Authors: Yan Fei (严飞)[1,2], Peng Huirong (彭慧容), He Fan (何凡)[1,3], Huang Fan (黄凡)[1,2]
Affiliations: [1] Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan 430072, Hubei; [2] School of Computer Science, Wuhan University, Wuhan 430072, Hubei; [3] School of Computer Science and Technology, Wuhan University of Technology, Wuhan 430070, Hubei
Source: Journal of Wuhan University: Natural Science Edition (《武汉大学学报(理学版)》), 2017, No. 2, pp. 109-116 (8 pages)
Funding: National Natural Science Foundation of China (61272452; 61003268; 61303024); National High Technology Research and Development Program of China (863 Program) (2015AA016002); National Key Basic Research Development Program of China (973 Program) (2014CB340600); Natural Science Foundation of Jiangsu Province, Youth Fund (BK20130372)
Abstract: ROP (return-oriented programming) poses a serious threat: it can bypass data execution prevention and, combined with memory leaks and brute forcing, defeat ASLR and other existing system defense mechanisms. ROP shellcode does not satisfy the principles of temporal and spatial locality, so it affects the values of performance events such as branch mispredictions and the cache hit rate. Based on this phenomenon, this paper proposes HBROP, a ROP detection method that uses hardware performance counters (HPCs). The method has two stages: offline preprocessing and dynamic monitoring. In the offline preprocessing stage, the normal performance event values of all functions are collected and stored. In the dynamic monitoring stage, program execution is monitored with function-level instrumentation and, before a sensitive system function is called, the method checks whether the values of the same performance events for the same function have changed abnormally. Based on this method, the authors implement an HBROP experimental system. Experiments show that the eight selected performance events are good features for ROP detection and that, compared with similar work, the performance overhead is within an acceptable range.
Keywords: ROP; branch misprediction; cache hit rate; hardware performance counters
Classification number: TP309 [Automation and Computer Technology: Computer System Architecture]