-  2018 

Hardware-assisted ROP attack detection on cloud platforms

DOI: 10.16511/j.cnki.qhdxxb.2018.26.008

Keywords: cloud platform, return oriented programming (ROP) detection, control flow integrity, last branch record


Abstract:

Existing approaches to detecting return oriented programming (ROP) attacks cannot simultaneously provide the flexible deployment, portability, and transparent detection that a cloud computing platform requires. This paper proposes a hardware-assisted method for detecting ROP attacks in real time. It uses the Intel last branch record (LBR), a hardware feature that can record the indirect branch information of a guest virtual machine (VM), to achieve rapid detection of ROP gadget attack chains in the hypervisor. In the privileged domain Dom0, the method uses virtual machine introspection (VMI) to validate the legitimacy of indirect branches, protecting the control flow integrity of the shared link libraries in the process address space of the guest VM. Tests show that the method can effectively detect ROP attacks with an average run-time overhead of less than 7%.
