Hristo Bojinov
Dan Boneh
ABSTRACT
Address Space Layout Randomization (ASLR) is a defensive technique supported by many desktop and server operating systems. While smartphone vendors wish to make it available on their platforms, there are technical challenges in implementing ASLR on these devices. Pre-linking, limited processing power and restrictive update processes make it difficult to use existing ASLR implementation strategies even on the latest generation of smartphones. In this paper we introduce retouching, a mechanism for executable ASLR that requires no kernel modifications and is suitable for mobile devices. We have implemented ASLR for the Android operating system and evaluated its effectiveness and performance. In addition, we introduce crash stack analysis, a technique that uses crash reports locally on the device, or in aggregate in the cloud to reliably detect attempts to brute-force ASLR protection. We expect that retouching and crash stack analysis will become standard techniques in mobile ASLR implementations.
- Android. www.android.com.Google Scholar
- Ruediger R. Asche. Rebasing win32 dlls: The whole story, 1995. http://msdn.microsoft.com/en-us/library/ms810432.aspx.Google Scholar
- Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar. Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In In Proceedings of the 12th USENIX Security Symposium, pages 105--120, 2003. Google ScholarDigital Library
- Dion Blazakis. Interpreter exploitation: Pointer inference and jit spraying, 2010. http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf.Google Scholar
- Monica Chew and Dawn Song. Mitigating buffer overflows by operating system randomization. Technical report, UC Berkeley, 2002.Google Scholar
- Crispin Cowan, Steve Beattie, John Johansen, and Perry Wagle. Pointguard#8482;: Protecting pointers from buffer overflow vulnerabilities. In In Proc. of the 12th Usenix Security Symposium, 2003. Google ScholarDigital Library
- Lucas Davi, Alexandra Dmitrienko, Ahmad-Reza Sadeghi, and Marcel Winandy. Privilege escalation attacks on android. In ISC, pages 346--360, 2010. Google ScholarDigital Library
- Jake Edge. Linux aslr vulnerabilities, 2009. http://lwn.net/Articles/330866/.Google Scholar
- Hiroaki Etoh. Gcc extension for protecting applications from stack-smashing attacks, 2005. http://www.research.ibm.com/trl/projects/security/ssp/.Google Scholar
- Aurélien Francillon, Daniele Perito, and Claude Castelluccia. Defending embedded systems against control flow attacks. In SecuCode '09: Proceedings of the first ACM workshop on Secure execution of untrusted code, pages 19--26, New York, NY, USA, 2009. ACM. Google ScholarDigital Library
- Gaurav S. Kc. Countering code-injection attacks with instruction-set randomization. In In Proceedings of the ACM Computer and Communications Security (CCS) Conference, pages 272--280. ACM Press, 2003. Google ScholarDigital Library
- Chongkyung Kil, Jinsuk Jun, Christopher Bookholt, Jun Xu, and Peng Ning. Address space layout permutation (aslp): Towards fine-grained randomization of commodity software. In ACSAC '06: Proceedings of the 22nd Annual Computer Security Applications Conference, pages 339--348, Washington, DC, USA, 2006. IEEE Computer Society. Google ScholarDigital Library
- J. Krhovjak, V. Matyas, and J. Zizkovsky. Generating Random and Pseudorandom Sequences in Mobile Devices, pages 122--. Springer, 2009.Google Scholar
- David Litchfield. Buffer underruns, dep, aslr and improving the exploitation prevention mechanisms (xpms) on the windows platform, 2005. http://www.ngssoftware.com/papers/xpms.pdf.Google Scholar
- Charlie Miller. Owning the fanboys: Hacking mac os x, 2008. http://www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Miller/BlackHat%-Japan-08-Miller-Hacking-OSX.pdf.Google Scholar
- Charlie Miller. Fuzzing the phone in your phone, 2009. http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-F%uzzingPhone-PAPER.pdf.Google Scholar
- John Moser. Prelink and address space randomization, 2006. http://lwn.net/Articles/190139/.Google Scholar
- Giampaolo Fresi Roglia, Lorenzo Martignoni, Roberto Paleari, and Danilo Bruschi. Surgically returning to randomized lib(c). In ACSAC '09: Proceedings of the 2009 Annual Computer Security Applications Conference, pages 60--69, Washington, DC, USA, 2009. IEEE Computer Society. Google ScholarDigital Library
- Clint Ruoho. Aslr: Leopard versus vista, 2008. http://www.laconicsecurity.com/aslr-leopard-versus-vista.html.Google Scholar
- Mark Russinovich. Inside the windows vista kernel: Part 3, 2007. http://technet.microsoft.com/en-us/magazine/2007.04.vistakernel.aspx.Google Scholar
- segvguard. http://www.daemon-systems.org/man/security.8.html.Google Scholar
- Hovav Shacham. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86. In In Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007. Google ScholarDigital Library
- Hovav Shacham, Eu jin Goh, Nagendra Modadugu, Ben Pfaff, and Dan Boneh. On the effectiveness of address-space randomization. In In CCS'04: Proceedings of the 11th ACM Conference on Computer and Communications Security, pages 298--307. ACM Press, 2004. Google ScholarDigital Library
- Brad Spengler. Pax: The guaranteed end of arbitrary code execution, 2003. http://grsecurity.net/PaX-presentation_files/frame.htm.Google Scholar
- The PaX Team. Homepage of the pax team, 2008. http://pax.grsecurity.net/.Google Scholar
- Ollie Whitehouse. An analysis of address space layout randomization on windows vista, 2007. http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomi%zation.pdf.Google Scholar
- Haizhi Xu and Steve J. Chapin. Improving address space randomization with a dynamic offset randomization technique. In SAC '06: Proceedings of the 2006 ACM symposium on Applied computing, pages 384--391, New York, NY, USA, 2006. ACM. Google ScholarDigital Library
Index Terms
- Address space randomization for mobile devices
Recommendations
Prefetch Side-Channel Attacks: Bypassing SMAP and Kernel ASLR
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications SecurityModern operating systems use hardware support to protect against control-flow hijacking attacks such as code-injection attacks. Typically, write access to executable pages is prevented and kernel mode execution is restricted to kernel code pages only. ...
Protecting against address space layout randomisation (ASLR) compromises and return-to-libc attacks using network intrusion detection systems
Writable XOR executable (W X) and address space layout randomisation (ASLR) have elevated the understanding necessary to perpetrate buffer overflow exploits[1]. However, they have not proved to be a panacea[1---3], and so other mechanisms, such as stack ...
Mobile Attacks and Defense
Smartphones' features are great, but with the power they provide, there's also a threat. Smartphones are becoming a target of attackers in the same way PCs have been for many years. This article examines the security models of two popular smart phone ...
Comments