Abstract
Recent defenses against code-reuse attacks rely on information hiding and randomization as key building blocks. The underlying idea is that an attacker cannot locate the code she wants to reuse, which thwarts the attack. Current state-of-the-art defenses achieve this with concepts such as execute-only memory combined with booby traps.
In this paper, we show that an attacker can abuse symbol metadata to gain valuable information about the address space. In particular, an attacker can mimic dynamic loading and manually resolve symbol addresses. We show that this is a powerful attack vector inherent to the many applications that resolve symbols at runtime, a ubiquitous concept in today's systems. More importantly, we use this approach to resolve and reuse functions that are otherwise unavailable to an attacker because of function table randomization. To confirm the practical impact of this attack vector, we demonstrate how dynamic loading can be exploited to bypass Readactor++, the state-of-the-art defense against code-reuse attacks, despite its use of booby traps and virtual function table (vtable) randomization. Furthermore, we present a novel approach to protect symbol metadata against such attacks. Our defense, called Symtegrity, safeguards symbols from an attacker while preserving the functionality provided by the loader. It is both orthogonal to existing defenses and applicable to arbitrary binary executables. Empirical evaluation shows that our approach has an overhead of roughly 8% during application startup. At runtime, no noticeable performance impact is measured, as evident from both browser and SPEC benchmarks.
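The mechanism the abstract describes, resolving a function by hand from the ELF metadata that the loader leaves in readable memory, fits in a short program. The following C code is an added example for this page, not code from the paper or from Symtegrity, and it assumes Linux with glibc and a dynamically linked executable: it locates the loader's link_map chain through the executable's own DT_DEBUG entry, reads DT_SYMTAB, DT_STRTAB and DT_GNU_HASH (or DT_HASH) from each object's dynamic section, performs the same hash-chain lookup ld.so performs, and returns the absolute address of a named function without calling dlsym(). The names manual_resolve, lookup_in, gnu_lookup, fixup and manual_getpid_matches belong to this example only.

```c
/* Resolve an exported function by reading the ELF dynamic-linking metadata
 * that ld.so leaves in memory, i.e. by mimicking dynamic loading by hand.
 * Added example for this page (not the paper's code). Linux/glibc assumed.
 * Build: cc -O2 -Wall -o manual_resolve manual_resolve.c */
#include <elf.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hash function used by DT_GNU_HASH tables. */
static uint32_t gnu_hash(const char *s) {
    uint32_t h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}

/* glibc's ld.so rewrites the d_ptr fields of a writable dynamic section to
 * absolute addresses; a read-only one (e.g. the vDSO's) and other loaders keep
 * the link-time offset. Heuristic: an offset below the load base is not absolute. */
static ElfW(Addr) fixup(ElfW(Addr) base, ElfW(Addr) p) {
    return (base != 0 && p < base) ? base + p : p;
}

/* DT_GNU_HASH chain walk for NAME, as ld.so does it; the bloom filter is only
 * an optimisation and is skipped here. */
static const ElfW(Sym) *gnu_lookup(const uint32_t *gh, const ElfW(Sym) *symtab,
                                   const char *strtab, const char *name) {
    uint32_t nbuckets = gh[0], symoffset = gh[1], bloom_size = gh[2];
    const ElfW(Addr) *bloom = (const ElfW(Addr) *)(gh + 4);
    const uint32_t *buckets = (const uint32_t *)(bloom + bloom_size);
    const uint32_t *chain = buckets + nbuckets;
    if (nbuckets == 0) return NULL;                     /* nothing exported */
    uint32_t h = gnu_hash(name), i = buckets[h % nbuckets];
    if (i == 0 || i < symoffset) return NULL;           /* empty bucket */
    for (;; i++) {
        uint32_t hv = chain[i - symoffset];
        if ((hv | 1) == (h | 1) && strcmp(strtab + symtab[i].st_name, name) == 0)
            return &symtab[i];
        if (hv & 1) return NULL;                        /* end of chain */
    }
}

/* Look NAME up in one loaded object; returns its absolute address or NULL. */
static void *lookup_in(const struct link_map *m, const char *name) {
    const ElfW(Sym) *symtab = NULL; const char *strtab = NULL;
    const uint32_t *gh = NULL, *sysv = NULL;
    for (const ElfW(Dyn) *d = m->l_ld; d->d_tag != DT_NULL; d++) {
        ElfW(Addr) p = fixup(m->l_addr, d->d_un.d_ptr);
        switch (d->d_tag) {
        case DT_SYMTAB:   symtab = (const ElfW(Sym) *)p; break;
        case DT_STRTAB:   strtab = (const char *)p;      break;
        case DT_GNU_HASH: gh = (const uint32_t *)p;      break;
        case DT_HASH:     sysv = (const uint32_t *)p;    break;
        }
    }
    if (!symtab || !strtab) return NULL;
    const ElfW(Sym) *s = NULL;
    if (gh) {
        s = gnu_lookup(gh, symtab, strtab, name);
    } else if (sysv) {                    /* SysV hash only: nchain == symbol count */
        for (uint32_t i = 1; i < sysv[1]; i++)
            if (strcmp(strtab + symtab[i].st_name, name) == 0) { s = &symtab[i]; break; }
    }
    /* Accept a defined STT_FUNC only. An STT_GNU_IFUNC entry holds a resolver
     * address, not the implementation, so it is deliberately left unresolved. */
    if (!s || s->st_shndx == SHN_UNDEF || (s->st_info & 0xf) != STT_FUNC) return NULL;
    return (void *)(m->l_addr + s->st_value);
}

/* Reach the loader's link_map chain through our own DT_DEBUG entry, then try
 * each object in load order. No dlsym() involved. */
void *manual_resolve(const char *name) {
    const struct r_debug *rd = NULL;
    for (const ElfW(Dyn) *d = _DYNAMIC; d->d_tag != DT_NULL; d++)
        if (d->d_tag == DT_DEBUG) rd = (const struct r_debug *)d->d_un.d_ptr;
    if (!rd) return NULL;                 /* not a dynamically linked executable */
    for (const struct link_map *m = rd->r_map; m; m = m->l_next) {
        void *addr = lookup_in(m, name);
        if (addr) return addr;
    }
    return NULL;
}

/* Check: the manually resolved getpid returns the same PID as the PLT call. */
int manual_getpid_matches(void) {
    pid_t (*fn)(void) = (pid_t (*)(void))manual_resolve("getpid");
    return fn != NULL && fn() == getpid();
}

int main(void) {
    printf("getpid at %p, matches: %d\n", manual_resolve("getpid"), manual_getpid_matches());
    return 0;
}
```

The program reads the structures in-process for convenience; an exploit with an arbitrary-read primitive walks the very same chain (DT_DEBUG or a GOT entry into ld.so, then link_map, then the symbol and hash tables) from outside, which is the abstract's point: these tables are data, so execute-only code pages and booby traps in the code do not hide them, and they are exactly the metadata a defense like Symtegrity must withhold from an attacker while the loader keeps using them. Two caveats a practitioner should keep in mind are visible in the code: IFUNC symbols resolve to a resolver rather than to the implementation, and d_ptr values are only rewritten to absolute addresses where the dynamic section is writable, which the fixup() heuristic accounts for.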
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Contag, M., Gawlik, R., Pawlowski, A., Holz, T. (2018). On the Weaknesses of Function Table Randomization. In: Giuffrida, C., Bardin, S., Blanc, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2018. Lecture Notes in Computer Science, vol 10885. Springer, Cham. https://doi.org/10.1007/978-3-319-93411-2_9
DOI: https://doi.org/10.1007/978-3-319-93411-2_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-93410-5
Online ISBN: 978-3-319-93411-2
eBook Packages: Computer Science (R0)