
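A mimic defense method against process control-flow hijacking attacks
Cite as: PAN Chuanxing, ZHANG Zheng, MA Bolin, YAO Yuan, JI Xinsheng. A mimic defense method against process control-flow hijacking attacks [J]. Journal on Communications, 2021(1): 37-47.
Authors: PAN Chuanxing  ZHANG Zheng  MA Bolin  YAO Yuan  JI Xinsheng
Affiliations: State Key Laboratory of Mathematical Engineering and Advanced Computing; National Digital Switching System Engineering & Technological Research Center
Funding: Project supported by the National Natural Science Foundation of China (No. 61521003); project supported by the National Key Research and Development Program of China (No. 2018YFB0804003).
Abstract: To defend against process control-flow hijacking attacks, a threat model of the attack process was built from the perspective of vulnerability exploitation, and a "fortress" defense that cuts off the key exploitation steps was proposed. Building on a study of the principles of mimic defense, a mimic execution model for processes was proposed, and the model was analyzed and proved effective: mimic execution can effectively cut off the process by which a control-flow hijacking attack is carried out. A prototype system of mimic execution, MimicBox, was implemented, and effectiveness validation experiments, performance tests, and a comparative evaluation were carried out on MimicBox. The effectiveness validation experiments show that MimicBox can effectively defend against the vast majority of control-flow hijacking attacks based on known types of binary vulnerabilities; the performance evaluation results show that the additional performance overhead MimicBox imposes on CPU-intensive programs does not exceed 13%; the comparative evaluation results show that, relative to control-flow integrity defenses, mimic execution is a relatively effective and practical active defense scheme.

Keywords: control-flow hijacking  mimic defense  mimic execution  prototype system  evaluation and testing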

Method against process control-flow hijacking based on mimic defense
PAN Chuanxing, ZHANG Zheng, MA Bolin, YAO Yuan, JI Xinsheng. Method against process control-flow hijacking based on mimic defense [J]. Journal on Communications, 2021(1): 37-47.
Authors: PAN Chuanxing  ZHANG Zheng  MA Bolin  YAO Yuan  JI Xinsheng
Affiliation: (State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China; National Digital Switching System Engineering & Technological Research Center, Zhengzhou 450002, China)
Abstract: To defeat the attack of process control flow hijacking, a threat model was established from the point of vulnerability utilization, and the fortress defense to cut off the key vulnerability utilization path was proposed. On the basis of studying the principle of mimic defense, a threat model of process mimic execution was proposed, and the threat model was analyzed and proved to be effective. Mimic execution could effectively cut off the attack path of control flow hijacking. The prototype of mimic execution, MimicBox, was implemented. The validation experiment shows that MimicBox can effectively defend against most control flow hijacking attacks based on known binary vulnerabilities. The performance evaluation result shows that the overhead MimicBox introduces is less than 13% on CPU-intensive programs. The comparative evaluation result shows that mimic execution is a more effective and practical active defense method compared with control flow integrity.
Keywords: control-flow hijacking  mimic defense  mimic execution  prototype  evaluation
This article has been indexed by VIP (维普) and other databases.