面向进程控制流劫持攻击的拟态防御方法

doi:10.11959/j.issn.1000-436x.2021013

通信学报 ›› 2021, Vol. 42 ›› Issue (1): 37-47.doi: 10.11959/j.issn.1000-436x.2021013

面向进程控制流劫持攻击的拟态防御方法

潘传幸¹, 张铮¹, 马博林², 姚远¹, 季新生²

¹ 数学工程与先进计算国家重点实验室，河南郑州 450001
² 国家数字交换系统工程技术研究中心，河南郑州 450002

修回日期:2020-11-05 出版日期:2021-01-25 发布日期:2021-01-01
作者简介:潘传幸（1996- ），男，山东梁山人，信息工程大学博士生，主要研究方向为主动防御、拟态防御等。
张铮（1975- ），男，湖北黄冈人，博士，信息工程大学教授，主要研究方向为高性能计算、拟态防御等。
马博林（1993- ），男，山东青岛人，信息工程大学博士生，主要研究方向为主动防御、多变体执行技术、拟态防御等。
姚远（1972- ），男，湖北武汉人，博士，信息工程大学教授，主要研究方向为先进计算、并行处理等。
季新生（1968- ），男，江苏南通人，博士，国家数字交换系统工程技术研究中心教授、博士生导师，主要研究方向为移动通信网络、拟态安全等。
基金资助:
国家自然科学基金资助项目(61521003);国家重点研发计划基金资助项目(2018YFB0804003)

Method against process control-flow hijacking based on mimic defense

Chuanxing PAN¹, Zheng ZHANG¹, Bolin MA², Yuan YAO¹, Xinsheng JI²

¹ State Key Laboratory of Mathmatical Engineering and Advanced Computing, Zhengzhou 450001, China
² National Digital Switching System Engineering ＆ Technological Research Center, Zhengzhou 450002, China

Revised:2020-11-05 Online:2021-01-25 Published:2021-01-01
Supported by:
The National Natural Science Foundation of China(61521003)

摘要/Abstract

摘要：

为了防御进程控制流劫持攻击，从漏洞利用的角度对攻击过程建立了威胁模型，提出了截断关键漏洞利用环节的“要塞”防御。在研究拟态防御原理的基础上提出了进程的拟态执行模型，并对该模型进行了分析与有效性证明，拟态执行能够有效截断控制流劫持的攻击实施过程；实现了拟态执行的原型系统 MimicBox，并对MimicBox进行了有效性验证实验、性能测试和对比评估。有效性验证实验表明，MimicBox可以有效防御绝大部分基于已知类型二进制漏洞的控制流劫持攻击；性能评估结果表明，MimicBox对CPU密集型程序带来的额外性能开销不会超过13%；对比评估结果表明，拟态执行相对于控制流完整性防御来说，是一种较有效实用的主动防御方案。

关键词: 控制流劫持, 拟态防御, 拟态执行, 原型系统, 评估测试

Abstract:

To defeat the attack of process control flow hijacking, a threat model was established from the point of vulnerability utilization, and the fortress defense to cut off the key vulnerability utilization path was proposed.On the basis of studying the principle of mimic defense, a threat model of process mimic execution was proposed, and the threat model was analyzed and proved to be effective.Mimic execution could effectively cut off the attack path of control flow hijacking.The ptototype of mimic execution, MimicBox, was implemented.The validation experiment shows that MimicBox can effectively defend against most control flow hijacking attacks based on known binary vulnerabilities.The performance evaluation result shows that the overhead MimicBox lead to is less than 13% on CPU-intensive programs.The Comparative evaluation result shows that mimic execution is a more effective and practical active defense method compared with control flow integrity.

Key words: control-flow hijacking, mimic defense, mimic execution, prototype, evaluation

中图分类号:

TP393.0

潘传幸, 张铮, 马博林, 姚远, 季新生. 面向进程控制流劫持攻击的拟态防御方法[J]. 通信学报, 2021, 42(1): 37-47.

Chuanxing PAN, Zheng ZHANG, Bolin MA, Yuan YAO, Xinsheng JI. Method against process control-flow hijacking based on mimic defense[J]. Journal on Communications, 2021, 42(1): 37-47.

图/表 12

图1

图2

图3

图4

图5

图6

图7

表1

表2

表3

图8

表4

参考文献 30

[1]	COWAN C , WAGLE P , PU C ,et al. Buffer overflows:attacks and defenses for the vulnerability of the decade[C]// DARPA Information Survivablity Conference and Exception. Piscataway:IEEE Press, 2000: 119-129.
[2]	王丰峰, 张涛, 徐伟光 ,等. 进程控制流劫持攻击与防御技术综述[J]. 信息安全学报, 2019,5(6): 10-20.
	WANG F F , ZHANG T , XU W G ,et al. Overview of control-flow hijacking attack and defense techniques for process[J]. Chinese Journal of Network and Information Security, 2019,5(6): 10-20.
[3]	MITRE. 2020 CWE top 25 most dangerous software errors[R].(2020-08-20) [2020-08-26]
[4]	VEN A . New security enhancements in red hat enterprise linux v.3,update 3[R]. 2004.
[5]	COWAN C , PU C , MAIER D ,et al. Stackguard:automatic adaptive detection and prevention of buffer-overflow attacks[J]. Usenix Security, 1998,98: 63-78.
[6]	PaX Team. PaX ASLR[R]. 2003.
[7]	ROEMER R , BUCHANAN E , SHACHAM H ,et al. Return-oriented programming:systems,languages,and applications[J]. ACM Transactions on Information and System Security, 2012,15(1): 1-34.
[8]	乔向东, 郭戎潇, 赵勇 . 代码复用对抗技术研究进展[J]. 网络与信息安全学报, 2018,4(3): 1-12.
	QIAO X D , GUO R X , ZHAO Y . Research progress in code reuse attacking and defending[J]. Chinese Journal of Network and Information Security, 2018,4(3): 1-12.
[9]	邢骁, 陈平, 丁文彪 ,等. BIOP:自动构造增强型ROP攻击[J]. 计算机学报, 2014,37(5): 1111-1123.
	XING X , CHENG P , DING W B ,et al. BIOP:automatic construction of enhanced ROP attack[J]. Chinese Journal of Computers, 2014,37(5): 1111-1123.
[10]	陈振伟, 孙歆 . 使用ROP技术突破Linux的NX防护研究[J]. 网络空间安全, 2018,9(2): 64-69.
	CHEN Z W , SUN X . Research on bypassing the NX protection of Linux with ROP[J]. Cyberspace Security, 2018,9(2): 64-69.
[11]	EVTYUSHKIN D , PONOMAREV D , ABU-GHAZALEH N . Jump over ASLR:attacking branch predictors to bypass ASLR[C]// IEEE/ACM International Symposium on Microarchitecture. New York:ACM Press, 2016: 1-13.
[12]	武成岗, 李建军 . 控制流完整性的发展历程[J]. 中国教育网络, 2016(4): 52-55.
	WU C C , LI J J . The evolution of control flow integrity[J]. China Education Network, 2016(4): 52-55.
[13]	SAYEED S , MARCO-GISBERT H . On the effectiveness of control-flow integrity against modern attack techniques[M]. Berlin: Springer, 2019.
[14]	HU H , SHINDE S , ADRIAN S ,et al. Data-oriented programming:on the expressiveness of non-control data attacks[C]// 2016 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2016: 969-986.
[15]	邬江兴 . 网咯空间内生安全——拟态防御与广义鲁棒控制（上册）[M]. 北京: 科学出版社, 2020.
	WU J X . Endogenous security of cyber space:mimic defense and generalized robust control (volume 1)[M]. Beijing: Science Press, 2020.
[16]	邬江兴 . 网咯空间内生安全——拟态防御与广义鲁棒控制（下册）[M]. 北京: 科学出版社, 2020.
	WU J X . Endogenous security of cyber space:mimic defense and generalized robust control (volume 2)[M]. Beijing: Science Press, 2020.
[17]	邬江兴 . 网络空间拟态防御研究[J]. 信息安全学报, 2016,1(4): 1-10.
	WU J X . Research on cyber mimic defense[J]. Journal of Cyber Security, 2016,1(4): 1-10.
[18]	仝青, 张铮, 张为华 ,等. 拟态防御 Web 服务器设计与实现[J]. 软件学报, 2017,28(4): 883-897.
	TONG Q , ZHANG Z , ZHANG W H ,et al. Design and implemention of mimic defense Web server[J]. Journal of Software, 2017,28(4): 883-897.
[19]	张铮, 马博林, 邬江兴 . Web 服务器拟态防御原理验证系统测试与分析[J]. 信息安全学报, 2016,2(1): 13-28.
	ZHANG Z , MA B L , WU J X . The test and analysis of prototype of mimic defense in Web servers[J]. Journal of Cyber Security, 2017,2(1): 13-28.
[20]	曾永瑞, 李喆 . Linux 二进制漏洞利用——突破系统防御的关键技术[J]. 信息安全研究, 2018,4(9): 806-818.
	ZENG Y R , LI Z . Linux binary exploit——The key technology of breaking through the system defense[J]. Journal of Information Security Research, 2018,4(9): 806-818.
[21]	裴中煜, 张超, 段海新 . Glibc堆利用的若干方法[J]. 信息安全学报, 2018,3(1): 1-15.
	PEI Z Y , ZHANG C , DUAN H X . Serval methods of exploiting glic heap[J]. Journal of Cyber Security, 2018,3(1): 1-15.
[22]	第三届“强网”拟态防御国际精英挑战赛在南京开幕[N]. 2020-06-19.
	The 3rd “strong net” mimic defense international elite challenge opens in Nanjing[N]. 2020-06-19.
[23]	邬江兴 . 加快推进网络安全学科竞赛创新发展[N]. 解放军报, 2020-06-19.
	WU J X . Accelerate the innovation and development of cybersecurity discripline competition[N]. PLA Daily, 2020-06-19.
[24]	MARTN A , . Control-flow integrity[C]// Proceedings of the 12th ACM Conference on Computer and Communications Security. New York:ACM Press, 2005: 340-353.
[25]	PAPPAS V , POLYCHRONAKIS M , KEROMYTIS A D . Transparent ROP exploit mitigation using indirect branch tracing[C]// Usenix Conference on Security. Berkeley:USENIX Association, 2013: 447-462.
[26]	COUDRAY T , FONTAINE A , CHIFFLIER P . PICON:control flow integrity on LLVM IR[C]// Symposium on Security of Information on and Communication Technology.[S.n.:s.l.], 2015: 1-6.
[27]	帕尔哈提江·斯迪克, 马建峰, 孙聪 . 一种面向二进制的细粒度控制流完整性方法[J]. 计算机科学, 2019,46(S2): 417-420,432.
	SIDIKE PA-ER H T J , MA J F , SUN C . Fine-graine control flow integrity method on binaries[J]. Computer Science, 2019,46(S2): 417-420,432.
[28]	CHENG Y , ZHOU Z , MIAO Y ,et al. ROPecker:a generic and practical approach for defending against ROP attack[C]// Network and Distributed System Security Symposium.[S.n.:s.l.], 2014: 1-14.
[29]	FENG L , HUANG J , HU J ,et al. FastCFI:real-time control flow integrity using FPGA without code instrumentation[C]// International Conference on Runtime Verification. Berlin:Springer, 2019: 221-238.
[30]	KAWADA T , HONDA S , MATSUBARA Y ,et al. TZmCFI:RTOS-aware control-flow integrity using trustzone for Armv8-M[J]. International Journal of Parallel Programming, 2019,doi:10.1007/s10766-020-00673-z.

攻击类型	利用方式	Pwn题目名称	题目出处	异构方式	冗余度	能否防御
	ret2text	ret2text	Bamboofox ctf	ASLR+PIE	2	√
栈攻击	ret2libc	ret2libc	Bamboofox ctf	ASLR+Canary	2	√
	ret2syscall	ret2syscall	Bamboofoxv ctf	ASLR+PIE	2	√
	Ret2_dll_runtime_resolve	Pwn200	XDCTF 2015	ASLR+PIE+Canary	2	√
	Use after free	Lab 10 hacknote	HITCON-training	ASLR+PIE	2	√
	堆溢出	stkof	2014 HITCON	ASLR+PIE	2	√
	Unlink attack	Note2	2016 ZCTF	ASLR+PIE	2	√
	Fastbin attack	Oreo	2014 hack.lu	ASLR+PIE	2	√
堆攻击	House of einherjar	Tinypad	2016 Seccon	ASLR+PIE	2	√
	House of Roman		Romanking98	ASLR+PIE	2	√
	House of force	Bcloud	2016 BCTF	ASLR+PIE	2	√
	House of orange		CTF wiki	ASLR+PIE	2	√
	House of lore		CTF wiki	ASLR+PIE	2	√
	House of rabbit		CTF wiki	ASLR+PIE	2	√
I/O文件攻击	Vtable劫持	Pwn450	东华杯2016	ASLR+PIE	2	√

题目名称	题目类型	包含漏洞	异构方法	MimicBox保护	突破队伍数目
easy-stack	基础	格式化字符串、栈溢出	ASLR+PIE+Canary	否	38
newpad	基础	House of einherjar	ASLR+PIE+Canary	否	32
Advanced easy-stack	进阶	格式化字符串、栈溢出	ASLR+PIE+Canary	是	0
Advanced newpad	进阶	House of einherjar	ASLR+PIE+Canary	是	0

条目	参数
CPU型号	Intel(R) Xeon? CPU E5-2603 v4@1.70 GHz 6 cores
内存大小	32 GB
操作系统	CentOS 7.3
Linux kernel版本	3.10.0-1127.10.1.el7.x86_64

Benchmark样本	n=1	n=2	n=3	n=4	n=5
401.bzip2	0.06%	1.03%	2.18%	4.34%	10.11%
403.gcc	1.08%	8.17%	16.78%	26.87%	41.57%
445.gobmk	0.09%	1.39%	2.50%	5.02%	13.19%
458.sjeng	0.08%	0.70%	1.17%	2.20%	7.75%
464.h264ref	0.07%	0.89%	1.25%	3.03%	10.52%
471.omnetpp	0.79%	12.51%	22.27%	33.67%	49.48%
473.astar	0.17%	4.35%	8.72%	15.32%	26.50%
483.xalancbmk	0.79%	12.36%	24.58%	38.57%	57.52%

面向进程控制流劫持攻击的拟态防御方法

Method against process control-flow hijacking based on mimic defense

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 12

参考文献 30

相关文章 12

Metrics

推荐阅读 0

[1]	张进, 葛强, 徐伟海, 江逸茗, 马海龙, 于洪涛. 拟态路由器BGP代理的设计实现与形式化验证[J]. 通信学报, 2023, 44(3): 33-44.
[2]	周大成, 陈鸿昶, 程国振, 何威振, 商珂, 扈红超. 面向持久性连接的自适应拟态表决器设计与实现[J]. 通信学报, 2022, 43(6): 71-84.
[3]	贾洪勇, 潘云飞, 刘文贺, 曾俊杰, 张建辉. 基于高阶异构度的执行体动态调度算法[J]. 通信学报, 2022, 43(3): 233-245.
[4]	黄桦烽, 苏璞睿, 杨轶, 贾相堃. 可控内存写漏洞自动利用生成方法[J]. 通信学报, 2022, 43(1): 83-95.
[5]	朱正彬, 刘勤让, 刘冬培, 王崇. 拟态多执行体调度算法研究进展[J]. 通信学报, 2021, 42(5): 179-190.
[6]	吴铤, 胡程楠, 陈庆南, 陈安邦, 郑秋华. 基于执行体划分的防御增强型动态异构冗余架构[J]. 通信学报, 2021, 42(3): 122-134.
[7]	丁绍虎,齐宁,郭义伟. 基于M-FlipIt博弈模型的拟态防御策略评估[J]. 通信学报, 2020, 41(7): 186-194.
[8]	周清雷,班绍桓,韩英杰,冯峰. 针对物理访问控制的拟态防御认证方法[J]. 通信学报, 2020, 41(6): 80-87.
[9]	宋克,刘勤让,魏帅,张文建,谭力波. 基于拟态防御的以太网交换机内生安全体系结构[J]. 通信学报, 2020, 41(5): 18-26.
[10]	姚远,潘传幸,张铮,张高斐. 多样化软件系统量化评估方法[J]. 通信学报, 2020, 41(3): 120-125.
[11]	张兴明,顾泽宇,魏帅,沈剑良. 拟态防御马尔可夫博弈模型及防御策略选择[J]. 通信学报, 2018, 39(10): 143-154.
[12]	周敏,陈鸣,邢长友,蒋培成. HIPSCS：基于HIP的安全IP通信系统[J]. 通信学报, 2012, 33(Z2): 270-275.