  • Chinese Core Journal of Comprehensive Science and Technology
  • China Science and Technology Paper Statistical Source Journal
  • Chinese Science Citation Database (CSCD) Source Journal
  • Chinese Academic Journal Abstracts Database (Core Edition) Source Journal
  • Chinese Academic Journal Comprehensive Evaluation Database Source Journal
ZHAN Jing, CHEN Peng, ZHANG Qian, LI Yongzhen, ZHAO Yong. Survey on Code Reuse Attack and Defense Technology Evolution[J]. Journal of Beijing University of Technology, 2024, 50(5): 632-650. DOI: 10.11936/bjutxb2022070008

Survey on Code Reuse Attack and Defense Technology Evolution

More Information
  • Received Date: July 13, 2022
  • Revised Date: September 26, 2022
  • Available Online: May 08, 2024
Abstract

Most existing surveys on code reuse attacks summarize the status quo and trends from the perspective of one or several attack or defense technologies, and lack analysis of the key features that affect the outcome of an attack or a defense. To address this, starting from the life cycle of the classic code reuse attack, return-oriented programming (ROP), the key characteristics that determine the result of a classic code reuse attack are summarized. Based on the technology development timeline and these characteristics, security and performance factors are weighed together, and the development patterns and trends of code reuse attack and defense technologies are analyzed and summarized.

  • [1]
    SHACHAM H. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)[C]//Proceedings of 14th ACM Conference on Computer and Communications Security. New York: ACM, 2007: 552-561.
    [2]
    林志添. 一种不完全依赖栈的ROP攻击技术的研究[D]. 南京: 南京大学, 2015.

    LIN Z T. Abandoning the reliance on the stack: a new ROP attack technique[D]. Nanjing: Nanjing University, 2015. (in Chinese)
    [3]
    CHECKOWAY S, DAVI L, DMITRIENKO A, et al. Return-oriented programming without returns[C]//Proceedings of the 17th ACM Conference on Computer and Communications Security. New York: ACM, 2010: 559-572.
    [4]
    CHEN P, XING X, MAO B, et al. Return-oriented rootkit without returns (on the x86)[C]//Information and Communications Security: 12th International Conference. Berlin: Springer, 2010: 340-354.
    [5]
    BLETSCH T, JIANG X X, FREEH V W, et al. Jump-oriented programming: a new class of code-reuse attack[C]//Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. New York: ACM, 2011: 30-40.
    [6]
    邢骁, 陈平, 丁文彪, 等. BIOP: 自动构造增强型ROP攻击[J]. 计算机学报, 2014, 37(5): 1111-1123. https://www.cnki.com.cn/Article/CJFDTOTAL-JSJX201405012.htm

    XING X, CHEN P, DING W B, et al. BIOP: automatic construction of enhanced ROP attacks[J]. Chinese Journal of Computers, 2014, 37(5): 1111-1123. (in Chinese) https://www.cnki.com.cn/Article/CJFDTOTAL-JSJX201405012.htm
    [7]
    CARLINI N, WAGNER D. ROP is still dangerous: breaking modern defenses[C]//Proceedings of the 23rd USENIX Security Symposium. Berkeley, CA: USENIX Association, 2014: 385-399.
    [8]
    SADEGHI A, NIKSEFAT S, ROSTAMIPOUR M. Pure-Call Oriented Programming (PCOP): chaining the gadgets using call instructions[J]. Journal of Computer Virology and Hacking Techniques, 2018, 14: 139-156. doi: 10.1007/s11416-017-0299-1
    [9]
    LAN B C, LI Y, SUN H, et al. Loop-oriented programming: a new code reuse attack to bypass modern defenses[C]//2015 IEEE Trustcom/BigDataSE/ISPA. Piscataway, NJ: IEEE, 2015: 190-197.
    [10]
    GUO Y J, CHEN L W, SHI G. Function-oriented programming: a new class of code reuse attack in C applications[C]//2018 IEEE Conference on Communications and Network Security. Piscataway, NJ: IEEE, 2018: 1-9.
    [11]
    SCHUSTER F, TENDYCK T, LIEBCHEN C, et al. Counterfeit object-oriented programming: on the difficulty of preventing code reuse attacks in C++ applications[C]//2015 IEEE Symposium on Security and Privacy. Piscataway, NJ: IEEE, 2015: 745-762.
    [12]
    PRANDINI M, RAMILLI M. Return-oriented programming[J]. IEEE Security & Privacy, 2012, 10(6): 84-87.
    [13]
    金红. ROP防御研究现状[J]. 计算机安全, 2013(5): 77-81. https://www.cnki.com.cn/Article/CJFDTOTAL-DZJC201305023.htm

    JIN H. The evolution of ROP and its defense research[J]. Computer Security, 2013(5): 77-81. (in Chinese) https://www.cnki.com.cn/Article/CJFDTOTAL-DZJC201305023.htm
    [14]
    RUAN Y F, KALYANASUNDARAM S, ZOU X K. Survey of return-oriented programming defense mechanisms[J]. Security and Communication Networks, 2016, 9(10): 1247-1265. doi: 10.1002/sec.1406
    [15]
    TSOUTSOS N G, MANIATAKOS M. Anatomy of memory corruption attacks and mitigations in embedded systems[J]. IEEE Embedded Systems Letters, 2018, 10(3): 95-98. doi: 10.1109/LES.2018.2829777
    [16]
    彭国军, 梁玉, 张焕国, 等. 软件二进制代码重用技术综述[J]. 软件学报, 2017, 28(8): 2026-2045. https://www.cnki.com.cn/Article/CJFDTOTAL-RJXB201708009.htm

    PENG G J, LIANG Y, ZHANG H G, et al. Survey on software binary code reuse technologies[J]. Journal of Software, 2017, 28(8): 2026-2045. (in Chinese) https://www.cnki.com.cn/Article/CJFDTOTAL-RJXB201708009.htm
    [17]
    LI J K, WANG Z, JIANG X X, et al. Defeating return-oriented rootkits with "return-less" kernels[C]//Proceedings of the 5th European Conference on Computer Systems. New York: ACM, 2010: 195-208.
    [18]
    ONARLIOGLU K, BILGE L, LANZI A, et al. G-Free: defeating return-oriented programming through gadget-less binaries[C]//Proceedings of the 26th Annual Computer Security Applications Conference. New York: ACM, 2010: 49-58.
    [19]
    USUI T, IKUSE T, OTSUKI Y, et al. ROPminer: learning-based static detection of ROP chain considering linkability of ROP gadgets[J]. IEICE Transactions on Information and Systems, 2020, 103(7): 1476-1492.
    [20]
    CHEN P, XIAO H, SHEN X B, et al. DROP: detecting return-oriented programming malicious code[C]//Information Systems Security: 5th International Conference. Berlin: Springer, 2009: 163-177.
    [21]
    PAPPAS V, POLYCHRONAKIS M, KEROMYTIS A D. Transparent ROP exploit mitigation using indirect branch tracing[C]//Proceedings of the 22nd USENIX Conference on Security Symposium. Berkeley, CA: USENIX Association, 2013: 447-462.
    [22]
    CHENG YQ, ZHOU Z W, YU M, et al. ROPecker: a generic and practical approach for defending against ROP attack[C]//NDSS Sysmposium 2014: Proceedings of the 21st Network and Distributed System Security Symposium. Resten: Internet Society, 2014: 1-14.
    [23]
    YAO F, CHEN J, VENKATARAMANI G. JOP-alarm: detecting jump-oriented programming-based anomalies in applications[C]//2013 IEEE 31st International Conference on Computer Design. Piscataway, NJ: IEEE, 2013: 467-470.
    [24]
    SI L, YU J, LUO L, et al. ROP-hunt: detecting return-oriented programming attacks in applications[C]//Security, Privacy and Anonymity in Computation, Communication and Storage: 9th International Conference. Berlin: Springer, 2016: 131-144.
    [25]
    GOKTAS E, ATHANASOPOULOS E, POLYCHRONAKIS M, et al. Size does matter: why using gadget-chain length to prevent code-reuse attacks is hard[C]//Proceedings of 23rd USENIX Security Symposium. Berkeley, CA: USENIX Association, 2014: 417-432.
    [26]
    曹嘉欣. 基于长指令序列的ROP攻击方案的研究[D]. 南京: 南京大学, 2014.

    CAO J X. Research on ROP exploits based on long instruction sequence[D]. Nanjing: Nanjing University, 2014. (in Chinese)
    [27]
    KAYAALP M, SCHMITT T, NOMANI J, et al. SCRAP: architecture for signature-based protection from code reuse attacks[C]//2013 IEEE 19th International Symposium on High Performance Computer Architecture. Piscataway, NJ: IEEE, 2013: 258-269.
    [28]
    SADEGHI A, AMINMANSOUR F, SHAHRIARIH R. Tiny jump-oriented programming attack (a class of code reuse attacks)[C]//2015 12th International Iranian Society of Cryptology Conference on Information Security and Cryptology. Piscataway, NJ: IEEE, 2015: 52-57.
    [29]
    PAYER M. Too much PIE is bad for performance[R]. Zurich: ETH Zurich, 2012.
    [30]
    SHACHAM H, PAGE M, PFAFF B, et al. On the effectiveness of address-space randomization[C]//Proceedings of the 11th ACM Conference on Computer and Communications Security. New York: ACM, 2004: 298-307.
    [31]
    ROGLIA G F, MARTIGNONI L, PALEARI R, et al. Surgically returning to randomized lib (c)[C]//Computer Security Applications Conference. Piscataway, NJ: IEEE, 2009: 60-69.
    [32]
    KIL C, JUN J, BOOKHOLT C, et al. Address space layout permutation (ASLP): towards fine-grained randomization of commodity software[C]//2006 22nd Annual Computer Security Applications Conference. Piscataway, NJ: IEEE, 2006: 339-348.
    [33]
    PAPPAS V, POLYCHRONAKIS M, KEROMYTIS A D. Smashing the gadgets: hindering return-oriented programming using in-place code randomization[C]//2012 IEEE Symposium on Security and Privacy. Piscataway, NJ: IEEE, 2012: 601-615.
    [34]
    DAVIDSON J W, HALL M, CO M, et al. ILR: where'd my gadgets go?[C]//2012 IEEE Symposium on Security and Privacy. Piscataway, NJ: IEEE, 2012: 571-585.
    [35]
    WARTELL R, MOHAN V, HAMLEN K W, et al. Binary stirring: self-randomizing instruction addresses of legacy x86 binary code[C]//Proceedings of the 2012 ACM Conference on Computer and Communications Security. New York: ACM, 2012: 157-168.
    [36]
    GUPTA A, KERR S, KIRKPATRICK M S, et al. Marlin: a fine grained randomization approach to defend against ROP attacks[C]//Network and System Security: 7th International Conference. Berlin: Springer, 2013: 293-306.
    [37]
    GUPTA A, HABIBI J, KIRKPATRICK M S, et al. Marlin: mitigating code reuse attacks using code randomization[J]. IEEE Transactions on Dependable and Secure Computing, 2014, 12(3): 326-337.
    [38]
    SZEKERES L, PAYER M, WEI T, et al. SoK: eternal war in memory[C]//2013 IEEE Symposium on Security and Privacy. Piscataway, NJ: IEEE, 2013: 48-62.
    [39]
    SNOW K Z, MONROSE F, DAVI L, et al. Just-in-time code reuse: on the effectiveness of fine-grained address space layout randomization[C]//2013 IEEE Symposium on Security and Privacy. Piscataway, NJ: IEEE, 2013: 574-588.
    [40]
    袁平海, 曾庆凯, 张云剑, 等. 攻击网页浏览器: 面向脚本代码块的ROP Gadget注入[J]. 软件学报, 2020, 31(2): 247-265. https://www.cnki.com.cn/Article/CJFDTOTAL-RJXB202002001.htm

    YUAN P H, ZENG Q K, ZHANG Y J, et al. Attack Web browser: ROP gadget injection by using JavaScript code blocks[J]. Journal of Software, 2020, 31(2): 247-265. (in Chinese) https://www.cnki.com.cn/Article/CJFDTOTAL-RJXB202002001.htm
    [41]
    BACKES M, HOLZ T, KOLLENDA B, et al. You can run but you can't read: preventing disclosure exploits in executable code[C]//Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2014: 1342-1353.
    [42]
    王烨, 李清宝, 曾光裕, 等. 基于代码防泄漏的代码复用攻击防御技术[J]. 计算机研究与发展, 2016, 53(10): 2277-2287. doi: 10.7544/issn1000-1239.2016.20160423

    WANG Y, LI Q B, ZENG G Y, et al. A code reuse attack protection technique based on code anti-leakage[J]. Journal of Computer Research and Development, 2016, 53(10): 2277-2287. (in Chinese) doi: 10.7544/issn1000-1239.2016.20160423
    [43]
    BACKES M, NVRNBERGER S. Oxymoron-making fine-grained memory randomization practical by allowing code sharing[C]//Proceedings of the 23rd USENIX Conference on Security Symposium. Berkeley, CA: USENIX Association, 2014: 433-447.
    [44]
    DAVI L, LIEBCHEN C, SADEGHI A R, et al. Isomeron: code randomization resilient to (just-in-time) return-oriented programming[C]//Network and Distributed System Security Symposium. Resten: Internet Society, 2015: 1-15.
    [45]
    BIGELOW D, HOBSON T, RUDD R, et al. Timely rerandomization for mitigating memory disclosures[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2015: 268-279.
    [46]
    CHEN X Q, XUE R, WU C K. Timely address space rerandomization for resisting code reuse attacks[J]. Concurrency and Computation: Practice and Experience, 2017, 29(16): e3965. doi: 10.1002/cpe.3965
    [47]
    侯宇. 基于动态随机化和只可执行内存的JIT-ROP防御研究[D]. 南京: 南京大学, 2016.

    HOU Y. Defence against JIT-ROP based on dynamic randomization and executable only memory[D]. Nanjing: Nanjing University, 2016. (in Chinese)
    [48]
    HAWKINS W, NGUYEN-TUONG A, HISER J D, et al. Mixr: flexible runtime rerandomization for binaries[C]//Proceedings of the Workshop on Moving Target Defense. New York: ACM, 2017: 27-37.
    [49]
    AHMED S, XIAO Y, SNOW K Z, et al. Methodologies for quantifying (re-)randomization security and timing under JIT-ROP[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2020: 1803-1820.
    [50]
    ABADI M, BUDIU M, ERLINGSSON U, et al. Control-flow integrity[C]//Proceedings of the 12th ACM Conference on Computer and Communications Security. New York: ACM, 2005: 340-353.
    [51]
    ZHANG C, WEI T, CHEN Z F, et al. Practical control flow integrity and randomization for binary executables[C]//2013 IEEE Symposium on Security and Privacy. Piscataway, NJ: IEEE, 2013: 559-573.
    [52]
    ZHANG M W, SEKAR R. Control flow integrity for COTS binaries[C]//Proceedings of 22nd USENIX Security Symposium. Berkeley, CA: USENIX Association, 2013: 337-352.
    [53]
    HUANG X, YAN F, ZHANG L Q, et al. Honeygadget: a deception based approach for detecting code reuse attacks[J]. Information Systems Frontiers, 2021, 23(2): 269-283. doi: 10.1007/s10796-020-10014-7
    [54]
    DAVI L, SADEGHI A R, WINANDY M. ROPdefender: a detection tool to defend against return-oriented programming attacks[C]//Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security. New York: ACM, 2011: 40-51.
    [55]
    DANG T H Y, MANIATIS P, WAGNER D. The performance cost of shadow stacks and stack canaries[C]//Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security. New York: ACM, 2015: 555-566.
    [56]
    黄韬. 一种绕过平行影子栈的ROP攻击方法的设计与实现[D]. 南京: 南京大学. 2016.

    HUANG T. The design and implementation of a ROP exploit schema bypassing parallel shadow stack[D]. Nanjing: Nanjing University, 2016. (in Chinese)
    [57]
    ZOU C W, WANG X D, GAO Y Q, et al. Buddy stacks: protecting return addresses with efficient thread-local storage and runtime re-randomization[J]. ACM Transactions on Software Engineering and Methodology, 2022, 32(2): 35e.
    [58]
    陈林博, 江建慧, 张丹青. 利用返回地址保护机制防御代码复用类攻击[J]. 计算机科学, 2013, 40(9): 93-98, 102. https://www.cnki.com.cn/Article/CJFDTOTAL-JSJA201309020.htm

    CHEN L B, JIANG J H, ZHANG D Q. Prevention of code reuse attacks through return address protection[J]. Computer Science, 2013, 40(9): 93-98, 102. (in Chinese) https://www.cnki.com.cn/Article/CJFDTOTAL-JSJA201309020.htm
    [59]
    COWAN C, PU C, MAIER D, et al. StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks[C]//Proceedings of the 7th Conference on USENIX Security Symposium. Berkeley, CA: USENIX Association, 1998: 63-78.
    [60]
    朱君. 基于Canary的增强型栈保护技术研究[D]. 南京: 南京大学, 2017.

    ZHU J. Research on the technology of enhanced canary-based protections[D]. Nanjing: Nanjing University, 2017. (in Chinese)
    [61]
    BITTAU A, BELAY A, MASHTIZADEH A, et al. Hacking blind[C]//2014 IEEE Symposium on Security and Privacy. Piscataway, NJ: IEEE, 2014: 227-242.
    [62]
    KAYAALP M, OZSOY M, ABU-GHAZALEH N, et al. Branch regulation: low-overhead protection from code reuse attacks[C]//39th Annual International Symposium on Computer Architecture. Piscataway, NJ: IEEE, 2012: 94-105.
    [63]
    XIA Y B, LIU Y T, CHEN H B, et al. CFIMon: detecting violation of control flow integrity using performance counters[C]//IEEE/IFIP International Conference on Dependable Systems and Networks. Piscataway, NJ: IEEE, 2012: 1-12.
    [64]
    KIM J, KIM I, MIN C, et al. Zero-sum defender: fast and space-efficient defense against return-oriented programming attacks[J]. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 2014, 97(1): 303-305.
    [65]
    李威威, 马越, 王俊杰, 等. 基于硬件分支信息的ROP攻击检测方法[J]. 软件学报, 2020, 31(11): 3588-3602. https://www.cnki.com.cn/Article/CJFDTOTAL-RJXB202011018.htm

    LI W W, MA Y, WANG J J, et al. ROP attack detection approach based on hardware branch information[J]. Journal of Software, 2020, 31 (11): 3588-3602. (in Chinese) https://www.cnki.com.cn/Article/CJFDTOTAL-RJXB202011018.htm
    [66]
    ZHOU H W, WU X, SHI W C, et al. HDROP: detecting ROP attacks using performance monitoring counters[C]//Information Security Practice and Experience: 10th International Conference. Berlin: Springer, 2014: 172-186.
    [67]
    牛伟纳, 赵成洋, 张小松, 等. ROPDetector: 一种基于硬件性能计数器的ROP攻击实时检测方法[J]. 计算机学报, 2021, 44(4): 761-772. https://www.cnki.com.cn/Article/CJFDTOTAL-JSJX202104006.htm

    NIU W N, ZHAO C Y, ZHANG X S, et al. ROPDetector: a real-time detection method of ROP attack based on hardware performance counter[J]. Chinese Journal of Computers, 2021, 44(4): 761-772. (in Chinese) https://www.cnki.com.cn/Article/CJFDTOTAL-JSJX202104006.htm
    [68]
    PFAFF D, HACK S, HAMMER C. Learning how to prevent return-oriented programming efficiently[C]//Engineering Security Software and Systems: 7th International Symposium. Berlin: Springer, 2015: 68-85.
    [69]
    严飞, 彭慧容, 何凡, 等. HBROP: 基于硬件性能计数器的函数级ROP检测[J]. 武汉大学学报(理学版), 2017, 63(2): 109-116. https://www.cnki.com.cn/Article/CJFDTOTAL-WHDY201702003.htm

    YAN F, PENG H R, HE F, et al. HBROP: HPC-based function-level approach to detect ROP attack[J]. Journal of Wuhan University (Natural Science Edition), 2017, 63(2): 109-116. (in Chinese) https://www.cnki.com.cn/Article/CJFDTOTAL-WHDY201702003.htm
    [70]
    KUZNETZOV V, SZEKERES L, PAYER M, et al. Code-pointer integrity[C]//Proceedings of the 11th USENIX Conference on Operating Systems Design and Implementation. Berkeley, CA: USENIX Association, 2014: 147-163.
    [71]
    EVANS I, FINGERET S, GONZALEZ J, et al. Missing the point(er): on the effectiveness of code pointer integrity[C]//2015 IEEE Symposium on Security and Privacy(SP). Piscataway, NJ: IEEE, 2015: 781-796.
    [72]
    MASHTIZADEH A J, BITTAU A, BONEH D, et al. CCFI: cryptographically enforced control flow integrity[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2015: 941-951.
    [73]
    WANG Y, LI Q B, CHEN Z F, et al. BCI-CFI: a context-sensitive control-flow integrity method based on branch correlation integrity[J]. Information and Software Technology, 2021, 136: 106572.
    [74]
    RAMALINGAM G. The undecidability of aliasing[J]. ACM Transactions on Programming Languages and Systems, 1994, 16(5): 1467-1471
    [75]
    EVANS I, LONG F, OTGONBAATAR U, et al. Control jujutsu: on the weaknesses of fine-grained control flow integrity[C]//Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2015: 901-913.
    [76]
    LI Y, WANG M Z, ZHANG C, et al. Finding cracks in shields: on the security of control flow integrity mechanisms[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2020: 1821-1835.
    [77]
    CHEN S, XU J, SEZER E C, et al. Non-control-data attacks are realistic threats[C]//Proceedings of the 14th Conference on USENIX Security Symposium. Berkeley, CA: USENIX Association, 2005: 177-191.
    [78]
    HU H, SHINDE S, ADRIAN S, et al. Data-oriented programming: on the expressiveness of non-control data attacks[C]//2016 IEEE Symposium on Security and Privacy. Piscataway, NJ: IEEE, 2016: 969-986.
    [79]
    CHENG L, AHMED S, LILJESTRAND H, et al. Exploitation techniques for data-oriented attacks with existing and potential defense approaches[J]. ACM Transactions on Privacy and Security, 2021, 24(4): 26.
    [80]
    WANG Y, LI Q B, CHEN Z F, et al. Shapeshifter: intelligence-driven data plane randomization resilient to data-oriented programming attacks[J]. Computers & Security, 2020, 89: 101679.
    [81]
    ABERA T, ASOKAN N, DAVI L, et al. C-FLAT: control-flow attestation for embedded systems software[C]//Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2016: 743-754.
    [82]
    ZEITOUNI S, DESSOUKY G, ARIAS O, et al. ATRIUM: runtime attestation resilient under memory attacks[C]//2017 IEEE/ACM International Conference on Computer-Aided Design. New York: ACM, 2017: 384-391.
    [83]
    ZHAN J, LI Y Z, LIU Y F, et al. NSGA-Ⅱ-based granularity-adaptive control-flow attestation[J]. Security and Communication Networks, 2021, 2021: 1-16.