面向进程控制流劫持攻击的拟态防御方法

doi:10.11959/j.issn.1000-436x.2021013

Abstract

Abstract:

To defeat the attack of process control flow hijacking, a threat model was established from the point of vulnerability utilization, and the fortress defense to cut off the key vulnerability utilization path was proposed.On the basis of studying the principle of mimic defense, a threat model of process mimic execution was proposed, and the threat model was analyzed and proved to be effective.Mimic execution could effectively cut off the attack path of control flow hijacking.The ptototype of mimic execution, MimicBox, was implemented.The validation experiment shows that MimicBox can effectively defend against most control flow hijacking attacks based on known binary vulnerabilities.The performance evaluation result shows that the overhead MimicBox lead to is less than 13% on CPU-intensive programs.The Comparative evaluation result shows that mimic execution is a more effective and practical active defense method compared with control flow integrity.

Key words: control-flow hijacking, mimic defense, mimic execution, prototype, evaluation

CLC Number:

TP393.0

Chuanxing PAN, Zheng ZHANG, Bolin MA, Yuan YAO, Xinsheng JI. Method against process control-flow hijacking based on mimic defense[J]. Journal on Communications, 2021, 42(1): 37-47.

Figures/Tables 12

References 30

[1]	COWAN C , WAGLE P , PU C ,et al. Buffer overflows:attacks and defenses for the vulnerability of the decade[C]// DARPA Information Survivablity Conference and Exception. Piscataway:IEEE Press, 2000: 119-129.
[2]	王丰峰, 张涛, 徐伟光 ,等. 进程控制流劫持攻击与防御技术综述[J]. 信息安全学报, 2019,5(6): 10-20.
	WANG F F , ZHANG T , XU W G ,et al. Overview of control-flow hijacking attack and defense techniques for process[J]. Chinese Journal of Network and Information Security, 2019,5(6): 10-20.
[3]	MITRE. 2020 CWE top 25 most dangerous software errors[R].(2020-08-20) [2020-08-26]
[4]	VEN A . New security enhancements in red hat enterprise linux v.3,update 3[R]. 2004.
[5]	COWAN C , PU C , MAIER D ,et al. Stackguard:automatic adaptive detection and prevention of buffer-overflow attacks[J]. Usenix Security, 1998,98: 63-78.
[6]	PaX Team. PaX ASLR[R]. 2003.
[7]	ROEMER R , BUCHANAN E , SHACHAM H ,et al. Return-oriented programming:systems,languages,and applications[J]. ACM Transactions on Information and System Security, 2012,15(1): 1-34.
[8]	乔向东, 郭戎潇, 赵勇 . 代码复用对抗技术研究进展[J]. 网络与信息安全学报, 2018,4(3): 1-12.
	QIAO X D , GUO R X , ZHAO Y . Research progress in code reuse attacking and defending[J]. Chinese Journal of Network and Information Security, 2018,4(3): 1-12.
[9]	邢骁, 陈平, 丁文彪 ,等. BIOP:自动构造增强型ROP攻击[J]. 计算机学报, 2014,37(5): 1111-1123.
	XING X , CHENG P , DING W B ,et al. BIOP:automatic construction of enhanced ROP attack[J]. Chinese Journal of Computers, 2014,37(5): 1111-1123.
[10]	陈振伟, 孙歆 . 使用ROP技术突破Linux的NX防护研究[J]. 网络空间安全, 2018,9(2): 64-69.
	CHEN Z W , SUN X . Research on bypassing the NX protection of Linux with ROP[J]. Cyberspace Security, 2018,9(2): 64-69.
[11]	EVTYUSHKIN D , PONOMAREV D , ABU-GHAZALEH N . Jump over ASLR:attacking branch predictors to bypass ASLR[C]// IEEE/ACM International Symposium on Microarchitecture. New York:ACM Press, 2016: 1-13.
[12]	武成岗, 李建军 . 控制流完整性的发展历程[J]. 中国教育网络, 2016(4): 52-55.
	WU C C , LI J J . The evolution of control flow integrity[J]. China Education Network, 2016(4): 52-55.
[13]	SAYEED S , MARCO-GISBERT H . On the effectiveness of control-flow integrity against modern attack techniques[M]. Berlin: Springer, 2019.
[14]	HU H , SHINDE S , ADRIAN S ,et al. Data-oriented programming:on the expressiveness of non-control data attacks[C]// 2016 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2016: 969-986.
[15]	邬江兴 . 网咯空间内生安全——拟态防御与广义鲁棒控制（上册）[M]. 北京: 科学出版社, 2020.
	WU J X . Endogenous security of cyber space:mimic defense and generalized robust control (volume 1)[M]. Beijing: Science Press, 2020.
[16]	邬江兴 . 网咯空间内生安全——拟态防御与广义鲁棒控制（下册）[M]. 北京: 科学出版社, 2020.
	WU J X . Endogenous security of cyber space:mimic defense and generalized robust control (volume 2)[M]. Beijing: Science Press, 2020.
[17]	邬江兴 . 网络空间拟态防御研究[J]. 信息安全学报, 2016,1(4): 1-10.
	WU J X . Research on cyber mimic defense[J]. Journal of Cyber Security, 2016,1(4): 1-10.
[18]	仝青, 张铮, 张为华 ,等. 拟态防御 Web 服务器设计与实现[J]. 软件学报, 2017,28(4): 883-897.
	TONG Q , ZHANG Z , ZHANG W H ,et al. Design and implemention of mimic defense Web server[J]. Journal of Software, 2017,28(4): 883-897.
[19]	张铮, 马博林, 邬江兴 . Web 服务器拟态防御原理验证系统测试与分析[J]. 信息安全学报, 2016,2(1): 13-28.
	ZHANG Z , MA B L , WU J X . The test and analysis of prototype of mimic defense in Web servers[J]. Journal of Cyber Security, 2017,2(1): 13-28.
[20]	曾永瑞, 李喆 . Linux 二进制漏洞利用——突破系统防御的关键技术[J]. 信息安全研究, 2018,4(9): 806-818.
	ZENG Y R , LI Z . Linux binary exploit——The key technology of breaking through the system defense[J]. Journal of Information Security Research, 2018,4(9): 806-818.
[21]	裴中煜, 张超, 段海新 . Glibc堆利用的若干方法[J]. 信息安全学报, 2018,3(1): 1-15.
	PEI Z Y , ZHANG C , DUAN H X . Serval methods of exploiting glic heap[J]. Journal of Cyber Security, 2018,3(1): 1-15.
[22]	第三届“强网”拟态防御国际精英挑战赛在南京开幕[N]. 2020-06-19.
	The 3rd “strong net” mimic defense international elite challenge opens in Nanjing[N]. 2020-06-19.
[23]	邬江兴 . 加快推进网络安全学科竞赛创新发展[N]. 解放军报, 2020-06-19.
	WU J X . Accelerate the innovation and development of cybersecurity discripline competition[N]. PLA Daily, 2020-06-19.
[24]	MARTN A , . Control-flow integrity[C]// Proceedings of the 12th ACM Conference on Computer and Communications Security. New York:ACM Press, 2005: 340-353.
[25]	PAPPAS V , POLYCHRONAKIS M , KEROMYTIS A D . Transparent ROP exploit mitigation using indirect branch tracing[C]// Usenix Conference on Security. Berkeley:USENIX Association, 2013: 447-462.
[26]	COUDRAY T , FONTAINE A , CHIFFLIER P . PICON:control flow integrity on LLVM IR[C]// Symposium on Security of Information on and Communication Technology.[S.n.:s.l.], 2015: 1-6.
[27]	帕尔哈提江·斯迪克, 马建峰, 孙聪 . 一种面向二进制的细粒度控制流完整性方法[J]. 计算机科学, 2019,46(S2): 417-420,432.
	SIDIKE PA-ER H T J , MA J F , SUN C . Fine-graine control flow integrity method on binaries[J]. Computer Science, 2019,46(S2): 417-420,432.
[28]	CHENG Y , ZHOU Z , MIAO Y ,et al. ROPecker:a generic and practical approach for defending against ROP attack[C]// Network and Distributed System Security Symposium.[S.n.:s.l.], 2014: 1-14.
[29]	FENG L , HUANG J , HU J ,et al. FastCFI:real-time control flow integrity using FPGA without code instrumentation[C]// International Conference on Runtime Verification. Berlin:Springer, 2019: 221-238.
[30]	KAWADA T , HONDA S , MATSUBARA Y ,et al. TZmCFI:RTOS-aware control-flow integrity using trustzone for Armv8-M[J]. International Journal of Parallel Programming, 2019,doi:10.1007/s10766-020-00673-z.

Metrics

Recommended 0

No Suggested Reading articles found!

攻击类型	利用方式	Pwn题目名称	题目出处	异构方式	冗余度	能否防御
	ret2text	ret2text	Bamboofox ctf	ASLR+PIE	2	√
栈攻击	ret2libc	ret2libc	Bamboofox ctf	ASLR+Canary	2	√
	ret2syscall	ret2syscall	Bamboofoxv ctf	ASLR+PIE	2	√
	Ret2_dll_runtime_resolve	Pwn200	XDCTF 2015	ASLR+PIE+Canary	2	√
	Use after free	Lab 10 hacknote	HITCON-training	ASLR+PIE	2	√
	堆溢出	stkof	2014 HITCON	ASLR+PIE	2	√
	Unlink attack	Note2	2016 ZCTF	ASLR+PIE	2	√
	Fastbin attack	Oreo	2014 hack.lu	ASLR+PIE	2	√
堆攻击	House of einherjar	Tinypad	2016 Seccon	ASLR+PIE	2	√
	House of Roman		Romanking98	ASLR+PIE	2	√
	House of force	Bcloud	2016 BCTF	ASLR+PIE	2	√
	House of orange		CTF wiki	ASLR+PIE	2	√
	House of lore		CTF wiki	ASLR+PIE	2	√
	House of rabbit		CTF wiki	ASLR+PIE	2	√
I/O文件攻击	Vtable劫持	Pwn450	东华杯2016	ASLR+PIE	2	√

题目名称	题目类型	包含漏洞	异构方法	MimicBox保护	突破队伍数目
easy-stack	基础	格式化字符串、栈溢出	ASLR+PIE+Canary	否	38
newpad	基础	House of einherjar	ASLR+PIE+Canary	否	32
Advanced easy-stack	进阶	格式化字符串、栈溢出	ASLR+PIE+Canary	是	0
Advanced newpad	进阶	House of einherjar	ASLR+PIE+Canary	是	0

条目	参数
CPU型号	Intel(R) Xeon? CPU E5-2603 v4@1.70 GHz 6 cores
内存大小	32 GB
操作系统	CentOS 7.3
Linux kernel版本	3.10.0-1127.10.1.el7.x86_64

Benchmark样本	n=1	n=2	n=3	n=4	n=5
401.bzip2	0.06%	1.03%	2.18%	4.34%	10.11%
403.gcc	1.08%	8.17%	16.78%	26.87%	41.57%
445.gobmk	0.09%	1.39%	2.50%	5.02%	13.19%
458.sjeng	0.08%	0.70%	1.17%	2.20%	7.75%
464.h264ref	0.07%	0.89%	1.25%	3.03%	10.52%
471.omnetpp	0.79%	12.51%	22.27%	33.67%	49.48%
473.astar	0.17%	4.35%	8.72%	15.32%	26.50%
483.xalancbmk	0.79%	12.36%	24.58%	38.57%	57.52%

Method against process control-flow hijacking based on mimic defense

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 30

Related Articles 15

Metrics

Recommended 0

[1]	Jin ZHANG, Qiang GE, Weihai XU, Yiming JIANG, Hailong MA, Hongtao YU. Design, implementation and formal verification of BGP proxy for mimic router [J]. Journal on Communications, 2023, 44(3): 33-44.
[2]	Dacheng ZHOU, Hongchang CHEN, Guozhen CHENG, Weizhen HE, Ke SHANG, Hongchao HU. Design and implementation of adaptive mimic voting device oriented to persistent connection [J]. Journal on Communications, 2022, 43(6): 71-84.
[3]	Wenlong KOU, Yuyang ZHANG, Fenghua LI, Xiaogang CAO, Jiamin LI, Zhu WANG, Kui GENG. On-demand and efficient scheduling scheme for cryptographic service resource [J]. Journal on Communications, 2022, 43(6): 108-118.
[4]	Hongyong JIA, Yunfei PAN, Wenhe LIU, Junjie ZENG, Jianhui ZHANG. Executive dynamic scheduling algorithm based on high-order heterogeneity [J]. Journal on Communications, 2022, 43(3): 233-245.
[5]	Zhengbin ZHU, Qinrang LIU, Dongpei LIU, Chong WANG. Research progress of mimic multi-execution scheduling algorithm [J]. Journal on Communications, 2021, 42(5): 179-190.
[6]	Ting WU, Chengnan HU, Qingnan CHEN, Anbang CHEN, Qiuhua ZHENG. Defense-enhanced dynamic heterogeneous redundancy architecture based on executor partition [J]. Journal on Communications, 2021, 42(3): 122-134.
[7]	Wennai WANG, Yanhe ZHANG, Wei WU, Chen BAI, Bin WANG. Depth first traversal algorithm for the back-off tree of distributed queuing [J]. Journal on Communications, 2021, 42(2): 72-80.
[8]	Haitao ZHAO,Shishun GAO,Haijun WANG,Ting YONG,Jibo WEI. Evaluation method for autonomous communication and networking capability of UAV [J]. Journal on Communications, 2020, 41(8): 87-98.
[9]	Shaohu DING,Ning QI,Yiwei GUO. Evaluation of mimic defense strategy based on M-FlipIt game model [J]. Journal on Communications, 2020, 41(7): 186-194.
[10]	Qinglei ZHOU,Shaohuan BAN,Yingjie HAN,Feng FENG. Mimic defense authentication method for physical access control [J]. Journal on Communications, 2020, 41(6): 80-87.
[11]	Ke SONE,Qinrang LIU,Shuai WEI,Wenjian ZHANG,Libo TAN. Endogenous security architecture of Ethernet switch based on mimic defense [J]. Journal on Communications, 2020, 41(5): 18-26.
[12]	Yuan YAO,Chuanxing PAN,Zheng ZHANG,Gaofei ZHANG. Method of quantitative assessment for diversified software system [J]. Journal on Communications, 2020, 41(3): 120-125.
[13]	Yuan YANG,Mingwei XU,Hao CHEN. Analysis and modeling of Internet backbone traffic with 5G/B5G [J]. Journal on Communications, 2019, 40(8): 36-44.
[14]	WU Chensi,XIE Weiqiang,JI Yixiao,YANG Su,JIA Ziyi,ZHAO Song,ZHANG Yuqing. Survey on network system security metrics [J]. Journal on Communications, 2019, 40(6): 14-31.
[15]	Fenghua LI,Yongjun LI,Zhengkun YANG,Han ZHANG,Lingcui ZHANG. Fuzzy evaluation for response effectiveness in cases of incomplete information [J]. Journal on Communications, 2019, 40(4): 117-127.