Survey on Software Binary Code Reuse Technologies
Authors: Peng Guojun, Liang Yu, Zhang Huanguo, Fu Jianming
Fund Project:

United Basic Research Foundation of NSFC-General Technology (U1636107); National Natural Science Foundation of China (61332019, 61202387, 61373168); National Basic Research Program of China (973) (2014CB340600)

Abstract:

Within the current commercial system architecture and software ecosystem, code reuse techniques such as ROP (return-oriented programming) are widely adopted to exploit memory vulnerabilities. Driven by the severe situation of cyberspace security, the academic and industrial communities have carried out a great amount of research on binary code reuse from both offensive and defensive perspectives. This paper first introduces the essence and basics of binary code reuse, then analyzes the evolution of binary code reuse attacks and their typical attack vectors. Corresponding defenses and mitigations based on control-flow integrity and memory randomization are analyzed as well, and CET (control-flow enforcement technology) and CFG (control flow guard), the two latest industrial mitigations against binary code reuse, are dissected. The future of binary code reuse, including potential attack surfaces and ideas for strengthening defense mechanisms, is also discussed at the end of this paper.

Cite this article:

Peng Guojun, Liang Yu, Zhang Huanguo, Fu Jianming. Survey on software binary code reuse technologies. Journal of Software, 2017,28(8):2026-2045

History
  • Received: 2016-08-31
  • Last revised: 2016-11-04
  • Published online: 2017-08-15