
A ROP Defense Solution Based On Memory Page Validation

Posted on: 2017-04-26
Degree: Master
Type: Thesis
Country: China
Candidate: S X Gao
Full Text: PDF
GTID: 2308330485458905
Subject: Software engineering
Abstract/Summary:
With the rapid development of network and information technology, computer software systems play an increasingly important role in social life. At the same time, because some high-level languages omit bounds checking for efficiency, it is difficult for software developers to write software without vulnerabilities. All kinds of bugs are still very common, particularly in legacy software systems. Through these vulnerabilities, an attacker can hijack the normal control flow of the software and mount an attack. A common code reuse attack relies on the absolute addresses of code resident in memory. Against this adversary there are several defense solutions, including address space layout randomization. With the appearance of Just-in-Time ROP, the original randomization protections face serious challenges. To prevent malicious code from reading memory contents, XnR implements software-level read protection on both Linux and Windows platforms. However, even under the protection of this technique, the possibility of being attacked still exists. Just-in-Time code reuse attacks target address space layout randomization. There are several solutions against this attack; XnR is one that is implemented entirely in software. Because of the excellent performance of XnR in defending against ROP, improving XnR is an effective way to construct a Just-in-Time ROP defense scheme. This paper first introduces the research progress on address space layout randomization and expounds the background of Just-in-Time ROP and XnR. Then we present an improvement strategy based on the XnR technique: validation of the memory page flow. Since a ROP attack searches memory-resident code and builds a gadget sequence, its control flow may have to jump across multiple pages.
Drawing on the control flow verification ideas of CFI, this paper checks the running order of the program against the original code page flow and monitors illegal page flows. To achieve kernel-based validation of memory page flow, there are two technical difficulties: first, the analysis of the destination addresses of indirect branch instructions; second, recording the page flow at runtime. For the analysis of indirect branch instructions, we must obtain the code dependencies between instructions and then derive the original legitimate program run flow. Based on expression propagation over the SSA intermediate form and value set analysis, this paper improves existing control flow analysis, performing a cross-process backward trace of the destination addresses of indirect branch instructions. In order to record the runtime flow of the program, this paper transforms the sliding window of XnR so that it writes the page information to disk as a basis for later comparison and analysis. Experiments show that our prototype improves the ability of control flow analysis (the program control flow graphs it produces) and is capable of monitoring just-in-time ROP attacks. Even with a window size of only 6 pages, the average overhead of the program increases by only 5.1%. In future research, we will continue to improve the defense scheme and realize a hardware architecture with read protection. With a combined hardware-software solution, we can solve the problems of the current XnR.
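The page-flow validation described above, as an added illustrative simulation (not code from the thesis): a set of legitimate cross-page transitions is derived from a constructed control-flow graph whose indirect branch targets are assumed already resolved, and a runtime address trace is replayed through a sliding window of executed pages, flagging any cross-page transition the static analysis never produced. The page size, CFG edges and traces are constructed assumptions.

```python
"""Page-flow validation, simulated (added example, not the thesis's code)."""
from collections import deque

PAGE_SIZE = 0x1000  # assumed 4 KiB pages

def page_of(addr):
    return addr // PAGE_SIZE

def legal_page_flows(cfg_edges):
    """Lift instruction-level CFG edges (src, dst), including the resolved
    targets of indirect branches, to the set of legitimate cross-page
    transitions. Intra-page edges need no entry: staying on a page is legal."""
    return {(page_of(s), page_of(d)) for s, d in cfg_edges
            if page_of(s) != page_of(d)}

def validate_trace(trace, allowed, window_size=6):
    """Replay executed addresses. Each cross-page transition must be in
    `allowed`; others are reported as (trace_index, from_page, to_page).
    The window of recently executed pages mirrors the XnR sliding window
    the thesis adapts; returning it stands in for writing it to disk."""
    window = deque(maxlen=window_size)
    violations = []
    prev = None
    for i, addr in enumerate(trace):
        p = page_of(addr)
        if prev is not None and p != prev and (prev, p) not in allowed:
            violations.append((i, prev, p))
        if not window or window[-1] != p:
            window.append(p)
        prev = p
    return violations, list(window)

# Constructed CFG for a toy binary: (branch address, resolved target).
CFG_EDGES = [
    (0x401020, 0x402000),  # main calls helper on the next page
    (0x402040, 0x401025),  # helper returns into main
    (0x401040, 0x403100),  # main calls a routine on a third page
    (0x403180, 0x401045),  # that routine returns into main
]
# Constructed traces: one that follows the CFG, one that hops between pages
# the static analysis never connected (the pattern a gadget chain produces).
BENIGN_TRACE = [0x401000, 0x401020, 0x402000, 0x402040, 0x401025,
                0x401040, 0x403100, 0x403180, 0x401045]
ANOMALOUS_TRACE = [0x401000, 0x401020, 0x402000, 0x405010, 0x403020, 0x401045]

if __name__ == "__main__":
    flows = legal_page_flows(CFG_EDGES)
    print("benign:", validate_trace(BENIGN_TRACE, flows))
    print("anomalous:", validate_trace(ANOMALOUS_TRACE, flows))
```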
Keywords/Search Tags: Return-Oriented Programming, address space layout randomization, control flow analysis, program security