Code reuse attack-resisting work progress randomization method and system

Abstract

The invention discloses a code reuse attack-resisting work progress randomization method and system. The method comprises the following steps: 1, presetting a new progress, sharing memory space of the work progress to the new progress, initiating the new progress, disassembling all the code segments in the new progress and recording intermediate representation, recognizing function information in the code segments, and analyzing execution streams in the function information and dividing basic blocks; 2, randomizing the code segments according to the intermediate representation so as to generate new code segments, sending a signal interrupt instruction to the work progress by the new progress, carrying out state transition operation by the new progress when the new progress confirms that the work progress is interrupted and the work progress stores corresponding information, and deleting the code segments when the new progress confirms that the work progress starts to execute the new code segments after the state transition operation is finished; and 3, circularly executing the steps 1 to 2.

Description

technical field [0001] The invention relates to the technical fields of code generation and application software security and protection, in particular to a method and system for randomizing work processes against code reuse attacks. Background technique [0002] Attackers and defenders have always been in a competitive relationship. In order to resist code injection attacks (code injection), a data execution protection mechanism (data execution prevention, DEP) has been introduced into the computer system, and the attribute of any memory area is limited to W⊕X. The mechanism makes the malicious code (shellcode) uploaded by the attacker unable to execute. In response, the attacker proposes a code reuse attack (codereuse), which can effectively bypass the DEP mechanism. The attacker will first obtain the code layout of the target machine, and then pass Carefully construct the carrier (payload) to use the indirect jump (indirectjmp), indirect call (indirectcall) and function r...

AI Technical Summary

Problems solved by technology

[0009] The current defense against code reuse attacks that exploit memory leaks is either ineffective or very costly: XnR uses a sliding window method to defend against code reuse attacks, so there are still many memory pages within the sliding window that are both executable and executable. Read, if the attacker attacks within the sliding window, XnR cannot be defended. A major problem faced by HideM is that since 2008, the hardware CPU uses a shared second-level TLB, which means that both ITLB and DTLB will be from the common The mapping relationship is obtained in the second-level TLB. Due to the existence of the shared second-level TLB, there is no way for ITLB and DTLB to be out of sync. Therefore, HideM is no longer applicable. Readactor needs to recompile the source code to completely separate code and data, so legacy code It can not be well protected. Isomeron's execution flow diversification method is because the dice are rolled at the jump instruction to select the jump target, so one problem with this method is that the overhead is very high, and because Isomeron needs to perform dynamic instrumentation, Therefore, it will also destroy the DEP protection mechanism. CristianoGiuffrida's continuous randomization method cannot be deployed on existing operating systems because it needs to modify the kernel of the entire operating system to support its deployment of LLVM's JIT compiler, etc.

Images