面向二进制代码的细粒度软件多样化方法

doi:10.19678/j.issn.1000-3428.0066174

摘要/Abstract

摘要：

现有软件多样化方法大多需要源代码，基于编译器生成变体二进制，而对二进制代码直接进行转换时由于缺乏调试信息导致难以正确逆向，且易造成高额的性能开销。为此，提出一种面向二进制代码的细粒度软件多样化方法。通过静态二进制重写技术以函数块为单位进行重排序，随机化函数在代码段中的原始位置，同时使程序的内存片段gadgets位置发生改变，使得攻击者对程序的先验知识失效，以防御大规模代码重用攻击。为了进一步提高攻击者破解难度，对基本块内的指令进行依赖性分析，实现基本块内指令随机化，同时使得随机化后基本块的原始语义不变。性能测试结果表明，函数重排序对gadgets存活率的影响大于基本块内指令重排序，两者同时使用时程序的gadgets平均存活率为5.71%；模糊哈希算法Tlsh比较结果显示，该方法能够有效躲避同源性检测；使用工具Bindiff进行测试的结果表明，多样化后基本块内指令重排序的异构度大于函数重排序，且在基准测试集SPEC CPU2006上函数重排序和指令重排序同时使用时平均运行开销仅为3.1%，具有良好的实用性。

关键词: 软件多样化, 代码重用攻击, 二进制重写, 代码随机化, 数据依赖性

Abstract:

Most software diversification methods require source codes and generate variant binaries based on the compilers used. However, when converting binary codes directly, reversing them correctly is difficult owing to insufficient debugging information, and high performance overheads can be generated easily.Hence, a fine-grained software diversification method for binary codes is proposed herein. Using static binary rewriting technology to reorder function blocks, randomizing the original position of functions in code snippets, and changing the position of a program's memory segment gadgets, attackers lose their prior knowledge regarding the program to defend against large-scale code reuse attacks. To further increase the difficulty of cracking by attackers, dependency analysis is performed on the instructions within the basic block, and the instructions within the basic block are randomized while maintaining the original semantics of the randomized basic block. Performance test results show that the effect of function reordering on the survival rate of gadgets is greater than that of instruction reordering within the basic block. When both are performed simultaneously, the average survival rate of gadgets in the program is 5.71%. Comparison based on the fuzzy hash algorithm Tlsh show that this method can effectively avoid homology detection. Test results obtained using the tool Bindiff show that the heterogeneity of instruction reordering within the basic block after diversification is greater than that of function reordering. Moreover, on the benchmark test set SPEC CPU2006, when both function reordering and instruction reordering are performed simultaneously, the average operating cost is only 3.1%, thus indicating good practicality.

Key words: software diversification, code-reuse attacks, binary rewriting, code randomization, data dependency

何本伟, 郭云飞, 梁浩, 王庆丰. 面向二进制代码的细粒度软件多样化方法[J]. 计算机工程, 2024, 50(1): 138-144.

Benwei HE, Yunfei GUO, Hao LIANG, Qingfeng WANG. Binary Code-Oriented Fine-Grained Software Diversification Method[J]. Computer Engineering, 2024, 50(1): 138-144.

https://www.ecice06.com/CN/Y2024/V50/I1/138

图/表 9

图1 本文软件多样化方法总体架构

Fig.1 The overall architecture of the software diversification method in this paper

图2 函数重排序对gadgets的影响示例

Fig.2 Example of the impact of function reorder on gadgets

图3 指令重排序消除非预期gadgets的示例

Fig.3 Example of instruction reorder eliminating unintended gadgets

图4 指令重排序流程

Fig.4 The process of instruction reorder

图5 多样化方法对软件性能的影响

Fig.5 The impact of diversification methods on software performance

图6 多样化转换后函数、基本块和指令的异构度

Fig.6 Heterogeneity of functions, basic blocks and instructions after diversification transform

参考文献 25

1	FRANZ M. E unibus pluram: massive-scale software diversity as a defense mechanism[C]//Proceedings of 2010 New Security Paradigms Workshop. New York, USA: ACM Press, 2010: 7-16.
2	LARSEN P, HOMESCU A, BRUNTHALER S, et al. SoK: automated software diversity[C]//Proceedings of 2014 IEEE Symposium on Security and Privacy. Washington D. C., USA: IEEE Press, 2014: 276-291.
3	COHEN F B. Operating system protection through program evolution. Computers & Security, 1993, 12(6): 565- 584.
4	蒋楚, 王永杰. 一种基于表达式树的gadget语义分析技术. 计算机工程, 2021, 47(1): 109- 116. URL
	JIANG C, WANG Y J. A technique of gadget semantic analysis based on expression tree. Computer Engineering, 2021, 47(1): 109- 116. URL
5	LUO L, SHAO X H, LING Z, et al. fASLR: function-based ASLR via TrustZone-M and MPU for resource-constrained IoT systems. IEEE Internet of Things Journal, 2022, 9(18): 17120- 17135. doi: 10.1109/JIOT.2022.3190374
6	LU H, JIN C J, HELU X H, et al. Research on intelligent detection of command level stack pollution for binary program analysis. Mobile Networks and Applications, 2021, 26(4): 1723- 1732. doi: 10.1007/s11036-019-01507-0
7	WARTELL R, MOHAN V, HAMLEN K W, et al. Binary stirring: self-randomizing instruction addresses of legacy x86 binary code[C]//Proceedings of 2012 ACM Conference on Computer and Communications Security. New York, USA: ACM Press, 2012: 157-168.
8	BHATTACHARYYA A, MARIN A S, KORUYEH E M, et al. SpecROP: speculative exploitation of ROP chains[EB/OL]. [2022-10-05]. https://www.usenix.org/system/files/raid20-bhattacharyya.pdf.
9	COFFMAN J, KELLY D M, WELLONS C C, et al. ROP gadget prevalence and survival under compiler-based binary diversification schemes[C]//Proceedings of 2016 ACM Workshop on Software Protection. New York, USA: ACM Press, 2016: 15-26.
10	ROGLIA G F, MARTIGNONI L, PALEARI R, et al. Surgically returning to randomized lib(c)[C]//Proceedings of 2009 Annual Computer Security Applications Conference. Washington D. C., USA: IEEE Press, 2009: 60-69.
11	MURPHY M, LARSEN P, BRUNTHALER S, et al. Software profiling options and their effects on security based diversification[C]//Proceedings of the 1st ACM Workshop on Moving Target Defense. New York, USA: ACM Press, 2014: 87-96.
12	HOMESCU A, JACKSON T, CRANE S, et al. Large-scale automated software diversity—program evolution redux. IEEE Transactions on Dependable and Secure Computing, 2017, 14(2): 158- 171. doi: 10.1109/TDSC.2015.2433252
13	HOMESCU A, NEISIUS S, LARSEN P, et al. Profile-guided automated software diversity[C]//Proceedings of 2013 IEEE/ACM International Symposium on Code Generation and Optimization. Washington D. C., USA: IEEE Press, 2013: 1-11.
14	XU H, ZHOU Y F, KANG Y, et al. Manufacturing resilient bi-opaque predicates against symbolic execution[C]//Proceedings of the 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. Washington D. C., USA: IEEE Press, 2018: 666-677.
15	PRIYADARSHAN S, NGUYEN H, SEKAR R. Practical fine-grained binary code randomization[C]//Proceedings of the 36th Annual Computer Security Applications Conference. New York, USA: ACM Press, 2020: 401-414.
16	ZHAO Y, TANG Z, YE G, et al. Semantics-aware obfuscation scheme prediction for binary. Computers & Security, 2020, 99, 102072.
17	CHEN Y, WANG Z, WHALLEY D, et al. Remix: on-demand live randomization[C]//Proceedings of the 6th ACM Conference on Data and Application Security and Privacy. New York, USA: ACM Press, 2016: 50-61.
18	PAPPAS V, POLYCHRONAKIS M, KEROMYTIS A D. Smashing the gadgets: hindering return-oriented programming using in-place code randomization[C]//Proceedings of 2012 IEEE Symposium on Security and Privacy. Washington D. C., USA: IEEE Press, 2012: 601-615.
19	张贵民, 李清宝, 曾光裕, 等. 运行时代码随机化防御代码复用攻击. 软件学报, 2019, 30(9): 2772- 2790.
	ZHANG G M, LI Q B, ZENG G Y, et al. Defensing code reuse attacks using live code randomization. Journal of Software, 2019, 30(9): 2772- 2790.
20	HISER J, NGUYEN-TUONG A, CO M, et al. ILR: where'd my gadgets go?[C]//Proceedings of 2012 IEEE Symposium on Security and Privacy. Washington D. C., USA: IEEE Press, 2012: 571-585.
21	WILLIAMS-KING D, KOBAYASHI H, WILLIAMS-KING K, et al. Egalito: layout-agnostic binary recompilation[C]//Proceedings of the 25th International Conference on Architectural Support for Programming Languages and Operating Systems. New York, USA: ACM Press, 2020: 133-147.
22	AZAB A, LAYTON R, ALAZAB M, et al. Mining malware to detect variants[C]//Proceedings of 2014 Cybercrime and Trustworthy Computing Conference. Washington D. C., USA: IEEE Press, 2014: 44-53.
23	肖睿卿, 费金龙, 祝跃飞, 等. 基于社团检测算法的固件二进制比对技术. 计算机研究与发展, 2022, 59(1): 209- 235.
	XIAO R Q, FEI J L, ZHU Y F, et al. Firmware binary comparison technology based on community detection algorithm. Journal of Computer Research and Development, 2022, 59(1): 209- 235.
24	GIONTA J, ENCK W, NING P. HideM: protecting the contents of userspace memory in the face of disclosure vulnerabilities[C]//Proceedings of the 5th ACM Conference on Data and Application Security and Privacy. New York, USA: ACM Press, 2015: 325-336.
25	OLIVER J, FORMAN S, CHENG C. Using randomization to attack similarity digests[EB/OL]. [2022-10-05]. https://documents.trendmicro.com/assets/wp/wp-using-randomization-to-attack-similarity-digests.pdf.

[1]	蒋楚, 王永杰. 一种基于表达式树的gadget语义分析技术[J]. 计算机工程, 2021, 47(1): 109-116.
[2]	李扬, 戴紫彬, 李军伟. 面向RISC处理器的控制流认证方案[J]. 计算机工程, 2019, 45(12): 134-140,146.

选择文件类型/文献管理软件名称

选择包含的内容