
Dynamic and Secure Memory Transformation in Userspace

  • Conference paper
  • Computer Security – ESORICS 2020 (ESORICS 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12308)

Abstract

Continuous code re-randomization has been proposed as a way to prevent advanced code reuse attacks. However, recent research shows that the runtime stack can still be exploited even when integrity checks or code re-randomization protections are in place. Additionally, existing re-randomization frameworks do not achieve strong isolation, transparency and efficiency when securing the vulnerable application. In this paper we present Chameleon, a userspace framework for dynamic and secure application memory transformation. Chameleon is an out-of-band system, meaning it leverages standard userspace primitives to monitor and transform the target application's memory from an entirely separate process. We present the design and implementation of Chameleon to dynamically re-randomize the application's stack slot layout, defeating recent attacks based on stack object exploitation. The evaluation shows that Chameleon significantly raises the bar for stack-object-related attacks with only a 1.1% overhead when re-randomizing every 50 ms.


Notes

  1. This information could potentially be inferred heuristically, e.g., from a decompiler.

  2. x86-64 backends typically emit small immediate operands using a 1-byte encoding.

  3. Chameleon uses the int3 instruction.

  4. This file allows tracers to seek to arbitrary addresses in the target's address space to read/write ranges of memory.

  5. https://github.com/sashs/Ropper.


Acknowledgments

This work is supported in part by the US Office of Naval Research (ONR) under grants N00014-18-1-2022 and N00014-16-1-2711, and by NAVSEA/NEEC under grant N00174-16-C-0018.

Author information

Corresponding authors

Correspondence to Robert Lyerly, Xiaoguang Wang or Binoy Ravindran.

Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Lyerly, R., Wang, X., Ravindran, B. (2020). Dynamic and Secure Memory Transformation in Userspace. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds) Computer Security – ESORICS 2020. ESORICS 2020. Lecture Notes in Computer Science, vol 12308. Springer, Cham. https://doi.org/10.1007/978-3-030-58951-6_12

  • DOI: https://doi.org/10.1007/978-3-030-58951-6_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-58950-9

  • Online ISBN: 978-3-030-58951-6

  • eBook Packages: Computer Science (R0)