Xgadget：基于动静结合的二进制Gadget搜索

doi:10.3778/j.issn.1002-8331.2212-0026

摘要/Abstract

摘要： 代码复用技术一直以来都是软件安全研究领域的热点，ROP（return-oriented programming）、JOP（jump-oriented programming）和DOP（data-oriented programming）技术是典型代表。Gadget搜索是代码复用的基础，针对现有静态搜索算法存在支持的Gadget类型不多，不能同时搜索动态链接库等问题，提出了基于动静结合的二进制Gadget搜索方法，基于此开发了搜索工具Xgadget。利用动态映像级插桩，对所有函数进行反汇编；设计了Token级和指令级有穷自动机，实现了基于自动机的静态搜索算法；在五款应用程序中对其进行了测试与评估。实验结果表明，算法支持ROP、JOP、DOP等多种Gadget类型的搜索，能够同时对目标程序动态链接库进行搜索，搜索数量是ROPgadget的12.5倍，单位指令搜索时间较之降低32.1%。算法为不同需求的代码复用提供更为广泛的支持，且输出结果是二进制Gadget，后续复用更直接，有利于代码复用自动化利用。

关键词: 代码复用, Gadget搜索, 动静结合, DFA算法, 二进制, DOP方法, 动态链接库

Abstract: Code reuse techniques have consistently been a popular area of software security research. ROP (return-oriented programming), JOP (jump-oriented programming) and DOP (data-oriented programming) are representative techniques, and Gadget search is the basis for code reuse. The existing static Gadget search algorithm supports a few types of Gadgets and cannot search the dependent dynamic link libraries at the same time. To address these problems, this paper proposes a binary Gadget search method named Xgadget based on a combination of dynamic and static. Xgadget first disassembles all functions in image by using dynamic image-level staking, then designs token-level and instruction-level DFAs, and implements a static search algorithm based on the DFA. In this paper, Xgadget is evaluated in five applications. The experimental results show that Xgadget supports multiple Gadget types such as ROP, JOP, DOP, etc. , and can simultaneously perform Gadget searches on the dynamic link libraries that the target program depends on. The number of Gadgets searched is 12.5 times higher than that of ROPgadget, and the search time per instruction is reduced by 32.1%. Xgadget provides broader support for code reuse with different requirements, and the output is a binary Gadget, which is more direct for subsequent reuse and easy to utilize for code reuse automation.

Key words: code reuse, Gadget search, dynamic and static combination, deterministic finite automaton (DFA), binary, data-oriented programming (DOP), dynamic link library

吕建强, 付才, 何帅, 江帅, 李明, 韩兰胜. Xgadget：基于动静结合的二进制Gadget搜索[J]. 计算机工程与应用, 2024, 60(9): 299-308.

LYU Jianqiang, FU Cai, HE Shuai, JIANG Shuai, LI Ming, HAN Lansheng. Xgadget： Binary Gadget Search Method Based on Combination of Dynamic and Static Technique[J]. Computer Engineering and Applications, 2024, 60(9): 299-308.

参考文献

[1] WANG W H, HU G Y, XU X L, et al. CRAlert: hardware-assisted code reuse attack detection[J]. IEEE Transactions on Circuits and Systems II: Express Briefs, 2022, 69(3): 1607-1611.
[2] VISHNYAKOV A V, NURMUKHAMETOV A R. Survey of methods for automated code-reuse exploit generation[J]. Programming and Computer Software, 2021, 47(4): 271-297.
[3] SHACHAM H. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)[C]//Proceedings of the 2007 ACM Conference on Computer and Communications Security (CCS 2007), Alexandria, Virginia, USA, October 28-31, 2007: 552-561.
[4] SCHLOEGEL M, BLAZYTKO T, BASLER J, et al. Towards automating code-reuse attacks using synthesized gadget chains[C]//Proceedings of the Computer Security 26th European Symposium on Research, Darmstadt, Germany, October 4-8, 2021: 218-239.
[5] 彭建山, 丁大钊, 王清贤. 结合容错攻击和内存区域统计的ASLR绕过方法[J]. 计算机工程与应用, 2019, 55(2): 72-78.
PENG J S, DING D Z, WANG Q X. ASLR bypassing method combining crash-resistance and memory range statistics[J]. Computer Engineering and Applications, 2019, 55(2): 72-78.
[6] LI Y, WANG M Z, ZHANG C, et al. Finding cracks in shields: on the security of control flow integrity mechanisms[C]//ACM SIGSAC Conference on Computer and Communications Security (CCS’20), November 9-13, 2020: 1821-1835.
[7] YOO S, PARK J, KIM S, et al. In-kernel control-flow integrity on commodity OSes using ARM pointer authentication[C]//Proceedings of the 31st USENIX Security Symposium Boston, MA, USA, August 10-12, 2022: 89-106.
[8] KORUYEH E M, SHIRAZI S H A, KHASAWNEH K, et al. SpecCFI: mitigating spectre attacks using CFI informed speculation[C]//IEEE Symposium on Security and Privacy (SP’20), San Francisco, CA, USA, May 18-21, 2020: 39-53.
[9] MA H Y, LU K J, MA X J, et al. Software watermarking using return-oriented programming[C]//Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (ASIA CCS’15), Singapore, April 14-17, 2015: 369-380.
[10] BLETSCH T K, JIANG X X, FREEH V W, et al. Jump-oriented programming: a new class of code-reuse attack[C]//Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security (ASIA CCS’11), Hong Kong, China, March 22-24, 2011: 30-40.
[11] ZHANG T N, CAI M, ZHANG D M, et al. SeBROP: blind ROP attacks without returns[J]. Frontiers in Computer Science, 2022, 16(4): 164818.
[12] 邢骁, 陈平, 丁文彪, 等. BIOP: 自动构造增强型ROP攻击[J]. 计算机学报, 2014, 37(5): 1111-1123.
XING X, CHEN P, DING W B, et al. BIOP: automatic construction of enhandced ROP attack[J]. Chinese Journal of Computers, 2014, 37(5): 1111-1123.
[13] TSOUPIDI R M, LOZANO R C, BAUDRY B. Constraint-based diversification of JOP gadgets[J]. Journal of Artificial Intelligence Research, 2021, 72: 1471-1505.
[14] 彭国军, 梁玉, 张焕国, 等. 软件二进制代码重用技术综述[J]. 软件学报, 2017, 28(8): 2026-2045.
PENG G J, LIANG Y, ZHANG H G, et al. Survey on software binary code reuse technologies[J]. Journal of Software, 2017, 28(8): 2026-2045.
[15] SCHUSTER F, TENDYCK T, LIEBCHEN C, et al. Counterfeit object-oriented programming: on the difficulty of preventing code reuse attacks in C++ applications[C]//Proceedings of the IEEE Symposium on Security and Privacy (S&P), San Jose CA, USA, May 17-21, 2015: 745-762.
[16] DAVI L, LIEBCHEN C, SADEHGI A R, et al. Isomeron: code randomization resilient to (just-in-time) return-oriented programming[C]//Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, California, USA, February 8-11, 2015.
[17] 王丰峰, 张涛, 徐伟光, 等. 进程控制流劫持攻击与防御技术综述[J]. 网络与信息安全学报, 2019, 5(6): 10-20.
WANG F F, ZHANG T, XU W G, et al. Overview of control-flow hijacking attack and defense techniques for process[J]. Chinese Journal of Network and Information Security, 2019, 5(6): 10-20.
[18] 牛伟纳, 赵成洋, 张小松, 等. ROPDetector: 一种基于硬件性能计数器的ROP攻击实时检测方法[J]. 计算机学报, 2021, 44(4): 761-772.
NIU W N, ZHAO C Y, ZHANG X S, et al. ROPDetector: a real-time detection method of ROP attack based on hardware performance counter[J]. Chinese Journal of Computers, 2021, 44(4): 761-772.
[19] HU H, SHINDE S, ADRIAN S, et al. Data-oriented programming: on the expressiveness of non-control data attacks[C]//Proceedings of the IEEE Symposium on Security and Privacy (S&P), San Jose, CA, USA, May 22-26, 2016: 969-986.
[20] ISPOGLOU K K, ALBASSAM B, JAEGER, et al. Block oriented programming: automating data-only attacks[C]//Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS’18), Toronto, ON, Canada, October15-19, 2018: 1868-1882.