
University of Virginia, DARPA SRS - 27 Jan 2005. Effectiveness of Instruction Set Randomization. Ana Nora Sovarel and David Evans, DARPA SRS – Genesis Project.

Presentation transcript:

Slide 1: Effectiveness of Instruction Set Randomization
Ana Nora Sovarel and David Evans
DARPA SRS – Genesis Project, University of Virginia, Department of Computer Science
Where's the FEEB?

Slide 2: How secure is ISR?
- Shacham et al. [CCS 2004] presented a brute force attack on memory address space randomization
  – 24-bit effective key space
- Can a similar attack be constructed against instruction set randomization?
  – Larger key space (32 bits – 4K bytes)
  – Need to attack in fragments
  – Need a way to tell if a fragment guess is correct

Slide 3: Answer
- Slows down an attack about 26 minutes
- Under the right circumstances…

Slide 4: Requirements
- Need a vulnerability
  – Any buffer overflow vulnerability will do
  – Must know the exact memory location
- Must be able to crash the server (lots of times) without re-randomization
  – Possible if the server handles requests by forking processes (e.g., Apache)
- Need to know if the server crashes
  – Socket open between attack client and server
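The second requirement (many crashed forked workers under one key, while the parent keeps serving) is also the defender's signal. As an added example, not part of the slides and not code from RISE, the Python below parses Apache-style child-crash lines (constructed sample lines, written in the Apache 1.3/2.0 error_log format) and flags a burst of segmentation faults inside a short window, which is the condition under which the re-randomize-and-restart response proposed later in the talk would be triggered. The threshold, the window length and the sample timestamps are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample error_log lines in the Apache 1.3/2.0 format (not taken from the slides).
# A forking server that keeps one ISR key across children lets a guesser crash child after
# child while the parent keeps serving, so this burst is the only visible trace.
SAMPLE_LOG = """\
[Thu Jan 27 10:00:00 2005] [notice] Apache configured -- resuming normal operations
[Thu Jan 27 10:00:01 2005] [notice] child pid 2101 exit signal Segmentation fault (11)
[Thu Jan 27 10:00:01 2005] [notice] child pid 2102 exit signal Segmentation fault (11)
[Thu Jan 27 10:00:02 2005] [notice] child pid 2103 exit signal Segmentation fault (11)
[Thu Jan 27 10:00:02 2005] [notice] child pid 2104 exit signal Segmentation fault (11)
[Thu Jan 27 10:00:03 2005] [notice] child pid 2105 exit signal Segmentation fault (11)
[Thu Jan 27 10:05:00 2005] [notice] child pid 2150 exit signal Segmentation fault (11)
"""

CRASH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal (?P<signame>[A-Za-z ]+) \((?P<signum>\d+)\)"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_crashes(log_text):
    """Return (timestamp, pid, signal number) for every child-crash line."""
    events = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
            events.append((ts, int(m.group("pid")), int(m.group("signum"))))
    return events


def detect_crash_bursts(events, threshold=4, window_seconds=10):
    """Sliding-window counter over crash timestamps (threshold and window are assumed).

    Returns one (timestamp, count) alert per burst: when `threshold` crashes land
    inside `window_seconds`, report it and clear the window, so a long guessing run
    yields one alert per burst rather than one alert per crash.
    """
    window = deque()
    alerts = []
    span = timedelta(seconds=window_seconds)
    for ts, _pid, _signum in sorted(events):
        window.append(ts)
        while window and ts - window[0] > span:
            window.popleft()
        if len(window) >= threshold:
            alerts.append((ts, len(window)))
            window.clear()
    return alerts


if __name__ == "__main__":
    crashes = parse_crashes(SAMPLE_LOG)
    for when, count in detect_crash_bursts(crashes):
        print(f"{when}: {count} child crashes within 10s; re-randomize and restart the server")
```

On the sample, the four crashes between 10:00:01 and 10:00:02 raise one alert and the lone crash at 10:05:00 does not. Tying the re-key to a burst rather than to every single crash is what keeps the response from becoming the denial-of-service lever the Solutions slide warns about.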

Slide 5: Jump Attack: Make Infinite Loop
[Diagram: vulnerable buffer; overwritten return address; injected bytes 0xEB (Jump) 0xFE (-2); unknown masks; correct guess]
- Guessing first 2 byte masks: 2^16 possibilities
- Need about 2^12 guesses to learn first 2 bytes

Slide 6: Incremental Jump Attack
[Diagram: vulnerable buffer; overwritten return address; 0xEB (Jump) 0xFE (-2); unknown masks; correct guess (guessing first 2 byte masks). Second diagram: overwritten return address; 0xCD (INT), 0xEB (Jump) 0xFE (-2); guessed masks]
- Guessing additional byte masks: < 256 attempts

Slide 7: False Positives – Bad News
- Incorrect guesses might produce the same behavior as the correct guess
  – Injected bytes demask to an instruction that produces indistinguishable behavior (e.g., a conditional jump instruction often behaves like a jump)
  – Injected bytes demask to a "harmless" instruction, and the subsequently executed instruction is (or behaves like) the correct guess
- One incorrect mask guess will probably disrupt attack code

Slide 8: False Positives – Good News
- Can distinguish the correct mask using other instructions
- Try using the guessed mask to inject a harmless one-byte instruction
[Diagram: overwritten return address; 0x90 (NOP) 0xEB (Jump) 0xFE (-2); guessed masks]

Slide 9: False Positives – Better News
- Structure of false positives can be used to make guessing more efficient
  – Conditional jump instructions (e.g., JP/JNP)
  – Opcodes 0x70-0x7E are all conditional jumps
  – All are complementary pairs: if 0x7(0bxyz0) is not taken, then 0x7(0bxyz1) is taken!
- 32 guesses that try all values of the first 4 bits and the last bit always find an infinite loop
  – Need more guesses to determine the correct mask
- Need up to 2^(5+8) guesses to get first 2 bytes

Slide 10: Scaling the Attack
- Once we have learned enough masks:
  – Use a near jump to the return location instead of creating infinite loops
  – Fill subsequent instructions with 0xCD bytes: 0xCD 0xCD is an interrupt instruction guaranteed to crash
- Package attack code: don't need to obtain enough masks to hold the entire worm, just enough to hold a decrypting micro-VM

Slide 11: Extended Attack
[Diagram: overwritten return address; guessed masks; 0xE9 (Near Jump) with 32-bit offset (to jump to original return address); 0xCD (INT) "Crash Zone"; 0xEB (Jump) 0x06]
- Expected work: < 16 attempts to find first jumping instruction
- ~ 8 attempts to determine correct mask

Slide 12: Experiments
- Implemented attack against a constructed vulnerable server protected with RISE [Barrantes et al., 2003]
  – Memory space randomization works! Turned off Fedora's address space randomization
  – Needed to modify RISE to ensure separate processes use the same randomization key (other proposed ISR implementations wouldn't need this)
- Able to obtain correct key most of the time
  – 8 bytes: 99%
  – 1024 bytes: 85%

Slide 13: Results
[Chart: average number of attempts vs. key bytes acquired (log scale: 2, 8, 16, 64, 1024); series: Jump Attack, Return Attack]
- < 31,000 attempts (26 minutes) to acquire 1024 key bytes
- 255 attempts (50 seconds) to get first byte
- Jump Attack:
  – First 2 bytes: 2027 attempts / byte
  – Next 14 bytes: 222 attempts / byte
  – Next 1008 bytes: 23.25 attempts / byte

Slide 14: Solutions
- Attack depends on being able to determine the key from one known ciphertext-(likely) plaintext pair (trivial with XOR)
  – Use a block cipher or permute the ISA to make this hard
  – Strata's fragment cache makes this possible
- Attack depends on being able to launch multiple attack attempts against the same key
  – Re-randomize and restart after any process crash (enables easy denial-of-service)
  – Re-randomize frequently (without restarting)
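To make the first point concrete, here is a toy model added as an example; it is not code from the slides, from RISE or from Strata. It contrasts a per-byte XOR mask, where one known plaintext/ciphertext pair yields the mask and every further byte can be confirmed on its own, with a keyed permutation of whole 2-byte blocks standing in for a block cipher, where a guess gives no signal until the entire block decodes correctly. The key bytes, the seed and the 2-byte block size are assumptions; the target bytes are the 0xEB 0xFE jump and the 0xCD filler from the slides.

```python
import random

# Toy model of the two mask designs compared on the Solutions slide. Added example, not
# code from the slides, RISE or Strata. KEY, SEED and BLOCK_BYTES are assumptions.
KEY = bytes([0x5A, 0xC3, 0x11, 0x2F])        # assumed per-byte XOR key
SEED = 2005                                  # assumed seed for the keyed permutation
BLOCK_BYTES = 2
TARGET = bytes([0xEB, 0xFE, 0xCD, 0xCD])     # JMP -2 loop followed by INT filler (slides)


def xor_encode(key, code):
    """Per-byte XOR mask: the design the incremental attack targets."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(code))


xor_decode = xor_encode  # XOR is its own inverse


def recover_xor_mask(plain, cipher):
    """With XOR, one known plaintext/ciphertext pair gives the mask outright."""
    return bytes(p ^ c for p, c in zip(plain, cipher))


def keyed_block_permutation(seed, block_bytes=BLOCK_BYTES):
    """Keyed bijection on whole blocks, a stand-in for a block cipher over
    block_bytes-sized fragments. Returns (encode table, decode table)."""
    size = 1 << (8 * block_bytes)
    forward = list(range(size))
    random.Random(seed).shuffle(forward)
    inverse = [0] * size
    for plain, enc in enumerate(forward):
        inverse[enc] = plain
    return forward, inverse


def xor_incremental_attempts(key, target):
    """Oracle: does the injected prefix decode to the wanted bytes? Under XOR the
    confirmed bytes stay fixed and only the next byte is searched, so the cost is
    at most 256 per byte and grows linearly with the number of key bytes."""
    confirmed = bytearray()
    attempts = 0
    for i in range(len(target)):
        for guess in range(256):
            attempts += 1
            candidate = bytes(confirmed) + bytes([guess])
            if xor_decode(key, candidate) == target[: i + 1]:
                confirmed.append(guess)
                break
    return attempts


def block_search_attempts(inverse, target, block_bytes=BLOCK_BYTES):
    """Same oracle against whole-block masking: there is no partial signal, so each
    block costs up to 2^(8*block_bytes) guesses instead of 256*block_bytes."""
    attempts = 0
    for off in range(0, len(target), block_bytes):
        want = int.from_bytes(target[off:off + block_bytes], "big")
        for guess in range(len(inverse)):
            attempts += 1
            if inverse[guess] == want:
                break
    return attempts


def compare_costs(key=KEY, seed=SEED, target=TARGET):
    """Return the guess counts the two designs demand for the same target bytes."""
    _, inverse = keyed_block_permutation(seed)
    return {
        "xor_bytes": len(target),
        "xor_attempts": xor_incremental_attempts(key, target),
        "block_attempts": block_search_attempts(inverse, target),
        "block_worst_case": (len(target) // BLOCK_BYTES) * (1 << (8 * BLOCK_BYTES)),
    }


if __name__ == "__main__":
    enc = xor_encode(KEY, TARGET)
    print("mask recovered from one known pair:", recover_xor_mask(TARGET, enc).hex())
    print(compare_costs())
```

The model idealizes the oracle: on the slides the whole 2-byte jump has to be in place before the infinite loop is observable, so the XOR cost for the first fragment is understated here. What the model isolates is the per-byte confirmation signal, which is what lets the attack's cost grow linearly with key length under XOR and which a block-level mask removes; the second mitigation on the slide, re-keying between attempts, attacks the same property from the other side by making confirmed bytes worthless after a re-randomization.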

Slide 15: GENESIS: A Framework For Achieving Component Diversity
http://www.cs.virginia.edu/genesis
John Knight, Jack Davidson, David Evans, Anh Nguyen-Tuong; Adrian Filipi, Jonathan Rowanhill, Michael Crane, Wei Hu, Jeffrey Shirley, Ana Nora Sovarel, Dan Williams (University of Virginia); Chenxi Wang (Carnegie Mellon University)

