Remix: On-demand Live Randomization

Slides:



Advertisements
Similar presentations
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Advertisements

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin
PRESENTED BY: © Mandiant Corporation. All rights reserved. X86 Binary Rewriting Many Binaries. Such Secure. Wow. Richard Wartell 06/29/14.
Moving Target Defense in Cyber Security
University of VirginiaDARPA SRS - 27 Jan Effectiveness of Instruction Set Randomization Ana Nora Sovarel and David Evans DARPA SRS – Genesis Project.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Review: Software Security David Brumley Carnegie Mellon University.
Framing Signals— A Return to Portable Shellcode
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Address Space Layout Permutation
On the Effectiveness of Address-Space Randomization CS6V Brian Ricks and Vasundhara Chimmad.
Hardware Assisted Control Flow Obfuscation for Embedded Processors Xiaoton Zhuang, Tao Zhang, Hsien-Hsin S. Lee, Santosh Pande HIDE: An Infrastructure.
Mitigation of Buffer Overflow Attacks
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks.
Exploitation possibilities of memory related vulnerabilities
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
Introduction to Information Security ROP – Recitation 5.
Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.
University of Maryland Instrumentation with Relocatable Program Code Tugrul Ince Department of Computer Science University of Maryland, College Park, MD.
Where’s the FEEB?: Effectiveness of Instruction Set Randomization Nora Sovarel, David Evans, Nate Paul University of Virginia Computer Science USENIX Security.
On the Effectiveness of Address-Space Randomization Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, Dan Boneh.
A Survey on Runtime Smashed Stack Detection 坂井研究室 M 豊島隆志.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
Paradyn Project Paradyn / Dyninst Week Madison, Wisconsin April 29-May 1, 2013 Detecting Code Reuse Attacks Using Dyninst Components Emily Jacobson, Drew.
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
Qin Zhao1, Joon Edward Sim2, WengFai Wong1,2 1SingaporeMIT Alliance 2Department of Computer Science National University of Singapore
Introduction to Information Security
Secure Programming Dr. X
Mitigation against Buffer Overflow Attacks
Protecting Memory What is there to protect in memory?
Machine dependent Assembler Features
Protecting Memory What is there to protect in memory?
Secure Programming Dr. X
Protecting Memory What is there to protect in memory?
Pinpointing Vulnerabilities
Introduction to Information Security
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
CSC 495/583 Topics of Software Security Stack Overflows (2)
Microprocessor and Assembly Language
CSC 495/583 Topics of Software Security Return-oriented programming
Improving Program Efficiency by Packing Instructions Into Registers
A System for Protecting the Integrity of Virtual Function Tables
Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]
Continuous, Low Overhead, Run-Time Validation of Program Executions
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Lesson Objectives Aims Key Words Compiler, interpreter, assembler
Address Space Layout Randomization (ASLR) Dirk Gordon
Computer Architecture and the Fetch-Execute Cycle
Efficient x86 Instrumentation:
The Design & Implementation of Hyperupcalls
CSE 451: Operating Systems Autumn 2003 Lecture 2 Architectural Support for Operating Systems Hank Levy 596 Allen Center 1.
CSE 451: Operating Systems Winter 2007 Module 2 Architectural Support for Operating Systems Brian Bershad 562 Allen Center 1.
Optimization 薛智文 (textbook ch# 9) 薛智文 96 Spring.
CSE 451: Operating Systems Winter 2003 Lecture 2 Architectural Support for Operating Systems Hank Levy 412 Sieg Hall 1.
Subroutines and the Stack
Just-In-Time Code Reuse: On the Effectiveness of Fine-Grained Address Space Layout Randomization Nathaniel Enos.
Presentation transcript:

Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu* Florida State University, Stony Brook University*

Background Buffer Overflow -> Code Injection Attack

Background Buffer Overflow -> Code Injection Attack Defense: Data Execution Prevention (DEP) Write XOR Execute: a block (page) of memory cannot be marked as both writable and executable at the same time.

Background Buffer Overflow -> Code Injection Attack Defense: Data Execution Prevention (DEP) Write XOR Execute: a block (page) of memory cannot be marked as both writable and executable at the same time. Return-oriented Programming (ROP) Attack Discover gadgets from existing code, and chain them by ret instructions Can be Turing complete

Code Reuse Attack Existing Code Chained Gadgets

ROP Defense Strategy ROP is one example of a broad class of attacks that require attackers to know or predict the locations of binary features.

ROP Defense Strategy Defense Goal ROP is one example of a broad class of attacks that require attackers to know or predict the locations of binary features. Defense Goal Frustrate such attacks by randomizing feature space, or remove features

Address Space Layout Randomization ASLR Address Space Layout Randomization Library1 Library1 Executable Executable First-time Second-time

ASLR - Problem Pointer Leak Library1 Executable

ASLR - Problem Pointer Leak De-randomized Library1 Executable

ASLR - Problem Brute force attacks are still possible (When the entropy is small. E.g., 32-bit systems.) Randomized only once.

Goal Live randomization during runtime Finer-grained randomization unit Low performance overhead Highly composable  Can and should be combined with other defenses (traditional ASLR, function randomization, etc.) 

Live basic block (BB) (re-)randomization Remix Live basic block (BB) (re-)randomization within functions A basic block is a straight-line code without jumps in or out of the middle of the block.

Remix Live basic block (BB) (re-)randomization within functions Advantages: No function pointer migration Good spatial locality A basic block is a straight-line code without jumps in or out of the middle of the block.

Remix Function A Basic Block 1 Basic Block 2 Basic Block 3 Space for Alignment Other Functions …

Remix Function A Function A Basic Block 1 Basic Block 3 Basic Block 2 After 0.46 seconds Basic Block 4 Basic Block 2 Basic Block 5 Basic Block 4 Space for Alignment Basic Block 1 Other Functions … Other Functions …

Remix Function A Function A Function A Basic Block 1 Basic Block 3 After 0.46 seconds After 2.13 seconds Basic Block 4 Basic Block 2 Basic Block 5 Basic Block 1 Basic Block 4 Space for Alignment Basic Block 4 Basic Block 1 Other Functions … Other Functions … Other Functions …

Challenges Chain randomized basic blocks together Need extra space to chain basic blocks Need to update instructions Stale pointer migration

Extra Space Case 1: Extra Jmp (1) At the beginning of a function Jmp to BB1 Basic Block 3 Basic Block 2 Basic Block 1

Extra Space Case 1: Extra Jmp (1) At the beginning of a function (2) At the end of a basic block that does not end with an instruction like jmp/ret Jmp to BB1 Basic Block 3 mov … add … Basic Block 2 mov … add … jle … Basic Block 1

Extra Space Case 2: Larger Displacement Before Remix Basic Block 1 Jump to BB3 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5

Extra Space Case 2: Larger Displacement Before Remix After Remix Basic Block 1 Basic Block 1 Jump to BB3 Jump to BB3 Basic Block 2 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 4 Basic Block 5 Basic Block 5 Basic Block 3

Extra Space Case 2: Larger Displacement Before Remix After Remix Basic Block 1 Basic Block 1 Jump to BB3 Jump to BB3 Basic Block 2 Basic Block 2 One-byte displacement: jmp +0x10 Basic Block 3 Basic Block 4 Basic Block 4 Four-byte displacement: jmp +0x00001000 Basic Block 5 Basic Block 5 Basic Block 3

Extra Space Solution With Source Code: 1. Insert an extra 5-byte NOP Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement Enough Space Guaranteed!

Extra Space Solution With Source Code: Without Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement Enough Space Guaranteed! Without Source Code: Leverage existing NOP paddings: Function alignment Loop alignment Can insert random bytes into NOP space after randomization, making attack even harder.

Instruction Update Q: Which instructions need updating ? A: Control-flow related ones, to adjust displacement

Instruction Update Two-step update (e.g., unconditional direct jmp): Step one: Jumps to original address of BB 3 Step two: Jumps to current address of BB 3 Original After BB reordering Basic Block 1 Basic Block 3 Basic Block 3 Basic Block 3 Basic Block 2 jmp Basic Block 2 Basic Block 2 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 1 Basic Block 1

Instruction Update Direct call: step-one update Indirect call: no update needed Direct jump: step-one and step-two update Indirect jump: discussed later PC-relative addressing: step-one update

Indirect Jump Jump to functions – unchanged PLT/GOT Tail/Sibling Call Jump to basic blocks – see next

Basic Block Pointer Conversion Why? Migrate stale pointers to basic blocks, to ensure correctness

Basic Block Pointer Conversion Why? Migrate stale pointers to basic blocks, to ensure correctness Where? Return address Jump table (switch/case) Saved context (e.g., setjmp/longjmp) Kernel exception table …

Illustration - Return Address main … Call Foo Return Site Foo …

Illustration - Return Address main … Call Foo Return Site Foo …

Illustration - Return Address main … Call Foo Return Site Foo …

Optimization To Speed up the randomization procedure: Pre-store the required information Basic block information (e.g., locations) Code/data that need updating

Optimization To speed up execution: Probabilistic loop bundling Basic Block 1 Basic Block 2 Loop Basic Block 3 Basic Block 4 Basic Block 5

Optimization To speed up execution: Probabilistic loop bundling Basic Block 1 Basic Block 1 Basic Block 2 Bundled BB Loop Bundle Basic Block 3 Basic Block 4 Basic Block 4 Basic Block 5 Basic Block 5

Optimization To speed up execution: Probabilistic loop bundling Basic Block 1 Basic Block 1 Bundled BB Basic Block 2 Bundled BB Loop Bundle Randomize Basic Block 3 Basic Block 1 Basic Block 4 Basic Block 4 Basic Block 5 Basic Block 5 Basic Block 5 Basic Block 4

The bundling layout is different from time to time. – Unpredictable! Optimization To speed up execution: Probabilistic loop bundling Basic Block 1 Basic Block 1 Bundled BB Basic Block 2 Bundled BB Loop Bundle Randomize Basic Block 3 Basic Block 1 Basic Block 4 Basic Block 4 Basic Block 5 Basic Block 5 Basic Block 5 Basic Block 4 The bundling layout is different from time to time. – Unpredictable!

Implementation Can work on source code using a slightly modified LLVM, or work directly on binaries.  Can work on Linux user-space applications, and FreeBSD kernel modules.

Evaluation - Security Finer-grained randomization: Adds about four bits of entropy to each instruction. Live randomization during runtime: Destroy discovered gadgets immediately after each re-randomization. Software Apache nginx lighttpd Average Basic Block Number per Function 15.3 18.8 14.4 Average NOP Space (bytes) per Function 19.3 26.2 22.1 Want more entropy? – Insert more NOP space!

Evaluation - Performance SPEC CPU 2006 Performance Overhead (randomized once)

Evaluation - Performance SPEC CPU 2006 Size Increase

Evaluation - Performance Randomization Time Interval Apache Web Server Performance Overhead (by ApacheBench) Performance depends on hardware speed. Randomization time interval can be random !

Evaluation - Performance Randomization Time Interval ReiserFS Performance Overhead (by IOZone) Performance depends on hardware speed. Randomization time interval can be random !

Q&A

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.