David Bigelow
ABSTRACT
Address Space Layout Randomization (ASLR) can increase the cost of exploiting memory corruption vulnerabilities. One major weakness of ASLR is that it assumes the secrecy of memory addresses and is thus ineffective in the face of memory disclosure vulnerabilities. Even fine-grained variants of ASLR are shown to be ineffective against memory disclosures. In this paper we present an approach that synchronizes randomization with potential runtime disclosure. By applying rerandomization to the memory layout of a process every time it generates an output, our approach renders disclosures stale by the time they can be used by attackers to hijack control flow. We have developed a fully functioning prototype for x86_64 C programs by extending the Linux kernel, GCC, and the libc dynamic linker. The prototype operates on C source code and recompiles programs with a set of augmented information required to track pointer locations and support runtime rerandomization. Using this augmented information we dynamically relocate code segments and update code pointer values during runtime. Our evaluation on the SPEC CPU2006 benchmark, along with other applications, show that our technique incurs a very low performance overhead (2.1% on average).
- Cve-2013--2028. Online, 2013.Google Scholar
- Blind return oriented programming. Online, 2014.Google Scholar
- Abadi, M., Budiu, M., Erlingsson, U., and Ligatti, J. Control-flow integrity. In Proc. of ACM CCS (2005). Google ScholarDigital Library
- Akritidis, P. Cling: A memory allocator to mitigate dangling pointers. In Proc. of USENIX Security (2010). Google ScholarDigital Library
- Anderson, J. P. Computer security technology planning study. volume 2. Tech. rep., DTIC Document, 1972.Google ScholarCross Ref
- Backes, M., Holz, T., Kollenda, B., Koppe, P., Nürnberger, S., and Pewny, J. You can run but you can't read. In Proc. of ACM CCS (2014).Google ScholarDigital Library
- Backes, M., and Nürnberger, S. Oxymoron: Making fine-grained memory randomization practical by allowing code sharing. Proc. of USENIX Security (2014). Google ScholarDigital Library
- Barrantes, E. G., Ackley, D. H., Palmer, T. S., Stefanovic, D., and Zovi, D. D. Randomized instruction set emulation to disrupt binary code injection attacks. In Proc. of ACM CCS (2003). Google ScholarDigital Library
- Bittau, A., Belay, A., Mashtizadeh, A., Mazieres, D., and Boneh, D. Hacking blind. In Proc. of IEEE S&P (2014). Google ScholarDigital Library
- Chen, X., Slowinska, A., and Bos, H. Membrush: A practical tool to detect custom memory allocators in c binaries. In Proc. of WCRE (2013).Google ScholarCross Ref
- Crane, S., Liebchen, C., Homescu, A., Davi, L., Larsen, P., Sadeghi, A.-R., Brunthaler, S., and Franz, M. Readactor: Practical code randomization resilient to memory disclosure. In IEEE S&P (2015).Google Scholar
- Curtsinger, C., and Berger, E. D. Stabilizer: Statistically sound performance evaluation. In Proc. of ASPLOS (2013). Google ScholarDigital Library
- Davi, L., Liebchen, C., Sadeghi, A.-R., Snow, K. Z., and Monrose, F. Isomeron: Code randomization resilient to (just-in-time) return-oriented programming. Proc. of NDSS (2015).Google ScholarCross Ref
- Durden, T. Bypassing pax aslr protection, 2002.Google Scholar
- Eager, M. J. Introduction to the dwarf debugging format. Group (2007).Google Scholar
- Evans, I., Fingeret, S., Gonzalez, J., Otgonbaatar, U., Tang, T., Shrobe, H., Sidiroglou-Douskos, S., Rinard, M., and Okhravi, H. Missing the point(er): On the effectiveness of code pointer integrity. In Proc. of IEEE S&P (2015).Google ScholarDigital Library
- Giuffrida, C., Kuijsten, A., and Tanenbaum, A. S. Enhanced operating system security through efficient and fine-grained address space randomization. In Proc. of USENIX Security (2012). Google ScholarDigital Library
- Göktas, E., Athanasopoulos, E., Bos, H., and Portokalidis, G. Out of control: Overcoming control-flow integrity. In Proc. of IEEE S&P (2014). Google ScholarDigital Library
- Heartbleed.com. The heartbleed bug. Online, 2014.Google Scholar
- Hiser, J., Nguyen, A., Co, M., Hall, M., and Davidson, J. Ilr: Where'd my gadgets go. In Proc. of IEEE S&P (2012). Google ScholarDigital Library
- Hiser, J., Nguyen, A., Co, M., Hall, M., and Davidson, J. Ilr: Where'd my gadgets go. In Proc. of IEEE S&P (2012). Google ScholarDigital Library
- Hobson, T., Okhravi, H., Bigelow, D., Rudd, R., and Streilein, W. On the challenges of effective movement. In Proceedings of the First ACM Workshop on Moving Target Defense (2014), pp. 41--50. Google ScholarDigital Library
- ISO. ISO/IEC 9899:2011 Information technology -- Programming languages -- C. 2011.Google Scholar
- Jackson, T., Salamat, B., Homescu, A., Manivannan, K., Wagner, G., Gal, A., Brunthaler, S., Wimmer, C., and Franz, M. Compiler-generated software diversity. Moving Target Defense (2011), 77--98.Google Scholar
- Jim, T., Morrisett, J. G., Grossman, D., Hicks, M. W., Cheney, J., and Wang, Y. Cyclone: A safe dialect of c. In USENIX (2002). Google ScholarDigital Library
- Kc, G. S., Keromytis, A. D., and Prevelakis, V. Countering code-injection attacks with instruction-set randomization. In Proc. of ACM CCS (2003). Google ScholarDigital Library
- Kil, C., Jun, J., Bookholt, C., Xu, J., and Ning, P. Address space layout permutation (aslp). In Proc. of ACSAC (2006). Google ScholarDigital Library
- Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., and Song, D. Code-pointer integrity.Google Scholar
- Mohan, V., Larsen, P., Brunthaler, S., Hamlen, K., and Franz, M. Opaque control-flow integrity. In Proc. of NDSS (2015).Google ScholarCross Ref
- Mosberger, D. The libunwind project, 2014.Google Scholar
- Nagarakatte, S., Zhao, J., Martin, M. M., and Zdancewic, S. Softbound: Highly compatible and complete spatial memory safety for c. In Proc. of PLDI (2009). Google ScholarDigital Library
- Nagarakatte, S., Zhao, J., Martin, M. M., and Zdancewic, S. Cets: Compiler enforced temporal safety for c. In Proc. of ISMM (2010). Google ScholarDigital Library
- One, A. Smashing the stack for fun and profit. Phrack magazine 7, 49 (1996), 14--16.Google Scholar
- Parno, B., McCune, J. M., and Perrig, A. Bootstrapping trust in commodity computers. In Proc. of IEEE S&P (may 2010), pp. 414 --429. Google ScholarDigital Library
- PaX. Pax address space layout randomization, 2003.Google Scholar
- Rafkind, J., Wick, A., Regehr, J., and Flatt, M. Precise garbage collection for c. In Proc. of ISMM (2009). Google ScholarDigital Library
- Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.-R., and Holz, T. Counterfeit object-oriented programming: On the difficulty of preventing code reuse attacks in cGoogle Scholar
- applications. In Proc. of IEEE S&P (2015).Google Scholar
- Seibert, J., Okhravi, H., and Soderstrom, E. Information leaks without memory disclosures: Remote side channel attacks on diversified code. In Proc. of ACM CCS (2014). Google ScholarDigital Library
- Serebryany, K., Bruening, D., Potapenko, A., and Vyukov, D. Addresssanitizer: A fast address sanity checker. In USENIX (2012). Google ScholarDigital Library
- Shacham, H. The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proc. of ACM CCS (2007). Google ScholarDigital Library
- Shacham, H., Page, M., Pfaff, B., Goh, E.-J., Modadugu, N., and Boneh, D. On the effectiveness of address-space randomization. In Proc. of ACM CCS (2004). Google ScholarDigital Library
- Snow, K. Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., and Sadeghi, A.-R. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In Proc. of IEEE S&P (2013). Google ScholarDigital Library
- Strackx, R., Younan, Y., Philippaerts, P., Piessens, F., Lachmund, S., and Walter, T. Breaking the memory secrecy assumption. In Proc. of EuroSec'09 (2009), pp. 1--8. Google ScholarDigital Library
- Szekeres, L., Payer, M., Wei, T., and Song, D. Sok: Eternal war in memory. In Proc. of IEEE S&P (2013). Google ScholarDigital Library
- Tice, C., Roeder, T., Collingbourne, P., Checkoway, S., Erlingsson, Ú., Lozano, L., and Pike, G. Enforcing forward-edge control-flow integrity in gcc & llvm. In Proc. of USENIX Security (2014). Google ScholarDigital Library
- Wartell, R., Mohan, V., Hamlen, K. W., and Lin, Z. Binary stirring: Self-randomizing instruction addresses of legacy x86 binary code. In Proc. of ACM CCS (2012), pp. 157--168. Google ScholarDigital Library
- Zhang, C., Wei, T., Chen, Z., Duan, L., Szekeres, L., McCamant, S., Song, D., and Zou, W. Practical control flow integrity and randomization for binary executables. In Proc. of IEEE S&P (2013). Google ScholarDigital Library
- Zhang, M., and Sekar, R. Control flow integrity for cots binaries. In Proc. of USENIX Security (2013). Google ScholarDigital Library
Index Terms
- Timely Rerandomization for Mitigating Memory Disclosures
Recommendations
Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications SecurityCode diversification has been proposed as a technique to mitigate code reuse attacks, which have recently become the predominant way for attackers to exploit memory corruption vulnerabilities. As code reuse attacks require detailed knowledge of where ...
ExOShim: preventing memory disclosure using execute-only kernel code
Information leakage and memory disclosure are major threats to the security in modern computer systems. If an attacker is able to obtain the binary-code of an application, it is possible to reverse-engineer the source-code, uncover vulnerabilities, craft ...
An Overview of Prevention/Mitigation against Memory Corruption Attack
ISCSIC '18: Proceedings of the 2nd International Symposium on Computer Science and Intelligent ControlOne of the most prevalent, ancient and devastating vulnerabilities which is increasing rapidly is Memory corruption. It is a vulnerability where a memory location contents of a computer system are altered because of programming errors allowing execution ...
Comments