DOI: 10.1145/2810103.2813694
Research article (Public Access)

ASLR-Guard: Stopping Address Space Leakage for Code Reuse Attacks

Published: 12 October 2015

Abstract

A general prerequisite for a code reuse attack is that the attacker locates code gadgets that perform the desired operations and then directs the control flow of a vulnerable application to those gadgets. Address Space Layout Randomization (ASLR) attempts to stop code reuse attacks by making the first part of this prerequisite unsatisfiable. However, research in recent years has shown that this protection is often defeated by common information leaks, which give attackers clues about the whereabouts of code gadgets. In this paper, we present ASLR-Guard, a novel mechanism that completely prevents leaks of code pointers and renders other information leaks (e.g., leaks of data pointers) useless for deriving code addresses. The main ideas behind ASLR-Guard are to separate code from data, so that a leaked data pointer reveals nothing about code addresses; to provide secure storage for code pointers; and to encode code pointers whenever they are treated as data. ASLR-Guard thus either prevents code pointer leaks or renders them harmless: it makes it impossible to overwrite code pointers with values that point to, or will hijack control flow to, a desired address when the code pointers are dereferenced. We have implemented a prototype of ASLR-Guard, including a compilation toolchain and a C/C++ runtime. Our evaluation shows that (1) ASLR-Guard supports normal program operation correctly; (2) it completely stops code address leaks and resists recent sophisticated attacks; and (3) it imposes almost no runtime overhead (< 1%) on C/C++ programs in the SPEC benchmark. ASLR-Guard is therefore practical and can be applied to secure many applications.
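The mechanism the abstract sketches, as an added illustration that is not code from the paper or its prototype: a code pointer is never stored raw in ordinary data memory. What lands there is a token encoded under a per-process random key and a per-slot nonce, both kept in storage that the model assumes an attacker's arbitrary read cannot reach (a stand-in for the paper's secure storage and code/data separation). The toy XOR scheme, the fixed-size slot table, and the names `ag_protect`/`ag_resolve` are assumptions of this example, not the paper's actual encoding.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

typedef void (*handler_t)(const char *);

/* Assumed "secure storage" (example assumption, not the paper's layout):
 * these statics stand in for a region that an attacker with an arbitrary
 * read over ordinary data memory cannot see. */
#define AG_SLOTS 64
static uint64_t ag_key;              /* per-process random key */
static uint64_t ag_nonce[AG_SLOTS];  /* one random nonce per stored pointer */
static unsigned ag_next_slot;
static int      ag_ready;

/* What a code pointer looks like once it is treated as data. Only this
 * token is ever written to attacker-readable memory. */
typedef struct { uint32_t slot; uint64_t enc; } ag_cptr;

static int fill_random(void *buf, size_t n) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, (char *)buf + got, n - got);
        if (r <= 0) { close(fd); return -1; }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

static void ag_init(void) {
    if (ag_ready) return;
    if (fill_random(&ag_key, sizeof ag_key) != 0 ||
        fill_random(ag_nonce, sizeof ag_nonce) != 0) {
        fprintf(stderr, "no entropy source\n");
        abort();
    }
    ag_ready = 1;
}

/* Encode a code pointer before it is stored in ordinary data memory. */
static ag_cptr ag_protect(handler_t fn) {
    ag_init();
    if (ag_next_slot >= AG_SLOTS) abort();   /* toy: fixed-size vault */
    ag_cptr c;
    c.slot = ag_next_slot++;
    c.enc  = (uint64_t)(uintptr_t)fn ^ ag_key ^ ag_nonce[c.slot];
    return c;
}

/* Decode at the point of dereference (the indirect call). An out-of-range
 * slot written by an attacker aborts instead of indexing past the table. */
static handler_t ag_resolve(ag_cptr c) {
    ag_init();
    if (c.slot >= AG_SLOTS) abort();
    return (handler_t)(uintptr_t)(c.enc ^ ag_key ^ ag_nonce[c.slot]);
}

static void greet(const char *who) { printf("hello, %s\n", who); }
static void evil(const char *who)  { printf("hijacked by %s\n", who); }

/* Property 1: leaking the stored token does not reveal greet's address. */
static int leaked_token_hides_address(void) {
    ag_cptr c = ag_protect(greet);
    return c.enc != (uint64_t)(uintptr_t)greet;
}

/* Property 2: an attacker who knows evil's address and overwrites the
 * token with it (simulated memory-corruption write) does not reach evil;
 * the decoded value is an unrelated address. */
static int forged_token_misses_target(void) {
    ag_cptr c = ag_protect(greet);
    c.enc = (uint64_t)(uintptr_t)evil;
    return ag_resolve(c) != evil;
}

int main(void) {
    ag_cptr h = ag_protect(greet);   /* the "data" copy of the code pointer */
    printf("token: slot=%u enc=0x%016llx (greet is at %p)\n",
           h.slot, (unsigned long long)h.enc, (void *)(uintptr_t)greet);
    ag_resolve(h)("world");
    printf("leak hides address: %d, forgery misses target: %d\n",
           leaked_token_hides_address(), forged_token_misses_target());
    return 0;
}
```

One caveat a practitioner should keep in mind with any such scheme: XOR under a secret key and nonce stops an attacker from learning a code address from the token and from forging a token for an address of their choice, but an attacker who can copy a complete, legitimately encoded token from one variable to another can still redirect a call to a different legitimate function. Binding the encoding to the storage location is what a real design needs for that case; this toy does not attempt it.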



Published In

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
October 2015, 1750 pages
ISBN: 9781450338325
DOI: 10.1145/2810103

Publisher

Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. ASLR
    2. code reuse attack
    3. information leak
    4. randomization


    Funding Sources

    • DARPA Transparent Computing program
    • ONR
    • ETRI MSIP/IITP
    • DHS
    • United States Air Force
    • NSF award

Conference

CCS '15

    Acceptance Rates

    CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Cited By

• (2025) Enhancing in-process isolation for robust defense against information disclosure attacks. Computers & Security, 104370. DOI: 10.1016/j.cose.2025.104370. Feb 2025.
• (2024) Eclipse: Preventing Speculative Memory-error Abuse with Artificial Data Dependencies. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security, pp. 3913-3927. DOI: 10.1145/3658644.3690201. 2 Dec 2024.
• (2024) Hardware-Software Collaborative Tiered-Memory Management Framework for Virtualization. ACM Transactions on Computer Systems 42(1-2), pp. 1-32. DOI: 10.1145/3639564. 15 Jan 2024.
• (2024) Randomize the Running Function When It Is Disclosed. IEEE Transactions on Computers 73(6), pp. 1516-1530. DOI: 10.1109/TC.2024.3371776. Jun 2024.
• (2024) Porting to Morello: An In-depth Study on Compiler Behaviors, CERT Guideline Violations, and Security Implications. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), pp. 381-397. DOI: 10.1109/EuroSP60621.2024.00028. 8 Jul 2024.
• (2024) DROPSYS: Detection of ROP attacks using system information. Computers & Security, 103813. DOI: 10.1016/j.cose.2024.103813. Mar 2024.
• (2024) Classification of return-oriented programming gadgets: a machine learning approach. Journal of Computer Virology and Hacking Techniques 20(4), pp. 751-763. DOI: 10.1007/s11416-024-00517-1. 19 Jun 2024.
• (2024) Satellite: Effective and Efficient Stack Memory Protection Scheme for Unsafe Programming Languages. ICT Systems Security and Privacy Protection, pp. 221-235. DOI: 10.1007/978-3-031-65175-5_16. 26 Jul 2024.
• (2023) An Optimal Active Defensive Security Framework for the Container-Based Cloud with Deep Reinforcement Learning. Electronics 12(7), 1598. DOI: 10.3390/electronics12071598. 29 Mar 2023.
• (2023) BinWrap: Hybrid Protection against Native Node.js Add-ons. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, pp. 429-442. DOI: 10.1145/3579856.3590330. 10 Jul 2023.
