Comprehensive Defense System against Vulnerabilities Based on Return-Oriented Programming

Cover Page

Cite item

Full Text

Abstract

It is difficult or impossible to develop software without included errors. Errors can lead to an abnormal order of machine code execution during data transmission to a program. Program splitting into routines causes possible attacks by using return instructions from these routines. Most of existing security tools need to apply program source codes to protect against such attacks. The proposed defensive method is intended to a comprehensive solution to the problem. Firstly, it makes it difficult for an attacker to gain control over program execution, and secondly, the number of program routines, which can be used during the attack, decreases. Specific security code insertion is used at the beginning and end of the routines to make it complicated to gain control over the program execution. The return address is kept secure during a call of the protected routine, and the protected routine is restored after its execution if it was damaged by the attacker. To reduce the number of suitable routines for attacks, it was suggested to use synonymous substitutions of instructions that contain dangerous values. It should be mentioned that proposed defensive measures do not affect the original application`s algorithm. To confirm the effectiveness of the described defensive method, software implementation and its testing were accomplished. Acknowledging controls were conducted using synthetic tests, performance tests and real programs. Results of testing have demonstrated the reliability of the proposed measures. It ensures the elimination of program routines suitable for attacks and ensures the impossibility of using standard return instructions for conducting attacks. Performance tests have shown a 14 % drop in the operating speed, which approximately matches the level of the nearest analogues. The application of the proposed solution declines the number of possible attack scenarios, and its applicability level is higher in comparison with analogues.

About the authors

I. A Lubkin

Reshetnev Siberian State University of Science and Technology

Email: lubkin@rambler.ru
newspaper Krasnoyarskiy rabochiy Ave. 48Б

V. V Zolotarev

Reshetnev Siberian State University of Science and Technology

Email: zolotarev@sibsau.ru
newspaper Krasnoyarskiy rabochiy Ave. 48Б

References

  1. Гласс, Р. Факты и заблуждения профессионального программирования // СПб.: Символ-Плюс. 2007. 240 с.
  2. Вишняков А.В. Классификация ROP-гаджетов // Труды ИСП РАН. 2016. Т. 28. Вып. 6, с. 27–36. doi: 10.15514/ISPRAS-2016-28(6)-2
  3. Vedvyas Shanbhogue, Deepak Gupta, and Ravi Sahita. Security Analysis of Processor Instruction Set Architecture for Enforcing Control-Flow Integrity // Proceedings of the 8th International Workshop on Hardware and Architectural Support for Security and Privacy (HASP '19). Association for Computing Machinery, New York, NY, USA. 2019. Article 8, 1–11. DOI: https://doi.org/10.1145/3337167.3337175
  4. Intel 64 and IA-32 Architectures Software Developer’s Manual Combined Volumes: 1, 2A, 2B, 2C, 2D, 3A, 3B, 3C, 3D, and 4 // https://software.intel.com/content/dam/develop/external/us/en/documents-tps/325462-sdm-vol-1-2abcd-3abcd.pdf
  5. Intel Launches World’s Best Processor for Thin-and-Light Laptops: 11th Gen Intel Core // https://www.intel.com/content/www/us/en/newsroom/news/11th-gen-tiger-lake-evo.html
  6. RAP: RIP ROP 2015 // https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf
  7. Koo, Z.Z., Ayop, Zakiah, Abidin, Z.Z. Analysis of ROP attack on grsecurity / PaX linux kernel security variables // International Journal of Applied Engineering Research. 2017. no. 12. pp. 13179–13185.
  8. Иванников В., Курмангалеев Ш., Белеванцев А., Нурмухаметов А., Савченко В., Матевосян Р., Аветисян А. Реализация запутывающих преобразований в компиляторной инфраструктуре LLVM // Труды ИСП РАН. 2014. Т. 26. Вып. 1. С. 327–342.
  9. Нурмухаметов А.Р., Курмангалеев Ш.Ф., Каушан В.В., Гайсарян С.С. Применение компиляторных преобразований для противодействия эксплуатации уязвимостей программного обеспечения // Труды ИСП РАН. 2014. Т. 26. Вып. 3. С. 113–126. doi: 10.15514/ISPRAS-2014-26(3)-6.
  10. ИСП Обфускатор. Технология запутывания кода для защиты от эксплуатации уязвимостей // https://www.ispras.ru /technologies/isp_obfuscator/
  11. Нурмухаметов А.Р., Жаботинский Е.А., Курмангалеев Ш.Ф., Гайсарян С.С., Вишняков А.В. Мелкогранулярная рандомизация адресного пространства программы при запуске // Труды ИСП РАН. 2017. Т. 29. Вып. 6. С. 163–182. doi: 10.15514/ISPRAS-2017-29(6)-9.
  12. S. Crane, A. Homescu, P. Larsen. Code randomization: Haven’t we solved this problem yet? Cybersecurity Development (SecDev), IEEE. 2016.
  13. M. Conti, S. Crane, T. Frassetto et al. Selfrando: Securing the tor browser against de-anonymization exploits // PoPETs. 2016. no. 4. pp. 454–469.
  14. D. Williams-King, G. Gobieski, K. Williams-King et al. Shuffler: Fast and deployable continuous code re-randomization // Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation. 2016. pp. 367–382.
  15. Kangjie Lu, Stefan Nürnberger, Michael Backes, Wenke Lee. How to Make ASLR Win the Clone Wars: Runtime Re-Randomization // Proceedings of the 23rd Annual Network and Distributed System Security Symposium. 2016.
  16. Onarlioglu K., Bilge L., Lanzi A., Balzarotti D., Kidra E. G-Free: Defeating return-oriented programming through gadget-less binaries // Proceedings of ACSAC: M. Franz and J. McDermott, Eds. ACM Press. 2010. pp. 49–58.
  17. Jinku Li, Zhi Wang, Xuxian Jiang, Mike Grace, Sina Bahram. Defeating return-oriented rootkits with «return-less» kernels. // Proceedings of EuroSys. 2010, edited by G. Muller. ACM Press. pp. 195–208.
  18. Dean Sullivan, Orlando Arias, David Gens, Lucas Davi, Ahmad-Reza Sadeghi, Yier Jin. 2017. Execution Integrity with In-Place Encryption. arXiv preprint ar-Xiv:1703.02698 (2017).
  19. Lubkin I.A., Subbotin N.A. Technique of verified program module modification with algorithm preservation // IEEE Xplore Digital Library. 2017. 11th International IEEE scientific and technical conference "Dynamics of systems, mechanisms and machines" (Dynamics), 2017. pp. 1–5.
  20. Lubkin I.A., Bazhenov I. O. Methodology of software code decomposition analysis // Dynamics of systems, mechanisms and machines. Omsk. 2018. pp. 1–5.
  21. Hovav Shacham. The Geometry of Innocent Flash on the Bone: Return-into-libc without Function Calls (on the x86). 2007. ACM Conference on Computer and Communications Security (CCS), Proceedings of CCS, 2007. pp. 552–561.
  22. Статья Permutation conditions. URL: https://z0mbie.dreamhosters.com/pcond.txt (дата обращения 01.09.2021).
  23. Репозиторий с исходным кодом библиотеки eXtended Disassembler Engine (version 1.02). URL: https://github.com/nimrood/xde (дата обращения 01.09.2021).
  24. AMD64 Architecture Processor Supplement Draft Version 0.99.7 // https://www.uclibc.org/docs/psABI-x86_64.pdf
  25. Инструмент ROPgadget. Репозиторий с исходным кодом. URL: https://github.com/JonathanSalwan/ROPgadget (дата обращения 01.09.2021).
  26. Coremark. Программа оценки производительности. URL: https://github.com/eembc/coremark (дата обращения 01.09.2021).

Supplementary files

Supplementary Files
Action
1. JATS XML
Download

Согласие на обработку персональных данных

 

Используя сайт https://journals.rcsi.science, я (далее – «Пользователь» или «Субъект персональных данных») даю согласие на обработку персональных данных на этом сайте (текст Согласия) и на обработку персональных данных с помощью сервиса «Яндекс.Метрика» (текст Согласия).