Journal of Software, 2020, 31(11): 3588-3602

ROP Attack Detection Approach Based on Hardware Branch Information
LI Wei-Wei, MA Yue, WANG Jun-Jie, GAO Wei-Yi, YANG Qiu-Song, LI Ming-Shu
(National Engineering Research Center of Fundamental Software, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China; University of Chinese Academy of Sciences, Beijing 100049, China)
Received: July 14, 2018    Revised: November 06, 2018
Abstract: Control flow integrity (CFI) is an effective way to defend against return-oriented programming (ROP) attacks. Existing CFI approaches suffer from four main problems: high performance overhead, dependence on program code information, vulnerability to history flushing attacks, and vulnerability to evasion attacks. To address these, this study proposes an ROP attack detection approach based on hardware branch information, the mispredicted indirect branch checker (MIBChecker). MIBChecker uses the event-triggering mechanism of the performance monitor unit (PMU) to perform ROP detection in real time on every mispredicted indirect branch, which removes the opportunity for a history flushing attack; it also introduces a new detection method based on the parameters of sensitive system calls to detect ROP attacks that use short gadget chains (gadgets-chain). Experiments show that MIBChecker detects ROP gadgets (short instruction sequences) without being affected by history flushing attacks, effectively detects both common ROP attacks and evasion attacks, and introduces only 5.7% performance overhead.
CLC number: TP309
Foundation items: National Science and Technology Major Program for Core Electronic Devices, High-end Chips, and Basic Software Products (2014ZX01029101-002); Strategic Priority Research Program of the Chinese Academy of Sciences (XDA-Y01-01)
Citation:

LI Wei-Wei, MA Yue, WANG Jun-Jie, GAO Wei-Yi, YANG Qiu-Song, LI Ming-Shu. ROP attack detection approach based on hardware branch information. Journal of Software, 2020, 31(11): 3588-3602