ABSTRACT
Code diversification is an effective mitigation against return-oriented programming attacks: it breaks attackers' assumptions about the location and structure of useful instruction sequences, known as "gadgets". Although a wide range of code diversification techniques of varying granularity exist, most of them rely on the availability of source code, debug symbols, or the assumption of fully precise code disassembly, limiting their practical applicability for the protection of closed-source third-party applications. In-place code randomization has been proposed as an alternative binary-compatible diversification technique that tolerates partial disassembly coverage, at the expense, though, of leaving some gadgets intact and at the disposal of attackers. Consequently, the possibility of constructing robust ROP payloads using only the remaining non-randomized gadgets remains open. In this paper we present instruction displacement, a code diversification technique based on static binary instrumentation that does not rely on complete code disassembly coverage. Instruction displacement aims to improve the randomization coverage and entropy of existing binary-level code diversification techniques by displacing any remaining non-randomized gadgets to random locations. The results of our experimental evaluation demonstrate that instruction displacement reduces the number of non-randomized gadgets in the extracted code regions from 15.04% for standalone in-place code randomization to 2.77% for the combination of both techniques. At the same time, the additional indirection introduced by displacement incurs a negligible runtime overhead of 0.36% on average for the SPEC CPU2006 benchmarks.
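The displacement step the abstract describes, as an added illustration that is not the paper's tool: a toy Python rewriter moves ret-terminated regions of a constructed 32-bit code snippet into a displaced section at a random address and leaves a jmp plus int3 padding behind, so the gadgets are no longer at their original addresses. The opcode constants, the region list, the sample bytes and the simplifying assumptions in the docstring are this example's own.

```python
import random
import struct

# x86 encodings used by this constructed example (not the paper's tool)
JMP_REL32, JMP_LEN, RET, INT3 = 0xE9, 5, 0xC3, 0xCC

def count_ret_gadgets(code):
    """Crude gadget metric: every RET byte terminates a family of ROP gadgets."""
    return bytes(code).count(RET)

def jmp_rel32(src, dst):
    """Encode a near jmp placed at src that lands on dst (rel32 is relative to the next instruction)."""
    return bytes([JMP_REL32]) + struct.pack("<i", dst - (src + JMP_LEN))

def jmp_target(code, base, off):
    """Decode the near jmp at code[off] and return its absolute target address."""
    assert code[off] == JMP_REL32
    return base + off + JMP_LEN + struct.unpack("<i", bytes(code[off + 1:off + JMP_LEN]))[0]

def displace(code, base, regions, rng=random):
    """Copy each (offset, length) region to a random spot in a new displaced section and
    leave a jmp plus int3 padding in its place. Toy assumptions: regions are >= JMP_LEN
    bytes, start and end on instruction boundaries, hold no position-dependent code, and
    are never branched into from elsewhere (the paper's tool handles the general cases)."""
    code, disp = bytearray(code), bytearray()
    # The displaced section sits at a random gap past the original code; that gap plus
    # random padding between copies is what gives the moved gadgets unpredictable addresses.
    disp_base = base + len(code) + rng.randrange(0x1000, 0x10000, 0x10)
    for off, length in regions:
        if length < JMP_LEN:
            raise ValueError("region at %#x is too short to hold a jmp" % (base + off))
        disp += bytes([INT3]) * rng.randrange(0, 64)
        copy_addr = disp_base + len(disp)
        disp += code[off:off + length]
        if code[off + length - 1] != RET:
            # Region does not end in ret: jump back to the instruction after the original region
            disp += jmp_rel32(disp_base + len(disp), base + off + length)
        # Overwrite the original bytes; int3 padding traps stray control flow into the old gadget.
        # Caveat: the rel32 bytes of the patch can themselves contain 0xC3 and form a new gadget,
        # so a real rewriter must re-scan the patched bytes.
        code[off:off + length] = jmp_rel32(base + off, copy_addr) + bytes([INT3]) * (length - JMP_LEN)
    return bytes(code), bytes(disp), disp_base

if __name__ == "__main__":
    # Constructed 32-bit region: push ebp; mov ebp,esp; mov eax,[ebp+8]; pop ebp; ret;
    # nop; xor eax,eax; pop ebx; ret  (two ret-terminated gadget sites)
    orig = bytes.fromhex("5589E58B45085DC39031C05BC3")
    new_code, disp, disp_base = displace(orig, 0x401000, [(3, 5), (8, 5)])
    print(count_ret_gadgets(orig), "->", count_ret_gadgets(new_code), "ret gadgets left in place")
    print("displaced copies at %#x: %s" % (disp_base, disp.hex()))
```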
Juggling the Gadgets: Binary-level Code Randomization using Instruction Displacement