MagBox: Keep the risk functions running safely in a magic box
Future Generation Computer Systems ( IF 7.5 ) Pub Date : 2022-11-04 , DOI: 10.1016/j.future.2022.10.035
YongGang Li , GuoYuan Lin , Yeh-Ching Chung , YaoWen Ma , Yi Lu , Yu Bao

Address space layout randomization (ASLR) has been widely deployed in operating systems (OS) to hide the memory layout, which mitigates code reuse attacks (CRAs). Unfortunately, memory probing techniques can still provide attackers with enough information to bypass ASLR. Although control flow integrity (CFI) methods are not affected by code probing, they face the precision problem of control flow graphs (CFG). To make matters worse, most methods rely on the source code of the targets to be protected, which limits their ability to protect objects for which no source code is available. To solve these problems, MagBox is proposed in this paper. It identifies the risk functions that can provide gadgets for CRAs by detecting and analyzing attackers' code probing activities. If a function is probed, it is moved to a new address space. After that, the control flow transfers of that function are tracked and analyzed in real time to judge their legitimacy. Experimental results and analysis show that MagBox can mitigate CRAs while introducing only 3.4% CPU performance overhead.




Updated: 2022-11-04