DOI: 10.1145/2897845.2897863 (ASIA CCS '16 research article, Public Access)

Juggling the Gadgets: Binary-level Code Randomization using Instruction Displacement

Published: 30 May 2016

ABSTRACT

Code diversification is an effective mitigation against return-oriented programming (ROP) attacks: it breaks the attacker's assumptions about the location and structure of useful instruction sequences, known as "gadgets". Although a wide range of code diversification techniques of varying granularity exist, most of them rely on the availability of source code, debug symbols, or the assumption of fully precise code disassembly, which limits their practical applicability for protecting closed-source third-party applications. In-place code randomization has been proposed as an alternative, binary-compatible diversification technique that tolerates partial disassembly coverage, at the expense, though, of leaving some gadgets intact and at the disposal of attackers. Consequently, the possibility of constructing robust ROP payloads using only the remaining non-randomized gadgets remains open. In this paper we present instruction displacement, a code diversification technique based on static binary instrumentation that does not rely on complete code disassembly coverage. Instruction displacement aims to improve the randomization coverage and entropy of existing binary-level code diversification techniques by displacing any remaining non-randomized gadgets to random locations. The results of our experimental evaluation demonstrate that instruction displacement reduces the number of non-randomized gadgets in the extracted code regions from 15.04% for standalone in-place code randomization to 2.77% for the combination of both techniques. At the same time, the additional indirection introduced by displacement incurs a negligible runtime overhead of 0.36% on average for the SPEC CPU2006 benchmarks.
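To make the mechanics behind "displacing gadgets to random locations" and the "additional indirection" concrete, here is a self-contained C illustration. It is added example code, not the authors' implementation: the x86-64 byte sequence, the virtual addresses (0x401000 for the original region, 0x40f000 for the displacement region), and the trampoline layout (a 5-byte `jmp rel32` to the relocated copy, `int3` padding over the vacated bytes, and a `jmp rel32` back after the copy) are assumptions chosen to show the idea, and the target slot is a parameter instead of a random draw so the result is checkable. The example also assumes the displaced range contains whole instructions with no relative branches or RIP-relative operands and no branch targets inside it; a real binary rewriter must establish those properties from its disassembly and re-encode such instructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed x86-64 code region (assumed for this example, not from the
 * paper). The "pop rdi; ret" at offsets 7..8 stands in for a gadget that
 * in-place randomization left intact and that displacement moves away. */
static const uint8_t ORIGINAL_CODE[] = {
    0x48, 0x89, 0xf8,        /*  0: mov rax, rdi */
    0x48, 0x83, 0xc0, 0x01,  /*  3: add rax, 1   */
    0x5f,                    /*  7: pop rdi      */
    0xc3,                    /*  8: ret          */
    0x31, 0xc0,              /*  9: xor eax, eax */
    0xc3,                    /* 11: ret          */
};
#define ORIG_LEN  ((long)sizeof(ORIGINAL_CODE))
#define DISP_CAP  64
#define ORIG_BASE 0x401000ULL  /* assumed VA of the original region      */
#define DISP_BASE 0x40f000ULL  /* assumed VA of the displacement region  */
#define JMP_LEN   5            /* e9 rel32                               */

struct displace_result {
    int rets_before;   /* 0xC3 bytes in the original region before       */
    int rets_after;    /* 0xC3 bytes in the original region after        */
    int rets_in_disp;  /* 0xC3 bytes now living in the displacement area */
    int32_t fwd_rel;   /* rel32 of the jmp planted at the old address    */
    int32_t back_rel;  /* rel32 of the jmp back appended to the copy     */
    uint8_t code[sizeof(ORIGINAL_CODE)];
    uint8_t disp[DISP_CAP];
};

/* Attacker's-eye gadget count: a 0xC3 byte at any alignment ends a
 * candidate gadget, which is why a ret left in place matters. */
int count_ret_bytes(const uint8_t *code, long len) {
    int n = 0;
    for (long i = 0; i < len; i++)
        if (code[i] == 0xc3) n++;
    return n;
}

static void put_jmp_rel32(uint8_t *p, int32_t rel) {
    p[0] = 0xe9;
    memcpy(p + 1, &rel, sizeof rel);  /* little-endian host assumed */
}

int32_t read_rel32(const uint8_t *p) {
    int32_t rel;
    memcpy(&rel, p + 1, sizeof rel);
    return rel;
}

/* Move code[start, start+len) to disp[disp_off ...]. Returns the bytes used
 * in disp, or -1 if the block cannot hold a 5-byte jmp or the slot does not
 * fit. Assumes whole, position-independent instructions (see lead-in). */
long displace_block(uint8_t *code, long code_len, long start, long len,
                    uint8_t *disp, long disp_cap, long disp_off) {
    if (len < JMP_LEN || start < 0 || start + len > code_len) return -1;
    if (disp_off < 0 || disp_off + len + JMP_LEN > disp_cap) return -1;

    uint64_t src_va = ORIG_BASE + (uint64_t)start;
    uint64_t dst_va = DISP_BASE + (uint64_t)disp_off;

    /* 1. Copy the block verbatim to its new home (a real randomizer draws
     *    disp_off at random; it is a parameter here). */
    memcpy(disp + disp_off, code + start, (size_t)len);

    /* 2. Append a jmp back to the instruction after the block; unreachable
     *    when the block ends in ret, but needed for fall-through blocks. */
    uint64_t back_from = dst_va + (uint64_t)len + JMP_LEN;
    put_jmp_rel32(disp + disp_off + len,
                  (int32_t)((int64_t)(src_va + (uint64_t)len) - (int64_t)back_from));

    /* 3. Replace the original bytes with a jmp to the copy plus int3 padding,
     *    so the gadget's bytes no longer exist at their old address. */
    put_jmp_rel32(code + start, (int32_t)((int64_t)dst_va - (int64_t)(src_va + JMP_LEN)));
    memset(code + start + JMP_LEN, 0xcc, (size_t)(len - JMP_LEN));
    return len + JMP_LEN;
}

/* Displace "add rax,1; pop rdi; ret" (offsets 3..8) into the slot at
 * disp_off and report what an attacker scanning for 0xC3 would now find. */
int run_example(long disp_off, struct displace_result *r) {
    memset(r, 0, sizeof *r);
    memcpy(r->code, ORIGINAL_CODE, sizeof r->code);
    r->rets_before = count_ret_bytes(r->code, ORIG_LEN);
    if (displace_block(r->code, ORIG_LEN, 3, 6, r->disp, DISP_CAP, disp_off) < 0)
        return -1;
    r->rets_after   = count_ret_bytes(r->code, ORIG_LEN);
    r->rets_in_disp = count_ret_bytes(r->disp, DISP_CAP);
    r->fwd_rel  = read_rel32(r->code + 3);
    r->back_rel = read_rel32(r->disp + disp_off + 6);
    return 0;
}

int main(void) {
    struct displace_result r;
    if (run_example(16, &r) != 0) return 1;
    printf("ret bytes in original region: %d before, %d after displacement\n",
           r.rets_before, r.rets_after);
    printf("gadget now at %#llx via jmp rel32 %#x; %d ret byte(s) there\n",
           (unsigned long long)(DISP_BASE + 16), (unsigned)r.fwd_rel, r.rets_in_disp);
    return 0;
}
```

The point to take from the run is that the ret byte at offset 8 disappears from the original region (replaced by the trampoline and `int3`), while the copy lives at an address the attacker must now discover separately; the two `jmp rel32` hops are the only runtime cost, which is the "additional indirection" the abstract refers to. Two practical caveats the toy skips: the displacement region must be mapped executable, and the naive 0xC3 scan over-counts (it also flags `ret` bytes that fall inside other instructions), which is exactly the unaligned-gadget view an attacker takes.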


Published in: ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, May 2016, 958 pages. ISBN: 9781450342339. DOI: 10.1145/2897845.

Copyright © 2016 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance rates: ASIA CCS '16 accepted 73 of 350 submissions (21%); the conference's overall acceptance rate is 418 of 2,322 submissions (18%).
