
Research On Detection Of Code Reuse Attack Based On Deep Learning

Posted on: 2021-04-10
Degree: Master
Type: Thesis
Country: China
Candidate: W Q Chen
GTID: 2518306122474894
Subject: Computer technology

Abstract/Summary:
A code reuse attack (CRA) is a powerful attack that hijacks a program's control flow by exploiting a memory vulnerability. A CRA completes the attack by reusing existing code fragments (gadgets) in the program without injecting any code. CRAs can bypass traditional defense mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), which poses a challenge to existing defenses. Control flow integrity (CFI) is considered one of the promising defense methods. CFI calculates all possible normal execution paths of the target program through static and dynamic analysis to generate the control flow graph (CFG) of the target program. When the program is running, CFI compares the current program control flow with the collected CFG to determine whether the program has been attacked. However, current CFI techniques suffer from several practical issues, such as modifying the compiler, extending the instruction set architecture (ISA), and incurring unacceptable runtime overhead, so they are difficult to deploy in real applications. To address these issues, this paper proposes the first deep learning-based CFI technique. The mechanism uses Intel Processor Trace (IPT) to trace program control flow information and builds a high-precision CFG by combining dynamic and static analysis. In addition, this paper proposes a CFG splitting algorithm that splits the CFG into chains for deep neural network training, so that neural network models learn the program's control flow information. When the program is running, IPT collects the branch information of the program in real time and delivers it to the trained neural network model for detection. Program interrupts are triggered when an attacker attempts to change program control flow. Our mechanism does not interrupt the application and has no runtime overhead. We designed a prototype of the defense mechanism on Linux and tested its performance with real applications such as Firefox, Nginx, and Adobe Flash. The experimental results showed that the average detection accuracy of this mechanism was up to 98.9%, the false positive rate was only 0.15%, and the false negative rate was 0.60%. We used 64 real ROP exploits created by ROPgadget and Ropper to further test its practicability, and the detection success rate reached 100%.
Keywords/Search Tags:Code reuse attack, Control flow integrity, Deep neural network, Intel Processor Trace
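
The chain idea described in the abstract, as an added illustration that is not code from the thesis: a CFG is split into fixed-length chains of basic blocks, and sliding windows of a runtime branch trace are checked against them. Assumptions: the thesis's actual splitting algorithm and neural network are not given on this page, so the path enumeration, the block addresses, and the set-membership check standing in for the trained model are all constructed here.

```python
from collections import defaultdict

# Constructed CFG edges (basic-block address -> legal successor); not from the thesis.
CFG_EDGES = [
    (0x1000, 0x1010), (0x1000, 0x1020),
    (0x1010, 0x1030), (0x1020, 0x1030),
    (0x1030, 0x1040), (0x1040, 0x1000),
]

def build_cfg(edges):
    """Adjacency map: block address -> set of legal successor addresses."""
    cfg = defaultdict(set)
    for src, dst in edges:
        cfg[src].add(dst)
    return cfg

def split_into_chains(cfg, length):
    """Enumerate every path of `length` blocks in the CFG (cycles allowed)."""
    chains = set()

    def walk(path):
        if len(path) == length:
            chains.add(tuple(path))
            return
        for nxt in cfg.get(path[-1], ()):
            walk(path + [nxt])

    for start in list(cfg):
        walk([start])
    return chains

def check_trace(trace, chains, length):
    """Return start indices of trace windows that match no known chain."""
    return [i for i in range(len(trace) - length + 1)
            if tuple(trace[i:i + length]) not in chains]

CHAIN_LEN = 3
CHAINS = split_into_chains(build_cfg(CFG_EDGES), CHAIN_LEN)

# Constructed traces of branch targets, as a trace decoder might emit them.
BENIGN = [0x1000, 0x1010, 0x1030, 0x1040, 0x1000, 0x1020, 0x1030]
# 0x1018 is a mid-block address, the kind of target a gadget chain lands on.
HIJACKED = [0x1000, 0x1010, 0x1030, 0x1018, 0x1040]

if __name__ == "__main__":
    print("benign anomalies:", check_trace(BENIGN, CHAINS, CHAIN_LEN))
    print("hijacked anomalies:", check_trace(HIJACKED, CHAINS, CHAIN_LEN))
```

A learned model generalizes over chains it has not seen verbatim, whereas this exact-match stand-in flags any window absent from the enumerated set.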