
Stack-based buffer overflow attacks have long been a regular fixture in CVE [43]; vulnerabilities of this kind have been found in all sorts of systems and software. Although many mitigations and hardening policies now exist that attempt to suppress the existence of such vulnerabilities or reduce their exploitability, they still cannot completely prevent attacks of this type from occurring.

The concept and the compiler-based mitigation implementation proposed in this thesis modify LLVM so that additional assembly code is inserted, combined with an encode/decode mechanism, in order to suppress attacks. Even if a vulnerability does exist, it cannot be exploited to do further harm to the system; instead, exploitation naturally triggers a program error and execution is aborted.

This is both an advantage and a disadvantage: aborting the software does interrupt the attacker's attack flow, but it also stops the normal program from running. An ideal security policy should not interfere with normal development and operations, and Section 4.2 proposes a feasible way to deal with this; while not a perfect solution, it is one workable approach. A good security policy must not only improve security but also balance performance with the correctness of the program itself. Guaranteeing program correctness is one of the main directions of CFI (Control Flow Integrity) [37] and similar approaches, but in terms of implementation cost, with current computing power, they remain outside the range of widespread adoption and must reach their goal through lightweight designs or reduced granularity. Overall, although this method is not the best, it is an effective and usable solution.

References

[1] C. Cowan, P. Wagle, C. Pu, S. Beattie, J. Walpole, “Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade”, DARPA Information Survivability Conference and Exposition, 2000, available via https://css.csail.mit.edu/6.858/2012/readings/buffer-overflows.pdf, viewed in 2017.

[2] Haroon Meer, “Memory Corruption Attacks: The (almost) Complete History”, Black Hat USA 2010, available via https://media.blackhat.com/bh-us-10/whitepapers/Meer/BlackHat-USA-2010-Meer-History-of-Memory-Corruption-Attacks-wp.pdf, viewed in 2017.

[3] PaX Team, “PaX ASLR (Address Space Layout Randomization)”, 2003, available via https://pax.grsecurity.net/docs/aslr.txt, viewed in 2017.

[4] Perry Wagle, Crispin Cowan, “StackGuard: Simple Stack Smash Protection for GCC”, Immunix Inc., 2003, available via https://ece.uwaterloo.ca/~vganesh/TEACHING/S2014/ECE458/Stackguard.pdf, viewed in 2017.

[5] PaX Team, “PaX non-executable pages”, available via https://pax.grsecurity.net/docs/noexec.txt, viewed in 2017.

[6] Aleph One, “Smashing The Stack For Fun And Profit”, Phrack Magazine, vol. 7, no. 49, 1996, available via http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf.

[7] Wikipedia, “Calling convention”, available via https://www.wikiwand.com/en/X86_calling_conventions, viewed in 2017.

[8] Wikipedia, “Prologue”, available via https://en.wikipedia.org/wiki/Prologue, viewed in 2017.

[9] Wikipedia, “Epilogue”, available via https://en.wikipedia.org/wiki/Epilogue, viewed in 2017.

[10] Gustavo Duarte, “Anatomy of a Program in Memory”, available via http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/, viewed in 2017.

[11] Erik Buchanan, Ryan Roemer, Stefan Savage, Hovav Shacham, “Return-Oriented Programming: Exploitation without Code Injection”, Black Hat USA 2008, available via https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf, viewed in 2017.

[12] Nergal, “The advanced return-into-lib(c) exploits: PaX case study”, Phrack, vol. 11, no. 58, 2001, available via http://phrack.org/issues/58/4.html#article, viewed in 2017.

[13] H. Shacham, “The geometry of innocent flesh on the bone: return-into-libc without function calls”, ACM CCS, 2007, available via https://cseweb.ucsd.edu/~hovav/dist/geometry.pdf, viewed in 2017.

[14] Stephen Checkoway, Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, Hovav Shacham, Marcel Winandy, “Return-Oriented Programming without Returns”, ACM CCS, 2010, available via https://www2.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf, viewed in 2017.

[15] Minh Tran, Mark Etheridge, Tyler Bletsch, Xuxian Jiang, Vincent Freeh, Peng Ning, “On the expressiveness of return-into-libc attacks”, RAID’11, 2013, available via https://astojanov.files.wordpress.com/2011/09/tran_raid11.pdf, viewed in 2017.

[16] Ryan Roemer, Erik Buchanan, Hovav Shacham, Stefan Savage, “Return-Oriented Programming: Systems, Languages, and Applications”, manuscript, 2009, available via https://cseweb.ucsd.edu/~hovav/dist/rop.pdf, viewed in 2017.

[17] Remi Mabon, “Sigreturn Oriented Programming is a real Threat”, Lecture Notes in Informatics, Gesellschaft für Informatik, Bonn, 2016, available via http://cs.emis.de/LNI/Proceedings/Proceedings259/2077.pdf, viewed in 2017.

[18] Tyler Bletsch, Xuxian Jiang, Vincent W. Freeh, Zhenkai Liang, “Jump-Oriented Programming: A New Class of Code-Reuse Attack”, ACM Symposium on Information, Computer and Communications Security, 2011, available via https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf, viewed in 2017.

[19] Mathias Payer, “String Oriented Programming – Circumventing ASLR, DEP and Other Guards”, Chaos Communication Congress, 2011, available via https://nebelwelt.net/publications/files/1128c3.pdf, viewed in 2017.

[20] Laszlo Szekeres, Mathias Payer, Tao Wei, Dawn Song, “SoK: Eternal War in Memory”, IEEE Symposium on Security and Privacy, 2013, available via https://nebelwelt.net/publications/files/13Oakland.pdf, viewed in 2017.

[21] Hector Marco-Gisbert, Ismael Ripoll, “On the Effectiveness of Full-ASLR on 64-bit Linux”, DeepSec, 2014, available via https://cybersecurity.upv.es/attacks/offset2lib/offset2lib-paper.pdf, viewed in 2017.

[22] P. Wagle, Q. Zhang, H. Hinton, “StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks”, USENIX Security Symposium, 1998, available via https://www.usenix.org/legacy/publications/library/proceedings/sec98/full_papers/cowan/cowan.pdf, viewed in 2017.

[23] Linux manual, “Linux Programmer’s Manual - fork”, available via http://man7.org/linux/man-pages/man2/fork.2.html, viewed in 2017.

[24] Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh, “Hacking Blind”, IEEE Symposium on Security and Privacy (SP), 2014, available via http://www.scs.stanford.edu/brop/bittau-brop.pdf, viewed in 2017.

[25] Koike Yuki, “Hunting Birds”, Code Blue, 2015, available via https://www.npca.jp/works/magazine/2015_1/, viewed in 2017.

[26] Wikipedia, “W^X”, available via http://en.wikipedia.org/wiki/W∧X, viewed in 2017.

[27] Mathias Payer, “Too much PIE is bad for performance”, ETH Zurich Technical Report, 2012, available via https://nebelwelt.net/publications/files/12TRpie.pdf, viewed in 2017.

[28] 俞甲子, 石凡, 潘愛民, “程式設計師的自我修養 – 連結、載入、程式庫” (Programmer’s Self-Cultivation: Linking, Loading and Libraries), 碁峰資訊股份有限公司 (GOTOP Information Inc.), 2009.

[29] A. Di Federico, A. Cama, Y. Shoshitaishvili, C. Kruegel, G. Vigna, “How the ELF Ruined Christmas”, 24th USENIX Security Symposium, 2015, available via https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/di-frederico, viewed in 2017.

[30] Red Hat, “Enhance application security with FORTIFY_SOURCE”, available via https://access.redhat.com/blogs/766093/posts/1976213, viewed in 2017.

[31] Fedora, “Compile Time Buffer Checks (FORTIFY_SOURCE)”, available via https://fedoraproject.org/wiki/Security_Features?rd=Security/Features#Compile_Time_Buffer_Checks_.28FORTIFY_SOURCE.29, viewed in 2017.

[32] Linux manual, “FEATURE_TEST_MACROS(7)”, available via http://man7.org/linux/man-pages/man7/feature_test_macros.7.html, viewed in 2017.

[33] Clang Project, “Clang – A C Language Family Frontend for LLVM”, viewed in 2017.

[34] Low-Level Virtual Machine Project, “LLVM”, available via http://llvm.org/, viewed in 2017.

[35] Jannik Pewny, Thorsten Holz, “Control-Flow Restrictor: Compiler-based CFI for iOS”, Annual Computer Security Applications Conference, 2013, available via https://hgi.rub.de/media/emma/veroeffentlichungen/2013/10/02/CFI-compiler-acsac13.pdf, viewed in 2017.

[36] V. Kuznetsov, M. Payer, L. Szekeres, G. Candea, R. Sekar, D. Song, “Code-Pointer Integrity”, OSDI, 2014, available via http://dslab.epfl.ch/pubs/cpi.pdf, viewed in 2017.

[37] M. Zhang, R. Sekar, “Control Flow Integrity for COTS Binaries”, USENIX Security Symposium, 2013, available via http://seclab.cs.sunysb.edu/seclab/pubs/usenix13.pdf, viewed in 2017.

[38] LLVM Project, “The MC Layer”, available via http://llvm.org/docs/CodeGenerator.html#the-mc-layer, viewed in 2017.

[39] Kaan Onarlioglu, Leyla Bilge, Andrea Lanzi, “G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries”, 26th ACSAC, 2010, available via http://www.s3.eurecom.fr/docs/acsac10_gfree.pdf, viewed in 2017.

[40] LLVM Project, “Using the MachineInstrBuilder.h Functions”, available via http://llvm.org/docs/CodeGenerator.html#using-the-machineinstrbuilder-h-functions, viewed in 2017.

[41] LLVM Project, “Prolog/Epilog Code Insertion”, available via http://llvm.org/docs/CodeGenerator.html#prolog-epilog-code-insertion, viewed in 2017.

[42] Michael Matz, Jan Hubicka, Andreas Jaeger, Mark Mitchell, “System V Application Binary Interface: AMD64 Architecture Processor Supplement (Draft)”, 2014, available via https://uclibc.org/docs/psABI-x86_64.pdf, viewed in 2017.

[43] CVE, “Common Vulnerabilities and Exposures”, available via https://cve.mitre.org/index.html, viewed in 2017.