ROP图灵完备的普遍可实现性
作者:
作者单位:

作者简介:

通讯作者:

中图分类号:

基金项目:

国家自然科学基金(61772266,61572248,61431008,61321491);国家科技支撑计划(2012BAK26B01)


Universal Availability of ROP-Based Turing-Complete Computation
Author:
Affiliation:

Fund Project:

National Natural Science Foundation of China (61772266, 61572248, 61431008, 61321491); National Key Technology R&D Program of China (2012BAK26B01)

  • 摘要
  • |
  • 图/表
  • |
  • 访问统计
  • |
  • 参考文献
  • |
  • 相似文献
  • |
  • 引证文献
  • |
  • 资源附件
  • |
  • 文章评论
    摘要:

    返回导向编程(return-oriented programming,简称ROP)被广泛用于软件漏洞利用攻击中,用来构造攻击代码.通过更新ROP构造技术,证实了图灵完备的纯ROP攻击代码在软件模块中是普遍可实现的.ROP构造功能代码的难点是实现条件转移逻辑.通过深入分析条件转移机器指令的执行上下文发现,对这些指令的传统认知存在一定的局限性.事实上,在已有代码中存在少量的条件转移指令,它们的两个分支的开始部分都是可复用的代码片段(称为gadgets),而且这两个gadgets会从不同的内存单元中取得下一个gadget的地址,因此,以这些条件转移指令开始的代码片段可以帮助ROP实现条件转移逻辑.把这种代码片段称为if-gadget.在Linux和Windows系统上的实验结果表明,if-gadget普遍存在,即使在代码量很小的日常可执行程序中也存在.在Binutils程序集上的实验结果表明,引入if-gadget后,构造图灵完备的ROP代码要比用传统方法容易得多.在Ubuntu这样的主流操作系统上,由于可执行程序上默认没有实施防御ROP攻击的保护机制,因此,攻击者可以在这些软件模块中构造纯ROP攻击代码来发动攻击.由此可见,ROP对系统安全的威胁比原来认为的严重得多.

    Abstract:

    Return-Oriented programming (ROP) is widely applied in modern software vulnerability exploitations.This work demonstrates that Turing-complete ROP code is universally available in everyday software.A big challenge for applying ROP is to construct the functionality of conditional jumps.Because conditional branch instructions are abandoned as they are deemed no use for achieving this functionality, existing works resort to some awkward methods which suffer from high risk of failure.By analyzing the execution context of conditional branch instructions, this study finds that the traditional viewpoint on these instructions only partially reveals the truth.In fact, there are some conditional branch instructions in which two branches each starts a reusable gadget, and these two gadgets fetch the next gadget from different memory cells.Hence, the code snippets beginning at these conditional instructions can implement the conditional jumps for ROP code.Such a code snippet is named if-gadget.Experimental results show that if-gadgets are widely available in executables of Linux and Windows platforms.Evaluations on programs of Binutils demonstrate that, Turing complete ROP code can be achieved with the help of if-gadgets while existing techniques even fail to gather Turing complete gadgets.On platforms such as Ubuntu, because the executables running on them do not support ASLR by default, attackers can construct Turing-complete ROP code on these executables and then mount an attack.Therefore, ROP-based attacks pose a great threat to modern platforms, which is far more serious than originally thought.

    参考文献
    相似文献
    引证文献
引用本文

袁平海,曾庆凯. ROP图灵完备的普遍可实现性.软件学报,2017,28(10):2583-2598

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2017-01-20
  • 最后修改日期:2017-06-07
  • 录用日期:
  • 在线发布日期: 2017-09-30
  • 出版日期:
您是第位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号