传送/算术/移位/循环移位操作	0.5
栈指针寄存器执行pop指令（仅ROP）	1
在gadget所操作的值目标寄存器上，执行数据传送或算术操作	1
在gadget所操作的值目标寄存器上，执行移位或循环移位操作	1.5
在栈指针寄存器上，执行数据传送或算术操作（仅ROP）	2
在间接跳转目标寄存器/间接调用目标寄存器上，执行数据传送/算术/交换操作（仅JOP/COP）	2
gadget中包含leave指令（仅ROP）/条件分支指令/栈顶指针偏移量为负（仅ROP）	2
在栈指针寄存器上，执行移位或循环移位操作（仅ROP）	3
在间接跳转目标寄存器/间接调用目标寄存器上，执行移位或循环移位操作（仅JOP/COP）	3
栈指针寄存器是传送指令（mov）或交换指令（xchg）的目标寄存器（仅ROP）	4

microgadget集合	Microgadget类别数量
no-ASLR	11
ASLR-proof	35
图灵完备microgadget集	17

gadget核心功能	gadget
寄存器赋值(由指定寄存器或立即数)	mov reg, reg/const
将某寄存器中的值存储至指定内存地址	mov[reg], reg
将某寄存器中的值或立即数存储至指定内存地址的offset偏移量处	mov[reg+offset], reg/const
将立即数存储至指定内存地址	mov[reg], const
将某内存地址中的值加载至指定寄存器	mov reg,[reg]
将某内存地址的offset偏移量中的值加载至指定寄存器	mov reg,[reg+offset]
调用系统内核函数	syscall

gadget类别	功能	gadget	图灵完备gadget集
加载寄存器操作	将某数值加载至指定寄存器中	pop reg; ret pop reg; pop reg	是
算术操作	执行寄存器与某常数值的加法运算	add reg, const	是
加载内存操作	将某内存地址中的值加载至指定寄存器	mov reg,[reg]; ret	是
无条件跳转操作	设置指令寄存器EIP，进行跳转	jmp reg	是
存储内存操作	将某寄存器中的值存储至指定内存地址	mov[reg], reg; ret	是
栈迁移操作	设置栈指针寄存器	xchg rsp, reg	否
逻辑操作	执行异或逻辑运算	xor reg, reg xor reg, const	是
寄存器赋值操作	通过其他寄存器/常数为指定寄存器赋值	mov reg, reg mov reg, const	是
函数调用操作	通过寄存器跳转至某函数	call reg mov reg, reg; call reg	是
系统调用操作	调用系统内核函数	syscall	是

应用程序（集）	应用描述
GNU coreutils 8.2	GNU操作系统的核心实用程序（101个应用程序）
bzip2 v1.0.8	压缩软件
nginx v1.8.1	Web服务器
hiawatha v9.0	Web服务器
mysql v5.5	数据库
mupdf v0.9	PDF阅读器

Software diversity evaluating method based on gadget feature analysis

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 11

References 37

Related Articles 2

Metrics

Recommended 0

[1]	Benwei HE, Yunfei GUO, Yawen WANG, Qingfeng WANG, Hongchao HU. Software diversification method based on binary rewriting [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 94-103.
[2]	Jianming FU, Chang LIU, Mengfei XIE, Chenke LUO. Survey of software anomaly detection based on deception [J]. Chinese Journal of Network and Information Security, 2022, 8(1): 15-29.