攻击网页浏览器:面向脚本代码块的ROP Gadget注入
作者:
作者单位:

作者简介:

袁平海(1982-),男,江西分宜人,博士,研究员,主要研究领域为软件安全,系统安全,区块链;张云剑(1991-),男,工程师,主要研究领域为信息安全;曾庆凯(1963-),男,博士,教授,博士生导师,CCF高级会员,主要研究领域为信息安全,分布计算;刘尧(1985-),男,博士,主要研究领域为信息安全,密码学.

通讯作者:

曾庆凯,E-mail:zqk@nju.edu.cn

中图分类号:

TP311

基金项目:

国家自然科学基金(61572248,61431008,61321491);国家科技支撑计划(2012BAK26B01)


Attacking Web Browser: ROP Gadget Injection by Using JavaScript Code Blocks
Author:
Affiliation:

Fund Project:

National Natural Science Foundation of China (61572248, 61431008, 61321491); National Key Technology Research and Development Program of China (2012BAK26B01)

  • 摘要
  • |
  • 图/表
  • |
  • 访问统计
  • |
  • 参考文献
  • |
  • 相似文献
  • |
  • 引证文献
  • |
  • 资源附件
  • |
  • 文章评论
    摘要:

    即时编译机制(just-in-time compilation)改善了网页浏览器执行JavaScript脚本的性能,同时也为攻击者向浏览器进程注入恶意代码提供了便利.借助即时编译器,攻击者可以将脚本中的整型常数放置到动态代码缓存区,以便注入二进制恶意代码片段(称为gadget).通过常数致盲等去毒化处理,基于常数的注入已经得到有效遏制.证实了不使用常数转而通过填充脚本代码块也能实施gadget注入,并实现图灵完备的计算功能.在编译一段给定的脚本代码时,即时编译器生成的动态代码中通常存在着一些固定的机器指令序列.这些指令序列的存在性不受常数致盲和地址空间布局随机化等安全机制的影响,同时,这些指令序列中可能蕴涵着攻击者期望的gadget.在实施攻击时,攻击者可以汇集特定的脚本代码块来构造一个攻击脚本,再借助即时编译器来注入gadget.在x86-64架构上评估了这种注入攻击在SpiderMonkey和GoogleV8这两个开源即时编译引擎上的可行性.通过给这两个引擎输入大量的JavaScript脚本,可以得到较为丰富的动态代码块.在这些动态代码块上的统计分析结果表明,这两个引擎生成的动态代码中都存在图灵完备的gadget集合.在实际攻击场景中,攻击者可以利用的脚本集合完全包含且远远多于实验用的脚本.因此,攻击者可以采用该方法注入需要的gadget,以便构造出实现任意功能的ROP(return-orientedprogramming)代码.

    Abstract:

    Modern Web browsers introduce just-in-time (JIT) compilation mechanism to improve their performance on executing JavaScript applications. However, this mechanism has already been abused by attackers to inject malicious code. For instance, as JIT compilers may place JavaScript integers into code-cache in the form of operands of machine instructions, attackers can inject return-oriented programming (ROP) gadgets by crafting JavaScript integers. Fortunately, integer-based injection attacks have already been mitigated by techniques such as constant blinding. This work demonstrates that attackers can also inject ROP gadgets by using JavaScript code blocks instead of integer values. The idea of this injection scheme is based on the observation that the dynamic code generated by JIT compilers for a given JavaScript code snippet always has some immutable machine instruction sequences. The existence of these sequences is not affected by security mechanisms including constant blinding and address randomization. Moreover, these instruction sequences may contain ROP gadgets needed by attackers. Therefore, attackers can use JavaScript code blocks to obtain these gadgets in their attacks. The proposed injection scheme on SpiderMonkey and GoogleV8 is evaluated by running on x86-64 architecture. These two JIT engines are fed with JavaScript applications from well-known benchmarks and got a great many of dynamic code blocks. Statistical results show that Turing-complete sets of gadgets can be got in these code blocks. In real word attack senarios, the available JavaScript applications can be used by an adversary contain and are far more than those from benchmarks. Therefore, an adversary can apply the proposed scheme to inject gadgets for constructing ROP code to conduct arbitrary computation.

    参考文献
    相似文献
    引证文献
引用本文

袁平海,曾庆凯,张云剑,刘尧.攻击网页浏览器:面向脚本代码块的ROP Gadget注入.软件学报,2020,31(2):247-265

复制
分享
文章指标
  • 点击次数:
  • 下载次数:
  • HTML阅读次数:
  • 引用次数:
历史
  • 收稿日期:2017-06-21
  • 最后修改日期:2017-09-05
  • 录用日期:
  • 在线发布日期: 2020-02-17
  • 出版日期: 2020-02-06
您是第位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号