DOI: 10.1145/1141277.1141364

Improving address space randomization with a dynamic offset randomization technique

Published: 23 April 2006

Abstract

Address Space Randomization (ASR) techniques randomize process layout to prevent attackers from locating target functions. Prior ASR techniques have considered single-target attacks, which succeed if the attacker can locate a single, powerful system library function. These techniques are not sufficient to defend against chained return-into-lib(c) attacks, each of which calls a sequence of system library functions in order.

In this paper, we propose a new ASR technique, code islands, that randomizes not only the base pointers of memory mapping (mmapping), but also relative distances between functions, maximally and dynamically. Our technique can minimize the utility of information gained in early probes of a chained return-into-lib(c) attack, for later stages of that attack. With a pre-defined rerandomization threshold, our code islands technique not only is exponentially more effective than any prior ASR technique in defending against brute-force searches for locations of multiple targets (a key component of chained return-into-lib(c) attacks), but can also maintain high service availability even under attack. Our overhead measurement on some well-known GNU applications shows that it takes less than 0.05 second to load/rerandomize a process with the necessary C system library functions using code islands, and our technique introduces a 3-10% run-time overhead from inter-island control transfers. We conclude that the code island technique is well-suited to dedicated multi-threaded servers.



Published In

SAC '06: Proceedings of the 2006 ACM symposium on Applied computing
April 2006
1967 pages
ISBN: 1595931082
DOI: 10.1145/1141277

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. address space randomization
2. code islands
3. denial-of-service attacks
4. derandomization attacks
5. intrusion mitigation
6. randomization


Cited By

  • (2020) Thwarting Control Plane Attacks with Displaced and Dilated Address Spaces. 2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 57-68. DOI: 10.1109/HOST45689.2020.9300273. Online publication date: 7-Dec-2020
  • (2017) Mixr. Proceedings of the 2017 Workshop on Moving Target Defense, pp. 27-37. DOI: 10.1145/3140549.3140551. Online publication date: 30-Oct-2017
  • (2016) Jump over ASLR. The 49th Annual IEEE/ACM International Symposium on Microarchitecture, pp. 1-13. DOI: 10.5555/3195638.3195686. Online publication date: 15-Oct-2016
  • (2016) Jump over ASLR: Attacking branch predictors to bypass ASLR. 2016 49th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO), pp. 1-13. DOI: 10.1109/MICRO.2016.7783743. Online publication date: Oct-2016
  • (2013) STABILIZER. ACM SIGPLAN Notices 48:4, pp. 219-228. DOI: 10.1145/2499368.2451141. Online publication date: 16-Mar-2013
  • (2013) STABILIZER. ACM SIGARCH Computer Architecture News 41:1, pp. 219-228. DOI: 10.1145/2490301.2451141. Online publication date: 16-Mar-2013
  • (2013) STABILIZER. Proceedings of the eighteenth international conference on Architectural support for programming languages and operating systems, pp. 219-228. DOI: 10.1145/2451116.2451141. Online publication date: 16-Mar-2013
  • (2013) Systematic Analysis of Defenses against Return-Oriented Programming. Proceedings of the 16th International Symposium on Research in Attacks, Intrusions, and Defenses - Volume 8145, pp. 82-102. DOI: 10.1007/978-3-642-41284-4_5. Online publication date: 23-Oct-2013
  • (2011) Address space randomization for mobile devices. Proceedings of the fourth ACM conference on Wireless network security, pp. 127-138. DOI: 10.1145/1998412.1998434. Online publication date: 14-Jun-2011
