A Framework Based on Gadget Weighted Tagging for Defending Against Code Reuse Attacks
  • English title: A Framework based on Gadget Weighted Tagging (GWT) to Protect Against Code Reuse Attacks
  • Authors: 马梦雨; 陈李维; 史岗; 孟丹
  • Authors (romanized): MA Mengyu; CHEN Liwei; SHI Gang; MENG Dan
  • Affiliations: Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences
  • Keywords: code reuse attack; gadget weighted tagging; control flow integrity
  • Journal: 信息安全学报 (Journal of Cyber Security); journal code: XAXB
  • Publication date: 2018-09-15
  • Year: 2018
  • Volume: 3
  • Issue: 05
  • Pages: 79-95 (17 pages)
  • CN: 10-1380/TN
  • Article code: XAXB201805007
  • Funding: National Natural Science Foundation of China (No. 61602469); Institute of Information Engineering, Chinese Academy of Sciences, and the State Key Laboratory of Information Security (No. Y7Z0411105)
  • Language: Chinese
Abstract
Code reuse attacks (CRAs) have become a mainstream attack technique; they can defeat a variety of defense mechanisms and pose a serious threat and challenge to computer security. This paper proposes a CRA defense framework based on Gadget Weighted Tagging (GWT). First, GWT locates every gadget in the code space that a CRA could potentially use. Second, GWT attaches a weight tag to each gadget; these weights can be configured flexibly according to the user's requirements. Finally, GWT monitors the gadgets' weight information while the program runs, and uses it to detect and defend against CRAs. In addition, by combining the idea of coarse-grained CFI, we further propose the GWT+CFI design framework; compared with basic GWT, GWT+CFI improves the precision of identifying gadget start points and reduces the number of usable gadgets. We implemented GWT and GWT+CFI using a software-based and a hardware-emulation-based approach; the results show average performance overheads of 2.31% and 3.55% respectively, and GWT can in theory defend against most CRAs, in particular those whose gadget chains are produced by automated tools.
English abstract (as published): Code reuse attacks (CRAs) have become the primary attack vector today. CRAs are able to bypass a variety of security mechanisms, so they pose a great challenge in the field of security research. In this paper, we propose Gadget Weighted Tagging (GWT), a flexible framework to protect against CRAs. First, we find all possible gadgets that can be used in CRAs. Then, we attach weighted tags to these gadgets; the weight values are configurable as needed. Finally, we monitor the weighted tag information at runtime to detect and prevent CRAs. Furthermore, by combining with rule-based CFI, GWT+CFI can precisely confirm the gadget start and greatly reduce the number of possible gadgets compared to the baseline GWT. We implement a software-based and an emulation-based hardware framework to support GWT and GWT+CFI. The results show that the average performance overheads of GWT and GWT+CFI are 2.31% and 3.55% respectively, and that GWT can defeat the majority of CRAs, especially those generated by automated tools.