Abstract—

Today, a code reuse technique is often used when exploiting software vulnerabilities, such as a buffer overflow. These attacks bypass the protection against execution of code in the stack, which is implemented on the hardware and software levels in modern information systems. The attacks are based on finding suitable sections of executable code–gadgets–in the vulnerable program and linking these gadgets into chains. The article proposes a method to protect applications against code reuse attacks. The method is based on detecting properties that distinguish between chains of gadgets and typical chains of legitimate program basic blocks. The appearance of an atypical chain of basic blocks during program execution may indicate the execution of a malicious code. One of the properties of a chain of gadgets is that at the end of the chain a special processor instruction used to call a function of the operating system is executed. Experiments are carried out for the x86/64 Linux operating system which show the importance of this property for detecting malicious code execution. An algorithm for identifying atypical chains is developed which makes it possible to detect all currently known code reuse techniques.

中文翻译：

---

关于检测代码重用攻击

摘要-

如今，在利用软件漏洞（例如缓冲区溢出）时，经常使用代码重用技术。这些攻击绕过了防止堆栈中的代码执行的保护，该保护是在现代信息系统中的硬件和软件级别上实现的。攻击的基础是在易受攻击的程序中找到适当的可执行代码部分（小工具），并将这些小工具链接到链中。本文提出了一种保护应用程序免受代码重用攻击的方法。该方法基于检测区分小工具链和合法程序基本块的典型链的属性。在程序执行过程中出现的非典型基本块链可能表示恶意代码的执行。小工具链的特性之一是，在链的末尾执行用于调用操作系统功能的特殊处理器指令。针对x86 / 64 Linux操作系统进行了实验，这些实验表明此属性对于检测恶意代码执行的重要性。开发了一种用于识别非典型链的算法，该算法可以检测所有当前已知的代码重用技术。