
A Research On Code-reuse Attacks And Detection Techniques

Posted on: 2018-03-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: P H Yuan
Full Text: PDF
GTID: 1318330542966488
Subject: Computer software and theory
Abstract/Summary:
In recent years, security mechanisms for mitigating the exploitation of software vulnerabilities have been widely deployed. For instance, Data Execution Prevention (DEP) is deployed by mainstream operating systems including Windows and Linux to defeat traditional code injection attacks. DEP makes every memory page either non-executable or non-writable, so that an adversary cannot inject a piece of shellcode and then execute it. As a result, modern exploits apply code-reuse techniques such as Return-oriented Programming (ROP) to circumvent DEP. Instead of injecting code from outside, these techniques reuse code snippets (called gadgets) that are already present in the address space of the victim program and chain them into malicious code. To defend against this, modern operating systems deploy Address Space Layout Randomization (ASLR). ASLR makes the addresses of existing code snippets unpredictable by loading each program module at a randomly selected address, and therefore effectively mitigates code-reuse attacks.

In this thesis, we reveal two security threats that code-reuse attacks still pose to modern operating systems despite the wide deployment of DEP and ASLR, and we propose a practical scheme to mitigate code-reuse attacks. We carry out our work on Ubuntu, but the conclusions also hold on many other operating systems. Specifically, this thesis focuses on the following topics:

· The universal availability of ROP Turing-completeness. A major challenge in applying ROP is implementing conditional jumps. Conditional branch instructions were deemed useless for this purpose and were abandoned, so existing work resorts to awkward substitutes that suffer from a high risk of failure. By analyzing the execution context of conditional branch instructions, we find that this traditional view is not exactly right. In fact, a few conditional branch instructions have two branches, each of which starts a reusable gadget, and these two gadgets fetch the address of the next gadget from different memory cells. Hence a code snippet beginning with such a conditional instruction can implement a conditional jump in ROP code; we name such a snippet an if-gadget. Evaluations show that if-gadgets are pervasively available in everyday programs, and that, where the traditional scheme fails, Turing-completeness can be obtained in these programs with the help of if-gadgets. On platforms such as Ubuntu, shared libraries support ASLR but executables do not by default (this concerns non-PIE executables; an executable built as position-independent is randomized like a shared library). Therefore, adversaries may construct Turing-complete ROP code from gadgets found in these executables and mount an attack.

· Using JavaScript code blocks to inject gadgets into web browsers. Modern web browsers introduce just-in-time (JIT) compilation to improve their performance on JavaScript applications. However, this mechanism has already been abused by attackers to inject malicious code: because JIT compilers may place JavaScript integers into the code cache as operands of machine instructions, attackers can inject ROP gadgets by crafting JavaScript integers. Fortunately, integer-based injection has been mitigated by techniques such as constant blinding. In this work, we demonstrate that attackers can also inject ROP gadgets by using JavaScript code blocks instead of integer values. The idea is based on the observation that the dynamic code a JIT compiler generates for a given JavaScript snippet always contains some immutable machine instruction sequences. The presence of these sequences is not affected by security mechanisms such as constant blinding and the address randomization enforced by the browser, and the sequences may contain the ROP gadgets an attacker needs. In other words, attackers can use JavaScript code blocks to inject gadgets for their attacks. Evaluations on SpiderMonkey and Google V8 demonstrate that this scheme can inject Turing-complete ROP gadgets.

· Hardware-assisted code-reuse attack detection. Code-reuse attacks chain code snippets that end with indirect branch instructions. Therefore, when protecting a program, the attacks can be detected by checking the execution of every indirect branch instruction against the program's control-flow graph. This check can be implemented with hardware-assisted control-flow monitoring. Unfortunately, existing hardware facilities have their own limitations. In this work, we overcome those limitations by combining two different CPU features, and propose a practical scheme named CFIGuard to detect code-reuse attacks targeting user-space applications. Briefly, CFIGuard traces every branch execution using hardware features of commodity processors and validates the traces on the fly against fine-grained control-flow graphs. We have implemented a prototype of CFIGuard on Ubuntu, and the experimental results show that CFIGuard effectively detects attacks. Moreover, evaluations on a set of typical server applications show that CFIGuard incurs an average runtime overhead of only around 2.9%.
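The if-gadget item above describes a conditional branch whose two arms are both gadgets that load the next gadget address from different stack slots. The following is an added example, not code from the thesis: a toy finder that scans raw x86-64 bytes for `jcc` instructions, decodes a handful of encodings (`pop`, `push`, `nop`, `add rsp, imm8`, `ret`) along each arm, and reports the branch as an if-gadget candidate when both arms end in `ret` with a different `rsp` displacement. The byte string `CODE` is constructed for the example; a real finder would use a full disassembler and would also consider gadgets ending in other indirect branches.

```python
# Toy if-gadget finder (added example; not the thesis author's tool).
# Decodes only the encodings the constructed input needs; everything else
# ends the path as "not a gadget".
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


@dataclass
class GadgetPath:
    start: int                      # offset of the first instruction on this arm
    stack_delta: int                # bytes added to rsp before the terminating ret
    insns: List[str] = field(default_factory=list)

    @property
    def next_slot(self) -> int:
        # Stack slot, relative to rsp at the jcc, that `ret` pops the next
        # gadget address from. Two arms with different slots form an if-gadget.
        return self.stack_delta // 8


def decode_path(code: bytes, off: int, max_insns: int = 8) -> Optional[GadgetPath]:
    """Walk forward from `off` until a `ret`; None on an unknown byte or no ret."""
    path = GadgetPath(start=off, stack_delta=0)
    for _ in range(max_insns):
        if off >= len(code):
            return None
        b = code[off]
        if b == 0xC3:                                   # ret
            path.insns.append("ret")
            return path
        if 0x58 <= b <= 0x5F and b != 0x5C:             # pop r64 (pop rsp not modelled)
            path.stack_delta += 8
            path.insns.append(f"pop {REG64[b - 0x58]}")
            off += 1
        elif 0x50 <= b <= 0x57 and b != 0x54:           # push r64 (push rsp not modelled)
            path.stack_delta -= 8
            path.insns.append(f"push {REG64[b - 0x50]}")
            off += 1
        elif b == 0x90:                                 # nop
            path.insns.append("nop")
            off += 1
        elif off + 3 < len(code) and code[off:off + 3] == b"\x48\x83\xC4":   # add rsp, imm8
            imm = int.from_bytes(code[off + 3:off + 4], "little", signed=True)
            path.stack_delta += imm
            path.insns.append(f"add rsp, {imm}")
            off += 4
        else:
            return None                                 # not decodable by this toy
    return None


def find_if_gadgets(code: bytes) -> List[Tuple[int, GadgetPath, GadgetPath]]:
    """Return (jcc offset, fall-through arm, taken arm) for every candidate."""
    found = []
    for off in range(len(code)):
        b = code[off]
        if 0x70 <= b <= 0x7F and off + 1 < len(code):                       # jcc rel8
            rel = int.from_bytes(code[off + 1:off + 2], "little", signed=True)
            fall = off + 2
        elif b == 0x0F and off + 5 < len(code) and 0x80 <= code[off + 1] <= 0x8F:  # jcc rel32
            rel = int.from_bytes(code[off + 2:off + 6], "little", signed=True)
            fall = off + 6
        else:
            continue
        taken = fall + rel
        if not 0 <= taken < len(code):
            continue
        p_fall, p_taken = decode_path(code, fall), decode_path(code, taken)
        # Both arms must be gadgets AND must fetch the next gadget from
        # different slots; otherwise the flag value carries no information.
        if p_fall and p_taken and p_fall.next_slot != p_taken.next_slot:
            found.append((off, p_fall, p_taken))
    return found


# Constructed input (not taken from any real binary).
CODE = bytes([
    0x74, 0x03,        #  0: jz +3             taken target is offset 5
    0x58,              #  2: pop rax           fall-through arm: rsp += 8
    0xC3,              #  3: ret               next gadget from slot 1
    0x90,              #  4: nop               padding
    0x5B,              #  5: pop rbx           taken arm: rsp += 16
    0x5D,              #  6: pop rbp
    0xC3,              #  7: ret               next gadget from slot 2
    0x75, 0x02,        #  8: jnz +2            both arms below leave rsp += 8,
    0x58, 0xC3,        # 10: pop rax; ret      so this jcc is NOT an if-gadget
    0x5B, 0xC3,        # 12: pop rbx; ret
    0x7C, 0x10,        # 14: jl +16            target outside the buffer: skipped
])

if __name__ == "__main__":
    for jcc, fall, taken in find_if_gadgets(CODE):
        print(f"if-gadget at offset {jcc}: fall-through {fall.insns} -> slot {fall.next_slot}, "
              f"taken {taken.insns} -> slot {taken.next_slot}")
```

Run stand-alone it reports exactly one candidate, the `jz` at offset 0: a ROP payload places the two possible continuations in stack slots 1 and 2, and the flag state decides which one `ret` pops. The `jnz` at offset 8 is rejected because both arms return through the same slot.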
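The detection item above reduces to one rule: every executed indirect branch must be an edge of the program's fine-grained control-flow graph. The block below is an added example of that validation step, not CFIGuard's code, and it says nothing about which CPU features CFIGuard combines: it takes a batch of branch records of the kind a hardware branch-trace facility produces (source address, target address, direct/indirect), checks the indirect ones against a whitelist of allowed targets per branch site, and reports the first violation, which is where an on-the-fly monitor would stop the process. All addresses, the `CFG` table and both traces are constructed for illustration.

```python
# Simplified CFG-based validation of a branch trace (added example, not CFIGuard).
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class BranchRecord:
    src: int        # address of the branch instruction that executed
    dst: int        # address it transferred control to
    indirect: bool  # ret / call reg / jmp reg; direct branches are not policed


# Constructed fine-grained CFG (hypothetical addresses): each indirect branch
# site maps to the set of targets the program's source code allows.
CFG: Dict[int, Set[int]] = {
    0x401000: {0x401200, 0x401300},   # call *%rax through a 2-entry handler table
    0x4012F0: {0x401005},             # ret of handler A: only its call site's return address
    0x4013F0: {0x401005},             # ret of handler B
    0x402000: {0x401000},             # jmp *%rcx back to the dispatch loop
}


def validate(trace: List[BranchRecord], cfg: Dict[int, Set[int]] = CFG
             ) -> List[Tuple[BranchRecord, str]]:
    """Return (record, reason) for every indirect branch that is not a CFG edge."""
    violations = []
    for rec in trace:
        if not rec.indirect:
            continue                                   # direct edges are fixed in code
        allowed = cfg.get(rec.src)
        if allowed is None:
            violations.append((rec, "indirect branch at unknown site"))
        elif rec.dst not in allowed:
            violations.append((rec, "target not in CFG edge set"))
    return violations


def first_violation(trace: List[BranchRecord]) -> Optional[int]:
    """Index of the first offending record, i.e. where a monitor would raise."""
    for i, rec in enumerate(trace):
        if validate([rec]):
            return i
    return None


# Constructed benign run: dispatch -> handler A -> back to dispatch.
BENIGN_TRACE = [
    BranchRecord(0x401000, 0x401200, True),
    BranchRecord(0x401210, 0x401250, False),   # direct jmp inside handler A
    BranchRecord(0x4012F0, 0x401005, True),
    BranchRecord(0x402000, 0x401000, True),
]

# Constructed ROP run: a stack overflow redirects handler A's ret to a gadget at
# 0x4011C2, whose own ret chains to a second gadget. Neither hop is a CFG edge.
ROP_TRACE = [
    BranchRecord(0x401000, 0x401200, True),
    BranchRecord(0x4012F0, 0x4011C2, True),    # hijacked ret -> gadget 1
    BranchRecord(0x4011C7, 0x4013A0, True),    # gadget 1's ret -> gadget 2
]

if __name__ == "__main__":
    print("benign:", validate(BENIGN_TRACE))
    for rec, why in validate(ROP_TRACE):
        print(f"violation {rec.src:#x} -> {rec.dst:#x}: {why}")
```

The whitelist form is what makes the check fine-grained: a coarse policy that only asks "is the target the start of some function?" would accept a gadget that happens to begin at a function entry, whereas per-site edge sets reject any target the site was not compiled to reach.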
Keywords/Search Tags:Software Vulnerability Exploitation, Code-reuse Attack, Turing-completeness, Just-in-time Compilation, CPU Feature, Control-flow Integrity