Abstract
Software vulnerabilities are a serious threat to the security of information systems. Any software written in C/C++ contains a considerable number of vulnerabilities. Some of them can be used by attackers to seize control of the system. In this paper, to counteract such vulnerabilities, we propose to use compiler transformations: function reordering by permutation within a module, insertion of additional local variables into the function's stack, and local variable hashing on the stack. These transformations are used to generate a diversified population of executable files of the application being compiled. Such an approach, for example, complicates the planning of ROP attacks on the entire population. Having obtained a single executable file, the attacker can create a ROP exploit that works only for this version of the application. The other executable files of the population will remain insensitive to this attack.
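The population argument in the abstract can be checked on a toy model. The following is an added example, not code from the paper: it models only the function-reordering transformation, and the function names, sizes, gadget offsets and base address are all constructed. It enumerates every function order of a six-function module and counts the variants in which a chain built against the source-order binary would still find all of its gadgets at the same addresses.

```python
from itertools import permutations

BASE = 0x401000  # constructed load address of the module's code

# Constructed module: (function name, code size in bytes), in source order.
FUNCTIONS = [("init", 0x40), ("parse", 0x120), ("auth", 0x90),
             ("log", 0x30), ("copy_buf", 0x70), ("cleanup", 0x50)]

# Constructed gadget positions: (containing function, offset inside it).
GADGETS = [("parse", 0x11C), ("copy_buf", 0x6E), ("cleanup", 0x4D)]


def gadget_addresses(order):
    """Absolute gadget addresses when functions are emitted in `order`."""
    start, cursor = {}, BASE
    for name, size in order:
        start[name] = cursor
        cursor += size
    return tuple(start[func] + off for func, off in GADGETS)


def surviving_orders(reference=FUNCTIONS):
    """Function orders in which every gadget keeps its reference address.

    A chain hard-coded against `reference` only resolves in these variants;
    in every other variant at least one address points at unrelated bytes.
    """
    ref = gadget_addresses(reference)
    return [order for order in permutations(FUNCTIONS)
            if gadget_addresses(order) == ref]


if __name__ == "__main__":
    survivors = surviving_orders()
    total = sum(1 for _ in permutations(FUNCTIONS))
    print(f"{len(survivors)} of {total} variants keep all gadget addresses")
    for order in survivors:
        print("  ", [name for name, _ in order])
```

In this model, swapping two functions that lie between gadgets does not move any gadget, so a few variants stay compatible with the reference chain; reordering combined with the other transformations the abstract lists would shrink that set further.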
Additional information
Original Russian Text © A.R. Nurmukhametov, Sh.F. Kurmangaleev, V.V. Kaushan, S.S. Gaissaryan, 2014, published in Proceedings of the Institute for System Programming of RAS, 2014, Vol. 26, I. 3, pp. 113–126.
About this article
Cite this article
Nurmukhametov, A.R., Kurmangaleev, S.F., Kaushan, V.V. et al. Application of compiler transformations against software vulnerabilities exploitation. Program Comput Soft 41, 231–236 (2015). https://doi.org/10.1134/S0361768815040052
DOI: https://doi.org/10.1134/S0361768815040052