ASLR Bypassing Method Combining Crash-Resistance and Memory Range Statistics
  • English title: ASLR Bypassing Method Combining Crash-Resistance and Memory Range Statistics
  • Authors: 彭建山 ; 丁大钊 ; 王清贤
  • Authors (English): PENG Jianshan; DING Dazhao; WANG Qingxian; PLA Information Engineering University; State Key Laboratory of Mathematics Engineering and Advanced Computing
  • Keywords: crash-resistance mechanism; exception handling; ASLR bypass; vulnerability attack
  • Keywords (English): crash-resistance mechanism; exception handling; bypassing ASLR; vulnerability attack
  • Journal code: JSGG
  • Journal (English): Computer Engineering and Applications
  • Affiliations: PLA Information Engineering University; State Key Laboratory of Mathematics Engineering and Advanced Computing
  • Publication date: 2018-04-24 10:29
  • Publisher: Computer Engineering and Applications (计算机工程与应用)
  • Year: 2019
  • Issue: v.55; No.921
  • Funding: National Key R&D Program of China (No.2017YFB0802902)
  • Language: Chinese
  • Page: JSGG201902012
  • Page count: 7
  • CN: 02
  • Classification number: 78-84
Abstract
ASLR is an important protection mechanism against vulnerability exploitation, and the crash-resistance attack is one of the main methods of bypassing ASLR: it uses a crash-resistance mechanism to repeatedly attempt to search memory for sensitive information. To address the problem that the search algorithms of current crash-resistance attacks take too long and are therefore of limited practicality, this paper proposes an ASLR bypassing method that combines the crash-resistance attack with memory range statistics. It uses software reverse engineering to analyze the principle of the crash-resistance attack in depth, including the internal implementation of the crash-resistance mechanisms in operating systems, browsers and other software, and how the attack itself is implemented. It analyzes the layout of a process's memory space, computes the average proportion of system DLLs located in different ranges, and selects the range with the highest probability in which to search for DLLs and locate the key base address, thereby bypassing ASLR protection. Experimental results show that, compared with existing methods, this method greatly reduces both the average and the maximum time consumption and improves the practicality of the crash-resistance attack. Further application prospects of the crash-resistance attack are also discussed.
ASLR is an important protection mechanism against vulnerability attacks. The crash-resistance attack is a main method of bypassing ASLR: it searches memory for sensitive information repeatedly by utilizing a crash-resistance mechanism. However, the search algorithm of the current crash-resistance attack takes a long time to find useful information, which makes it less practical. In order to enhance the practicability of the attack, a novel method is proposed that combines crash-resistance and memory range statistics to bypass ASLR. This method analyzes the crash-resistance attack in depth using software reverse engineering to find out the internal implementation of the crash-resistance mechanism in operating systems and browser software. It analyzes the space layout of a process's memory, counts up the average proportion of system DLLs distributed in different ranges, and selects the range of maximum probability in which to search for DLLs and locate the key base address in order to bypass ASLR. The test results show that the proposed method greatly reduces the average time consumption and the maximum time consumption compared with existing methods.