摘要:
Return-Oriented programming (ROP),in which attackers corrupt program stack in order to hijack the control flow of the program,is a popular way to attack memory corruption bugs.Control flow integrity (CFI) is a popular approach which thwarts attackers tampering with execution flow,in a way that enforces the legal targets of each indirect branches.While published CFI approaches mainly focus on protecting user programs,the OS kernel is still vulnerable to various attacks such as return-oriented rootkits (ROR),which can launch ROP attacks in vulnerable kernel modules,is able to execute arbitrary code in kernel.Compared with traditional user-level ROP,ROR is more dangerous because it happens in kernel space.According to Linux CVE from 2014 to 2016,76% of kernel bugs appear in kernel module and almost all of the published attacks happen in kernel modules,which infers that kernel modules happen to be the most dangerous area in the kernel space.However currently there are still very few number of kernel-level CFI protection mechanisms,and all of the existing ones require source-code level modification and kernel recompilation,which restricts the usage scenarios of the commodity systems.Facing off these problems,this paper proposes to leverage Intel processor trace (IPT),and presents the first system which can prevent against ROP attacks in kernel modules base on virtualization without relying on the source code of kernel and kernel modules.The evaluation proves the precision,transparency and efficiency of the new system.%Return-Oriented Programming(ROP)是一种流行的利用缓冲区溢出漏洞进行软件攻击的方法.它通过覆写程序栈上的返回地址,使程序在之后执行返回指令时跳转到攻击者指定位置的代码,因而违反了程序原本期望的控制流.控制流完整性(control-flow integrity,简称CFI)检查是目前最流行的ROP防御机制,它将每条控制流跳转指令的合法目标限制在一个合法目标地址集合内,从而阻止攻击者恶意改变程序的控制流.现有的CFI机制大多用于保护用户态程序,而当前已有诸多针对内核态的攻击被曝出,其中,Return-Oriented rootkits(ROR)[1]就是在有漏洞的内核模块中进行ROP攻击,达到执行内核任意代码的目的.相对于传统的基于用户空间的ROP攻击,ROR攻击更加危险.根据Linux CVE的数据统计,在2014年~2016年间,操作系统内核内部的漏洞有76%出现在内核模块中,其中,基本上所有被公布出来的攻击都发生在内核模块.由此可见,内核模块作为针对内核攻击的高发区,非常危险.另一方面,当前鲜有针对操作系统内核的CFI保护方案,而已有的相关系统都依赖于对内核的重新编译,这在很大程度上影响了它们的应用场景.针对这些问题,首次提出利用Intel Processor Trace(IPT)硬件机制并结合虚拟化技术,对内核模块进行透明且有效的保护,从而防御针对它的ROP攻击.实验结果表明,该系统具有极强的保护精确性、兼容性和高效性.