Ares：一个稳健的实时编译引擎保护系统

doi:10.7523/jssn.2095-6134.2014.02.018

中国科学院大学学报 ›› 2014, Vol. 31 ›› Issue (2): 267-275.DOI: 10.7523/jssn.2095-6134.2014.02.018

Ares：一个稳健的实时编译引擎保护系统

朱若宇¹, 张玉清^1,2, 燕敬博¹

1. 西安电子科技大学综合业务网理论及关键技术国家重点实验室, 西安 710071;
2. 中国科学院大学国家计算机网络入侵防范中心, 北京 100049

收稿日期:2013-02-01 修回日期:2013-05-24 发布日期:2014-03-15
通讯作者: 张玉清，E-mail：zhangyq@nipc.org.cn
基金资助:
Supported by National Natural Science Foundation of China(61272481) and National Natural Science Foundation of Beijing(4122089)

Ares：a robust protection system for just-in-time engines

ZHU Ruoyu¹, ZHANG Yuqing^1,2, YAN Jingbo¹

1. Key Lab of Computer Networks and Information Security of Ministry of Education, Xidian University, Xi'an 710071, China;
2. National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing 100049, China

Received:2013-02-01 Revised:2013-05-24 Published:2014-03-15
Supported by:
Supported by National Natural Science Foundation of China(61272481) and National Natural Science Foundation of Beijing(4122089)

摘要/Abstract

摘要：

JIT（实时）编译技术可以大大提高代码执行效率. 目前大部分浏览器以及 Java，Perl，Ruby，Flash都采用JIT技术提高性能. 但是，JIT引擎为了达到较高的执行效率，将具有读写可执行权限的对象分配到可预期的偏移位置. 这违背了数据执行保护以及随机地址分配的保护措施. 我们分析了两个现有的JIT引擎保护工具. 基于本文的分析，设计与实现了JIT引擎保护工具Ares. Ares不需要修改JIT引擎源码，使JIT引擎免受现有各种针对JIT引擎的攻击. 实验证明其时间与内存开销在可接受范围内.

关键词: 实时编译引擎, 随机地址分配, 数据执行保护, 防范工具

Abstract:

JIT(just-in-time) compilation technique improves the efficiency of code execution. In almost all web browsers as well as Java, Perl, Python, Ruby and Flash, JIT is implemented into their already complex code base. However, for high effectiveness, JIT engines allocate memory with RWX (readable, writable, and executable) permissions to predictable offsets, which goes against DEP (data execution prevention) and ASLR (address space layout randomization). We first analyze two existed JIT defense tools and show the defects of them. Based on our analysis, we design and implement an approach named Ares to protect JIT engines from normal JIT-based attack without modifying JIT engines' source code. Experiments show that our approach guarantees the safety of JIT compilation and the overhead is acceptable.

Key words: JIT (just-in-time) compilation engine, ASLR, DEP, defense tools

中图分类号:

TP393

朱若宇, 张玉清, 燕敬博. Ares：一个稳健的实时编译引擎保护系统[J]. 中国科学院大学学报, 2014, 31(2): 267-275.

ZHU Ruoyu, ZHANG Yuqing, YAN Jingbo. Ares：a robust protection system for just-in-time engines[J]. , 2014, 31(2): 267-275.

参考文献

[1] Blazakis D. Interpreter exploitation[C]//WOOT'10: The USENIX Workshop on Offensive Technologies. Washington, 2010.

[2] US-CERT/NIST. Mozilla firefox and seamonkey 'nsDOMAttribute' use-after-free memory corruption vulnerability[DB/OL].(2010-12-10)[2013-01-15].http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3766.

[3] Crispin C, Calton P, Dave M, et al. StackGuard: automatic adaptive detection and prevention of buffer-overow attack[C]//USENIX'98: USENIX Security Symposium. San Antonio, 1998.

[4] Bhatkar E, Duvarney D, Sekar R. Address obfuscation: an efficient approach to combat a broad range of memory error exploits[C]//USENIX'03: USENIX Security Symposium. Washington, 2003: 105-120.

[5] Groef W, Nikiforakis N, Younan Y, et al. Jitsec: Just-in-time security for code injection attack[C]//WiSec'10: Benelux Workshop on Information and System Security. New Jersey, 2010: 1-15.

[6] Chen P, Fang Y, Mao B, et al. JITDefender: a defense JIT spraying attack[J]. IFIP Advances in Information and Communication Technology, 2011, 354: 142-153.

[7] Microsoft. The enhanced mitigation experience toolkit[DB/OL].(2011-06-12)[2013-01-15].http://support.microsoft.com/kb/2458544.

[8] Wiki. Just-in-time compilation[EB/OL].(2012-02-11)[2012-12-30].http://en.wikipedia.org/wiki/Just-in-time_compilation.

[9] CWE. Compiler optimization removal or modification of security-critical code[DB/OL].(2008-10-01)[2012-12-25]. http://cwe.mitre.org/data/definitions/733.html.

[10] Novark G, Berger D.E. DieHarder: securing the heap[C]//CCS'10: The ACM conference on Computer and communications security. New York, 2010: 573-584.

[11] Emery D, Berger D.E, Benjamin G. DieHard: probabilistic memory safety for unsafe languages[C]//PLDI'06: ACM SIGPLAN 2006 Conference on Programming Language Design and Implementation. Ottawa, Canada, 2006: 158-168.

[12] Dhurjati D, Adve V. Eciently detecting all dangling pointer uses in production servers[C]//DSN'06: The International Conference on Dependable Systems and Networks. Philadelphia, PA, USA, 2006: 269-280.

[13] Akritidis P. Cling: A memory allocator to mitigate dangling pointers[C]//USENIX Security'10: The 19th USENIX conference on Security. Berkeley, CA, USA, 2010.

[14] Rjati D, Kowshik S, Adve V, et al. Memory safety without runtime checks or garbage collection[C]//LCTES'03: The ACM SIGPLAN Conference on Language, Compiler and Tool for Embedded Systems. San Diego, CA, USA, 2003: 69-80.

[15] Rohlf C, Yan I. Attacking clientside JIT compilers[C]//Black Hat Technical Security Conference. USA, 2011.

[16] Berger E D, Zorn B G. DieHard: probabilistic memory safety for unsafe languages[C]//PLDI '06: Programming Language Design and Implementation. Ottawa, CA, 2006: 158-168.

[17] Dhurjati D, Kowshik S, Adve V, et al. Memory safety without runtime checks or garbage collection[C]//LCTES '03: The ACM SIGPLAN Conference on Language, Compiler, and Tool for Embedded Systems. San Diego, CA, USA, 2003: 69-80.

[18] Designer S. "return-to-libc"attack. Bugtraq mailing list, 1997.

[19] Sintsov A. Oracle document capture (EasyMail Objects EMSMTP.DLL 6.0.1) activeX control BOF-JIT-spray exploit[DB/OL]. (2010-05-03)[2013-01-10]. http://dsecrg.com/pages/expl/show.php?id=28.

[20] Sintsov A. JIT spraying attack on safari[DB/OL].(2010-05-15)[2013-01-05]. http://www.exploit-db.com/exploits/12614/.

Ares：一个稳健的实时编译引擎保护系统

Ares：a robust protection system for just-in-time engines

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

访问统计

联系我们

[1]	戴志明, 周明拓, 杨旸, 李剑, 刘军. 智能工厂中的雾计算资源调度[J]. 中国科学院大学学报, 2021, 38(5): 702-711.
[2]	刘婷, 罗喜良. 移动边缘计算中的在线任务卸载方法[J]. 中国科学院大学学报, 0, (): 21542-21542.
[3]	朱兆伟, 刘婷, 钱骅, 罗喜良. 非稳态雾赋能网络中的在线任务卸载方法[J]. 中国科学院大学学报, 2020, 37(5): 699-707.
[4]	赖训飞, 梁旭文, 谢卓辰, 李宗旺. 基于实体嵌入和长短时记忆网络的入侵检测方法[J]. 中国科学院大学学报, 2020, 37(4): 553-561.
[5]	赵择, 徐佑宇, 唐亮, 卜智勇. 基于改进一对一算法的网络流量分类[J]. 中国科学院大学学报, 2020, 37(4): 570-576.
[6]	薛开平, 柳彬, 李威, 洪佩琳. 一种面向未知链路帧的格式特征提取与分类算法[J]. 中国科学院大学学报, 2018, 35(4): 521-528.
[7]	田洁, 王伟强, 孙翼. 一种免除二值化的视频叠加中文字符识别方法[J]. 中国科学院大学学报, 2018, 35(3): 402-408.
[8]	叶延玲, 傅晓彤, 张玉清, 乐洪舟. 一种自动化的Android应用定向行为测试方法[J]. 中国科学院大学学报, 2018, 35(3): 409-416.
[9]	严志涛, 方滨兴, 刘奇旭, 崔翔. 一种基于无线路由器的IoT设备轻量级防御框架[J]. 中国科学院大学学报, 2017, 34(6): 759-770.
[10]	王开泳, 邓羽. 基于微博数据的中原城市群空间联系强度测度[J]. 中国科学院大学学报, 2016, 33(6): 775-782.
[11]	闫淑筠, 王文杰, 张玉清. 一种有效的Web指纹识别方法[J]. 中国科学院大学学报, 2016, 33(5): 679-685.
[12]	侯金钟, 张立波, 罗铁坚. 一种均衡视频资源的分布存储方法[J]. 中国科学院大学学报, 2016, 33(5): 686-692.
[13]	曹来成, 赵建军, 崔翔, 李可. 基于余弦测度下K-means的网络空间终端设备识别[J]. 中国科学院大学学报, 2016, 33(4): 562-569.
[14]	吴敬征, 武延军, 武志飞, 杨牧天, 罗天悦, 王永吉. 基于有向信息流的Android隐私泄露类恶意应用检测方法[J]. 中国科学院大学学报, 2015, 32(6): 807-815.
[15]	董颖, 张玉清, 乐洪舟. Joomla内容管理系统漏洞利用技术[J]. 中国科学院大学学报, 2015, 32(6): 825-835.