
PROLEPSIS: Binary Instrumentation Tool for Control-Flow Integrity in ARM and RISC-V

Alessandro Iandoli

PROLEPSIS: Binary Instrumentation Tool for Control-Flow Integrity in ARM and RISC-V.

Supervisors: Paolo Ernesto Prinetto, Gianluca Roascio. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2022

PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.


The Internet of Things (IoT) is an ecosystem of web-enabled smart devices (the IoT devices), implemented as embedded systems, which collect, send and act on the data they acquire from their environment. IoT has grown rapidly in recent years, leading to an increasing use of embedded systems in the everyday life of ordinary people and in the critical infrastructures of companies, such as SCADA systems. For this reason, IoT devices have become the target of cyber-attacks aimed at controlling the functionalities of the embedded system or at exfiltrating the data it handles. Typically, cyber-attacks are carried out by exploiting software vulnerabilities in the code executed by the victim system. The software applications executed by embedded systems are usually written in C/C++, which gives the developer total freedom in interacting with hardware resources, especially memory. Since memory management is entirely entrusted to the developer, memory corruption vulnerabilities such as buffer overflows or use-after-frees may be introduced into the program, and these can be exploited by an attacker to hijack the execution flow and possibly execute remote commands on the vulnerable system. Software protection techniques such as Data Execution Prevention were introduced to prevent such attacks, but nowadays Code-Reuse Attack techniques such as Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) can bypass these mechanisms. These techniques redirect the execution flow to a chain of so-called ROP/JOP gadgets. A gadget is a small piece of code (a few instructions) inside the vulnerable program image, ending either with a return or with a jump instruction that redirects the execution flow to the next gadget in the chain. The chain is built by the attacker with the aim of executing arbitrary commands on the vulnerable system.
The countermeasure to Code-Reuse Attacks is represented by Control-Flow Integrity (CFI) solutions. CFI aims to guarantee the correctness of the execution flow by retrieving the set of valid destinations for each control-flow transfer instruction and constraining that instruction to redirect the execution flow only to a destination in that set. The constraint is enforced by inserting instrumentation code at the proper locations in the program. The aim of the present thesis is to present PROLEPSIS, a tool that automatically retrieves the set of destinations for each control-flow transfer instruction through binary analysis of the program, and then instruments the program with instructions provided externally by the user, with the aim of making the program resistant to Code-Reuse Attack techniques and other attacks that hijack the execution flow of a program. The tool is written in Python and exploits the abstractions provided by the reverse-engineering framework Radare2 for program analysis. The interaction with Radare2 is carried out through the primitives provided by the r2pipe module. The tool has been integrated with two existing CFI solutions, one for the ARM platform and the other for RISC-V.
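To make the CFI policy step concrete, the following added example (not PROLEPSIS's own code, and not taken from the thesis) derives the valid-destination set of each direct call, branch and return from a constructed, r2pipe-style disassembly of a tiny ARM program, then applies the check that an inserted instrumentation stub would enforce. The addresses, sizes and the `transfer_allowed` helper are assumptions for this illustration; indirect branches, whose target sets need further analysis, are deliberately left out.

```python
# Added example: derive coarse CFI policies (valid-destination sets) from a
# constructed, radare2-style instruction list and check a transfer against them.
from collections import defaultdict

# Constructed instruction list in the shape of r2pipe's `pdj` output
# (offsets, sizes and targets are made up; "fcn_addr" is the enclosing function).
DISASM = [
    {"offset": 0x1000, "size": 4, "type": "call", "jump": 0x1100, "fcn_addr": 0x1000},  # main: bl helper
    {"offset": 0x1004, "size": 4, "type": "mov",  "fcn_addr": 0x1000},
    {"offset": 0x1008, "size": 4, "type": "call", "jump": 0x1100, "fcn_addr": 0x1000},  # main: bl helper
    {"offset": 0x100C, "size": 4, "type": "cjmp", "jump": 0x1004, "fcn_addr": 0x1000},  # main: bne loop
    {"offset": 0x1010, "size": 4, "type": "ret",  "fcn_addr": 0x1000},                  # main: bx lr
    {"offset": 0x1100, "size": 4, "type": "add",  "fcn_addr": 0x1100},                  # helper body
    {"offset": 0x1104, "size": 4, "type": "ret",  "fcn_addr": 0x1100},                  # helper: bx lr
]


def valid_destinations(disasm):
    """Map the address of each control-flow transfer to the set of addresses it may reach.

    Direct calls and branches have exactly one valid destination. A return is
    valid only to the instruction following one of the call sites of its
    function; a function nobody calls (here main) gets an empty return set.
    """
    returns_to = defaultdict(set)  # callee entry -> return addresses of its call sites
    policy = {}
    for ins in disasm:
        if ins["type"] in ("call", "jmp", "cjmp"):
            policy[ins["offset"]] = {ins["jump"]}
            if ins["type"] == "call":
                returns_to[ins["jump"]].add(ins["offset"] + ins["size"])
    for ins in disasm:
        if ins["type"] == "ret":
            policy[ins["offset"]] = set(returns_to[ins["fcn_addr"]])
    return policy


def transfer_allowed(policy, src, dst):
    """The check an instrumentation stub placed before `src` would enforce."""
    return dst in policy.get(src, set())
```

Because each function's return set is derived only from its call sites, a corrupted link register pointing at a gadget (e.g. into `helper` itself) fails the check even though the address is valid code.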

Supervisors: Paolo Ernesto Prinetto, Gianluca Roascio
Academic year: 2022/23
Publication type: Electronic
Number of Pages: 66
Degree programme: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Degree class: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Collaborating companies: UNSPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/24598