
Research On The Attack And Defense Techniques Of Code Reuse

Posted on: 2013-02-01
Degree: Doctor
Type: Dissertation
Country: China
Candidate: P Chen
Full Text: PDF
GTID: 1118330371486149
Subject: Computer software and theory
Abstract/Summary:
In recent years, code reuse attack techniques have attracted researchers' attention. Several new code reuse techniques have appeared, including Return-Oriented Programming (ROP) and JIT Spraying. Unlike a traditional code injection attack, a code reuse attack does not need to introduce malicious code from the outside; instead, it leverages existing binary code (e.g., executable code and library code) to construct the attack. Researchers have proven that the functionality of code reuse attacks is Turing complete. Code reuse attacks break the assumption on which traditional defense techniques are based: that the program's own code cannot perform malicious behavior, and that malicious behavior must be introduced from the outside. This work studies improved code reuse attacks and constructs a defense system against them.

The research in this dissertation includes the following: research on new code reuse techniques, with the purpose of understanding the features of code reuse attacks; and research on defenses that target the different conditions a code reuse attack relies on, all of which contribute to a complete system that can efficiently defend against code reuse attacks. More specifically, the main contributions of this dissertation are as follows.

· In order to study the code reuse attack, we first study the method of code reuse attacks and propose an enhanced code reuse technique, Jump-Oriented Programming (JOP). In addition, we construct a JOP rootkit. Based on the construction of the code reuse attack, we can better understand the fundamental principle and characteristic features of code reuse techniques.

· For the source units of a code reuse attack, the existing code in the program, we propose compiler-based randomization to obfuscate the register arrangement in executable code, and JIT-VM-based randomization to obfuscate the immediate values in JITed code. At compile time, our approach rearranges registers at function granularity, splits immediate values, and replaces instructions. This makes it harder for the attacker to leverage the existing code to construct an attack.

· Supposing the attacker can still extract the existing code using reverse engineering techniques, we propose data structure randomization techniques to prevent the attacker from reusing data structure objects to construct a code reuse attack, including a static method that modifies the data structure definition and a dynamic method that modifies the data structure's memory layout at runtime. On the one hand, this prevents the attacker from reusing a data structure and its operations to construct an attack, such as a rootkit or a Blue Pill attack. On the other hand, it prevents the attacker from camouflaging a data structure to achieve a malicious purpose, for example a control flow attack or a non-control flow attack.

· After code and data obfuscation, it is difficult for the attacker to reuse the existing code to construct a code reuse attack. However, it is still possible for the attacker to reuse the data structure operations (or even the code used for the data structure obfuscation itself) to construct an attack. To further prevent such code reuse attacks, we analyze the difference between the control flow of a code reuse attack and that of a normal program, and propose function-granularity control flow anomaly detection techniques. In addition, we propose an instruction sequence anomaly detection method that detects code reuse attacks based on the study of the differences in instruction sequences between code reuse attacks and normal programs. These two runtime anomaly detection methods compensate for the limitations of the preceding software obfuscation techniques (code obfuscation and data obfuscation).

Combining all the above techniques, we can prevent code reuse attacks at different stages, including both known and unknown code reuse attack techniques.
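As an added illustration of the immediate-value splitting that the second contribution describes for JITed code (this is not the dissertation's code; it assumes a simplified x86 JIT that emits only `mov eax, imm32` and `xor eax, imm32`, and uses XOR masking as the splitting operation), the protected emitter hides a script-chosen constant behind a fresh random mask, and a small interpreter confirms that the value the CPU would compute is unchanged:

```python
import os
import struct

# Assumed standard x86 opcodes: B8 = mov eax, imm32 ; 35 = xor eax, imm32
MOV_EAX_IMM = b"\xb8"
XOR_EAX_IMM = b"\x35"

def emit_mov_plain(value):
    """Unprotected JIT emitter: the 32-bit constant lands verbatim in code."""
    return MOV_EAX_IMM + struct.pack("<I", value & 0xFFFFFFFF)

def constant_leaks(code, value):
    """True if the original constant's 4 bytes appear contiguously anywhere
    in the emitted code, instruction boundaries included."""
    return struct.pack("<I", value & 0xFFFFFFFF) in code

def emit_mov_split(value, rng=os.urandom, max_tries=32):
    """Protected emitter: 'mov eax, v' becomes 'mov eax, v ^ m ; xor eax, m'
    with a fresh random mask m, so no emitted immediate equals v. Masks 0 and
    v would reproduce v verbatim; the leak check rejects those and retries."""
    value &= 0xFFFFFFFF
    for _ in range(max_tries):
        mask = struct.unpack("<I", rng(4))[0]
        code = (MOV_EAX_IMM + struct.pack("<I", value ^ mask)
                + XOR_EAX_IMM + struct.pack("<I", mask))
        if not constant_leaks(code, value):
            return code
    raise RuntimeError("no leak-free split found")

def evaluate(code):
    """Minimal interpreter for the two forms above: EAX after running the
    sequence, to show the split preserves the constant's value."""
    eax, i = 0, 0
    while i < len(code):
        opcode, imm = code[i], struct.unpack("<I", code[i + 1:i + 5])[0]
        if opcode == 0xB8:
            eax = imm
        elif opcode == 0x35:
            eax ^= imm
        else:
            raise ValueError("unexpected opcode 0x%02x" % opcode)
        i += 5
    return eax

if __name__ == "__main__":
    v = 0x11223344  # constructed stand-in for a constant a script could choose
    split = emit_mov_split(v)
    print("plain leaks:", constant_leaks(emit_mov_plain(v), v))  # True
    print("split leaks:", constant_leaks(split, v), "eax=%#x" % evaluate(split))
```

The same idea generalizes to other immediate-bearing instructions and to arithmetic splits (add/sub) in place of XOR; the invariant to preserve is that no emitted immediate, and no byte run across instruction boundaries, equals the script-chosen value.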
Keywords/Search Tags: Software Security, Code Reuse, Malicious Code, Randomization, Anomaly Detection, Control Flow