Abstract:
Attackers exploit software vulnerabilities to hijack a program's execution flow, redirect it to malicious code or to instruction sequences that compose malicious code, and ultimately take control of the behaviour of the entire system. This kind of attack is called a control flow attack. Based on a study of how control flow attacks work, this paper proposes a method for detecting them that is based on a return address signature. When the processor executes a call instruction, the scheme first triggers a pseudo-random number generator to produce a key K, XOR-encrypts the return address being pushed onto the stack with K, and uses the MD5 algorithm to generate a signature for the encrypted return address. When the processor executes a ret instruction, it uses the MD5 algorithm in the same way to generate a signature for the encrypted return address popped from the stack. Finally, a control flow attack is detected by checking whether the signature computed at push time matches the signature computed at pop time. The experimental results show that the return address signature has good randomness and that the number of control flow instructions usable for hijacking the control flow is reduced to 81.27%, which effectively prevents control flow attacks caused by malicious tampering with the return address.
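The following Python simulation is an added example illustrating the push-time/pop-time signature check the abstract describes; it is not code from the paper. It assumes 64-bit return addresses, uses the operating system's CSPRNG (`secrets`) in place of the paper's pseudo-random number generator for the key K, keeps the push-time signatures in a separate `shadow` list that stands in for protected storage (the abstract does not say where signatures are kept), and uses MD5 because the abstract specifies it. The class and function names (`ReturnAddressSignatureMonitor`, `check_trace`, `signature_bit_distance`) and the trace format are hypothetical.

```python
import hashlib
import hmac
import secrets

ADDR_BYTES = 8                          # simulated 64-bit return addresses (assumption)
ADDR_MASK = (1 << (8 * ADDR_BYTES)) - 1


class ControlFlowViolation(Exception):
    """Raised when a popped return address no longer matches its push-time signature."""


class ReturnAddressSignatureMonitor:
    """Simulates the scheme: sign the return address on call, re-check it on ret."""

    def __init__(self, key=None):
        # Key K: the OS CSPRNG stands in for the paper's pseudo-random number
        # generator. A fixed key may be supplied to make runs reproducible.
        if key is None:
            key = int.from_bytes(secrets.token_bytes(ADDR_BYTES), "little")
        self.key = key & ADDR_MASK
        self.stack = []    # simulated program stack: memory a memory-safety bug can reach
        self.shadow = []   # push-time signatures, modelled as protected storage (assumption)

    def sign(self, ret_addr):
        """MD5 over (ret_addr XOR K), as the abstract specifies."""
        encrypted = (ret_addr ^ self.key) & ADDR_MASK
        return hashlib.md5(encrypted.to_bytes(ADDR_BYTES, "little")).digest()

    def call(self, ret_addr):
        """Processor executes 'call': push the return address and record its signature."""
        self.stack.append(ret_addr & ADDR_MASK)
        self.shadow.append(self.sign(ret_addr))

    def ret(self):
        """Processor executes 'ret': pop the address, re-sign it, compare in constant time."""
        if not self.stack:
            raise ControlFlowViolation("ret with empty call stack")
        ret_addr = self.stack.pop()
        expected = self.shadow.pop()
        if not hmac.compare_digest(self.sign(ret_addr), expected):
            raise ControlFlowViolation(f"return address 0x{ret_addr:x} was modified on the stack")
        return ret_addr


def check_trace(events, key=None):
    """Replay a trace of ('call', addr) / ('ret',) / ('tamper', addr) events.

    'tamper' models the effect of a memory-safety bug overwriting the return
    address currently on top of the stack. Returns the index of the first event
    at which the monitor raised, or None if the whole trace ran cleanly.
    """
    mon = ReturnAddressSignatureMonitor(key)
    for i, ev in enumerate(events):
        try:
            if ev[0] == "call":
                mon.call(ev[1])
            elif ev[0] == "ret":
                mon.ret()
            elif ev[0] == "tamper":
                mon.stack[-1] = ev[1] & ADDR_MASK
            else:
                raise ValueError(f"unknown event {ev!r}")
        except ControlFlowViolation:
            return i
    return None


def signature_bit_distance(addr_a, addr_b, key=None):
    """Hamming distance between the signatures of two addresses.

    A simple randomness check: neighbouring addresses should still produce
    signatures that differ in roughly half of their 128 bits.
    """
    mon = ReturnAddressSignatureMonitor(key)
    a = int.from_bytes(mon.sign(addr_a), "little")
    b = int.from_bytes(mon.sign(addr_b), "little")
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    # Constructed traces: a benign nested call sequence, and the same sequence
    # with the innermost return address overwritten before the 'ret'.
    benign = [("call", 0x401000), ("call", 0x401234), ("ret",), ("ret",)]
    tampered = [("call", 0x401000), ("call", 0x401234), ("tamper", 0xDEADBEEF), ("ret",)]
    print("benign trace violation index:", check_trace(benign))
    print("tampered trace violation index:", check_trace(tampered))
    print("signature bits differing for adjacent addresses:",
          signature_bit_distance(0x401000, 0x401001))
```

The check works only if an attacker who can overwrite the return address cannot also read K or rewrite the stored signature, which is why the simulation keeps `shadow` and `key` apart from `stack`; in the real scheme that separation is the processor's job, and the abstract's claim rests on it.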