Author (Chinese): 黃建忠
Author (English): Huang, Jian Jong
Title (Chinese): EMBI:基於二進位轉譯的漏洞利用攻擊減緩機制 (EMBI: an exploit mitigation mechanism based on binary translation)
Title (English): EMBI: Exploit Mitigation based on Binary Instrumentation
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung Min
Committee members (Chinese): 許富皓, 黃育綸, 黃世昆
Degree: Master
University: 國立清華大學 (National Tsing Hua University)
Department: 資訊工程學系 (Department of Computer Science)
Student ID: 102062602
Publication year (ROC calendar): 104 (2015)
Graduation academic year: 104
Language: English
Pages: 38
Keywords (Chinese, translated): exploit; software vulnerability; information leak; ROP attack; memory corruption vulnerability
Keywords (English): exploit; vulnerability; info leak; ROP attack; memory corruption
Abstract (Chinese, translated):
In C/C++, memory corruption vulnerabilities are a serious security threat. As early as 1988, the well-known Morris worm exploited a memory corruption vulnerability in a Unix program to spread rapidly across the network. Today many operating systems ship exploit mitigation mechanisms such as ASLR (address space layout randomization) and DEP (data execution prevention), which make exploitation harder, yet at the 2015 Pwn2Own contest hackers used a buffer overflow vulnerability to compromise Google's Chrome browser; memory corruption vulnerabilities remain a security threat today. From the attacker's point of view, ASLR can be bypassed with an information leak vulnerability, and DEP can be bypassed with a ROP attack.
In this thesis we implement an exploit mitigation mechanism that blocks basic ROP attacks and information leaks. Our tool is built on binary translation technology: on Linux x86 systems we use Pin, the dynamic binary translation framework developed by Intel, to implement our exploit mitigation mechanism. Our tool can block basic ROP attacks and prevent information leaks.
Abstract (English):
Memory corruption in C/C++ is a serious computer security threat. In 1988 the Morris worm, the first computer worm, used a memory corruption bug to exploit Unix programs. Since then, operating systems have gained many exploit mitigations, such as Address Space Layout Randomization (ASLR) [1] and Data Execution Prevention (DEP) [2], which make exploitation harder. At the Pwn2Own 2015 security contest, Google Chrome, the web browser developed by Google, was compromised by exploiting a buffer overflow bug [3]. Memory corruption bugs are still a problem today. From an attacker's perspective, ASLR can be bypassed if the software has an information leak, and DEP can be bypassed using a Return-Oriented Programming (ROP) attack [4].
In this thesis, we implement an exploit mitigation tool that stops ROP attacks and protects against information leaks in order to harden binaries. Our tool is based on dynamic binary instrumentation. We use Pin [5], a dynamic binary instrumentation framework for the IA-32 and x86-64 instruction-set architectures, to implement our exploit mitigation on x86-based Linux systems. Our tool can stop basic ROP attacks and prevent information leaks.
Contents
Table of Contents i
List of Figures iii
List of Tables v
1 Introduction 1
1.1 Memory Corruption Example 1
1.1.1 Stack Buffer Overflow 2
1.1.2 Use After Free 3
1.2 Memory Corruption Mitigation 4
1.2.1 Address Space Layout Randomization (ASLR) 4
1.2.2 DEP 5
1.2.3 ASLR and DEP Bypass 6
1.2.4 Our Exploit Mitigation 7
2 Return Oriented Programming 8
2.1 ROP Gadgets 9
2.2 ROP Attack Basic Example 10
2.3 ROP and Information Disclosure 11
2.4 ROP Attack in Practice 12
3 Related Work 15
3.1 ROP Gadgets Detection 15
3.2 ROP Gadgets Randomization 16
4 Implementation 17
4.1 Dynamic Binary Instrumentation 17
4.2 Pin: A Dynamic Binary Instrumentation Tool 18
4.3 Development Environment 19
4.4 Our Exploit Mitigation Approach 20
4.4.1 Stack Pivot Detection 21
4.4.2 System Call Checker 22
4.4.3 Information Disclosure Patch 22
5 Experiment 28
5.1 Evaluation Case 28
5.2 Evaluation Result 31
5.3 Performance Analysis 32
6 Conclusion 33
6.1 Conclusion 33
6.2 Future Work 33
6.2.1 Improve Performance 33
6.2.2 Multi Platform 34
6.2.3 More Information Leakage Patch 34
References
[1] Address space layout randomization. http://pax.grsecurity.net/docs/aslr.txt.
[2] Non-executable pages design & implementation. http://pax.grsecurity.net/docs/noexec.txt.
[3] Pwn2Own 2015: Day two results. http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Pwn2Own-2015-Day-Two-results/ba-p/6722884.
[4] Erik Buchanan, Ryan Roemer, Hovav Shacham, and Stefan Savage. Return-oriented programming: Exploits without code injection. https://www.blackhat.com/presentations/bh-usa-08/Shacham/BH_US_08_Shacham_Return_Oriented_Programming.pdf.
[5] Chi-Keung Luk, Robert Cohn, Robert Muth, Harish Patil, Artur Klauser, Geoff Lowney, Steven Wallace, Vijay Janapa Reddi, and Kim Hazelwood. Pin: Building customized program analysis tools with dynamic instrumentation. In Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '05, pages 190–200, New York, NY, USA, 2005. ACM.
[6] Aleph One. Smashing the stack for fun and profit. Phrack, 7(49), November 1996.
[7] c0ntex. Bypassing non-executable-stack during exploitation using return-to-libc. http://css.csail.mit.edu/6.858/2014/readings/return-to-libc.pdf.
[8] ltrace. http://ltrace.org/.
[9] Global offset tables. http://bottomupcs.sourceforge.net/csbu/x3824.htm.
[10] proc - process information pseudo-file system. http://linux.die.net/man/5/proc.
[11] Position independent executables (PIE). https://securityblog.redhat.com/2012/11/28/position-independent-executables-pie.
[12] objdump. http://linux.die.net/man/1/objdump.
[13] ROPgadget. https://github.com/JonathanSalwan/ROPgadget.
[14] Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. Q: Exploit hardening made easy. In Proceedings of the 20th USENIX Conference on Security, SEC'11, pages 25–25, Berkeley, CA, USA, 2011. USENIX Association.
[15] Minh Tran, Mark Etheridge, Tyler Bletsch, Xuxian Jiang, Vincent Freeh, and Peng Ning. On the expressiveness of return-into-libc attacks. In Proceedings of the 14th International Conference on Recent Advances in Intrusion Detection, RAID'11, pages 121–141, Berlin, Heidelberg, 2011. Springer-Verlag.
[16] Crispin Cowan, Calton Pu, Dave Maier, Heather Hinton, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. StackGuard: Automatic adaptive detection and prevention of buffer-overflow attacks. In Proceedings of the 7th Conference on USENIX Security Symposium - Volume 7, SSYM'98, pages 5–5, Berkeley, CA, USA, 1998. USENIX Association.
[17] FreeFloat FTP 1.0 - DEP bypass with ROP. https://www.exploit-db.com/exploits/24944/.
[18] Microsoft Internet Explorer 8 - fixed col span ID full ASLR, DEP & EMET 5.1 bypass (MS12-037). https://www.exploit-db.com/exploits/35273/.
[19] Lucas Davi, Ahmad-Reza Sadeghi, and Marcel Winandy. ROPdefender: A detection tool to defend against return-oriented programming attacks. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS '11, pages 40–51, New York, NY, USA, 2011. ACM.
[20] Runtime prevention of return-oriented programming attacks. https://ropguard.googlecode.com/svn/trunk/doc/ropguard.pdf.
[21] Tyler Bletsch, Xuxian Jiang, Vince W. Freeh, and Zhenkai Liang. Jump-oriented programming: A new class of code-reuse attack. In Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS '11, pages 30–40, New York, NY, USA, 2011. ACM.
[22] Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis. Transparent ROP exploit mitigation using indirect branch tracing. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13), pages 447–462, Washington, D.C., 2013. USENIX.
[23] Yueqiang Cheng, Zongwei Zhou, Miao Yu, Xuhua Ding, and Robert H. Deng. ROPecker: A generic and practical approach for defending against ROP attacks. In 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014, 2014.
[24] Intel 64 and IA-32 architectures software developer manuals. http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-vol-3b-part-2-manual.pdf.
[25] Nicholas Carlini and David Wagner. ROP is still dangerous: Breaking modern defenses. In 23rd USENIX Security Symposium (USENIX Security 14), pages 385–399, San Diego, CA, August 2014. USENIX Association.
[26] Vasilis Pappas, Michalis Polychronakis, and Angelos D. Keromytis. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP '12, pages 601–615, Washington, DC, USA, 2012. IEEE Computer Society.
[27] Pin 2.14 user guide. https://software.intel.com/sites/landingpage/pintool/docs/71313/Pin/html/.
[28] PLDI 2007 Pin tutorial. https://software.intel.com/sites/default/files/article/256675/pldi2007-pintutorial.pdf.
[29] CVE-2013-3893. http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx.
[30] Advanced return-into-lib(c) exploits (PaX case study). http://phrack.org/issues/58/4.html.
[31] Microsoft PE and COFF specification. https://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx.
[32] CTF? WTF? https://ctftime.org/ctf-wtf/.
[33] Wiki-like CTF write-ups repository maintained by the community, 2014. https://github.com/ctfs/write-ups-2014.
[34] exploit-by-cutz.pl. https://github.com/ctfs/write-ups-2014/blob/master/hack-lu-ctf-2014/oreo/exploit-by-cutz.pl.
[35] test.py. https://rzhou.org/~ricky/hitcon2014/rsbo/test.py.
[36] time - time a simple command or give resource usage. http://linux.about.com/library/cmd/blcmdl1_time.htm.
(Full text not released for public access)