19 research outputs found
ΠΠΎΠΌΠΏΠ»Π΅ΠΊΡΠ½Π°Ρ ΡΠΈΡΡΠ΅ΠΌΠ° Π·Π°ΡΠΈΡΡ ΠΎΡ ΡΡΠ·Π²ΠΈΠΌΠΎΡΡΠ΅ΠΉ, ΠΎΡΠ½ΠΎΠ²Π°Π½Π½ΡΡ Π½Π° Π²ΠΎΠ·Π²ΡΠ°ΡΠ½ΠΎ-ΠΎΡΠΈΠ΅Π½ΡΠΈΡΠΎΠ²Π°Π½Π½ΠΎΠΌ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠΈΡΠΎΠ²Π°Π½ΠΈΠΈ
It is difficult or impossible to develop software without included errors. Errors can lead to an abnormal order of machine code execution during data transmission to a program. Program splitting into routines causes possible attacks by using return instructions from these routines. Most of existing security tools need to apply program source codes to protect against such attacks. The proposed defensive method is intended to a comprehensive solution to the problem. Firstly, it makes it difficult for an attacker to gain control over program execution, and secondly, the number of program routines, which can be used during the attack, decreases. Specific security code insertion is used at the beginning and end of the routines to make it complicated to gain control over the program execution. The return address is kept secure during a call of the protected routine, and the protected routine is restored after its execution if it was damaged by the attacker. To reduce the number of suitable routines for attacks, it was suggested to use synonymous substitutions of instructions that contain dangerous values. It should be mentioned that proposed defensive measures do not affect the original application`s algorithm. To confirm the effectiveness of the described defensive method, software implementation and its testing were accomplished. Acknowledging controls were conducted using synthetic tests, performance tests and real programs. Results of testing have demonstrated the reliability of the proposed measures. It ensures the elimination of program routines suitable for attacks and ensures the impossibility of using standard return instructions for conducting attacks. Performance tests have shown a 14 % drop in the operating speed, which approximately matches the level of the nearest analogues. The application of the proposed solution declines the number of possible attack scenarios, and its applicability level is higher in comparison with analogues.ΠΠ°ΡΡΡΠ΄Π½ΠΈΡΠ΅Π»ΡΠ½ΠΎ ΠΈΠ»ΠΈ Π½Π΅Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎ ΡΠΎΠ·Π΄Π°ΡΡ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½ΠΎΠ΅ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΠ΅, Π½Π΅ ΡΠΎΠ΄Π΅ΡΠΆΠ°ΡΠ΅Π΅ ΠΎΡΠΈΠ±ΠΎΠΊ. ΠΡΠΈΠ±ΠΊΠΈ ΠΌΠΎΠ³ΡΡ ΠΏΡΠΈΠ²ΠΎΠ΄ΠΈΡΡ ΠΊ ΡΠΎΠΌΡ, ΡΡΠΎ ΠΏΠ΅ΡΠ΅Π΄Π°Π½Π½ΡΠ΅ Π² ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΡ Π΄Π°Π½Π½ΡΠ΅ Π²ΡΠ·ΡΠ²Π°ΡΡ Π½Π΅ΡΡΠ°ΡΠ½ΡΠΉ ΠΏΠΎΡΡΠ΄ΠΎΠΊ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΡ Π΅Π΅ ΠΌΠ°ΡΠΈΠ½Π½ΠΎΠ³ΠΎ ΠΊΠΎΠ΄Π°. Π Π°Π·Π±ΠΈΠ΅Π½ΠΈΠ΅ Π½Π° ΠΏΠΎΠ΄ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΡ ΠΏΡΠΈΠ²ΠΎΠ΄ΠΈΡ ΠΊ ΡΠΎΠΌΡ, ΡΡΠΎ ΠΈΠ½ΡΡΡΡΠΊΡΠΈΠΈ Π²ΠΎΠ·Π²ΡΠ°ΡΠ° ΠΈΠ· ΠΏΠΎΠ΄ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌ ΠΌΠΎΠ³ΡΡ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡΡΡ Π΄Π»Ρ ΠΏΡΠΎΠ²Π΅Π΄Π΅Π½ΠΈΡ Π°ΡΠ°ΠΊΠΈ. Π‘ΡΡΠ΅ΡΡΠ²ΡΡΡΠΈΠ΅ ΡΡΠ΅Π΄ΡΡΠ²Π° Π·Π°ΡΠΈΡΡ Π² ΠΎΡΠ½ΠΎΠ²Π½ΠΎΠΌ ΡΡΠ΅Π±ΡΡΡ Π½Π°Π»ΠΈΡΠΈΡ ΠΈΡΡ
ΠΎΠ΄Π½ΡΡ
ΡΠ΅ΠΊΡΡΠΎΠ² Π΄Π»Ρ ΠΏΡΠ΅Π΄ΠΎΡΠ²ΡΠ°ΡΠ΅Π½ΠΈΡ ΡΠ°ΠΊΠΈΡ
Π°ΡΠ°ΠΊ. ΠΡΠ΅Π΄Π»Π°Π³Π°Π΅ΠΌΠ°Ρ ΠΌΠ΅ΡΠΎΠ΄ΠΈΠΊΠ° Π·Π°ΡΠΈΡΡ Π½Π°ΠΏΡΠ°Π²Π»Π΅Π½Π° Π½Π° ΠΊΠΎΠΌΠΏΠ»Π΅ΠΊΡΠ½ΠΎΠ΅ ΡΠ΅ΡΠ΅Π½ΠΈΠ΅ ΠΏΡΠΎΠ±Π»Π΅ΠΌΡ. ΠΠΎ-ΠΏΠ΅ΡΠ²ΡΡ
, Π·Π°ΡΡΡΠ΄Π½ΡΠ΅ΡΡΡ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΠ΅ Π°ΡΠ°ΠΊΡΡΡΠΈΠΌ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π½Π°Π΄ ΠΈΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠ΅ΠΌ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΡ, Π° Π²ΠΎ-Π²ΡΠΎΡΡΡ
, ΡΠ½ΠΈΠΆΠ°Π΅ΡΡΡ ΠΊΠΎΠ»ΠΈΡΠ΅ΡΡΠ²ΠΎ ΡΡΠ°ΡΡΠΊΠΎΠ² ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌ, ΠΊΠΎΡΠΎΡΡΠ΅ ΠΌΠΎΠ³ΡΡ Π±ΡΡΡ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½Ρ Π² Ρ
ΠΎΠ΄Π΅ Π°ΡΠ°ΠΊΠΈ. ΠΠ»Ρ Π·Π°ΡΡΡΠ΄Π½Π΅Π½ΠΈΡ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π½Π°Π΄ ΠΈΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠ΅ΠΌ ΠΏΡΠΈΠΌΠ΅Π½ΡΠ΅ΡΡΡ Π²ΡΡΠ°Π²ΠΊΠ° Π·Π°ΡΠΈΡΠ½ΠΎΠ³ΠΎ ΠΊΠΎΠ΄Π° Π² Π½Π°ΡΠ°Π»ΠΎ ΠΈ ΠΊΠΎΠ½Π΅Ρ ΠΏΠΎΠ΄ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌ. ΠΡΠΈ Π²ΡΠ·ΠΎΠ²Π΅ Π·Π°ΡΠΈΡΠ΅Π½Π½ΠΎΠΉ ΠΏΠΎΠ΄ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΡ ΠΏΡΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡΡΡ Π·Π°ΡΠΈΡΠ° Π°Π΄ΡΠ΅ΡΠ° Π²ΠΎΠ·Π²ΡΠ°ΡΠ°, Π° ΠΏΡΠΈ Π·Π°Π²Π΅ΡΡΠ΅Π½ΠΈΠΈ β Π²ΠΎΡΡΡΠ°Π½ΠΎΠ²Π»Π΅Π½ΠΈΠ΅ β ΠΏΡΠΈ ΡΡΠ»ΠΎΠ²ΠΈΠΈ ΠΎΡΡΡΡΡΡΠ²ΠΈΡ ΠΏΠΎΠ²ΡΠ΅ΠΆΠ΄Π΅Π½ΠΈΡ Π΅Π³ΠΎ Π°ΡΠ°ΠΊΡΡΡΠΈΠΌ. ΠΠ»Ρ ΡΠ½ΠΈΠΆΠ΅Π½ΠΈΡ ΠΊΠΎΠ»ΠΈΡΠ΅ΡΡΠ²Π° ΠΏΡΠΈΠ³ΠΎΠ΄Π½ΡΡ
Π΄Π»Ρ Π°ΡΠ°ΠΊ ΡΡΠ°ΡΡΠΊΠΎΠ² ΠΏΡΠΈΠΌΠ΅Π½ΡΡΡΡΡ ΡΠΈΠ½ΠΎΠ½ΠΈΠΌΠΈΡΠ½ΡΠ΅ Π·Π°ΠΌΠ΅Π½Ρ ΠΈΠ½ΡΡΡΡΠΊΡΠΈΠΉ, ΡΠΎΠ΄Π΅ΡΠΆΠ°ΡΠΈΠ΅ ΠΎΠΏΠ°ΡΠ½ΡΠ΅ Π·Π½Π°ΡΠ΅Π½ΠΈΡ. ΠΡΠ΅Π΄Π»ΠΎΠΆΠ΅Π½Π½ΡΠ΅ ΠΌΠ΅ΡΡ Π½Π΅ ΠΈΠ·ΠΌΠ΅Π½ΡΡΡ Π°Π»Π³ΠΎΡΠΈΡΠΌ ΡΠ°Π±ΠΎΡΡ ΠΈΡΡ
ΠΎΠ΄Π½ΠΎΠ³ΠΎ ΠΏΡΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΡ. ΠΠ»Ρ ΠΏΡΠΎΠ²Π΅ΡΠΊΠΈ ΠΎΠΏΠΈΡΠ°Π½Π½ΡΡ
ΡΠ΅ΡΠ΅Π½ΠΈΠΉ Π±ΡΠ»Π° Π²ΡΠΏΠΎΠ»Π½Π΅Π½Π° ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½Π°Ρ ΡΠ΅Π°Π»ΠΈΠ·Π°ΡΠΈΡ ΠΈ ΠΏΡΠΎΠ²Π΅Π΄Π΅Π½ΠΎ Π΅Π΅ ΡΠ΅ΡΡΠΈΡΠΎΠ²Π°Π½ΠΈΠ΅ Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ΠΌ ΡΠΈΠ½ΡΠ΅ΡΠΈΡΠ΅ΡΠΊΠΈΡ
ΡΠ΅ΡΡΠΎΠ², ΡΠ΅ΡΡΠΎΠ² ΠΏΡΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡΠ΅Π»ΡΠ½ΠΎΡΡΠΈ ΠΈ ΡΠ΅Π°Π»ΡΠ½ΡΡ
ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌ. Π’Π΅ΡΡΠΈΡΠΎΠ²Π°Π½ΠΈΠ΅ ΠΏΠΎΠΊΠ°Π·Π°Π»ΠΎ ΠΏΡΠ°Π²ΠΈΠ»ΡΠ½ΠΎΡΡΡ ΠΏΡΠΈΠ½ΡΡΡΡ
ΡΠ΅ΡΠ΅Π½ΠΈΠΉ, ΡΡΠΎ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠΈΠ²Π°Π΅Ρ ΡΡΡΡΠ°Π½Π΅Π½ΠΈΠ΅ ΠΏΡΠΈΠ³ΠΎΠ΄Π½ΡΡ
Π΄Π»Ρ Π°ΡΠ°ΠΊ ΡΡΠ°ΡΡΠΊΠΎΠ² ΠΈ Π½Π΅Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡΡ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΡ ΡΡΠ°ΡΠ½ΡΡ
ΠΈΠ½ΡΡΡΡΠΊΡΠΈΠΉ Π²ΠΎΠ·Π²ΡΠ°ΡΠ° Π΄Π»Ρ ΠΏΡΠΎΠ²Π΅Π΄Π΅Π½ΠΈΡ Π°ΡΠ°ΠΊ. Π’Π΅ΡΡΠΈΡΠΎΠ²Π°Π½ΠΈΠ΅ ΠΏΡΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡΠ΅Π»ΡΠ½ΠΎΡΡΠΈ ΠΏΠΎΠΊΠ°Π·Π°Π»ΠΎ 14 % ΠΏΠ°Π΄Π΅Π½ΠΈΡ ΡΠΊΠΎΡΠΎΡΡΠΈ ΡΠ°Π±ΠΎΡΡ, ΡΡΠΎ Π½Π°Ρ
ΠΎΠ΄ΠΈΡΡΡ Π½Π° ΡΡΠΎΠ²Π½Π΅ Π±Π»ΠΈΠΆΠ°ΠΉΡΠΈΡ
Π°Π½Π°Π»ΠΎΠ³ΠΎΠ². Π‘ΡΠ°Π²Π½Π΅Π½ΠΈΠ΅ Ρ Π°Π½Π°Π»ΠΎΠ³Π°ΠΌΠΈ ΠΏΠΎΠΊΠ°Π·Π°Π»ΠΎ, ΡΡΠΎ ΠΊΠΎΠ»ΠΈΡΠ΅ΡΡΠ²ΠΎ ΡΠ΅Π°Π»ΠΈΠ·ΡΠ΅ΠΌΡΡ
ΡΡΠ΅Π½Π°ΡΠΈΠ΅Π² Π°ΡΠ°ΠΊΠΈ Π΄Π»Ρ ΠΏΡΠ΅Π΄Π»ΠΎΠΆΠ΅Π½Π½ΠΎΠ³ΠΎ ΡΠ΅ΡΠ΅Π½ΠΈΡ ΠΌΠ΅Π½ΡΡΠ΅, Π° ΠΏΡΠΈΠΌΠ΅Π½ΠΈΠΌΠΎΡΡΡ Π²ΡΡΠ΅
ΠΠΎΠΌΠΏΠ»Π΅ΠΊΡΠ½Π°Ρ ΡΠΈΡΡΠ΅ΠΌΠ° Π·Π°ΡΠΈΡΡ ΠΎΡ ΡΡΠ·Π²ΠΈΠΌΠΎΡΡΠ΅ΠΉ, ΠΎΡΠ½ΠΎΠ²Π°Π½Π½ΡΡ Π½Π° Π²ΠΎΠ·Π²ΡΠ°ΡΠ½ΠΎ-ΠΎΡΠΈΠ΅Π½ΡΠΈΡΠΎΠ²Π°Π½Π½ΠΎΠΌ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠΈΡΠΎΠ²Π°Π½ΠΈΠΈ
ΠΠ°ΡΡΡΠ΄Π½ΠΈΡΠ΅Π»ΡΠ½ΠΎ ΠΈΠ»ΠΈ Π½Π΅Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎ ΡΠΎΠ·Π΄Π°ΡΡ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½ΠΎΠ΅ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΠ΅, Π½Π΅ ΡΠΎΠ΄Π΅ΡΠΆΠ°ΡΠ΅Π΅ ΠΎΡΠΈΠ±ΠΎΠΊ. ΠΡΠΈΠ±ΠΊΠΈ ΠΌΠΎΠ³ΡΡ ΠΏΡΠΈΠ²ΠΎΠ΄ΠΈΡΡ ΠΊ ΡΠΎΠΌΡ, ΡΡΠΎ ΠΏΠ΅ΡΠ΅Π΄Π°Π½Π½ΡΠ΅ Π² ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΡ Π΄Π°Π½Π½ΡΠ΅ Π²ΡΠ·ΡΠ²Π°ΡΡ Π½Π΅ΡΡΠ°ΡΠ½ΡΠΉ ΠΏΠΎΡΡΠ΄ΠΎΠΊ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΡ Π΅Π΅ ΠΌΠ°ΡΠΈΠ½Π½ΠΎΠ³ΠΎ ΠΊΠΎΠ΄Π°. Π Π°Π·Π±ΠΈΠ΅Π½ΠΈΠ΅ Π½Π° ΠΏΠΎΠ΄ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΡ ΠΏΡΠΈΠ²ΠΎΠ΄ΠΈΡ ΠΊ ΡΠΎΠΌΡ, ΡΡΠΎ ΠΈΠ½ΡΡΡΡΠΊΡΠΈΠΈ Π²ΠΎΠ·Π²ΡΠ°ΡΠ° ΠΈΠ· ΠΏΠΎΠ΄ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌ ΠΌΠΎΠ³ΡΡ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡΡΡ Π΄Π»Ρ ΠΏΡΠΎΠ²Π΅Π΄Π΅Π½ΠΈΡ Π°ΡΠ°ΠΊΠΈ. Π‘ΡΡΠ΅ΡΡΠ²ΡΡΡΠΈΠ΅ ΡΡΠ΅Π΄ΡΡΠ²Π° Π·Π°ΡΠΈΡΡ Π² ΠΎΡΠ½ΠΎΠ²Π½ΠΎΠΌ ΡΡΠ΅Π±ΡΡΡ Π½Π°Π»ΠΈΡΠΈΡ ΠΈΡΡ
ΠΎΠ΄Π½ΡΡ
ΡΠ΅ΠΊΡΡΠΎΠ² Π΄Π»Ρ ΠΏΡΠ΅Π΄ΠΎΡΠ²ΡΠ°ΡΠ΅Π½ΠΈΡ ΡΠ°ΠΊΠΈΡ
Π°ΡΠ°ΠΊ. ΠΡΠ΅Π΄Π»Π°Π³Π°Π΅ΠΌΠ°Ρ ΠΌΠ΅ΡΠΎΠ΄ΠΈΠΊΠ° Π·Π°ΡΠΈΡΡ Π½Π°ΠΏΡΠ°Π²Π»Π΅Π½Π° Π½Π° ΠΊΠΎΠΌΠΏΠ»Π΅ΠΊΡΠ½ΠΎΠ΅ ΡΠ΅ΡΠ΅Π½ΠΈΠ΅ ΠΏΡΠΎΠ±Π»Π΅ΠΌΡ. ΠΠΎ-ΠΏΠ΅ΡΠ²ΡΡ
, Π·Π°ΡΡΡΠ΄Π½ΡΠ΅ΡΡΡ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΠ΅ Π°ΡΠ°ΠΊΡΡΡΠΈΠΌ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π½Π°Π΄ ΠΈΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠ΅ΠΌ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΡ, Π° Π²ΠΎ-Π²ΡΠΎΡΡΡ
, ΡΠ½ΠΈΠΆΠ°Π΅ΡΡΡ ΠΊΠΎΠ»ΠΈΡΠ΅ΡΡΠ²ΠΎ ΡΡΠ°ΡΡΠΊΠΎΠ² ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌ, ΠΊΠΎΡΠΎΡΡΠ΅ ΠΌΠΎΠ³ΡΡ Π±ΡΡΡ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½Ρ Π² Ρ
ΠΎΠ΄Π΅ Π°ΡΠ°ΠΊΠΈ. ΠΠ»Ρ Π·Π°ΡΡΡΠ΄Π½Π΅Π½ΠΈΡ ΠΏΠΎΠ»ΡΡΠ΅Π½ΠΈΡ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π½Π°Π΄ ΠΈΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠ΅ΠΌ ΠΏΡΠΈΠΌΠ΅Π½ΡΠ΅ΡΡΡ Π²ΡΡΠ°Π²ΠΊΠ° Π·Π°ΡΠΈΡΠ½ΠΎΠ³ΠΎ ΠΊΠΎΠ΄Π° Π² Π½Π°ΡΠ°Π»ΠΎ ΠΈ ΠΊΠΎΠ½Π΅Ρ ΠΏΠΎΠ΄ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌ. ΠΡΠΈ Π²ΡΠ·ΠΎΠ²Π΅ Π·Π°ΡΠΈΡΠ΅Π½Π½ΠΎΠΉ ΠΏΠΎΠ΄ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΡ ΠΏΡΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡΡΡ Π·Π°ΡΠΈΡΠ° Π°Π΄ΡΠ΅ΡΠ° Π²ΠΎΠ·Π²ΡΠ°ΡΠ°, Π° ΠΏΡΠΈ Π·Π°Π²Π΅ΡΡΠ΅Π½ΠΈΠΈ β Π²ΠΎΡΡΡΠ°Π½ΠΎΠ²Π»Π΅Π½ΠΈΠ΅ β ΠΏΡΠΈ ΡΡΠ»ΠΎΠ²ΠΈΠΈ ΠΎΡΡΡΡΡΡΠ²ΠΈΡ ΠΏΠΎΠ²ΡΠ΅ΠΆΠ΄Π΅Π½ΠΈΡ Π΅Π³ΠΎ Π°ΡΠ°ΠΊΡΡΡΠΈΠΌ. ΠΠ»Ρ ΡΠ½ΠΈΠΆΠ΅Π½ΠΈΡ ΠΊΠΎΠ»ΠΈΡΠ΅ΡΡΠ²Π° ΠΏΡΠΈΠ³ΠΎΠ΄Π½ΡΡ
Π΄Π»Ρ Π°ΡΠ°ΠΊ ΡΡΠ°ΡΡΠΊΠΎΠ² ΠΏΡΠΈΠΌΠ΅Π½ΡΡΡΡΡ ΡΠΈΠ½ΠΎΠ½ΠΈΠΌΠΈΡΠ½ΡΠ΅ Π·Π°ΠΌΠ΅Π½Ρ ΠΈΠ½ΡΡΡΡΠΊΡΠΈΠΉ, ΡΠΎΠ΄Π΅ΡΠΆΠ°ΡΠΈΠ΅ ΠΎΠΏΠ°ΡΠ½ΡΠ΅ Π·Π½Π°ΡΠ΅Π½ΠΈΡ. ΠΡΠ΅Π΄Π»ΠΎΠΆΠ΅Π½Π½ΡΠ΅ ΠΌΠ΅ΡΡ Π½Π΅ ΠΈΠ·ΠΌΠ΅Π½ΡΡΡ Π°Π»Π³ΠΎΡΠΈΡΠΌ ΡΠ°Π±ΠΎΡΡ ΠΈΡΡ
ΠΎΠ΄Π½ΠΎΠ³ΠΎ ΠΏΡΠΈΠ»ΠΎΠΆΠ΅Π½ΠΈΡ. ΠΠ»Ρ ΠΏΡΠΎΠ²Π΅ΡΠΊΠΈ ΠΎΠΏΠΈΡΠ°Π½Π½ΡΡ
ΡΠ΅ΡΠ΅Π½ΠΈΠΉ Π±ΡΠ»Π° Π²ΡΠΏΠΎΠ»Π½Π΅Π½Π° ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½Π°Ρ ΡΠ΅Π°Π»ΠΈΠ·Π°ΡΠΈΡ ΠΈ ΠΏΡΠΎΠ²Π΅Π΄Π΅Π½ΠΎ Π΅Π΅ ΡΠ΅ΡΡΠΈΡΠΎΠ²Π°Π½ΠΈΠ΅ Ρ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΠ΅ΠΌ ΡΠΈΠ½ΡΠ΅ΡΠΈΡΠ΅ΡΠΊΠΈΡ
ΡΠ΅ΡΡΠΎΠ², ΡΠ΅ΡΡΠΎΠ² ΠΏΡΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡΠ΅Π»ΡΠ½ΠΎΡΡΠΈ ΠΈ ΡΠ΅Π°Π»ΡΠ½ΡΡ
ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌ. Π’Π΅ΡΡΠΈΡΠΎΠ²Π°Π½ΠΈΠ΅ ΠΏΠΎΠΊΠ°Π·Π°Π»ΠΎ ΠΏΡΠ°Π²ΠΈΠ»ΡΠ½ΠΎΡΡΡ ΠΏΡΠΈΠ½ΡΡΡΡ
ΡΠ΅ΡΠ΅Π½ΠΈΠΉ, ΡΡΠΎ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠΈΠ²Π°Π΅Ρ ΡΡΡΡΠ°Π½Π΅Π½ΠΈΠ΅ ΠΏΡΠΈΠ³ΠΎΠ΄Π½ΡΡ
Π΄Π»Ρ Π°ΡΠ°ΠΊ ΡΡΠ°ΡΡΠΊΠΎΠ² ΠΈ Π½Π΅Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎΡΡΡ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΡ ΡΡΠ°ΡΠ½ΡΡ
ΠΈΠ½ΡΡΡΡΠΊΡΠΈΠΉ Π²ΠΎΠ·Π²ΡΠ°ΡΠ° Π΄Π»Ρ ΠΏΡΠΎΠ²Π΅Π΄Π΅Π½ΠΈΡ Π°ΡΠ°ΠΊ. Π’Π΅ΡΡΠΈΡΠΎΠ²Π°Π½ΠΈΠ΅ ΠΏΡΠΎΠΈΠ·Π²ΠΎΠ΄ΠΈΡΠ΅Π»ΡΠ½ΠΎΡΡΠΈ ΠΏΠΎΠΊΠ°Π·Π°Π»ΠΎ 14 % ΠΏΠ°Π΄Π΅Π½ΠΈΡ ΡΠΊΠΎΡΠΎΡΡΠΈ ΡΠ°Π±ΠΎΡΡ, ΡΡΠΎ Π½Π°Ρ
ΠΎΠ΄ΠΈΡΡΡ Π½Π° ΡΡΠΎΠ²Π½Π΅ Π±Π»ΠΈΠΆΠ°ΠΉΡΠΈΡ
Π°Π½Π°Π»ΠΎΠ³ΠΎΠ². Π‘ΡΠ°Π²Π½Π΅Π½ΠΈΠ΅ Ρ Π°Π½Π°Π»ΠΎΠ³Π°ΠΌΠΈ ΠΏΠΎΠΊΠ°Π·Π°Π»ΠΎ, ΡΡΠΎ ΠΊΠΎΠ»ΠΈΡΠ΅ΡΡΠ²ΠΎ ΡΠ΅Π°Π»ΠΈΠ·ΡΠ΅ΠΌΡΡ
ΡΡΠ΅Π½Π°ΡΠΈΠ΅Π² Π°ΡΠ°ΠΊΠΈ Π΄Π»Ρ ΠΏΡΠ΅Π΄Π»ΠΎΠΆΠ΅Π½Π½ΠΎΠ³ΠΎ ΡΠ΅ΡΠ΅Π½ΠΈΡ ΠΌΠ΅Π½ΡΡΠ΅, Π° ΠΏΡΠΈΠΌΠ΅Π½ΠΈΠΌΠΎΡΡΡ Π²ΡΡΠ΅
Sprobes: Enforcing Kernel Code Integrity on the TrustZone Architecture
Many smartphones now deploy conventional operating systems, so the rootkit
attacks so prevalent on desktop and server systems are now a threat to
smartphones. While researchers have advocated using virtualization to detect
and prevent attacks on operating systems (e.g., VM introspection and trusted
virtual domains), virtualization is not practical on smartphone systems due to
the lack of virtualization support and/or the expense of virtualization.
Current smartphone processors do have hardware support for running a protected
environment, such as the ARM TrustZone extensions, but such hardware does not
control the operating system operations sufficiently to enable VM
introspection. In particular, a conventional operating system running with
TrustZone still retains full control of memory management, which a rootkit can
use to prevent traps on sensitive instructions or memory accesses necessary for
effective introspection. In this paper, we present SPROBES, a novel primitive
that enables introspection of operating systems running on ARM TrustZone
hardware. Using SPROBES, an introspection mechanism protected by TrustZone can
instrument individual operating system instructions of its choice, receiving an
unforgeable trap whenever any SPROBE is executed. The key challenge in
designing SPROBES is preventing the rootkit from removing them, but we identify
a set of five invariants whose enforcement is sufficient to restrict rootkits
to execute only approved, SPROBE-injected kernel code. We implemented a
proof-of-concept version of SPROBES for the ARM Fast Models emulator,
demonstrating that in Linux kernel 2.6.38, only 12 SPROBES are sufficient to
enforce all five of these invariants. With SPROBES we show that it is possible
to leverage the limited TrustZone extensions to limit conventional kernel
execution to approved code comprehensively.Comment: In Proceedings of the Third Workshop on Mobile Security Technologies
(MoST) 2014 (http://arxiv.org/abs/1410.6674
Signature-Based Protection from Code Reuse Attacks
AbstractβCode Reuse Attacks (CRAs) recently emerged as a new class of security exploits. CRAs construct malicious programs out of small fragments (gadgets) of existing code, thus eliminating the need for code injection. Existing defenses against CRAs often incur large performance overheads or require extensive binary rewriting and other changes to the system software. In this paper, we examine a signature-based detection of CRAs, where the attack is detected by observing the behavior of programs and detecting the gadget execution patterns. We first demonstrate that naive signature-based defenses can be defeated by introducing special βdelay gadgets β as part of the attack. We then show how a software-configurable signature-based approach can be designed to defend against such stealth CRAs, including the attacks that manage to use longer-length gadgets. The proposed defense (called SCRAP) can be implemented entirely in hardware using simple logic at the commit stage of the pipeline. SCRAP is realized with minimal performance cost, no changes to the software layers and no implications on binary compatibility. Finally, we show that SCRAP generates no false alarms on a wide range of applications.
Out Of Control: Overcoming Control-Flow Integrity
As existing defenses like ASLR, DEP, and stack cookies are not sufficient to stop determined attackers from exploiting our software, interest in Control Flow Integrity (CFI) is growing. In its ideal form, CFI prevents flows of control that were not intended by the original program, effectively putting a stop to exploitation based on return oriented programming (and many other attacks besides). Two main problems have prevented CFI from being deployed in practice. First, many CFI implementations require source code or debug information that is typically not available for commercial software. Second, in its ideal form, the technique is very expensive. It is for this reason that current research efforts focus on making CFI fast and practical. Specifically, much of the work on practical CFI is applicable to binaries, and improves performance by enforcing a looser notion of control flow integrity. In this paper, we examine the security implications of such looser notions of CFI: are they still able to prevent code reuse attacks, and if not, how hard is it to bypass its protection? Specifically, we show that with two new types of gadgets, return oriented programming is still possible. We assess the availability of our gadget sets, and demonstrate the practicality of these results with a practical exploit against Internet Explorer that bypasses modern CFI implementations
G-free: Defeating return-oriented programming through gadget-less binaries
Despite the numerous prevention and protection mechanisms that have been introduced into modern operating systems, the exploitation of memory corruption vulnerabilities still represents a serious threat to the security of software systems and networks. A recent exploitation technique, called Return-Oriented Programming (ROP), has lately attracted a considerable attention from academia. Past research on the topic has mostly focused on refining the original attack technique, or on proposing partial solutions that target only particular variants of the attack. In this paper, we present G-Free, a compiler-based approach that represents the first practical solution against any possible form of ROP. Our solution is able to eliminate all unaligned free-branch instructions inside a binary executable, and to protect the aligned free-branch instructions to prevent them from being misused by an attacker. We developed a prototype based on our approach, and evaluated it by compiling GNU libc and a number of real-world applications. The results of the experiments show that our solution is able to prevent any form of return-oriented programming. Β© 2010 ACM
ROPecker: A Generic and Practical Approach For Defending Against ROP Attack
AbstractβReturn-Oriented Programming (ROP) is a sophis-ticated exploitation technique that is able to drive target applica-tions to perform arbitrary unintended operations by constructing a gadget chain reusing existing small code sequences (gadgets). Existing defense mechanisms either only handle specific types of gadgets, require access to source code and/or a customized compiler, break the integrity of application binary, or suffer from high performance overhead. In this paper, we present a novel system, ROPecker, to efficiently and effectively defend against ROP attacks withou