Authors: LI Yong-Gang, CHUNG Yeh-Ching, ZHENG Yi-Jian, LIN Guo-Yuan[1], BAO Yu[1] (Department of Information Security, School of Computer Science, China University of Mining and Technology, Xuzhou, Jiangsu 221116; School of Data Science, Chinese University of Hong Kong (Shenzhen), Shenzhen, Guangdong 518172)
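Affiliations: [1] Department of Information Security, School of Computer Science, China University of Mining and Technology, Xuzhou, Jiangsu 221116; [2] School of Data Science, Chinese University of Hong Kong (Shenzhen), Shenzhen, Guangdong 518172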
Source: Chinese Journal of Computers (《计算机学报》), 2024, No. 6, pp. 1372-1392, 21 pages
Funding: Supported by the Fundamental Research Funds for the Central Universities (2023QN1078).
Abstract: Code reuse attacks are one of the main threats to control flow security. Although address space layout randomization can mitigate such attacks, it can be bypassed by code probes. In contrast, control flow integrity methods offer better protection. However, existing methods either rely on source code analysis or track all control flows throughout the entire life cycle of the target process. The former cannot protect closed-source objects, while the latter introduces significant runtime overhead. To address these issues, this paper proposes a control flow protection method, MCE (Micro Code Extraction). The protection targets of MCE are closed-source objects whose source code is unavailable. Compared with existing methods, MCE does not blindly track all control flow transfer activities. It detects code probes in real time and takes only the probed code as its protection target. MCE then extracts the code snippets with potential risks to further reduce the size of the target object. Finally, all control flows that jump into the risk code are tracked and checked to ensure their legitimacy. Experiments and analysis show that MCE provides good protection against code probes and code reuse attacks, and introduces only 2% CPU overhead in general scenarios.
Keywords: code probing; code reuse attack; control flow hijacking; code extraction; memory access control
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]