Abstract
During the past 25 years, the arms race between attacks that exploit memory corruption and the memory protection techniques built to stop them has drawn tremendous attention. This book chapter gives an in-depth review of the newest research progress on applying the moving target defense (MTD) methodology to protect against memory corruption exploits. This progress also represents the current phase of the arms race from the MTD perspective. In particular, on the one hand, at the frontier of defending against control-hijacking attacks, we review the shift of defense strategy from static ASLR (address space layout randomization) to dynamic ASLR, i.e., re-randomization at runtime. On the other hand, at the frontier of defending against data-oriented attacks, we review the shift of defense strategy from static DSLR (data structure layout randomization) to dynamic DSLR.
Notes
1. Fine-grained ASLR also provides a certain level of effectiveness, but it can be easily circumvented by attacks such as rootkits.
2. SALADS uses 5 as the threshold on the number of accesses that triggers de-randomization. The reasons are explained in the evaluation of SALADS's performance.
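The shift from static to dynamic DSLR that the abstract describes, and the access threshold in note 2, are easier to reason about with a concrete model. The following C program is an added illustration written for this page; it is not SALADS's code nor any code from the chapter. It emulates data structure layout randomization with a per-instance offset table (the hypothetical `rec_t` record, its fields and sizes, and the `rec_field` accessor are all assumptions), and it applies the de-randomization rule from note 2 in the simplest possible form: once a randomized instance has been accessed `DERAND_THRESHOLD` (5) times, its fields are moved back to the canonical layout. A data-oriented overflow that assumes the canonical offsets is then run against a static layout, a randomized layout, and a randomized layout that has gone "hot".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user record: three fields, sizes in bytes (assumed for the demo). */
enum { F_NAME, F_UID, F_IS_ADMIN, NFIELDS };
static const size_t field_size[NFIELDS] = { 16, 4, 4 };
#define REC_BYTES 32          /* 24 bytes of fields plus slack so the demo overflow stays in bounds */
#define DERAND_THRESHOLD 5    /* access count that triggers de-randomization (note 2; policy simplified) */

typedef struct {
    uint8_t  mem[REC_BYTES];  /* field storage, laid out according to `off` */
    size_t   off[NFIELDS];    /* current byte offset of each field */
    unsigned accesses;        /* runtime access counter for this instance */
    int      randomized;      /* 1 while the layout differs from the canonical one */
} rec_t;

/* Canonical (compiler-declared) order: name at +0, uid at +16, is_admin at +20. */
static const int canonical[NFIELDS] = { F_NAME, F_UID, F_IS_ADMIN };

/* Derive field offsets from a slot order (order[slot] = field). */
static void apply_order(rec_t *r, const int order[NFIELDS]) {
    size_t cur = 0;
    for (int s = 0; s < NFIELDS; s++) { r->off[order[s]] = cur; cur += field_size[order[s]]; }
}

/* Move every field from the current layout into a new one. */
static void relayout(rec_t *r, const int order[NFIELDS]) {
    uint8_t tmp[REC_BYTES] = {0};
    size_t old_off[NFIELDS];
    memcpy(old_off, r->off, sizeof old_off);
    apply_order(r, order);
    for (int f = 0; f < NFIELDS; f++)
        memcpy(tmp + r->off[f], r->mem + old_off[f], field_size[f]);
    memcpy(r->mem, tmp, REC_BYTES);
}

void rec_init(rec_t *r, const int order[NFIELDS]) {
    memset(r, 0, sizeof *r);
    apply_order(r, order);                /* storage is all zero, nothing to move */
    r->randomized = memcmp(order, canonical, sizeof canonical) != 0;
}

/* Every legitimate field access goes through here.  It counts accesses and,
 * once the threshold is reached, de-randomizes the instance in place. */
uint8_t *rec_field(rec_t *r, int f) {
    if (r->randomized && ++r->accesses >= DERAND_THRESHOLD) {
        relayout(r, canonical);
        r->randomized = 0;
    }
    return r->mem + r->off[f];
}

/* Demo inspector: reads is_admin without counting as an access. */
int rec_is_admin(const rec_t *r) {
    uint32_t v;
    memcpy(&v, r->mem + r->off[F_IS_ADMIN], sizeof v);
    return v == 1;
}

/* The attacker's primitive: an unchecked 24-byte copy into `name` (a legitimate
 * pointer to the field) whose payload assumes the canonical layout, i.e. that
 * uid follows at +16 and is_admin at +20. */
void overflow_name(rec_t *r) {
    uint8_t payload[24];
    uint32_t uid = 0, admin = 1;
    memset(payload, 'A', 16);
    memcpy(payload + 16, &uid, sizeof uid);
    memcpy(payload + 20, &admin, sizeof admin);
    memcpy(rec_field(r, F_NAME), payload, sizeof payload);  /* one access, then the overrun */
}

/* Static layout: the overflow lands exactly where the attacker expects. */
int demo_static(void) {
    rec_t r; rec_init(&r, canonical);
    overflow_name(&r);
    return rec_is_admin(&r);            /* 1: is_admin flipped */
}

/* Randomized layout {is_admin, name, uid}: the same bytes spill into slack. */
int demo_randomized(void) {
    static const int perm[NFIELDS] = { F_IS_ADMIN, F_NAME, F_UID };
    rec_t r; rec_init(&r, perm);
    overflow_name(&r);
    return rec_is_admin(&r);            /* 0: is_admin sits at +0, untouched */
}

/* Same randomized layout, but the record is hot: after DERAND_THRESHOLD
 * legitimate reads it is de-randomized, and the identical overflow works again. */
int demo_hot_derandomized(void) {
    static const int perm[NFIELDS] = { F_IS_ADMIN, F_NAME, F_UID };
    rec_t r; rec_init(&r, perm);
    for (int i = 0; i < DERAND_THRESHOLD; i++) rec_field(&r, F_UID);
    overflow_name(&r);
    return rec_is_admin(&r);            /* 1: canonical offsets are back */
}

int main(void) {
    printf("static layout:        attack %s\n", demo_static() ? "succeeds" : "fails");
    printf("randomized layout:    attack %s\n", demo_randomized() ? "succeeds" : "fails");
    printf("hot, de-randomized:   attack %s\n", demo_hot_derandomized() ? "succeeds" : "fails");
    return 0;
}
```

The third scenario is the caveat a practitioner should take from note 2: an access-count-based de-randomization policy trades protection for performance exactly on the instances that are touched most, so the threshold is a security parameter and not only a tuning knob. The demo's fixed permutation and the per-instance counter are simplifications; the chapter's own description of how SALADS selects layouts and applies the threshold should be consulted for the real design.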
References
Arrays of length of zero. http://gcc.gnu.org/onlinedocs/gcc/Zero-length.html
Openssh benchmark. http://blog.famzah.net/2010/06/11/openssh-ciphers-performance-benchmark/
SPEC CPU benchmark suite (2000). http://www.spec.org/cpu2000/
Gimple (2015). https://gcc.gnu.org/onlinedocs/gccint/GIMPLE.html
Backes, M., Nürnberger, S.: Oxymoron: making fine-grained memory randomization practical by allowing code sharing. In: USENIX Security Symposium (Security 2014) (2014)
Bhatkar, S., Duvarney, D.C., Sekar, R.: Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In: USENIX Security Symposium (Security 2003) (2003)
Bhatkar, S., Sekar, R., DuVarney, D.C.: Efficient techniques for comprehensive protection from memory error exploits. In: USENIX Security Symposium (Security 2005) (2005)
Bigelow, D., Hobson, T., Rudd, R., Streilein, W., Okhravi, H.: Timely rerandomization for mitigating memory disclosures. In: Proceedings of the 22nd Conference on Computer and Communications Security (CCS 2015) (2015)
Bittau, A., Belay, A., Mashtizadeh, A., Mazières, D., Boneh, D.: Hacking blind. In: 2014 IEEE Symposium on Security and Privacy, Oakland (2014)
Bletsch, T., Jiang, X., Freeh, V.W., Liang, Z.: Jump-oriented programming: a new class of code-reuse attack. In: ACM Symposium on Information, Computer and Communications Security (ASIACCS 2011) (2011)
Castro, M., Costa, M., Harris, T.: Securing software by enforcing data-flow integrity. In: Proceedings of the 7th Symposium on Operating Systems Design and Implementation (OSDI 2006) (2006)
Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., Winandy, M.: Return-oriented programming without returns. In: ACM Conference on Computer and Communications Security (CCS 2010) (2010)
Chen, H., Mao, Y., Wang, X., Zhou, D., Zeldovich, N., Kaashoek, M.F.: Linux kernel vulnerabilities: state-of-the-art defenses and open problems. In: Proceedings of the Second Asia-Pacific Workshop on Systems (2011)
Chen, P., et al.: What you see is not what you get! thwarting just-in-time ROP with chameleon. In: 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 451–462. IEEE (2017)
Chen, P., Xu, J., Lin, Z., Xu, D., Mao, B., Liu, P.: A practical approach for adaptive data structure layout randomization. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 69–89. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_4
Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.K.: Non-control-data attacks are realistic threats. In: Proceedings of the 14th Conference on USENIX Security Symposium (Security 2005), vol. 5 (2005)
Chen, Y., Wang, Z., Whalley, D., Lu, L.: Remix: on-demand live randomization. In: Proceedings of the 6th ACM Conference on Data and Application Security and Privacy (CODASPY 2016) (2016)
Crane, S., et al.: Readactor: practical code randomization resilient to memory disclosure. In: 2015 IEEE Symposium on Security and Privacy, Oakland (2015)
CVE-2001-0144. SSH CRC-32 compensation attack detector (2001). http://www.securityfocus.com/bid/2347/discuss
CVE-2002-0656. Apache openSSL heap overflow exploit (2002). http://www.phreedom.org/research/exploits/apache-openssl/
Davi, L., Liebchen, C., Sadeghi, A.-R., Snow, K.Z., Monrose, F.: Isomeron: code randomization resilient to (just-in-time) return-oriented programming. In: Network and Distributed System Security Symposium (NDSS 2015) (2015)
Dyninst. Dyninst programmer’s guide (2013). www.dyninst.org/sites/default/files/manuals/dyninst/DyninstAPI.pdf
Gionta, J., Enck, W., Ning, P.: HideM: protecting the contents of userspace memory in the face of disclosure vulnerabilities. In: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy (CODASPY 2015) (2015)
Giuffrida, C., Kuijsten, A., Tanenbaum, A.S.: Enhanced operating system security through efficient and fine-grained address space randomization. In: USENIX Conference on Security Symposium (Security 2012) (2012)
Göktas, E., Athanasopoulos, E., Bos, H., Portokalidis, G.: Out of control: overcoming control-flow integrity. In: 2014 IEEE Symposium on Security and Privacy, Oakland (2014)
Hiser, J., Nguyen-Tuong, A., Co, M., Hall, M., Davidson, J.W.: ILR: where’d my gadgets go? In: 2012 IEEE Symposium on Security and Privacy, Oakland (2012)
Hu, H., Chua, Z.L., Adrian, S., Saxena, P., Liang, Z.: Automatic generation of data-oriented exploits. In: Proceedings of the 24th USENIX Security Symposium (Security 2015) (2015)
Hu, H., Shinde, S., Adrian, S., Chua, Z.L., Saxena, P., Liang, Z.: Data-oriented programming: on the expressiveness of non-control data attacks. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 969–986. IEEE (2016)
Kil, C., Jun, J., Bookholt, C., Xu, J., Ning, P.: Address space layout permutation (ASLP): towards fine-grained randomization of commodity software. In: Annual Computer Security Applications Conference (ACSAC 2006) (2006)
Lin, Z., Riley, R.D., Xu, D.: Polymorphing software by randomizing data structure layout. In: Flegel, U., Bruschi, D. (eds.) DIMVA 2009. LNCS, vol. 5587, pp. 107–126. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02918-9_7
Lu, K., Nürnberger, S., Backes, M., Lee, W.: How to make ASLR win the clone wars: runtime re-randomization. In: Proceedings of the 23rd Annual Network and Distributed System Security Symposium (NDSS 2016) (2016)
Microsoft. A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2 (2008). http://support.microsoft.com/kb/875352
Pappas, V., Polychronakis, M., Keromytis, A.D.: Smashing the gadgets: hindering return-oriented programming using in-place code randomization. In: 2012 IEEE Symposium on Security and Privacy, Oakland (2012)
Schwartz, E.J., Avgerinos, T., Brumley, D.: Q: exploit hardening made easy. In: USENIX Conference on Security (Security 2011) (2011)
Seibert, J., Okhravi, H., Söderström, E.: Information leaks without memory disclosures: remote side channel attacks on diversified code. In: ACM SIGSAC Conference on Computer and Communications Security (CCS 2014) (2014)
Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: ACM Conference on Computer and Communications Security (CCS 2007) (2007)
Snow, K.Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., Sadeghi, A.-R.: Just-in-time code reuse: on the effectiveness of fine-grained address space layout randomization. In: 2013 IEEE Symposium on Security and Privacy, Oakland (2013)
Song, C., Lee, B., Lu, K., Harris, W.R., Kim, T., Lee, W.: Enforcing kernel security invariants with data flow integrity. In: Proceedings of the 2016 Network and Distributed System Security Symposium (NDSS 2016) (2016)
Stanley, D.M., Xu, D., Spafford, E.H.: Improved kernel security through memory layout randomization. In: International Performance Computing and Communications Conference (IPCCC 2013) (2013)
Strackx, R., et al.: Breaking the memory secrecy assumption. In: Second European Workshop on System Security (2009)
Tang, A., Sethumadhavan, S., Stolfo, S.: Heisenbyte: thwarting memory disclosure attacks using destructive code reads. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS 2015) (2015)
PaX Team. PaX address space layout randomization (ASLR) (2003). http://pax.grsecurity.net/docs/aslr.txt
PaX Team. PaX non-executable pages design & implementation (2003). http://pax.grsecurity.net/docs/noexec.txt
Wartell, R., Mohan, V., Hamlen, K., Lin, Z.: Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In: ACM Conference on Computer and Communications Security (CCS 2012) (2012)
Xin, Z., Chen, H., Han, H., Mao, B., Xie, L.: Misleading malware similarities analysis by automatic data structure obfuscation. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 181–195. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-18178-8_16
Xu, J., Kalbarczyk, Z., Iyer, R.K.: Transparent runtime randomization for security. In: International Symposium on Reliable Distributed Systems (SRDS 2003) (2003)
Zhang, M., Sekar, R.: Control flow integrity for COTS binaries. In: USENIX Conference on Security (Security 2013) (2013)
Zhang, Y., Juels, A., Reiter, M.K., Ristenpart, T.: Cross-VM side channels and their use to extract private keys. In: ACM Conference on Computer and Communications Security (CCS 2012) (2012)
© 2019 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Chen, P. et al. (2019). MTD Techniques for Memory Protection Against Zero-Day Attacks. In: Jajodia, S., Cybenko, G., Liu, P., Wang, C., Wellman, M. (eds) Adversarial and Uncertain Reasoning for Adaptive Cyber Defense. Lecture Notes in Computer Science, vol 11830. Springer, Cham. https://doi.org/10.1007/978-3-030-30719-6_7
DOI: https://doi.org/10.1007/978-3-030-30719-6_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-30718-9
Online ISBN: 978-3-030-30719-6
eBook Packages: Computer Science (R0)