
Research On Stack Pointer Integrity Based ROP Defense

Posted on: 2018-02-06
Degree: Master
Type: Thesis
Country: China
Candidate: F Huang
Full Text: PDF
GTID: 2428330515997940
Subject: Information security

Abstract/Summary:
In the game of attack and defense in cyberspace, exploiting software vulnerabilities is a common and critical technique. The deployment of defenses such as Data Execution Protection (DEP) and Address Space Randomization (ASLR) has stimulated the enhancement of attack techniques. Attacks have progressed from code injection to so-called code reuse attacks. Currently, Return-Oriented Programming (ROP) is the most popular code reuse technique, and it is widely used in software exploits. To defend against ROP, various defenses have been proposed, such as Control Flow Integrity (CFI) and fine-grained randomization. Fine-grained defenses can greatly enhance the security of a system but cannot eliminate ROP attacks completely; in addition, such defenses often cause high performance overhead. In recent years, Stack Pointer Integrity (SPI) has been proposed to detect stack pivoting in ROP by checking the integrity of the stack pointer. Because stack pivoting is commonly used in ROP attacks, this approach has become an effective ROP defense, and this practical solution generally has low performance overhead.

In this paper, existing solutions based on Stack Pointer Integrity are analyzed and some shortcomings are found. On the one hand, the baseline value used as the stack boundary is not protected. On the other hand, their checking policies are not fine-grained enough. We propose an attack that bypasses the stack pointer integrity check by corrupting the baseline value; experiments show that this attack is simple and effective. To make up for the shortcomings of the existing schemes, we analyze the stack pivoting feature of ROP, select indirect branch instructions as checkpoints, and propose an improved fine-grained stack pointer integrity checking approach named MSPI (Modified Stack Pointer Integrity), which combines a stack boundary check with the shadow stack technique. A prototype of MSPI is then implemented with the LLVM instrumentation tool and evaluated. Our evaluation demonstrates that MSPI can detect ROP attacks that pivot the stack pointer out of the stack, ROP attacks that pivot within the stack, and corruption of the baseline value.
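As an added illustration (not code from the thesis or its prototype), the following C simulation contrasts the two checking policies the abstract describes: a plain SPI boundary check whose baseline record is ordinary writable data, and MSPI's combination of that boundary check with a shadow-stack comparison at a ret checkpoint. All addresses, the `checker_t` state and the `scenario_*` functions are constructed for the example; they model why an overwritten baseline defeats the boundary check alone, and how the shadow-stack comparison still flags a pivot whether the stack pointer leaves the stack or stays inside it.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed addresses for a simulated process, not a real memory layout. */
#define STACK_LO   0x7fff0000u
#define STACK_HI   0x7fff1000u   /* exclusive upper bound of the thread stack */
#define SHADOW_MAX 64

typedef struct {
    uint32_t lo, hi;             /* baseline boundary record: writable data, as in plain SPI */
    uint32_t shadow[SHADOW_MAX]; /* shadow stack of return addresses recorded at call sites */
    unsigned depth;
} checker_t;
#define CHECKER_INIT { STACK_LO, STACK_HI, {0}, 0 }

/* Plain SPI policy: the stack pointer must lie inside the recorded boundaries. */
bool spi_check(const checker_t *c, uint32_t sp) { return sp >= c->lo && sp < c->hi; }

/* Instrumented call site: record the legitimate return address. */
void on_call(checker_t *c, uint32_t ret_addr) {
    if (c->depth < SHADOW_MAX) c->shadow[c->depth++] = ret_addr;
}

/* MSPI policy at a ret checkpoint: boundary check, then the return address
 * read at sp must equal the one the shadow stack recorded for this frame. */
bool mspi_check_ret(checker_t *c, uint32_t sp, uint32_t ret_at_sp) {
    if (!spi_check(c, sp) || c->depth == 0) return false;
    return c->shadow[--c->depth] == ret_at_sp;
}

/* sp pivoted to a fake stack in writable memory: once the unprotected baseline
 * is overwritten to cover that region, plain SPI accepts the pivoted sp. */
bool scenario_spi_baseline_corruption(void) {
    checker_t c = CHECKER_INIT;
    c.lo = 0x08000000u;                 /* baseline corrupted */
    return spi_check(&c, 0x08050000u);  /* true: boundary check bypassed */
}

/* MSPI with the same corrupted baseline: the gadget address found at the pivoted sp
 * never matches the shadow stack (out of or within the stack); a legitimate return passes. */
bool scenario_mspi(void) {
    checker_t c = CHECKER_INIT;
    c.lo = 0x08000000u;
    on_call(&c, 0x00401234u);           /* constructed legitimate return address */
    bool out_caught = !mspi_check_ret(&c, 0x08050000u, 0x00401a2bu);
    on_call(&c, 0x00401234u);
    bool in_caught = !mspi_check_ret(&c, STACK_LO + 0x800u, 0x00401a2bu);
    on_call(&c, 0x00401234u);
    bool legit_ok = mspi_check_ret(&c, STACK_LO + 0xf00u, 0x00401234u);
    return out_caught && in_caught && legit_ok;
}
```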
Keywords/Search Tags:Stack Pointer Integrity, Return-Oriented Programming, Stack Pivoting, Shadow Stack