
Research On Construction And Defense Technique Of Code Reuse Attack

Posted on: 2017-04-24
Degree: Master
Type: Thesis
Country: China
Candidate: B C Lan
GTID: 2308330485471113
Subject: Computer Science and Technology

Abstract/Summary:
Code reuse attacks have become the prominent exploitation technique. However, current attacks construct and execute an abnormal control flow, and so they can be defended against by control-flow integrity (CFI). In this thesis, the control flow of the new code reuse attack follows the form of a function call in order to bypass such defenses. Moreover, address space layout randomization (ASLR) is under threat from the JIT-ROP attack. Current defenses are unable to defend against indirect JIT-ROP, or they need the source code and a modified compiler. In this thesis, a new defense based on hiding branch instructions and static binary rewriting improves both security and compatibility.

The main work is as follows:

(1) By analyzing and summarizing the existing defense strategies of control-flow integrity protection and the shadow stack, a security-enhanced protection, we conclude that the combination of coarse-grained CFI and a shadow stack is an effective defense against current attacks. By further analyzing the abnormal control flow of current code reuse attacks, we find that they cannot bypass these existing defenses. This thesis constructs a new kind of code reuse attack named LOP (loop-oriented programming). The control flow of LOP follows the form of a function call, and every call instruction in LOP is matched by a return instruction, thus bypassing CFI defenses.

(2) LOP consists of loop gadgets and functional gadgets. Since a loop gadget contains a special loop structure and a functional gadget is an entire function body, the control flow of LOP follows the form of a function call and can therefore bypass defenses. In addition, the universality of the loop gadget and the Turing-completeness of the functional gadgets make LOP cross-platform and versatile. Moreover, a successful attack is conducted on an IE browser vulnerability, showing that LOP is effective.

(3) By analyzing and summarizing the principle of JIT-ROP and the relevant defenses, we conclude that current defenses only consider the traditional direct attack rather than the latest indirect attack. They also need the source code and modifications to the compiler and operating system, which are difficult to apply to commercial software. This thesis proposes a new defense named BIHide (Branch Instruction Hide), which hides branch instructions and performs static binary rewriting. BIHide hides all direct and indirect branch instructions, guaranteeing security, and uses the relocation table on Windows to rewrite binaries statically, guaranteeing compatibility and practicality.

(4) Combined with fine-grained ASLR, BIHide rewrites the branch instructions of a binary. Experimental results show that all branch instructions are hidden and the time and space overhead is reasonable. Finally, we analyze the ability of BIHide to defend against different kinds of code reuse attacks.
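To make concrete what the two defenses named in point (1) enforce, here is an added trace-level model that is not part of the thesis: a coarse-grained CFI check (a return must land on a call-preceded address) and a shadow-stack check (a return must go to the site pushed by its own call). The addresses, the call-site set and the 5-byte call length are constructed assumptions.

```python
# Added example, not from the thesis: a trace-level model of coarse-grained CFI
# and a shadow stack, used to reason about which control-flow shapes they reject.
from collections import namedtuple

# One control-transfer event from the (constructed) execution trace.
Event = namedtuple("Event", "kind src dst")  # kind is "call" or "ret"

CALL_LEN = 5                                    # assumed call instruction length
CALL_SITES = {0x1000, 0x1020, 0x1040}           # constructed call sites in the image
RET_SITES = {site + CALL_LEN for site in CALL_SITES}  # call-preceded addresses


def coarse_cfi_ok(trace):
    """Coarse-grained CFI: every return must land on a call-preceded address."""
    return all(ev.dst in RET_SITES for ev in trace if ev.kind == "ret")


def shadow_stack_ok(trace):
    """Shadow stack: each return must go exactly where its own call will return."""
    shadow = []
    for ev in trace:
        if ev.kind == "call":
            shadow.append(ev.src + CALL_LEN)     # push the legitimate return address
        elif ev.kind == "ret":
            if not shadow or shadow.pop() != ev.dst:
                return False                     # unmatched or mismatched return
    return True


def classify(trace):
    """Run both checks and report which of them accept the trace."""
    return {"coarse_cfi": coarse_cfi_ok(trace), "shadow_stack": shadow_stack_ok(trace)}


# Constructed traces. Bare return chain with no calls at all (classic ROP shape).
ROP_TRACE = [Event("ret", 0x2000, 0x3010), Event("ret", 0x3015, 0x3020)]
# Return chain that only targets call-preceded sites, still without any call.
CALL_PRECEDED_TRACE = [Event("ret", 0x2000, 0x1005), Event("ret", 0x3000, 0x1025)]
# Call-matched flow: every return goes back to the site after its own call.
CALL_MATCHED_TRACE = [Event("call", 0x1000, 0x3000), Event("ret", 0x3015, 0x1005),
                      Event("call", 0x1020, 0x4000), Event("ret", 0x4010, 0x1025)]

if __name__ == "__main__":
    for name, trace in [("rop", ROP_TRACE), ("call-preceded", CALL_PRECEDED_TRACE),
                        ("call-matched", CALL_MATCHED_TRACE)]:
        print(name, classify(trace))
```

Both checks reject the bare return chain; the chain into call-preceded sites passes coarse CFI but not the shadow stack; only the flow in which every return is matched by its own call passes both, which is the shape point (1) describes.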
Keywords/Search Tags: code reuse attack, control flow integrity, address space layout randomization, JIT-ROP