
Defending Against ROP By Disturbing Register Context

Posted on: 2017-05-12
Degree: Master
Type: Thesis
Country: China
Candidate: W H Tang
Full Text: PDF
GTID: 2308330488478393
Subject: Computer Science and Technology
Abstract/Summary:
Attackers have used memory disclosure vulnerabilities to launch JIT-ROP, which can compromise vulnerable programs even when they are protected by fine-grained address space layout randomization. Researchers have therefore proposed defending against JIT-ROP by disturbing a program's context while it runs. Isomeron defends against ROP/JIT-ROP with high probability by disturbing the destination address of the control-flow transfers caused by return instructions. However, to introduce this disturbance, Isomeron must hook every call and ret instruction to complex procedures that store and retrieve the result of the disturbance, respectively, which leads to high runtime overhead. To reduce that overhead, this thesis investigates a method of defending against ROP/JIT-ROP at lower cost.

The main work of this thesis is as follows:

1) We analyzed the ROP/JIT-ROP defense Isomeron and found that it incurs high runtime overhead when used to defend against ROP. We also analyzed the cause of that overhead: Isomeron must hook all call and ret instructions to complex procedures in order to realize the disturbance. This thesis therefore investigates a new disturbing method that decreases the runtime overhead.

2) We designed a method that disturbs a program's register context while it runs. We chose the register context as the target of the disturbance after analyzing the conditions an attacker must satisfy to launch a ROP attack. Because the ABI constrains register usage, our method needs only a few instructions to realize the disturbance, which leads to lower runtime overhead. To realize the disturbance of the register context, we classified all general-purpose registers according to their usage and devised a different disturbing strategy for each category.

3) We implemented a prototype tool, RSmasher, based on a dynamic binary instrumentation framework. To evaluate our method, we designed experiments that evaluate effectiveness and efficiency respectively. The results show that RSmasher can defend against ROP while introducing lower runtime overhead.
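The abstract's central claim is that register usage rules in the ABI make a cheap disturbance possible: registers the ABI declares dead across a return can be overwritten at every ret without affecting compiled code, while a gadget chain that threads values through those registers from one gadget to the next falls apart. The following C model is an added illustration, not code from the thesis or from RSmasher. The register classes (return value, caller-saved scratch, callee-saved) and the "scramble scratch registers at ret" strategy are assumptions modelled on the System V x86-64 ABI; the thesis's own classification and per-category strategies are not given on the page. The instruction model, the legitimate call sequence and the gadget chain are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model register file: the x86-64 general-purpose registers minus rsp. */
enum reg { RAX, RDI, RSI, RDX, RCX, R8, R9, R10, R11, RBX, RBP, R12, R13, R14, R15, NREG };

/* Register classes by System V x86-64 ABI usage (assumption for this model;
 * the thesis's own classification is not on the page). */
enum reg_class { RET_VALUE, SCRATCH, CALLEE_SAVED };

static enum reg_class class_of(enum reg r) {
    switch (r) {
    case RAX: return RET_VALUE;               /* carries the return value across ret */
    case RBX: case RBP: case R12: case R13: case R14: case R15:
        return CALLEE_SAVED;                  /* callee must preserve: live across ret */
    default: return SCRATCH;                  /* caller-saved: dead after ret per ABI */
    }
}

typedef struct { uint64_t r[NREG]; } regs_t;

/* xorshift64, deterministic here so the demo is reproducible; a deployed
 * defence would draw its disturbance values from a CSPRNG. */
static uint64_t next_rand(uint64_t *s) {
    *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17;
    return *s;
}

/* Disturbing strategy per class: SCRATCH registers are overwritten at every
 * ret; RET_VALUE and CALLEE_SAVED registers are left alone because a
 * legitimate caller depends on them after the return. */
static void disturb_at_ret(regs_t *rs, uint64_t *seed) {
    for (int i = 0; i < NREG; i++)
        if (class_of((enum reg)i) == SCRATCH)
            rs->r[i] = next_rand(seed);
}

/* Tiny straight-line instruction model: enough to express gadgets and a
 * compiled call/return sequence. OP_RET is where the defence fires. */
enum op_kind { OP_SET, OP_ADD, OP_RET, OP_END };
typedef struct { enum op_kind kind; enum reg dst, a, b; uint64_t imm; } op_t;

static void execute(const op_t *code, regs_t *rs, int defend, uint64_t *seed) {
    for (const op_t *o = code; o->kind != OP_END; o++) {
        switch (o->kind) {
        case OP_SET: rs->r[o->dst] = o->imm; break;
        case OP_ADD: rs->r[o->dst] = rs->r[o->a] + rs->r[o->b]; break;
        case OP_RET: if (defend) disturb_at_ret(rs, seed); break;
        default: break;
        }
    }
}

#define SEED 0x9E3779B97F4A7C15ULL

/* Legitimate code: the caller passes arguments in rdi/rsi right before the
 * call, keeps its own live value in callee-saved rbx, and after the ret reads
 * only rax and rbx. Returns the final rax: 3 + 4 + 100 = 107 either way. */
uint64_t run_legit(int defend) {
    static const op_t code[] = {
        { OP_SET, RBX, RAX, RAX, 100 },   /* caller's live value, callee-saved */
        { OP_SET, RDI, RAX, RAX, 3 },     /* first argument */
        { OP_SET, RSI, RAX, RAX, 4 },     /* second argument */
        { OP_ADD, RAX, RDI, RSI, 0 },     /* callee: rax = rdi + rsi */
        { OP_RET, RAX, RAX, RAX, 0 },     /* callee returns; scratch regs disturbed */
        { OP_ADD, RAX, RAX, RBX, 0 },     /* caller: rax += rbx */
        { OP_END, RAX, RAX, RAX, 0 },
    };
    regs_t rs = {{0}};
    uint64_t seed = SEED;
    execute(code, &rs, defend, &seed);
    return rs.r[RAX];
}

/* Gadget chain: every gadget ends in ret, and the chain needs rdi and rsi to
 * survive those rets to reach the final gadget (attacker expects rax == 7). */
uint64_t run_gadget_chain(int defend) {
    static const op_t chain[] = {
        { OP_SET, RDI, RAX, RAX, 3 }, { OP_RET, RAX, RAX, RAX, 0 },  /* pop rdi ; ret */
        { OP_SET, RSI, RAX, RAX, 4 }, { OP_RET, RAX, RAX, RAX, 0 },  /* pop rsi ; ret */
        { OP_ADD, RAX, RDI, RSI, 0 }, { OP_RET, RAX, RAX, RAX, 0 },
        { OP_END, RAX, RAX, RAX, 0 },
    };
    regs_t rs = {{0}};
    uint64_t seed = SEED;
    execute(chain, &rs, defend, &seed);
    return rs.r[RAX];
}

int main(void) {
    printf("legit: undefended=%llu defended=%llu\n",
           (unsigned long long)run_legit(0), (unsigned long long)run_legit(1));
    printf("chain: undefended=%llu defended=%llu\n",
           (unsigned long long)run_gadget_chain(0), (unsigned long long)run_gadget_chain(1));
    return 0;
}
```

Run with and without the defence: the legitimate sequence yields 107 in both cases because it only relies on rax and rbx after the return, while the gadget chain yields 7 undefended and an unpredictable value once the scratch registers are disturbed at each ret. The model deliberately leaves out rsp, flags, partial-register aliases and the return address itself (which is what Isomeron disturbs); in a real instrumentation-based implementation the disturbing instructions would be inserted at ret sites by the DBI framework, and the per-class strategy would have to respect any program that breaks the ABI's register conventions.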
Keywords/Search Tags:Address Space Layout Randomization, Return-Oriented Programming, Gadget, Application Binary Interface, Register Context, Dynamic Binary Instrumentation