Translated Titles

Compiler-based approach to protect return address



Key Words

stack-based buffer overflow ; return address protection ; compiler-based




Chinese Abstract

Stack-based buffer overflow attacks have long been one of the headaches of software security. To date there is still no effective way to suppress them; the only option is to rely on compiler and operating-system support to make the program's runtime state behave like a black box, so that an attacker cannot obtain the information needed to exploit a weakness and carry out an attack. This thesis focuses on protecting the return address. Its core idea is to prevent the return address from being overwritten by malicious data, thereby keeping an attacker from taking control of the instruction pointer (IP) to alter the program's control flow. Experimental results show that the protection method proposed in this thesis reliably protects the return address on the stack from being overwritten by malicious data, and thus improves the security of the program itself.

English Abstract

Stack-based buffer overflow attacks have been one of the toughest problems in software security, and there is still no solution that eliminates them. Existing mitigations can only make the program's runtime behave like a black box, so that an attacker cannot gather the information needed to exploit a vulnerability. In this paper we provide a compiler-based solution that prevents a stack-based buffer overflow from overwriting a function's return address. Preventing the return address from being overwritten means control flow cannot be hijacked, which preserves the integrity of the program. Experiments show that the proposed approach effectively protects the return address in the stack, resulting in more secure software.

Topic Category Basic and Applied Sciences > Information Science
College of Electrical Engineering and Computer Science > Department of Computer Science and Information Engineering