Degree: Master's (碩士)
University: 國立中正大學
Institute: 資訊工程研究所
Year: 107 (ROC calendar)

Summary: In the arms race between protection and exploitation of memory corruption, the return-to-dl-resolve exploit gives attackers another way to invoke arbitrary library functions. This technique later evolved into a powerful exploit with the help of Return Oriented Programming (ROP). Recently, return-to-dl-resolve has even been shown to bypass common protections such as Address Space Layout Randomization (ASLR) and RELocation Read Only (RELRO). Two underlying problems make this possible: out-of-bounds indexing of relocation entries, and linking information structures that remain accessible to the attacker. Recent mitigation strategies rely on compiler assistance or eager binding. The compiler-based strategies focus on protecting individual binaries because the dynamic linker itself may not be secure enough. In this work, we present a lightweight protection mechanism against abuse of dynamic function resolving. Our solution adds boundary checking and hides the linking information structures, so that the dynamic linker cannot be made to resolve functions through forged structures. Compared with eager binding, our solution is more flexible with respect to binding, supporting both partial RELRO and full RELRO. The solution is deployed quickly and preserves modularity by hardening the dynamic linker itself, and its performance overhead is negligible.
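The first of the two problems named above, out-of-bounds indexing of relocation entries, is what a boundary check in the resolver addresses. The following is an added illustration written for this page, not code from the thesis or from glibc: it models, in a few lines, the check a hardened `_dl_fixup` could apply to the relocation argument before it dereferences anything derived from it. The `LinkInfo` struct, the `Rela64` type, the function names and the sample table are all assumptions; it follows the x86-64 convention where the PLT passes an entry index (not a byte offset), and it assumes the loader already knows the number of dynamic symbols (in a real loader that count comes from `DT_GNU_HASH`/`DT_HASH` or section headers, which this model does not parse).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for Elf64_Rela (same layout as in <elf.h>; redefined so the
 * example compiles without it). */
typedef struct {
    uint64_t r_offset;
    uint64_t r_info;   /* high 32 bits: symbol index, low 32 bits: type */
    int64_t  r_addend;
} Rela64;

/* Hypothetical view of the link_map fields the check needs:
 * DT_JMPREL (table base), DT_PLTRELSZ (table size in bytes) and the
 * number of .dynsym entries (assumed to be known to the loader). */
typedef struct {
    const Rela64 *jmprel;
    size_t        pltrelsz;
    size_t        nsyms;
} LinkInfo;

/* Returns nonzero if reloc_arg selects a genuine entry of .rela.plt.
 * This is the boundary check that defeats an attacker-chosen index
 * pointing past the table into attacker-controlled memory. */
int reloc_index_in_bounds(const LinkInfo *l, uint64_t reloc_arg)
{
    if (l->pltrelsz % sizeof(Rela64) != 0)   /* malformed table */
        return 0;
    return reloc_arg < l->pltrelsz / sizeof(Rela64);
}

/* Second guard: the symbol index packed into r_info must also address
 * a real .dynsym entry, otherwise the resolver would read a forged
 * Elf64_Sym and, through it, a forged name string. */
int reloc_symbol_in_bounds(const LinkInfo *l, uint64_t reloc_arg)
{
    if (!reloc_index_in_bounds(l, reloc_arg))
        return 0;
    uint32_t symidx = (uint32_t)(l->jmprel[reloc_arg].r_info >> 32);
    return symidx < l->nsyms;
}

/* Combined validation, applied before any linking structure derived
 * from reloc_arg is dereferenced. */
int fixup_args_are_valid(const LinkInfo *l, uint64_t reloc_arg)
{
    return reloc_symbol_in_bounds(l, reloc_arg);
}

/* Constructed sample: a 4-entry .rela.plt for a binary with 4 dynamic
 * symbols. Entry 3 deliberately names symbol 9, which does not exist. */
static const Rela64 sample_jmprel[4] = {
    { 0x4018, ((uint64_t)1 << 32) | 7, 0 },
    { 0x4020, ((uint64_t)2 << 32) | 7, 0 },
    { 0x4028, ((uint64_t)3 << 32) | 7, 0 },
    { 0x4030, ((uint64_t)9 << 32) | 7, 0 },
};

LinkInfo sample_link(void)
{
    LinkInfo l = { sample_jmprel, sizeof sample_jmprel, 4 };
    return l;
}

int main(void)
{
    LinkInfo l = sample_link();
    uint64_t probes[] = { 0, 2, 3, 4, 0x10000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("reloc_arg %#llx: %s\n", (unsigned long long)probes[i],
               fixup_args_are_valid(&l, probes[i]) ? "accepted" : "rejected");
    return 0;
}
```

The two checks are deliberately separate: the first rejects an index outside `.rela.plt`, the second rejects a relocation whose symbol index lies outside `.dynsym`. Both are needed, because an in-bounds relocation entry can still point at an out-of-bounds symbol. Hiding the linking structures, the other half of the mechanism described in the summary, is a separate measure and is not modelled here.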