Paper title
The never ending war in the stack and the reincarnation of ROP attacks
Paper authors
Paper abstract
Return Oriented Programming (ROP) is a technique by which an attacker can induce arbitrary behavior inside a vulnerable program without injecting malicious code. The continued failure of the currently deployed defenses against ROP has made it again one of the most powerful memory corruption attacks. ROP is also considered one of the most flexible attacks; unlike other code reuse attacks, its level of flexibility can reach Turing completeness. Several efforts have been undertaken to study this threat and to propose better defense mechanisms (mitigation or prevention), yet the majority of them are neither deeply reviewed nor officially implemented. Furthermore, similar studies show that the techniques proposed to prevent ROP-based exploits usually yield a high false-negative rate and a higher false-positive rate, not to mention the overhead that they introduce into the protected program. The first part of this research work aims at providing an in-depth analysis of the currently available anti-ROP solutions (deployed and proposed), focusing on inspecting their defense logic and summarizing their weaknesses and problems. The second part of this work aims at introducing our proposed Indicators Of Compromise (IOCs) that could be used to improve the detection rate of ROP attacks. The three suggested indicators could detect these attacks at run-time by checking the presence of some artifacts during the execution of the targeted program.
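The abstract describes run-time artifact checks but does not define the paper's three indicators. The following is an added example, not code from the paper or its authors, of one classic ROP artifact check that such an indicator could build on: a return address that is not immediately preceded by a CALL instruction is unusual for benign control flow but typical for a gadget chain. The byte buffer `CODE`, the offsets used as "return addresses", and the set of CALL encodings recognised by `call_preceded` are all constructed assumptions for this illustration; the example deliberately includes a gadget that sits right after a CALL, to show the known limitation of this heuristic (call-preceded gadgets are not flagged).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a program's executable text (x86-64 bytes).
 * Offsets into this buffer play the role of code addresses. */
static const uint8_t CODE[] = {
    0xE8, 0x10, 0x00, 0x00, 0x00, /* 0:  call rel32         -> return site at 5  */
    0x48, 0x89, 0xC7,             /* 5:  mov rdi, rax                             */
    0xFF, 0xD0,                   /* 8:  call rax           -> return site at 10 */
    0x5F, 0xC3,                   /* 10: pop rdi ; ret   (gadget, call-preceded)  */
    0x5E, 0xC3,                   /* 12: pop rsi ; ret   (gadget, not preceded)   */
    0x41, 0xFF, 0xD1,             /* 14: call r9            -> return site at 17 */
    0x90, 0xC3,                   /* 17: nop ; ret                                */
};
static const size_t CODE_LEN = sizeof CODE;

/* True when the bytes immediately before `ret_addr` form a CALL instruction.
 * Assumption: only the common encodings are recognised (E8 rel32, FF /2 with
 * register or memory operand, optional REX.B prefix, RIP-relative FF 15);
 * anything else is reported as "not call-preceded". */
bool call_preceded(const uint8_t *code, size_t code_len, size_t ret_addr)
{
    if (ret_addr > code_len) return false;

    /* E8 rel32: 5-byte direct call */
    if (ret_addr >= 5 && code[ret_addr - 5] == 0xE8) return true;

    /* FF /2, 2 bytes: call reg (FF D0..D7) or call [reg] (FF 10..17 without SIB/disp) */
    if (ret_addr >= 2 && code[ret_addr - 2] == 0xFF) {
        uint8_t modrm = code[ret_addr - 1];
        if ((modrm & 0xF8) == 0xD0) return true;
        if ((modrm & 0xF8) == 0x10 && (modrm & 7) != 4 && (modrm & 7) != 5) return true;
    }

    /* 41 FF D0..D7, 3 bytes: call r8..r15 */
    if (ret_addr >= 3 && code[ret_addr - 3] == 0x41 && code[ret_addr - 2] == 0xFF &&
        (code[ret_addr - 1] & 0xF8) == 0xD0) return true;

    /* FF 50..57 disp8, 3 bytes: call [reg+disp8] (no SIB) */
    if (ret_addr >= 3 && code[ret_addr - 3] == 0xFF &&
        (code[ret_addr - 2] & 0xF8) == 0x50 && (code[ret_addr - 2] & 7) != 4) return true;

    /* FF 15 disp32, 6 bytes: call [rip+disp32] */
    if (ret_addr >= 6 && code[ret_addr - 6] == 0xFF && code[ret_addr - 5] == 0x15) return true;

    return false;
}

/* Count, in a snapshot of consecutive return targets (e.g. the values used by
 * a run of RET instructions), how many do not follow a CALL. A long run of
 * such targets is the artifact a gadget chain leaves behind. */
size_t count_suspicious(const uint8_t *code, size_t code_len,
                        const size_t *ret_addrs, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (!call_preceded(code, code_len, ret_addrs[i])) bad++;
    return bad;
}

int main(void)
{
    /* Constructed snapshots: benign returns vs. a chain of gadget addresses. */
    const size_t benign[] = {5, 10, 17};
    const size_t chain[]  = {12, 12, 13, 10};
    printf("benign snapshot: %zu suspicious of %zu\n",
           count_suspicious(CODE, CODE_LEN, benign, 3), (size_t)3);
    printf("gadget chain:    %zu suspicious of %zu\n",
           count_suspicious(CODE, CODE_LEN, chain, 4), (size_t)4);
    return 0;
}
```

Note that offset 10 (`pop rdi ; ret`) is reported as call-preceded because a `call rax` happens to sit in front of it; this is exactly why the abstract's point about high false-negative rates applies to any single heuristic, and why a detector combines several indicators rather than relying on one.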