
Research On Active Defense Method Against Code Reuse Attack Based On Memory Leakage

Posted on: 2020-02-27   Degree: Master   Type: Thesis
Country: China   Candidate: R Jin   Full Text: PDF
GTID: 2518305897965409   Subject: Information security
Abstract/Summary:
Code reuse attacks and their defenses are an important research area in software security and have been widely discussed. A code reuse attack reuses code already present in the program and hijacks control flow to that code. Current randomization methods raise the entropy of the target program, so the attacker can no longer build an attack directly from the positions of the target code snippets (gadgets) obtained by offline analysis. Instead, the attacker uses a memory leak to learn the actual code positions after randomization, either correcting the gadget addresses or searching for gadgets directly in memory. Memory-leakage-assisted code reuse attack schemes have become increasingly mature. Although many defenses against them have been proposed, they are rarely used in industrial settings because of their high cost and inconvenient deployment.

This thesis surveys current research on code reuse attacks in detail and analyzes the gadgets such attacks require. It also analyzes the memory leakage process used for gadget search, covering the currently popular read-based and execution-based leaks. Experiments on open source software show that, with memory leakage alone, an attacker can find enough gadgets to complete an attack.

Based on the characteristics of code reuse attacks and memory leaks, this thesis proposes two schemes: a function-level randomization and control flow integrity protection scheme, and a code-honeypot-based deceptive active defense scheme. The first changes the relative positions of functions by function-level randomization, and builds an intra-function control flow integrity check that uses the stack pointer and the function return address as the seed of a random number. This protects against control flow hijacking by modification of the return address or of stack frame values, and blocks execution of any gadget that does not start at a function entry. Its overhead is within what industry accepts for deployed defenses, so it can be applied in practical industrial scenarios. Since memory leaks locate code through data pointers and direct control flow transfer instructions, the code-honeypot-based deceptive active defense scheme inserts transfer instructions and data pointers that conform to the program semantics, luring the attacker into a controlled area where the attack behavior is captured. Three active defense strategies are proposed for the different kinds of memory leakage. Experimental verification shows that all three have strong defense capability with acceptable overhead.
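The attack-then-defense chain the abstract describes, as an added illustration written for this page (it is not code from the thesis and does not reproduce its exact construction): an attacker who can read a leaked code region locates a ret-terminated gadget at its post-randomization address, and a per-frame tag seeded from the stack pointer, the return address and a process secret rejects the hijacked return at the epilogue. Assumptions: x86-64 byte patterns, a constructed 11-byte leaked page, a simulated frame struct rather than a real compiler frame, the splitmix64 finalizer standing in for whatever random-number construction the thesis uses, and a constant secret that a real deployment would generate at load time.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ---- Attacker side: gadget search over a leaked code region ---- */
/* Constructed leaked page: real instructions, plus a mov whose immediate hides
 * "pop rdi; ret" (5F C3): B8 5F C3 00 00 is mov eax, 0xC35F. */
static const uint8_t LEAKED_CODE[] = {
    0x55,                          /* push rbp        */
    0x48, 0x89, 0xE5,              /* mov rbp, rsp    */
    0xB8, 0x5F, 0xC3, 0x00, 0x00,  /* mov eax, 0xC35F */
    0x5D, 0xC3,                    /* pop rbp; ret    */
};
static const uint8_t POP_RDI_RET[] = { 0x5F, 0xC3 };
/* Runtime address of the first ret-terminated pattern in the leaked bytes, or 0.
 * Any byte offset may start a gadget, so the unintended one inside the mov
 * immediate is found as readily as the intended pop rbp; ret. */
uint64_t find_gadget(const uint8_t *code, size_t len, uint64_t base,
                     const uint8_t *pat, size_t plen)
{
    if (plen == 0 || plen > len || pat[plen - 1] != 0xC3)
        return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(code + i, pat, plen) == 0)
            return base + i;
    return 0;
}

/* ---- Defender side: return-address integrity tag bound to the frame ---- */
static const uint64_t SECRET = 0x9E3779B97F4A7C15ULL; /* assumed: per-process, set at load */
static uint64_t mix64(uint64_t x)   /* splitmix64 finalizer: invertible, so no collisions */
{
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}
/* Tag seeded from this frame's stack pointer and return address. For a fixed sp,
 * two different return addresses always get different tags, and vice versa. */
uint64_t frame_tag(uint64_t sp, uint64_t ret_addr)
{
    return mix64(sp ^ mix64(ret_addr ^ SECRET));
}
/* Simulated frame (struct layout, not a real compiler frame): locals, tag,
 * saved rbp, return address. */
typedef struct {
    char     buf[16];
    uint64_t tag;
    uint64_t saved_rbp;
    uint64_t ret_addr;
} frame_t;

void prologue(frame_t *f, uint64_t sp) { f->tag = frame_tag(sp, f->ret_addr); }
/* 1 if the return may proceed; 0 if the return address or the frame's stack
 * position no longer matches what the prologue saw. */
int epilogue_check(const frame_t *f, uint64_t sp)
{
    return f->tag == frame_tag(sp, f->ret_addr);
}

#define SP   0x7FFD1000ULL   /* stack pointer at call time, constructed */
#define RET  0x401136ULL     /* legitimate return address, constructed */
/* Legitimate call: nothing changes between prologue and epilogue. */
int scenario_legit(void)
{
    frame_t f = { .ret_addr = RET };
    prologue(&f, SP);
    return epilogue_check(&f, SP);
}

/* Targeted write: only ret_addr is pointed at the leaked gadget; buf and tag
 * are untouched, so a classic stack canary would not notice. */
int scenario_ret_overwrite(uint64_t gadget)
{
    frame_t f = { .ret_addr = RET };
    prologue(&f, SP);
    f.ret_addr = gadget;
    return epilogue_check(&f, SP);
}

/* Stack pivot: the whole frame, tag included, is replayed at another address. */
int scenario_pivot(void)
{
    frame_t f = { .ret_addr = RET };
    prologue(&f, SP);
    frame_t fake = f;
    return epilogue_check(&fake, SP - 0x2000);
}

int main(void)
{
    uint64_t base = 0x7F3A12345000ULL;  /* randomized load address learned from the leak */
    uint64_t g = find_gadget(LEAKED_CODE, sizeof LEAKED_CODE, base, POP_RDI_RET, 2);
    printf("pop rdi; ret at %#llx  legit=%d overwrite=%d pivot=%d\n",
           (unsigned long long)g, scenario_legit(), scenario_ret_overwrite(g), scenario_pivot());
    return 0;
}
```

The tag is only as strong as the secrecy of SECRET: a read-based leak that reaches the secret, or enough (stack pointer, return address, tag) triples to invert the mixer, lets the attacker forge a valid tag for the gadget address, which is why the thesis treats leakage itself as the thing to defend against rather than relying on the check alone.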
Keywords/Search Tags: code reuse attack, memory leakage, randomization, control flow integrity, active defense