Research on Code Reuse Attack and Its Detection and Defense

Posted on: 2015-10-12 | Degree: Master | Type: Thesis
Country: China | Candidate: Y Li | Full Text: PDF
GTID: 2348330518486382 | Subject: Computer software and theory

Abstract/Summary:
Due to the limitations of code injection attacks, code reuse attacks, which are more widely applicable, have become a hot topic in system security research. ROP (Return-oriented programming) attacks can be deployed on different platforms, especially on the Android system, which poses a huge threat to users' data and systems. While code reuse attacks continue to evolve, their detection and prevention remain a major challenge. In this thesis, based on an analysis of the capabilities of code reuse attacks, we designed a better ROP construction method with aggressive attack capability, and then improved a code reuse attack detection method.

1) Based on an analysis of the characteristics of code reuse, we summarized and classified existing defense and detection methods.

2) According to the characteristics of code reuse attacks, we analyzed and improved the MIT security evaluation model. We added a factor reflecting environmental dependences so that different defense and detection methods can be compared using this model. We also refined the code reuse attack signatures to enhance its evaluation capability. Using this model, we analyzed different code reuse attack methods, including ROP and JOP (Jump-oriented programming), and summarized the disadvantages of existing defense and detection methods, which provided a basis for the following work.

3) We proposed a code reuse attack model with a high ability to evade detection. This model exploits gadgets containing indirect calls inside loop structures. As it can mimic the execution of a normal function, this method can effectively bypass existing control flow integrity protection techniques. Experiments showed that this attack model effectively eliminates some essential characteristics of traditional ROP attacks, such as call/ret mismatches, continuous execution of short code snippets ending with a "ret" instruction, and the execution of "unintended gadgets". At the same time, if the gadgets used in this model are library functions or normal functions of the program, this attack model can mimic normal function behaviour and evade existing CFI-based protection methods.

4) We improved a ROP attack detection method by exploiting the BTS hardware facility provided by most commercial processors to improve the effectiveness and efficiency of control flow integrity protection. We evaluated our method experimentally on a large number of programs, consisting of both legitimate and malicious programs. The experimental results showed that our system can effectively detect ROP and JOP attacks with low overhead.
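The abstract's detection idea (replaying hardware branch records, such as those from BTS, to catch call/ret mismatches and chains of short ret- or jump-terminated fragments) is illustrated below with an added example that is not the thesis's own code. The record format, the 5-byte call length and the three traces are constructed assumptions; real BTS records would first be paired with a disassembly to obtain the branch kind.

```python
from dataclasses import dataclass

# Constructed stand-in for the (from, to) branch records a hardware tracer
# such as Intel BTS delivers; `kind` is what a disassembler would report for
# the instruction at `src`. Call instructions are assumed to be 5 bytes long.
CALL_LEN = 5

@dataclass(frozen=True)
class Branch:
    kind: str  # "call", "icall", "ret", "ijmp" or "jmp"
    src: int
    dst: int

def analyze_trace(trace, max_gadget_bytes=8, chain_len=3):
    """Replay branch records against a shadow stack (call/ret matching) and a
    gadget-length heuristic. Returns a list of (alert, src, dst) tuples."""
    shadow, alerts = [], []
    last_landing = None  # target of the previous indirect branch
    short_run = 0        # consecutive short fragments between indirect branches
    for b in trace:
        if b.kind in ("call", "icall"):
            shadow.append(b.src + CALL_LEN)  # the only legitimate return address
        elif b.kind == "ret":
            expected = shadow.pop() if shadow else None
            if b.dst != expected:  # the call/ret mismatch ROP chains exhibit
                alerts.append(("ret-mismatch", b.src, b.dst))
        if b.kind in ("ret", "ijmp", "icall"):
            # Bytes executed since the previous indirect branch landed; a run of
            # tiny fragments is the ROP/JOP gadget-chain pattern.
            if last_landing is not None and 0 <= b.src - last_landing <= max_gadget_bytes:
                short_run += 1
            else:
                short_run = 0
            if short_run >= chain_len:
                alerts.append(("gadget-chain", b.src, b.dst))
            last_landing = b.dst
    return alerts

def alert_kinds(trace):
    return sorted({a[0] for a in analyze_trace(trace)})

# Constructed traces: a normal call/return pair, a ret-driven chain and a
# jump-driven chain (addresses are arbitrary).
BENIGN = [Branch("call", 0x1000, 0x2000), Branch("icall", 0x2004, 0x3000),
          Branch("ret", 0x3030, 0x2009), Branch("ret", 0x2020, 0x1005)]
ROP = [Branch("ret", 0x4000, 0x5000), Branch("ret", 0x5003, 0x6000),
       Branch("ret", 0x6002, 0x7000), Branch("ret", 0x7004, 0x8000)]
JOP = [Branch("ijmp", 0x9000, 0xA000), Branch("ijmp", 0xA003, 0xB000),
       Branch("ijmp", 0xB005, 0xC000), Branch("ijmp", 0xC002, 0xD000)]
```

The JOP trace raises only the gadget-chain alert, which is why the abstract treats shadow-stack style call/ret checking alone as insufficient and adds fragment-length evidence from the branch trace.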
Keywords/Search Tags:code reuse attack, control flow integrity, evaluation model, BTS, ROP, JOP