Presentation is loading. Please wait.

Presentation is loading. Please wait.

Remix: On-demand Live Randomization

Published byMichael Stewart Modified over 6 years ago

Similar presentations

Presentation on theme: "Remix: On-demand Live Randomization"— Presentation transcript:

1 Remix: On-demand Live Randomization
Yue Chen, Zhi Wang, David Whalley, Long Lu* Florida State University, Stony Brook University*

2 Background Buffer Overflow -> Code Injection Attack

3 Background Buffer Overflow -> Code Injection Attack
Defense: Data Execution Prevention (DEP) Write XOR Execute: a block (page) of memory cannot be marked as both writable and executable at the same time.

4 Background Buffer Overflow -> Code Injection Attack
Defense: Data Execution Prevention (DEP) Write XOR Execute: a block (page) of memory cannot be marked as both writable and executable at the same time. Return-oriented Programming (ROP) Attack Discover gadgets from existing code, and chain them by ret instructions Can be Turing complete

5 Code Reuse Attack Existing Code Chained Gadgets

6 ROP Defense Strategy ROP is one example of a broad class of attacks that require attackers to know or predict the locations of binary features.

7 ROP Defense Strategy Defense Goal
ROP is one example of a broad class of attacks that require attackers to know or predict the locations of binary features. Defense Goal Frustrate such attacks by randomizing feature space, or remove features

8 Address Space Layout Randomization
ASLR Address Space Layout Randomization Library1 Library1 Executable Executable First-time Second-time

9 ASLR - Problem Pointer Leak Library1 Executable

10 ASLR - Problem Pointer Leak De-randomized Library1 Executable

11 ASLR - Problem Brute force attacks are still possible (When the entropy is small. E.g., 32-bit systems.) Randomized only once.

12 Goal Live randomization during runtime
Finer-grained randomization unit Low performance overhead Highly composable  Can and should be combined with other defenses (traditional ASLR, function randomization, etc.) 

13 Live basic block (BB) (re-)randomization
Remix Live basic block (BB) (re-)randomization within functions A basic block is a straight-line code without jumps in or out of the middle of the block.

14 Remix Live basic block (BB) (re-)randomization within functions
Advantages: No function pointer migration Good spatial locality A basic block is a straight-line code without jumps in or out of the middle of the block.

15 Remix Function A Basic Block 1 Basic Block 2 Basic Block 3
Space for Alignment Other Functions

16 Remix Function A Function A Basic Block 1 Basic Block 3 Basic Block 2
After 0.46 seconds Basic Block 4 Basic Block 2 Basic Block 5 Basic Block 4 Space for Alignment Basic Block 1 Other Functions Other Functions

17 Remix Function A Function A Function A Basic Block 1 Basic Block 3
After 0.46 seconds After 2.13 seconds Basic Block 4 Basic Block 2 Basic Block 5 Basic Block 1 Basic Block 4 Space for Alignment Basic Block 4 Basic Block 1 Other Functions Other Functions Other Functions

18 Challenges Chain randomized basic blocks together
Need extra space to chain basic blocks Need to update instructions Stale pointer migration

19 Extra Space Case 1: Extra Jmp
(1) At the beginning of a function Jmp to BB1 Basic Block 3 Basic Block 2 Basic Block 1

20 Extra Space Case 1: Extra Jmp
(1) At the beginning of a function (2) At the end of a basic block that does not end with an instruction like jmp/ret Jmp to BB1 Basic Block 3 mov … add … Basic Block 2 mov … add … jle … Basic Block 1

21 Extra Space Case 2: Larger Displacement
Before Remix Basic Block 1 Jump to BB3 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5

22 Extra Space Case 2: Larger Displacement
Before Remix After Remix Basic Block 1 Basic Block 1 Jump to BB3 Jump to BB3 Basic Block 2 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 4 Basic Block 5 Basic Block 5 Basic Block 3

23 Extra Space Case 2: Larger Displacement
Before Remix After Remix Basic Block 1 Basic Block 1 Jump to BB3 Jump to BB3 Basic Block 2 Basic Block 2 One-byte displacement: jmp +0x10 Basic Block 3 Basic Block 4 Basic Block 4 Four-byte displacement: jmp +0x Basic Block 5 Basic Block 5 Basic Block 3

24 Extra Space Solution With Source Code: 1. Insert an extra 5-byte NOP
Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement Enough Space Guaranteed!

25 Extra Space Solution With Source Code: Without Source Code:
Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement Enough Space Guaranteed! Without Source Code: Leverage existing NOP paddings: Function alignment Loop alignment Can insert random bytes into NOP space after randomization, making attack even harder.

26 Instruction Update Q: Which instructions need updating ? A: Control-flow related ones, to adjust displacement

27 Instruction Update Two-step update (e.g., unconditional direct jmp):
Step one: Jumps to original address of BB 3 Step two: Jumps to current address of BB 3 Original After BB reordering Basic Block 1 Basic Block 3 Basic Block 3 Basic Block 3 Basic Block 2 jmp Basic Block 2 Basic Block 2 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 1 Basic Block 1

28 Instruction Update Direct call: step-one update
Indirect call: no update needed Direct jump: step-one and step-two update Indirect jump: discussed later PC-relative addressing: step-one update

29 Indirect Jump Jump to functions – unchanged PLT/GOT Tail/Sibling Call
Jump to basic blocks – see next

30 Basic Block Pointer Conversion
Why? Migrate stale pointers to basic blocks, to ensure correctness

31 Basic Block Pointer Conversion
Why? Migrate stale pointers to basic blocks, to ensure correctness Where? Return address Jump table (switch/case) Saved context (e.g., setjmp/longjmp) Kernel exception table

32 Illustration - Return Address
main Call Foo Return Site Foo

33 Illustration - Return Address
main Call Foo Return Site Foo

34 Illustration - Return Address
main Call Foo Return Site Foo

35 Optimization To Speed up the randomization procedure:
Pre-store the required information Basic block information (e.g., locations) Code/data that need updating

36 Optimization To speed up execution: Probabilistic loop bundling
Basic Block 1 Basic Block 2 Loop Basic Block 3 Basic Block 4 Basic Block 5

37 Optimization To speed up execution: Probabilistic loop bundling
Basic Block 1 Basic Block 1 Basic Block 2 Bundled BB Loop Bundle Basic Block 3 Basic Block 4 Basic Block 4 Basic Block 5 Basic Block 5

38 Optimization To speed up execution: Probabilistic loop bundling
Basic Block 1 Basic Block 1 Bundled BB Basic Block 2 Bundled BB Loop Bundle Randomize Basic Block 3 Basic Block 1 Basic Block 4 Basic Block 4 Basic Block 5 Basic Block 5 Basic Block 5 Basic Block 4

39 The bundling layout is different from time to time. – Unpredictable!
Optimization To speed up execution: Probabilistic loop bundling Basic Block 1 Basic Block 1 Bundled BB Basic Block 2 Bundled BB Loop Bundle Randomize Basic Block 3 Basic Block 1 Basic Block 4 Basic Block 4 Basic Block 5 Basic Block 5 Basic Block 5 Basic Block 4 The bundling layout is different from time to time. – Unpredictable!

40 Implementation Can work on source code using a slightly modified LLVM, or work directly on binaries.  Can work on Linux user-space applications, and FreeBSD kernel modules.

41 Evaluation - Security Finer-grained randomization:
Adds about four bits of entropy to each instruction. Live randomization during runtime: Destroy discovered gadgets immediately after each re-randomization. Software Apache nginx lighttpd Average Basic Block Number per Function 15.3 18.8 14.4 Average NOP Space (bytes) per Function 19.3 26.2 22.1 Want more entropy? – Insert more NOP space!

42 Evaluation - Performance
SPEC CPU 2006 Performance Overhead (randomized once)

43 Evaluation - Performance
SPEC CPU 2006 Size Increase

44 Evaluation - Performance
Randomization Time Interval Apache Web Server Performance Overhead (by ApacheBench) Performance depends on hardware speed. Randomization time interval can be random !

45 Evaluation - Performance
Randomization Time Interval ReiserFS Performance Overhead (by IOZone) Performance depends on hardware speed. Randomization time interval can be random !

46 Q&A

Download ppt "Remix: On-demand Live Randomization"

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin

Richard Wartell, Vishwath Mohan, Dr. Kevin Hamlen, Dr. Zhiqiang Lin
PRESENTED BY: © Mandiant Corporation. All rights reserved. X86 Binary Rewriting Many Binaries. Such Secure. Wow. Richard Wartell 06/29/14.

PRESENTED BY: © Mandiant Corporation. All rights reserved. X86 Binary Rewriting Many Binaries. Such Secure. Wow. Richard Wartell 06/29/14.
Moving Target Defense in Cyber Security

Moving Target Defense in Cyber Security
University of VirginiaDARPA SRS - 27 Jan 20051 Effectiveness of Instruction Set Randomization Ana Nora Sovarel and David Evans DARPA SRS – Genesis Project.

University of VirginiaDARPA SRS - 27 Jan Effectiveness of Instruction Set Randomization Ana Nora Sovarel and David Evans DARPA SRS – Genesis Project.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Framing Signals— A Return to Portable Shellcode

Framing Signals— A Return to Portable Shellcode
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.

@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Address Space Layout Permutation

Address Space Layout Permutation
On the Effectiveness of Address-Space Randomization CS6V81 - 005 Brian Ricks and Vasundhara Chimmad.

On the Effectiveness of Address-Space Randomization CS6V Brian Ricks and Vasundhara Chimmad.

Similar presentations

Ads by Google