ARMv8 ROP shellcode复杂控制流构造  

作　　者：赵利军 董莎莎 Zhao Lijun;Dong Shasha(Military Theoretical Innovation and Operational Experiment Center,Army Engineering University,Xuzhou 221000,Jiangsu,China)

机构地区：[1]陆军工程大学军事理论创新与作战实验中心,江苏徐州221000

出　　处：《计算机应用与软件》2019年第5期225-230,共6页Computer Applications and Software

摘　　要：一个复杂的ROP shellcode从语义层面经常会用到循环和递归等控制流形式。条件跳转控制流gadget是循环和递归等控制结构的基础。然而ARMv7指令集中的间接条件跳转指令在ARMv8指令集中已经不再存在。ARMv8指令集中的条件跳转指令的目标地址的偏移已经被硬编码,不能被使用,所以ARMv8架构下只能通过无条件跳转gadget的重复使用实现循环和递归。这不仅执行效率低,而且浪费了大量的内存空间。基于上述问题,对ARMv7架构的条件跳转gadget进行了分析,提出一种ARMv8架构基于CMP指令和CSEL指令gadget构造条件跳转gadget方法。不仅解决了ARMv7架构基于间接条件跳转指令gadget构造ROP shellcode复杂控制流的方法在ARMv8架构中不再适用的问题,而且通过实验证明了与无条件跳转gadget方法相比,节省了大量的内存空间。Control-flow form such as loops and recursion is often used for a complex ROP shellcode at the semantic level.Conditional jump control flow gadget is the foundation of control structures such as loops and recursion.However,the indirect conditional jump instructions in the ARMv7 instruction set no longer exist in the ARMv8 instruction set.The target address offset of conditional jump instructions in the ARMv8 instruction set has been hard-coded and cannot be used.Therefore,only by the reuse of unconditional jump gadget can cycle and recursion achieved,which is inefficient to execute and wastes a lot of memory space.To solve the above problems,we analyzed the conditional jump gadget in ARMv7 architecture,and proposed a method of constructing conditional jump gadget based on CMP instruction and CSEL instruction gadget in ARMv8 architecture.It could solve the problem that the method of constructing complex control flow of ROP shellcode based on indirect conditional jump instruction gadget in ARMv7 architecture was no longer applicable in ARMv8 architecture.It is proved by experiments that this method can save a lot of memory space compared with unconditional jump gadget method.

关 键 词：ROP SHELLCODE ARMv8 控制流语义 CMP GADGET CSEL GADGET 

分 类 号：TP309.[自动化与计算机技术—计算机系统结构]