ABSTRACT
Vulnerabilities that disclose executable memory pages enable a new class of powerful code reuse attacks that build the attack payload at runtime. In this work, we present Heisenbyte, a system to protect against memory disclosure attacks. Central to Heisenbyte is the concept of destructive code reads -- code is garbled right after it is read. Garbling the code after reading it takes away from the attacker her ability to leverage memory disclosure bugs in both static code and dynamically generated just-in-time code. By leveraging existing virtualization support, Heisenbyte's novel use of destructive code reads sidesteps the problem of incomplete disassembly of binaries, and extends protection to closed-source COTS binaries, which are two major limitations of prior solutions against memory disclosure vulnerabilities. Our experiments demonstrate that Heisenbyte can tolerate some degree of imperfect static analysis in disassembled binaries, while effectively thwarting dynamic code reuse exploits in both static and JIT code, at a modest 1.8% average runtime overhead due to virtualization and 16.5% average overhead due to the destructive code reads.
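As an added illustration (not code from the paper or the Heisenbyte system), a small Python model of the destructive code read idea in the abstract: a data read of executable memory returns the genuine bytes, but the copy the CPU executes is garbled immediately afterwards, so bytes disclosed at runtime are no longer the bytes that run. The class and function names, and the garbling method (XOR with a random non-zero byte), are assumptions of the model.

```python
import random

# Constructed toy model: an executable page keeps two views. A data read is served
# from the pristine copy (an ordinary disclosure still "sees" real code), but the
# executable copy of every byte read is destroyed right after the read.


class DestructiveCodePage:
    def __init__(self, code: bytes, seed: int = 1234) -> None:
        self.original = bytes(code)         # what a data read is served
        self._exec_view = bytearray(code)   # what instruction fetch actually runs
        self._rng = random.Random(seed)     # seeded only so the demo is reproducible
        self.read_log = []                  # addresses read: a defender's audit trail

    def read(self, addr: int) -> int:
        """Data read of one code byte: return the real value, then garble the executable copy.
        XOR with a non-zero byte is an assumption; it guarantees the executed byte changes."""
        value = self.original[addr]
        self._exec_view[addr] = value ^ self._rng.randrange(1, 256)
        self.read_log.append(addr)
        return value

    def fetch(self, addr: int) -> int:
        """Instruction fetch: whatever currently sits in the executable view."""
        return self._exec_view[addr]

    def intact(self, start: int, length: int) -> bool:
        """True if [start, start+length) would still execute as originally laid out."""
        return all(self.fetch(a) == self.original[a] for a in range(start, start + length))


def disclose_then_execute(page: DestructiveCodePage, start: int, length: int) -> tuple:
    """Model of a runtime-disclosure attack: read a region to learn its bytes, then run it.
    Returns (the read returned genuine bytes, the region still executes intact)."""
    leaked = bytes(page.read(a) for a in range(start, start + length))
    return leaked == page.original[start:start + length], page.intact(start, length)


if __name__ == "__main__":
    page = DestructiveCodePage(bytes(range(1, 33)))   # constructed 32-byte "code" page
    print("before any read, page intact:", page.intact(0, 32))
    genuine, runnable = disclose_then_execute(page, 8, 8)
    print("disclosed bytes were genuine:", genuine, "| disclosed region still runs:", runnable)
    print("untouched code still runs:", page.intact(0, 8) and page.intact(16, 16))
    print("read audit trail:", page.read_log)
```

In this model only the bytes that were actually read are destroyed, so code the program never reads as data keeps executing normally.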