
Research On Intel MPX Based ROP Defense

Posted on: 2020-07-18
Degree: Master
Type: Thesis
Country: China
Candidate: K Wang
Full Text: PDF
GTID: 2518305897465484
Subject: Information security
Abstract/Summary:
With the advance of computer technology, threats to operating systems and applications keep growing. Return-oriented Programming (ROP), which can perform malicious computation using only code fragments already present in the target application, remains at large. Because ROP does not rely on injecting malicious code, traditional protection strategies based on a static chain of trust cannot help defend against it. As a consequence, enhancing the dynamic trust of the operating system has become a hot and difficult topic in trusted computing.

To enhance the dynamic trust of the operating system, Intel introduced Memory Protection eXtensions (MPX) in 2013. MPX performs bounds checking of code pointers using a newly introduced set of dedicated bound registers and bound-checking instructions. Compared with other, software-based pointer bounds checking schemes, the dedicated bound registers introduced by MPX reduce contention for general-purpose registers, save a cycle and put no pressure on the CPU's branch predictor, making pointer bounds checks highly efficient. Among software-based ROP defense strategies, by contrast, researchers always have to strike a balance between effectiveness and performance. Research on MPX-based ROP defense can therefore bring the hardware advantages of MPX into play and reduce the performance overhead of ROP defense. In addition, it can raise the security level of applications and operating systems and protect the dynamic trust of the operating system. This research is therefore of considerable significance.

At the same time, ROP was not taken into consideration when Intel MPX was designed, which leaves the protection MPX offers incomplete in the face of ROP: adversaries can leverage temporal errors such as Use-After-Free vulnerabilities to bypass MPX. To address the difficulties mentioned above, this paper proposes an improved realization of MPX named EMPX. By introducing extra metadata for temporal checks, shadow memory-based metadata management and a shadow call stack-based metadata garbage collection mechanism, EMPX can effectively recognize temporal errors. We realized an EMPX prototype based on LLVM. Our evaluation results prove that EMPX can effectively detect spatial errors and temporal errors, so that the prerequisites of a ROP attack can no longer be satisfied; EMPX can thus successfully defend against ROP attacks.

The main contributions of this paper are:

1. We performed an MPX defense study based on address space layout randomization. We proposed a transparent method of code pointer extraction, which reduces the overhead brought by instrumentation. In addition, we give an MPX-based strategy for bound computation, bound narrowing and bound checking.

2. We studied MPX's defense against memory temporal errors and proposed an improved realization of MPX named EMPX. We analyzed the effectiveness of MPX when facing memory temporal errors and designed a metadata structure suited to temporal checks. In addition, EMPX introduces shadow memory-based metadata management and a shadow call stack-based metadata garbage collection mechanism to replace those in MPX.

3. We leveraged LLVM to realize a prototype of EMPX. Evaluation results based on POCs and the security test bed RIPE prove that EMPX can effectively check memory spatial errors and temporal errors and stop ROP attacks. Although EMPX realizes comprehensive protection, our further evaluation and discussion suggest that the design of the defense strategy and its realization still merit further consideration.
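To make the spatial/temporal distinction concrete, the following constructed C model is added here for illustration; it is not the thesis's EMPX code and uses hypothetical names (toy_alloc, toy_free, toy_narrow, toy_check) over a fixed-slot mini heap. It shows why a pure bounds check passes a stale pointer after free and reuse, and how an allocation id stored per pointer and mirrored in a shadow table catches it.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed toy model, not the thesis's code: an MPX-style spatial bound
 * check plus the temporal metadata EMPX adds. A pointer carries bounds and the
 * id of its allocation; a shadow table holds the id live in each heap slot. */
#define SLOTS 8
#define SLOT_SIZE 64
static uint8_t heap[SLOTS * SLOT_SIZE];   /* constructed mini heap           */
static uint32_t shadow_live_id[SLOTS];    /* shadow memory; 0 = slot is dead */
static uint32_t next_id = 1;

typedef struct {
    uint8_t *lower, *upper;   /* MPX-style bounds, upper is inclusive */
    uint32_t alloc_id;        /* EMPX-style temporal metadata         */
} bounded_ptr;
enum check_result { CHECK_OK = 0, CHECK_SPATIAL = 1, CHECK_TEMPORAL = 2 };

bounded_ptr toy_alloc(int slot) {
    bounded_ptr p;
    p.lower = heap + slot * SLOT_SIZE;
    p.upper = p.lower + SLOT_SIZE - 1;
    p.alloc_id = next_id++;
    shadow_live_id[slot] = p.alloc_id;    /* record the live allocation */
    return p;
}
void toy_free(bounded_ptr p) {
    shadow_live_id[(p.lower - heap) / SLOT_SIZE] = 0;   /* slot now dead */
}
/* Bound narrowing: a sub-object pointer keeps the id but gets tighter bounds. */
bounded_ptr toy_narrow(bounded_ptr p, size_t offset, size_t len) {
    bounded_ptr q = p;
    q.lower = p.lower + offset;
    q.upper = q.lower + len - 1;
    return q;
}
/* Check len bytes at lower + offset: spatial first (as MPX does), then temporal. */
enum check_result toy_check(bounded_ptr p, size_t offset, size_t len) {
    size_t extent = (size_t)(p.upper - p.lower) + 1;
    if (len == 0 || offset > extent || len > extent - offset)
        return CHECK_SPATIAL;
    if (shadow_live_id[(p.lower - heap) / SLOT_SIZE] != p.alloc_id)
        return CHECK_TEMPORAL;
    return CHECK_OK;
}
/* Scenario: pointer kept after free while the slot is reused by a new object. */
int uaf_scenario(void) {
    bounded_ptr a = toy_alloc(2);
    if (toy_check(a, 0, 8) != CHECK_OK) return -1;
    toy_free(a);
    (void)toy_alloc(2);                   /* same slot, fresh id */
    return toy_check(a, 0, 8);            /* in bounds, but id is stale */
}
```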
Keywords/Search Tags:Intel MPX, ROP, Code Pointer, Shadow Memory, Shadow Call Stack