
DMROP: Deception-Based Moving Target ROP Defense

Posted on: 2018-10-22
Degree: Master
Type: Thesis
Country: China
Candidate: H R Peng
Full Text: PDF
GTID: 2428330515997943
Subject: Information security

Abstract/Summary:
With the widespread adoption of Data Execution Prevention, traditional code injection and code-reuse techniques such as ret2libc are severely constrained. Shacham et al. proposed the Return-Oriented Programming (ROP) attack, which reuses short instruction sequences (gadgets) in the code segment and in the dynamic link libraries it depends on. ROP payloads are simple in structure and aggressive, so they are a serious threat to system security. The three existing types of defense mechanism are randomization, control flow integrity (CFI) and run-time monitoring. Randomization changes the application's information, invalidating the gadgets the attacker has obtained, but it can be bypassed through brute force and memory leakage. CFI ensures that the program does not deviate from its normal execution flow, but it is difficult to balance safety and performance. Run-time monitoring checks whether an instruction sequence has the characteristics of a ROP attack, but it usually relies on dynamic instrumentation tools and has a larger performance cost. In addition, the defender is at a disadvantage, passively waiting for an attack and only then repairing the damage. To address this passive situation, this paper proposes a deception-based moving target ROP defense (DMROP), drawing on solutions from Internet security. First, at the program compilation phase, DMROP constructs different types of deceptive gadgets and analyzes the structure of the program to determine their insertion positions, ensuring that the program can still execute normally. To make it harder for attackers to tell real gadgets from deceptive gadgets, the spoofed gadgets are moved by inserting a random number of NOP instructions, and the number of NOP instructions inserted is dynamically adjusted based on the configuration file to reduce performance loss. Finally, run-time detection is based on the LBR mechanism: a kernel module monitors the execution of the program, and before a sensitive system function is called, the interrupt program checks whether the 16 entries of the LBR contain a spoofed gadget. As long as there is one deceptive gadget in the ROP payload chain, DMROP can successfully detect the attack, so DMROP achieves high accuracy.
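The LBR check described in the abstract, sketched as an added user-space example (not code from the thesis): before a sensitive call, each of the 16 branch records is tested against a table of deceptive-gadget address ranges. The table layout, the function names and the sample addresses are assumptions made for illustration; a kernel module would read the records from the LBR MSRs instead of taking an array.

```c
#include <stddef.h>
#include <stdint.h>

#define LBR_DEPTH 16 /* the abstract states that 16 LBR entries are checked */

struct lbr_entry   { uint64_t from, to; };   /* one taken branch: source, target */
struct decoy_range { uint64_t start, end; }; /* hypothetical layout: [start, end) */

/* Binary search; tbl must be sorted by start and non-overlapping. */
static int addr_in_decoy(uint64_t addr, const struct decoy_range *tbl, size_t n)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (addr < tbl[mid].start)     hi = mid;
        else if (addr >= tbl[mid].end) lo = mid + 1;
        else                           return 1;
    }
    return 0;
}

/* Index of the first record that enters or leaves a decoy, or -1 if none.
 * Assumes legitimate control flow never executes decoy bytes. */
int lbr_find_decoy(const struct lbr_entry lbr[LBR_DEPTH],
                   const struct decoy_range *tbl, size_t n)
{
    for (int i = 0; i < LBR_DEPTH; i++)
        if (addr_in_decoy(lbr[i].to, tbl, n) || addr_in_decoy(lbr[i].from, tbl, n))
            return i;
    return -1;
}

/* Constructed sample data; addresses are made up, unlisted records are zero. */
static const struct decoy_range decoys[] = {
    { 0x401200, 0x401206 }, { 0x4015a0, 0x4015a8 },
};
static const struct lbr_entry benign_lbr[LBR_DEPTH] = {
    { 0x401100, 0x401180 }, { 0x4011f0, 0x401210 }, /* jumps over first decoy */
    { 0x401230, 0x401000 },
};
static const struct lbr_entry rop_lbr[LBR_DEPTH] = {
    { 0x401100, 0x401180 }, { 0x401190, 0x401302 },
    { 0x401304, 0x4015a3 }, /* ret lands inside the second decoy */
    { 0x4015a7, 0x401400 }, /* ret at the end of that decoy */
};

int main(void)
{
    return (lbr_find_decoy(benign_lbr, decoys, 2) == -1 &&
            lbr_find_decoy(rop_lbr, decoys, 2) == 2) ? 0 : 1;
}
```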
Keywords/Search Tags: system security, Return Oriented Programming, moving target defense, deception