Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook University Department of Computer Science USENIX Security Symposium, 2003 Tracy Wagner CDA 6938 March 22, 2007

Outline Introduction Attack Goals and Methods Address Obfuscation Transformations Implementation Concerns Effectiveness Performance Conclusion Strengths/Weaknesses/Future Work

Introduction Exploits of memory programming errors Stack smashing Integer overflow Heap overflow Double-free vulnerability C/C++ low level control Require precise knowledge of victim program

Introduction Address Obfuscation Make relative or absolute addresses of program code and data impossible to predict On execution, virtual addresses are randomized Exploits become non-deterministic Effective against large-scale attacks Randomization strategies for both data and code locations

Attack Goals Cause the target program to execute attack code Attack Code Injected Code – provided by attacker Existing Code – already part of program

How Do We Attack? Direct Change Control Flow of Program – change a code pointer Return address – stack Function pointers – stack, heap, static area Global offset table (GOT) Indirect Change Security-Critical Data used in the course of execution Arguments to system calls Variables holding sensitive data

How Do We Attack? Address-Dependent Attacks Can corrupt code-pointer or data-pointer Overwrite pointer value with the absolute address of attacker-defined data or code Relative Address-Dependent Attacks Corrupts non-pointer data Need to know relative distance between buffer and location of item to corrupt

Address Obfuscation Goal is to Randomize: Absolute locations of all code and data Relative distances between data items Transformations Randomize Base Addresses of Memory Regions Permute the Order of Variables/Routines Introduce Random Gaps Between Objects

Base Address Randomization Changing the base addresses of code and data by a random amount Over a large range (1 – 100 million) results in highly unpredictable virtual addresses Does not increase the physical memory requirements Some virtual address space becomes unusable

Base Address Randomization Base address of stack All stack addresses randomized Subtract a large random value from stack pointer Base address of heap Randomizes absolute locations of data Allocate a large block of random size

Base Address Randomization Starting address of DLLs Randomize location of all code and static data Prevents existing code attacks, static data corruption Locations of routines and static data Randomize all functions and associated static data in the executable Similar to DLL randomization

Variable/Routine Permutations Three possible transformations Order of local variables in stack frame Order of static variables Order of routines in shared libraries or in executable Defends against relative distance exploits Difficult to predict distances

Random Gaps Between Objects When relative order of objects cannot be changed Add random padding: Stack frames Between malloc requests Variables in static area Gaps within routines (add jump instructions)

Implementation - Timing Performing Transformations Compile-time, link-time, installation- time, load-time Higher performance when closer to compile-time Delaying transformations: Can apply to third party software System tools not modified

Implementation - Timing Determining Randomization Amounts Transformation time Beginning of program execution Continuously, during execution Continuously is most secure Performance or compatibility issues may force other choices Transformation time – necessary to re-transform code periodically

Effectiveness Not foolproof, but will increase work Defends against attacks which involve overwriting a single value without ability to read memory contents Can be defeated in specific instances Program allows reading of memory contents Double pointer attack Partial overwrite attack

Performance Static relocation at link-time (1) Dynamic relocation at load-time (2) Transformations Relocate base of stack, heap, and code regions Introduce random gaps within stack frames for each routine, at the end of each malloc-requested block

Performance Static relocation at link-time essentially no runtime overhead Dynamic relocation at load-time has noticeable overhead but provides broad protection for DLL distribution

Conclusion Addresses root cause of buffer overflow exploits Predictable location of data Generic mechanism providing wide range of applications Causes attacker to start from scratch for each system attack Slows the spread of self-replicating attacks

Strengths Developed and analyzed range of transformations that can be implemented with low runtime overheads Permits randomization of variable and routine locations Protects against a wide range of attacks Easily applied to existing code, selective applications

Weaknesses Transformation time randomizations introduce opportunity for local attacker Adding jump instructions to skip over inserted gaps within routines would provide more information to attacker Programs have to be periodically re- obfuscated because some randomizations have been fixed at transformation times Vulnerable to some specially crafted attacks in current implementation

Future Work Further implementation of described transformations Improve randomization at binary level Tool to work with existing binaries Add information section to binary Move towards randomizing at start of program execution and continuously changing during execution to avoid necessity of re-obfuscation