Automatic fragmented layout for multi-module ROP
Cite this article: HUANG Ning, HUANG Shuguang, PAN Zulie, CHANG Chao. Automatic fragmented layout for multi-module ROP [J]. Journal of National University of Defense Technology, 2020, 42(3): 22-29.
Authors: HUANG Ning  HUANG Shuguang  PAN Zulie  CHANG Chao
Institution: College of Electronic Engineering, National University of Defense Technology, Hefei 230000, Anhui, China
Funding: National Key R&D Program of China, "Cyberspace Security" key special project (2017YFB0802905)
Abstract: Return-oriented programming (ROP) is a technique that can effectively bypass data execution prevention (DEP). By searching the code region of memory for suitable assembly instruction fragments, ROP can assemble a program that performs a specific function. Existing automatic ROP construction techniques consider only the functionality of the ROP chain and ignore the demands that the chain's layout places on the controllability of program memory, so the automatically generated ROP chains are of low practical use. To solve this problem, a symbolic-execution-based method for the automatic fragmented layout of multi-module ROP is proposed. Building on the automatic ROP construction framework Q, the method slices the ROP chain into modules; uses the symbolic execution tool S2E to dynamically analyze the program's memory state under control-flow hijacking; matches each ROP module to a corresponding controllable memory region; and constructs an ROP chain with a fragmented layout. Experiments show that, compared with existing techniques, the ROP chains generated by this method effectively lower the requirements on program memory controllability.

Keywords: data execution prevention  return-oriented programming  symbolic execution  fragmented layout
Received: 2018/11/26

Automatic fragmented layout for multi-module ROP
HUANG Ning,HUANG Shuguang,PAN Zulie,CHANG Chao.Automatic fragmented layout for multi-module ROP[J].Journal of National University of Defense Technology,2020,42(3):22-29.
Authors:HUANG Ning  HUANG Shuguang  PAN Zulie  CHANG Chao
Institution:College of Electronic Engineering, National University of Defense Technology, Hefei 230000, China
Abstract:Return-oriented programming (ROP) is a technique that is able to bypass the protection of data execution prevention (DEP). ROP can constitute a program that performs a specific function by searching for appropriate assembly instruction fragments in the memory code area. Previous methods for the automatic generation of ROP do not consider the limitation that the program memory requirement places on the layout of the ROP chain, which leads to poor practicability of the ROP. In order to solve this problem, a new method for the automatic fragmented layout of multi-module ROP based on symbolic execution was proposed. The ROP chain was divided into different modules on the basis of the automatic ROP generation framework Q; the controllability of memory was dynamically analyzed by using the symbolic execution tool S2E; the controllable memory areas for each ROP module were found, and the fragmented-layout ROP was automatically constructed. Experiments show that, compared with the previous methods, the ROP chain generated by the proposed method can effectively reduce the requirements on program memory controllability.
Keywords:data execution prevention  return-oriented programming  symbolic execution  fragmented layout