Current software attacks are usually built on vulnerabilities that subvert machine-code execution. Enforcing a basic security property, control-flow integrity (CFI), can prevent such attacks. Because CFI is relatively simple to implement it is very practical; it is also compatible with existing mainstream software platforms, since the code that runs on a platform can be rewritten to enforce CFI without changing the platform itself. CFI also provides a useful foundation for further security policies. However, enforcing CFI sometimes requires resolving at run time the destination of an indirect jump (jmp) or of a call through a register (register-indirect addressing), which makes binary rewriting expensive and complicates practical deployment. To address this, we combine CFI enforcement in the protected application with CFG technology. CFG stands for Control Flow Guard, an implementation of control-flow protection that combines compiler and operating-system support to block indirect calls to untrusted targets.

Run-time attacks on memory, such as stack smashing and code-reuse attacks based on buffer overflows, are common in embedded systems. Enforcing control-flow integrity (CFI) has been recognized as a promising way to prevent such run-time attacks. However, previous CFI schemes suffer from coarse granularity (and can therefore be circumvented by advanced attack models) and from high overhead. To realize control-flow protection (CFI + CFG), the paper first proposes a method for enforcing fine-grained CFI at the basic-block level, called basic block CFI (BB-CFI), which can defend against the attacks above.

The key idea is to verify the target address (TA) of the control-flow instructions (CFINs), for example call, ret and jmp, that an adversary can modify. BB-CFI consists of two phases: 1) extract control-flow information by offline analysis of the program, and 2) perform a control-flow check while the program runs, validating the TA of each CFIN against the extracted control-flow information. The paper also handles the anomalies found in complex binaries (for example multithreading, C++ exceptions and longjmp). In addition, the paper presents a framework for implementing a control-flow checker (CFC), in which the checker monitors program execution in real time and enforces BB-CFI at the same time. As a proof of concept, we implemented a combination of CFC and CFG on the Linux platform. Our method requires no modification of the source code or of the instruction set architecture. The experimental results show that BB-CFI is effective against run-time attacks, with 100% verification accuracy.
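The following C program is an added illustration of the two-phase scheme described above; it is not the paper's checker or any part of its CFC framework. Phase 1 is modelled by two constructed tables that an offline analysis would produce: the program's basic blocks (flagged when a block is a function entry) and the allowed control-flow edges between them. Phase 2 is a runtime checker that validates the target address of a call/jmp CFIN in two layers: a coarse, Control-Flow-Guard-style bitmap that only accepts aligned function entries, and the fine-grained BB-CFI edge check; ret CFINs are validated against a shadow stack. Addresses are synthetic offsets in a constructed 4 KiB text segment, all block names and the 16-byte alignment are assumptions, and the multithreading, C++ exception and longjmp cases are not modelled. The third scenario in `main` shows why coarse granularity can be circumvented: a target that is a legitimate function entry passes the CFG-style check yet is rejected by BB-CFI because no extracted edge reaches it from the calling block.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the BB-CFI idea, not the paper's checker. Addresses
 * are synthetic basic-block (BB) offsets in a constructed 4 KiB text segment. */
#define TEXT_SIZE 0x1000u
#define CFG_ALIGN 16u   /* assumed granularity of the coarse CFG-style bitmap */

/* Phase 1 (constructed "offline analysis" output): basic blocks, flagged
 * when the block is a function entry point. */
typedef struct { uint32_t addr; int func_entry; const char *name; } bb_t;
static const bb_t blocks[] = {
    {0x100, 1, "main"},
    {0x110, 0, "main.dispatch"},   /* ends in an indirect call */
    {0x200, 1, "handler_a"},
    {0x230, 0, "handler_a.bb2"},
    {0x300, 1, "handler_b"},
    {0x400, 1, "exec_wrapper"},    /* valid entry, never a dispatch target */
};

/* Phase 1: allowed control-flow edges (source BB -> target BB). */
typedef struct { uint32_t src; uint32_t dst; } edge_t;
static const edge_t edges[] = {
    {0x110, 0x200}, {0x110, 0x300},   /* main.dispatch -> handler_a / handler_b */
    {0x200, 0x230},                   /* handler_a -> handler_a.bb2 */
};

/* Coarse check in the style of Control Flow Guard: one bit per CFG_ALIGN bytes
 * of text, set only for function entry points. */
static uint8_t cfg_bitmap[TEXT_SIZE / CFG_ALIGN / 8];
static int cfg_ready;

static void cfg_build(void)
{
    memset(cfg_bitmap, 0, sizeof cfg_bitmap);
    for (size_t i = 0; i < sizeof blocks / sizeof blocks[0]; i++) {
        if (!blocks[i].func_entry) continue;
        uint32_t slot = blocks[i].addr / CFG_ALIGN;
        cfg_bitmap[slot / 8] |= (uint8_t)(1u << (slot % 8));
    }
    cfg_ready = 1;
}

/* Returns 1 if target is an aligned function entry, else 0. */
int cfg_check(uint32_t target)
{
    if (!cfg_ready) cfg_build();
    if (target >= TEXT_SIZE || target % CFG_ALIGN != 0) return 0;
    uint32_t slot = target / CFG_ALIGN;
    return (cfg_bitmap[slot / 8] >> (slot % 8)) & 1;
}

/* Fine-grained BB-CFI: the (src_bb, target) edge must have been extracted. */
int bbcfi_check(uint32_t src_bb, uint32_t target)
{
    for (size_t i = 0; i < sizeof edges / sizeof edges[0]; i++)
        if (edges[i].src == src_bb && edges[i].dst == target) return 1;
    return 0;
}

/* Phase 2: runtime checker (CFC) for call/jmp CFINs. */
enum { CFC_OK = 0, CFC_REJECT_CFG = 1, CFC_REJECT_BBCFI = 2 };
int cfc_check_call(uint32_t src_bb, uint32_t target)
{
    if (!cfg_check(target)) return CFC_REJECT_CFG;
    if (!bbcfi_check(src_bb, target)) return CFC_REJECT_BBCFI;
    return CFC_OK;
}

/* ret CFINs: a shadow stack records the return address at each call, so a
 * ret whose TA was overwritten on the real stack is detected. */
#define SHADOW_MAX 64
static uint32_t shadow[SHADOW_MAX];
static int shadow_top;

int shadow_push(uint32_t ret_addr)
{
    if (shadow_top >= SHADOW_MAX) return 0;
    shadow[shadow_top++] = ret_addr;
    return 1;
}

/* Returns 1 if ret_target matches the recorded return address, else 0. */
int shadow_check_ret(uint32_t ret_target)
{
    if (shadow_top == 0) return 0;
    return shadow[--shadow_top] == ret_target;
}

int main(void)
{
    printf("legit call 0x110->0x200 : %d\n", cfc_check_call(0x110, 0x200));
    printf("mid-block gadget 0x238  : %d\n", cfc_check_call(0x110, 0x238));
    printf("wrong entry 0x400       : %d\n", cfc_check_call(0x110, 0x400));
    shadow_push(0x114);
    printf("hijacked ret to 0x400   : %d\n", shadow_check_ret(0x400));
    return 0;
}
```

In a real deployment the edge table would be produced by disassembling the binary, the check would be invoked from instrumentation inserted before each CFIN (or by a monitor in the CFC framework), and the shadow stack would have to be kept per thread; none of that is shown here.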