
MTD Techniques for Memory Protection Against Zero-Day Attacks

Adversarial and Uncertain Reasoning for Adaptive Cyber Defense

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11830))


Abstract

During the past 25 years, the arms race between attacks exploiting memory corruption and memory protection techniques has drawn tremendous attention. This book chapter gives an in-depth review of the newest research progress on applying the MTD (moving target defense) methodology to protect against memory corruption exploits. This progress also represents the current phase of the arms race from the MTD perspective. In particular, on one hand, at the frontier of defending against control-hijacking attacks, we review the shift of defense strategy from static ASLR (address space layout randomization) to dynamic ASLR. On the other hand, at the frontier of defending against data-oriented attacks, we review the shift of defense strategy from static DSLR (data structure layout randomization) to dynamic DSLR.


Notes

  1. Fine-grained ASLR also provides a certain level of effectiveness, but it can be easily circumvented by attacks such as rootkits.

  2. SALADS uses 5 as the threshold of accesses to trigger de-randomization. The reasons are explained in the evaluation of SALADS performance.


Author information


Correspondence to Ping Chen , Jun Xu or Peng Liu .


Copyright information

© 2019 Springer Nature Switzerland AG

About this chapter


Cite this chapter

Chen, P. et al. (2019). MTD Techniques for Memory Protection Against Zero-Day Attacks. In: Jajodia, S., Cybenko, G., Liu, P., Wang, C., Wellman, M. (eds) Adversarial and Uncertain Reasoning for Adaptive Cyber Defense. Lecture Notes in Computer Science, vol 11830. Springer, Cham. https://doi.org/10.1007/978-3-030-30719-6_7


  • DOI: https://doi.org/10.1007/978-3-030-30719-6_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-30718-9

  • Online ISBN: 978-3-030-30719-6

  • eBook Packages: Computer Science (R0)