Journal: 《计算机科学》 (Computer Science)

A ROP Framework Construction Method Based on Multipath Dispatching

Abstract

ROP is a popular technique for exploiting software vulnerabilities, and its contest with ROP detection techniques keeps escalating. The mainstream ROP detection tools kBouncer and ROPecker trace the execution of indirect jump instructions through the LBR register and combine this with ROP feature detection; they detect both traditional ROP and improved variants such as JOP well. Nicholas proposed a method for bypassing these defenses, but it suffers from a small number of usable gadgets and is difficult to implement. This paper proposes a ROP framework construction method based on multipath dispatching. Using three types of gadget modules, it builds a framework in which gadgets are executed in a loop; within this framework a rich set of conventional gadgets can be used to form a complete and efficient ROP attack chain. Experiments show that the method is easy to implement, can carry out complex ROP functions, and has a feature footprint small enough to bypass the mainstream ROP detection tools.
