ROPDetector: A Real-time Detection Method for ROP Attacks Based on Hardware Performance Counters
Cite this article: NIU Wei-Na, ZHAO Cheng-Yang, ZHANG Xiao-Song, HUANG Xiao-Xiang, JIANG Lian, ZHANG Ke-Xuan. ROPDetector: A Real-time Detection Method for ROP Attacks Based on Hardware Performance Counters [J]. Chinese Journal of Computers, 2021, 44(4): 761-772.
Authors: NIU Wei-Na, ZHAO Cheng-Yang, ZHANG Xiao-Song, HUANG Xiao-Xiang, JIANG Lian, ZHANG Ke-Xuan
Affiliations: Institute for Cyber Security, School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731; Institute for Cyber Security, School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu 611731; Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, Guangdong 518000
Funding: National Key R&D Program of China (2016QY13Z2302); National Natural Science Foundation of China (61902262, U19A2066); Sichuan Science and Technology Support Program (2017CC0071).
Abstract: Return-oriented programming (ROP) is one of the most widely used techniques for exploiting software vulnerabilities; it bypasses defenses such as data execution prevention and address space layout randomization. This paper proposes a hardware-based method for detecting ROP attacks in real time. Without any side information (such as source code or compiler support) and without binary rewriting, it uses the hardware performance counters of modern CPUs to monitor the execution of the target program and extracts the low-level hardware-event characteristics that appear while a ROP attack is in progress. A prototype system, ROPDetector, was implemented in a 32-bit Linux environment and evaluated with real ROP attacks and vulnerabilities, compared against a similar method, and finally measured for performance overhead. The results show that the method effectively detects real ROP attacks: with detection periods of 6 and 9 mis-predicted return instructions respectively, the system performance overhead is only 5.05% and 5.25%, the disk I/O overhead only 0.94% and 2%, and the network I/O overhead only 0.06% and 0.78%.

Keywords: return-oriented programming; hardware events; real-time detection; hardware performance counter; mis-predicted return instructions

ROPDetector:A Real-time Detection Method of ROP Attack Based on Hardware Performance Counter
NIU Wei-Na,ZHAO Cheng-Yang,ZHANG Xiao-Song,HUANG Xiao-Xiang,JIANG Lian,ZHANG Ke-Xuan.ROPDetector:A Real-time Detection Method of ROP Attack Based on Hardware Performance Counter[J].Chinese Journal of Computers,2021,44(4):761-772.
Authors:NIU Wei-Na  ZHAO Cheng-Yang  ZHANG Xiao-Song  HUANG Xiao-Xiang  JIANG Lian  ZHANG Ke-Xuan
Affiliation: (School of Computer Science and Engineering, Institute for Cyber Security, University of Electronic Science and Technology of China, Chengdu 611731; Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, Guangdong 518040)
Abstract: Return-oriented programming (ROP) is one of the most common techniques for exploiting software vulnerabilities. Attackers use it to tamper with the program's control flow and run malicious code. ROP generalizes the return-to-libc attack: where return-to-libc reuses whole libc functions, ROP chains together short instruction sequences called gadgets (instruction fragments ending in a return instruction, taken from the target program or the libraries it calls) to form a malicious chain. This bypasses data execution prevention and address space layout randomization and can ultimately compromise both user-level and kernel-level software. Modern CPUs contain a set of special registers that record the number of hardware-related events; these are called hardware performance counters (HPCs) and are designed for performance debugging of complex software systems. Developers configure HPCs to monitor the execution of a target program and, as with traditional software analysis tools, collect detailed performance information that helps them understand runtime behavior and optimize performance. In response to the threat of ROP attacks, many researchers at home and abroad have studied ROP defense mechanisms and proposed a range of defense and detection methods. However, some existing techniques can be circumvented by attackers, and others suffer from high performance overhead. In this paper, we observe anomalies in the low-level hardware events while a ROP attack is taking place. Based on this observation, we propose a real-time hardware-based detection approach that requires no side information (e.g., source code or compiler support): it uses the hardware performance counters in modern CPUs to monitor the execution of the target program and extracts the low-level hardware-event features of a ROP attack at runtime. We implemented a prototype, ROPDetector, on an x86-based Linux platform. We used a small program with a buffer-overflow vulnerability and ROPGadget to construct 40 real ROP payloads, reproduced another HPC-based method for comparative experiments, and used real exploits from an open-source exploitation platform to verify the feasibility of ROPDetector. The experimental results show that our approach detects real ROP attacks efficiently and with a higher detection rate. Finally, we evaluated the overall system performance overhead with UnixBench, the disk I/O overhead with Bonnie++, and the network I/O overhead with the Apache web server httpd-2.4.41. When the detection interval T of ROPDetector is 6 mis-predicted return instruction events, overall system performance drops by 5.05%, disk I/O performance by 0.94%, and network I/O performance by 0.06%. When T is 9 mis-predicted return instruction events, overall system performance drops by 5.25%, disk I/O performance by 2%, and network I/O performance by 0.78%.
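The abstract describes the detection loop only at a high level: counter values are sampled once every T mis-predicted return instructions, and hardware-event features of each sampling window are examined for the signature of a gadget chain. The Python block below is an added illustration written for this page, not code from the paper or from the ROPDetector prototype. It models that loop over constructed counter snapshots; the two features it uses (retired instructions per mis-predicted return, and the share of return instructions that were mis-predicted), the thresholds, and the `Snapshot`/`detect` names are assumptions of this example, not the paper's published feature set.

```python
"""Window-based ROP detection over hardware-performance-counter snapshots.

Assumed model (not the paper's exact design): a counter programmed on the
mis-predicted-return event overflows every T events, and at each overflow
the monitor reads the cumulative counters into a Snapshot.  Gadgets are a
few instructions long and end in `ret` whose target is not in the return
stack buffer, so during a chain almost every return is mis-predicted and
few instructions retire between mis-predictions.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Snapshot:
    """Cumulative counter values read when the mis-predicted-return counter
    overflows (i.e. once every T mis-predicted return instructions)."""
    ret_misp: int    # mis-predicted return instructions retired
    ret_total: int   # all return instructions retired
    instr: int       # all instructions retired


@dataclass(frozen=True)
class Features:
    instr_per_misp: float   # retired instructions per mis-predicted return
    misp_ratio: float       # fraction of returns that were mis-predicted


def features(prev: Snapshot, cur: Snapshot) -> Features:
    """Derive per-window features from two consecutive snapshots."""
    d_misp = cur.ret_misp - prev.ret_misp
    d_ret = cur.ret_total - prev.ret_total
    d_instr = cur.instr - prev.instr
    if d_misp <= 0 or d_ret <= 0:
        raise ValueError("window needs at least one return and one mis-predicted return")
    return Features(d_instr / d_misp, d_misp / d_ret)


def is_rop_window(f: Features, max_instr_per_misp: float = 20.0,
                  min_misp_ratio: float = 0.5) -> bool:
    """Hypothetical decision rule: short code between mis-predictions and a
    high mis-prediction share together indicate a gadget chain."""
    return f.instr_per_misp <= max_instr_per_misp and f.misp_ratio >= min_misp_ratio


def detect(snapshots: List[Snapshot], T: int = 6) -> List[int]:
    """Return the indices of snapshots that close a window flagged as ROP.

    A window spans two consecutive snapshots.  Windows whose mis-predicted
    return delta is not exactly T did not come from the expected sampling
    period and are skipped rather than scored.
    """
    alerts = []
    for i in range(1, len(snapshots)):
        prev, cur = snapshots[i - 1], snapshots[i]
        if cur.ret_misp - prev.ret_misp != T:
            continue
        if is_rop_window(features(prev, cur)):
            alerts.append(i)
    return alerts


def build_trace(T: int = 6) -> List[Snapshot]:
    """Constructed sample trace: three benign windows, then two ROP windows."""
    snaps = [Snapshot(0, 0, 0)]
    misp = ret = instr = 0
    # Benign phase: T mis-predictions spread over 120 returns / 5000 instructions.
    for _ in range(3):
        misp, ret, instr = misp + T, ret + 120, instr + 5000
        snaps.append(Snapshot(misp, ret, instr))
    # ROP chain: every gadget return mis-predicts; gadgets average 5 instructions.
    for _ in range(2):
        misp, ret, instr = misp + T, ret + T, instr + 5 * T
        snaps.append(Snapshot(misp, ret, instr))
    return snaps


if __name__ == "__main__":
    print(detect(build_trace()))          # [4, 5]
    print(detect(build_trace(9), T=9))    # [4, 5]
```

In a real deployment the snapshots would come from the kernel's `perf_event_open` interface with the sampling period set to T on the mis-predicted-return event, and the detector would run in the overflow handler as a per-window check rather than over a recorded list. The threshold values decide the trade-off the abstract measures: a smaller T reacts sooner but fires the handler more often, which is where the reported overhead comes from.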
Keywords: return-oriented programming; hardware events; real-time detection; hardware performance counter; mis-predicted return instructions
This article is indexed in databases including VIP and Wanfang Data.