
The Research Of Defending ROP Attacks Using Basic Block Level Randomization

Posted on: 2015-04-05 | Degree: Master | Type: Thesis
Country: China | Candidate: X Zhan
GTID: 2308330461460684 | Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of information technology and computer networks, software systems play an increasingly important role in social life. Although software security technology has advanced quickly and many protection mechanisms are widely deployed, software vulnerabilities such as buffer overflows and format string vulnerabilities remain quite common. By exploiting them, attackers can hijack control flow to execute injected malicious code.

To defend against code injection attacks, modern operating systems introduced the W⊕X mechanism, which prevents injected code from executing. However, return-into-libc attacks and various forms of return-oriented programming (ROP) attacks get around W⊕X by reusing code that already exists in the program. ROP attacks use short instruction sequences ending in "ret" to construct gadgets, and chain the gadgets together to launch the attack. Moreover, gadgets have been proven to be Turing-complete, so they are capable of arbitrary computation.

Industry and academia have proposed various detection and defense methods. Among them, address space layout randomization has become the most important defense against ROP because of its effectiveness and generality. However, although the implementation in modern operating systems, ASLR, can defend against ROP attacks to some extent, it can randomize only 16 bits of the base address of the code segment. ASLR therefore cannot provide enough entropy, and because the relative address offsets between instructions remain unchanged, the mechanism is vulnerable to brute-force attacks and information leakage attacks.

To make up for the weaknesses of ASLR, we propose a more fine-grained randomization method at the basic block level. Our method randomly permutes the basic blocks in the code segment so that the address of every instruction changes, achieving enough entropy to defend against ROP attacks. To preserve correctness, the relations between basic blocks must be fixed up after randomization. The biggest obstacle to address space randomization based on static analysis of binary code is determining the targets of indirect branch instructions. Our technique uses the best static analysis approach to analyze the possible targets of indirect branch instructions and inserts a "translator" before each indirect branch to maintain the relations between basic blocks and ensure correctness.

We present the theory and solution of our basic block level address space randomization technique, and implement a prototype randomization system on Linux that can randomize ELF binary files. Finally, we evaluate the defensive effectiveness of our technique and its space and time efficiency.
Keywords/Search Tags: ROP, Address Space Layout Randomization, ASLR, Basic Block Level Randomization, Program Security, Indirect Branch Instruction Analysis
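The permutation, branch fix-up and "translator" steps described in the abstract, as an added Python sketch that is not code from the thesis. The toy block table, the jump table and all function names are constructed for illustration, and the translator is assumed here to be a lookup from original to randomized block addresses.

```python
import random

# Constructed toy program: original block address -> (size, terminator).
# Every block ends in an explicit terminator, so no fall-through edges exist.
PROGRAM = {
    0x1000: (12, ("ijmp", 0)),       # indirect jump through JUMP_TABLE[0]
    0x100c: (8,  ("jmp", 0x1020)),
    0x1014: (12, ("jmp", 0x1020)),
    0x1020: (6,  ("ijmp", 1)),       # indirect jump through JUMP_TABLE[1]
    0x1026: (10, ("halt",)),
}
# Data that static rewriting leaves alone: it still holds ORIGINAL addresses.
JUMP_TABLE = [0x1014, 0x1026]

def randomize(program, base, seed):
    """Permute the basic blocks; return the old -> new block address map."""
    order = list(program)
    random.Random(seed).shuffle(order)
    mapping, cursor = {}, base
    for old in order:
        mapping[old] = cursor
        cursor += program[old][0]
    return mapping

def rewrite(program, mapping):
    """Relocate every block and patch direct branch targets statically."""
    out = {}
    for old, (size, term) in program.items():
        if term[0] == "jmp":
            term = ("jmp", mapping[term[1]])
        out[mapping[old]] = (size, term)
    return out

def translate(mapping, old_target):
    """Assumed translator run before an indirect branch: old -> new address."""
    if old_target not in mapping:
        raise ValueError(f"{old_target:#x} is not a known block start")
    return mapping[old_target]

def run(program, entry, mapping=None):
    """Execute the toy program; return the list of block addresses visited."""
    trace, pc = [], entry
    while True:
        trace.append(pc)
        term = program[pc][1]
        if term[0] == "halt":
            return trace
        if term[0] == "jmp":
            pc = term[1]
        else:  # indirect branch: the runtime value is an original address
            target = JUMP_TABLE[term[1]]
            pc = translate(mapping, target) if mapping is not None else target
```

Mapping the randomized trace back through the inverse of the address map reproduces the original block sequence, which is the correctness property the fix-up and translator must preserve.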