Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/94322

| Field | Value |
|---|---|
| Title | 透過保護參數完整性以防止敏感系統呼叫之濫用 Protecting Argument Integrity to Mitigate the Abuse of Sensitive System Calls |
| Author | 曾詠琪 Yung-Chi Tseng |
| Advisor | 黎士瑋 Shih-Wei Li |
| Keywords | System Security, Operating Systems, Compiler, Memory corruption attack |
| Publication year | 2024 |
| Degree | Master's |
| Abstract | Modern applications incorporate numerous functionalities to meet diverse user needs, relying on system calls to communicate with the kernel. However, system calls also provide opportunities for attackers to compromise processes or, even worse, the entire system. For example, abusing execve can lead to privilege escalation, while mprotect can enable shellcode injection. Although recent efforts have aimed to protect control flow to prevent the abuse of system calls, studies have shown that attackers can bypass these protections without disrupting the execution flow. Therefore, in this paper, we propose a novel Argument Integrity framework that safeguards system call arguments and function pointers from hijacking. We perform static analysis of the use-def chain of system call arguments and function pointers, and create copies of them in a secure region during runtime. Additionally, we leverage a software shadow call stack to enhance the efficiency and effectiveness of argument integrity protection. By enforcing these invariants, we can effectively detect real-world CVEs and sophisticated attack scenarios. We implemented our framework as a customized LLVM compiler and a C++ runtime library. Our prototypes, tested on real-world applications, demonstrate that our approach introduces only modest overhead, specifically 1.82% on NGINX. |
| URI | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/94322 |
| DOI | 10.6342/NTU202402928 |
| Full-text license | Authorized (open access worldwide) |
| Appears in department | Department of Computer Science and Information Engineering |
Files in this item:

| File | Size | Format | |
|---|---|---|---|
| ntu-112-2.pdf | 804.79 kB | Adobe PDF | View/Open |

Items in the repository are protected by copyright, with all rights reserved, unless otherwise indicated.
