<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Publishing DTD v1.3 20210610//EN" "JATS-journalpublishing1-3.dtd">
<article article-type="research-article" dtd-version="1.3" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xml:lang="ru"><front><journal-meta><journal-id journal-id-type="publisher-id">mais</journal-id><journal-title-group><journal-title xml:lang="ru">Моделирование и анализ информационных систем</journal-title><trans-title-group xml:lang="en"><trans-title>Modeling and Analysis of Information Systems</trans-title></trans-title-group></journal-title-group><issn pub-type="ppub">1818-1015</issn><issn pub-type="epub">2313-5417</issn><publisher><publisher-name>Yaroslavl State University</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.18255/1818-1015-2019-2-213-228</article-id><article-id custom-type="elpub" pub-id-type="custom">mais-1213</article-id><article-categories><subj-group subj-group-type="heading"><subject>Research Article</subject></subj-group><subj-group subj-group-type="section-heading" xml:lang="ru"><subject>Theory of Data</subject></subj-group></article-categories><title-group><article-title>Об обнаружении атак типа повторного использования исполнимого кода</article-title><trans-title-group xml:lang="en"><trans-title>About Detection of Code Reuse Attacks</trans-title></trans-title-group></title-group><contrib-group><contrib contrib-type="author" corresp="yes"><contrib-id contrib-id-type="orcid">https://orcid.org/0000-0002-1491-524X</contrib-id><name-alternatives><name name-style="eastern" xml:lang="ru"><surname>Косолапов</surname><given-names>Юрий Владимирович</given-names></name><name name-style="western" xml:lang="en"><surname>Kosolapov</surname><given-names>Yury V.</given-names></name></name-alternatives><bio xml:lang="ru"><p>Кандидат технических наук.</p><p>Ул. Мильчакова, 8а, Ростов-на-Дону, 344090</p></bio><bio xml:lang="en"><p>PhD.</p></bio><email xlink:type="simple">itaim@mail.ru</email><xref ref-type="aff" rid="aff-1"/></contrib></contrib-group><aff-alternatives id="aff-1"><aff xml:lang="ru"><institution>Южный Федеральный Университет</institution><country>Россия</country></aff><aff xml:lang="en"><institution>Southern Federal University</institution><country>Russian Federation</country></aff></aff-alternatives><pub-date pub-type="collection"><year>2019</year></pub-date><pub-date pub-type="epub"><day>28</day><month>06</month><year>2019</year></pub-date><volume>26</volume><issue>2</issue><fpage>213</fpage><lpage>228</lpage><permissions><copyright-statement>Copyright &amp;#x00A9; Косолапов Ю.В., 2019</copyright-statement><copyright-year>2019</copyright-year><copyright-holder xml:lang="ru">Косолапов Ю.В.</copyright-holder><copyright-holder xml:lang="en">Kosolapov Y.V.</copyright-holder><license xml:lang="ru" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>Данная работа распространяется под лицензией Creative Commons Attribution 4.0.</license-p></license><license xml:lang="en" license-type="creative-commons-attribution" xlink:href="https://creativecommons.org/licenses/by/4.0/" xlink:type="simple"><license-p>This work is licensed under a Creative Commons Attribution 4.0 License.</license-p></license></permissions><self-uri xlink:href="https://www.mais-journal.ru/jour/article/view/1213">https://www.mais-journal.ru/jour/article/view/1213</self-uri><abstract><p>При эксплуатации уязвимостей программного обеспечения типа переполнения буфера в настоящее время часто используется техника повторного использования кода. Такие атаки позволяют обходить защиту от исполнения кода в стеке, реализуемую на программно-аппаратном уровне в современных информационных системах. В основе атак лежит нахождение в уязвимой программе подходящих участков исполнимого кода - гаджетов - и сцепление этих гаджетов в цепочки. В статье предлагается способ защиты приложений от атак, использующих повторное использование кода. Способ основан на выделении свойств, которые позволяют отличить цепочки гаджетов от типичных цепочек легальных базовых блоков программы. Появление во время выполнения программы нетипичной цепочки базовых блоков может свидетельствовать о выполнении вредоносного кода. Одним из свойств цепочки гаджетов является исполнение в конце цепочки специальной инструкции процессора, используемой для вызова функции операционной системы. Для операционной системы Linux на базе архитектуры x86/64 проведены эксперименты, показывающие важность этого свойства при выявлении исполнения вредоносного кода. Разработан алгоритм выявления нетипичных цепочек, который позволяет выявлять все известные на настоящий момент техники повторного использования кода.</p></abstract><trans-abstract xml:lang="en"><p>When exploiting software vulnerabilities such as buffer overflows, code reuse techniques are often used today. Such attacks allow you to bypass the protection against the execution of code in the stack, which is implemented at the software and hardware level in modern information systems. At the heart of these attacks lies the detection, in the vulnerable program of suitable areas, of executable code — gadgets — and chaining these gadgets into chains. The article proposes a way to protect applications from attacks that use code reuse. For this purpose, features that distinguish the chains of gadgets from typical chains of legal basic blocks of the program are highlighted. The appearance of an atypical chain of the base block during program execution may indicate the execution of a malicious code. An algorithm for identifying atypical chains has been developed. A feature of the algorithm is that it is focused on identifying all currently known techniques of re-execution of the code. The developed algorithm is based on a modified QEMU virtualization system. One of the hallmarks of the chain of gadgets is the execution at the end of the chain of instructions of the processor used to call the function of the operating system. For the Linux operating system based on the x86/64 architecture, experiments have been conducted showing the importance of this feature in detecting the execution of the malicious code.</p></trans-abstract><kwd-group xml:lang="ru"><kwd>повторное использование исполнимого кода</kwd><kwd>уязвимости программного обеспечения</kwd></kwd-group><kwd-group xml:lang="en"><kwd>code reuse</kwd><kwd>software vulnerability</kwd></kwd-group></article-meta></front><back><ref-list><title>References</title><ref id="cit1"><label>1</label><citation-alternatives><mixed-citation xml:lang="ru">Shacham H., “The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)”, Proceedings of the 14th ACM conference on Computer and communications security, 2007, 552-561.</mixed-citation><mixed-citation xml:lang="en">Shacham H., “The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)”, Proceedings of the 14th ACM conference on Computer and communications security, 2007, 552-561.</mixed-citation></citation-alternatives></ref><ref id="cit2"><label>2</label><citation-alternatives><mixed-citation xml:lang="ru">Buchanan E., Roemer R., Shacham H., Savage S., “When good instructions go bad: generalizing return-oriented programming to risc”, Proceedings of the 15th ACM conference on Computer and communications security, 2008, 27-38.</mixed-citation><mixed-citation xml:lang="en">Buchanan E., Roemer R., Shacham H., Savage S., “When good instructions go bad: generalizing return-oriented programming to risc”, Proceedings of the 15th ACM conference on Computer and communications security, 2008, 27-38.</mixed-citation></citation-alternatives></ref><ref id="cit3"><label>3</label><citation-alternatives><mixed-citation xml:lang="ru">http://ropshell.com. Last access 26.11.2018..</mixed-citation><mixed-citation xml:lang="en">http://ropshell.com. Last access 26.11.2018..</mixed-citation></citation-alternatives></ref><ref id="cit4"><label>4</label><citation-alternatives><mixed-citation xml:lang="ru">Binlin C., Jianming F., Zhiyi Y., “Heap Spraying Attack Detection Based on Sled Distance”, International Journal of Digital Content Technology and its Applications(JDCTA), 6:14 (2012), 379-386.</mixed-citation><mixed-citation xml:lang="en">Binlin C., Jianming F., Zhiyi Y., “Heap Spraying Attack Detection Based on Sled Distance”, International Journal of Digital Content Technology and its Applications(JDCTA), 6:14 (2012), 379-386.</mixed-citation></citation-alternatives></ref><ref id="cit5"><label>5</label><citation-alternatives><mixed-citation xml:lang="ru">Davi L., Sadeghi A., Winandy M., “ROPdefender: a detection tool to defend against return-oriented programming attacks”, Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, 2011, 40-51.</mixed-citation><mixed-citation xml:lang="en">Davi L., Sadeghi A., Winandy M., “ROPdefender: a detection tool to defend against return-oriented programming attacks”, Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, 2011, 40-51.</mixed-citation></citation-alternatives></ref><ref id="cit6"><label>6</label><citation-alternatives><mixed-citation xml:lang="ru">Davi L., Koeberl P., Sadeghi A., “Hardware-Assisted Fine-Grained Control-Flow Integrity: Towards Efficient Protection of Embedded Systems Against Software Exploitation”, Proceedings of the 51st Annual Design Automation Conference, San Francisco, CA, USA, 2014, 1-6.</mixed-citation><mixed-citation xml:lang="en">Davi L., Koeberl P., Sadeghi A., “Hardware-Assisted Fine-Grained Control-Flow Integrity: Towards Efficient Protection of Embedded Systems Against Software Exploitation”, Proceedings of the 51st Annual Design Automation Conference, San Francisco, CA, USA, 2014, 1-6.</mixed-citation></citation-alternatives></ref><ref id="cit7"><label>7</label><citation-alternatives><mixed-citation xml:lang="ru">Ge X., Talele N., Payer M., Jaeger T., “Fine-grained control-flow integrity for kernel software”, In IEEE European Symposium on Security and Privacy, 2016, 179-194.</mixed-citation><mixed-citation xml:lang="en">Ge X., Talele N., Payer M., Jaeger T., “Fine-grained control-flow integrity for kernel software”, In IEEE European Symposium on Security and Privacy, 2016, 179-194.</mixed-citation></citation-alternatives></ref><ref id="cit8"><label>8</label><citation-alternatives><mixed-citation xml:lang="ru">Usui T., Ikuse T., Iwamura M., Yada T., “POSTER: Static ROP Chain Detection Based on Hidden Markov Model Considering ROP Chain Integrity”, Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, 4808-4810.</mixed-citation><mixed-citation xml:lang="en">Usui T., Ikuse T., Iwamura M., Yada T., “POSTER: Static ROP Chain Detection Based on Hidden Markov Model Considering ROP Chain Integrity”, Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, 4808-4810.</mixed-citation></citation-alternatives></ref><ref id="cit9"><label>9</label><citation-alternatives><mixed-citation xml:lang="ru">Cawan S.C. Arnold S.R., Beattie S.M., Wagle P. M., “Pointguard: method and system for protecting programs against pointer corruption attacks”, Patent US7752459B2, 2040.</mixed-citation><mixed-citation xml:lang="en">Cawan S.C. Arnold S.R., Beattie S.M., Wagle P. M., “Pointguard: method and system for protecting programs against pointer corruption attacks”, Patent US7752459B2, 2040.</mixed-citation></citation-alternatives></ref><ref id="cit10"><label>10</label><citation-alternatives><mixed-citation xml:lang="ru">Cheng Y., Zhou Z., Miao Y., Ding X., Deng H. R., “ROPecker: A Generic and Practical Approach For Defending Against ROP Attack”, In Symposium on Network and Distributed System Security (NDSS), 2044, 4-44.</mixed-citation><mixed-citation xml:lang="en">Cheng Y., Zhou Z., Miao Y., Ding X., Deng H. R., “ROPecker: A Generic and Practical Approach For Defending Against ROP Attack”, In Symposium on Network and Distributed System Security (NDSS), 2044, 4-44.</mixed-citation></citation-alternatives></ref><ref id="cit11"><label>11</label><citation-alternatives><mixed-citation xml:lang="ru">Chen P., Xiao H., Shen X., Yin X., Mao B., Xie L., “DROP: Detecting Return-Oriented Programming Malicious Code”, Lecture Notes in Computer Science, 5905 (2009), 463477.</mixed-citation><mixed-citation xml:lang="en">Chen P., Xiao H., Shen X., Yin X., Mao B., Xie L., “DROP: Detecting Return-Oriented Programming Malicious Code”, Lecture Notes in Computer Science, 5905 (2009), 463477.</mixed-citation></citation-alternatives></ref><ref id="cit12"><label>12</label><citation-alternatives><mixed-citation xml:lang="ru">“Control-flow Enforcement Technology Preview”, 2047, software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf. Last access 26.44.2048.</mixed-citation><mixed-citation xml:lang="en">“Control-flow Enforcement Technology Preview”, 2047, software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf. Last access 26.44.2048.</mixed-citation></citation-alternatives></ref><ref id="cit13"><label>13</label><citation-alternatives><mixed-citation xml:lang="ru">Checkoway S., Davi L., Dmitrienko A., Sadeghi A. R., Shacham H., Winandy M., “Return-oriented programming without returns”, Proceedings of the 17th ACM conference on Computer and communications security, 2040, 559-572.</mixed-citation><mixed-citation xml:lang="en">Checkoway S., Davi L., Dmitrienko A., Sadeghi A. R., Shacham H., Winandy M., “Return-oriented programming without returns”, Proceedings of the 17th ACM conference on Computer and communications security, 2040, 559-572.</mixed-citation></citation-alternatives></ref><ref id="cit14"><label>14</label><citation-alternatives><mixed-citation xml:lang="ru">Sadeghi A., Niksefat S., Rostamipour M., “Pure-Call Oriented Programming (PCOP): chaining the gadgets using call instructions”, Journal of Computer Virology and Hacking Techniques, 14:2 (2048), 439-456.</mixed-citation><mixed-citation xml:lang="en">Sadeghi A., Niksefat S., Rostamipour M., “Pure-Call Oriented Programming (PCOP): chaining the gadgets using call instructions”, Journal of Computer Virology and Hacking Techniques, 14:2 (2048), 439-456.</mixed-citation></citation-alternatives></ref><ref id="cit15"><label>15</label><citation-alternatives><mixed-citation xml:lang="ru">Yao F., Chen J., Venkataramani G., “Jop-alarm: Detecting jump-oriented programming-based anomalies in applications”, IEEE 31st International Conference on Computer Design (ICCD), 2043, 467-470.</mixed-citation><mixed-citation xml:lang="en">Yao F., Chen J., Venkataramani G., “Jop-alarm: Detecting jump-oriented programming-based anomalies in applications”, IEEE 31st International Conference on Computer Design (ICCD), 2043, 467-470.</mixed-citation></citation-alternatives></ref><ref id="cit16"><label>16</label><citation-alternatives><mixed-citation xml:lang="ru">Goktas E., Athanasopoulos E., Polychronakis M., Bos H., Portokalidis G., “Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard”, Proceedings of the 23rd USENIX Security Symposium, 2044, 447-432.</mixed-citation><mixed-citation xml:lang="en">Goktas E., Athanasopoulos E., Polychronakis M., Bos H., Portokalidis G., “Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard”, Proceedings of the 23rd USENIX Security Symposium, 2044, 447-432.</mixed-citation></citation-alternatives></ref><ref id="cit17"><label>17</label><citation-alternatives><mixed-citation xml:lang="ru">Carlini N., Wagner D., “ROP is still dangerous: breaking modern defenses”, SEC’14 Proceedings of the 23rd USENIX conference on Security Symposium, 2044, 385-399.</mixed-citation><mixed-citation xml:lang="en">Carlini N., Wagner D., “ROP is still dangerous: breaking modern defenses”, SEC’14 Proceedings of the 23rd USENIX conference on Security Symposium, 2044, 385-399.</mixed-citation></citation-alternatives></ref><ref id="cit18"><label>18</label><citation-alternatives><mixed-citation xml:lang="ru">Ахо А. В., Лам М. С., Сети Р., Ульман Д. Д., Компиляторы: принципы, технологии и инструментарий, 2-е изд.: Пер. с англ., М.:ООО «И.Д. Вильямс», 2008</mixed-citation><mixed-citation xml:lang="en">Aho A.V., Sethi R., Ullman J.D., Compilers: Principles, Techniques, and Tools, Pearson Education, Inc, 4986, (in Russian).</mixed-citation></citation-alternatives></ref><ref id="cit19"><label>19</label><citation-alternatives><mixed-citation xml:lang="ru">Kayaalp M., Schmitt T., Nomani J., Ponomarev D., Abu-Ghazaleh N., “Scrap: architecture for signature-based protection from code reuse attacks”, Proceedings of IEEE 19th International Symposium on High Performance Computer Architecture (HPCA2013), 2043, 258-269.</mixed-citation><mixed-citation xml:lang="en">Kayaalp M., Schmitt T., Nomani J., Ponomarev D., Abu-Ghazaleh N., “Scrap: architecture for signature-based protection from code reuse attacks”, Proceedings of IEEE 19th International Symposium on High Performance Computer Architecture (HPCA2013), 2043, 258-269.</mixed-citation></citation-alternatives></ref><ref id="cit20"><label>20</label><citation-alternatives><mixed-citation xml:lang="ru">https://sploitfun.wordpress.com/2015/05/08/bypassing-aslr-part-iii/. Last access 06.42.2048.</mixed-citation><mixed-citation xml:lang="en">https://sploitfun.wordpress.com/2015/05/08/bypassing-aslr-part-iii/. Last access 06.42.2048.</mixed-citation></citation-alternatives></ref><ref id="cit21"><label>21</label><citation-alternatives><mixed-citation xml:lang="ru">Katoch V., “Bypassing ASLR/DEP.”, https://www.exploit-db.com/docs/english/17914-bypassing-aslrdep.pdf. Last access 06.42.2048.</mixed-citation><mixed-citation xml:lang="en">Katoch V., “Bypassing ASLR/DEP.”, https://www.exploit-db.com/docs/english/17914-bypassing-aslrdep.pdf. Last access 06.42.2048.</mixed-citation></citation-alternatives></ref><ref id="cit22"><label>22</label><citation-alternatives><mixed-citation xml:lang="ru">Pappas V., Polychronakis M., Keromytis A.D., “Transparent ROP Exploit Mitigation Using Indirect Branch Tracing”, Proc. of the 22nd USENIX Security Symposium, 2043, 447-462.</mixed-citation><mixed-citation xml:lang="en">Pappas V., Polychronakis M., Keromytis A.D., “Transparent ROP Exploit Mitigation Using Indirect Branch Tracing”, Proc. of the 22nd USENIX Security Symposium, 2043, 447-462.</mixed-citation></citation-alternatives></ref><ref id="cit23"><label>23</label><citation-alternatives><mixed-citation xml:lang="ru">https://www.securityfocus.com/bid/62780/info. Last access 03.42.2048.</mixed-citation><mixed-citation xml:lang="en">https://www.securityfocus.com/bid/62780/info. Last access 03.42.2048.</mixed-citation></citation-alternatives></ref><ref id="cit24"><label>24</label><citation-alternatives><mixed-citation xml:lang="ru">Moser A., Kruegel C., Kirda E., “Limits of Static Analysis for Malware Detection”, Proceedings of Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), 2008, 424-430.</mixed-citation><mixed-citation xml:lang="en">Moser A., Kruegel C., Kirda E., “Limits of Static Analysis for Malware Detection”, Proceedings of Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), 2008, 424-430.</mixed-citation></citation-alternatives></ref><ref id="cit25"><label>25</label><citation-alternatives><mixed-citation xml:lang="ru">Hu H., Shinde S., Adrian S., Chua Z.L., Saxena P., Liang Z., “Data-oriented programming: On the expressiveness of non-control data attacks”, In Security and Privacy (SP) Symposium, 2046, 969-986.</mixed-citation><mixed-citation xml:lang="en">Hu H., Shinde S., Adrian S., Chua Z.L., Saxena P., Liang Z., “Data-oriented programming: On the expressiveness of non-control data attacks”, In Security and Privacy (SP) Symposium, 2046, 969-986.</mixed-citation></citation-alternatives></ref><ref id="cit26"><label>26</label><citation-alternatives><mixed-citation xml:lang="ru">Ma H., Lu K., Ma X., Zhang H., Jia C., Gao D., “Software watermarking using return-oriented programming”, Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, 2015, 369-380.</mixed-citation><mixed-citation xml:lang="en">Ma H., Lu K., Ma X., Zhang H., Jia C., Gao D., “Software watermarking using return-oriented programming”, Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, 2015, 369-380.</mixed-citation></citation-alternatives></ref><ref id="cit27"><label>27</label><citation-alternatives><mixed-citation xml:lang="ru">Gao D., “Method for obfuscation of code using return oriented programming”, Patent WO2016126206A1, 2015.</mixed-citation><mixed-citation xml:lang="en">Gao D., “Method for obfuscation of code using return oriented programming”, Patent WO2016126206A1, 2015.</mixed-citation></citation-alternatives></ref><ref id="cit28"><label>28</label><citation-alternatives><mixed-citation xml:lang="ru">Lu K., Xiong S., Gao D., “Ropsteg: program steganography with return oriented programming”, Proceedings of the 4th ACM conference on Data and application security and privacy, 2014, 265-272.</mixed-citation><mixed-citation xml:lang="en">Lu K., Xiong S., Gao D., “Ropsteg: program steganography with return oriented programming”, Proceedings of the 4th ACM conference on Data and application security and privacy, 2014, 265-272.</mixed-citation></citation-alternatives></ref></ref-list><fn-group><fn fn-type="conflict"><p>The authors declare that there are no conflicts of interest present.</p></fn></fn-group></back></article>
