Abstract
Address Space Layout Randomization (ASLR) is a widely used technique for the prevention of code reuse attacks. The basic concept of ASLR is to randomize the base address of executable modules at load time. Changing the load address of modules is also often needed for resolving conflicts among shared libraries with the same preferred base address. In Windows, loading a module at an arbitrary address depends on compiler-generated relocation information, which specifies the absolute code or data addresses in the module that must be adjusted due to the module’s relocation at a non-preferred base address. Relocation information, however, is often stripped from production builds of legacy software, making it more susceptible to code-reuse attacks, as ASLR is not an option.
In this paper, we introduce a technique to enable ASLR for executables with stripped relocation information by incrementally adjusting stale absolute addresses at runtime. The technique relies on runtime monitoring of memory accesses and control flow transfers to the original location of a relocated module using page table manipulation techniques. Depending on the instruction and memory access type, the system identifies stale offsets, reconstructs their relocation information, and adjusts them so that subsequent accesses to the same locations proceed directly, without any intervention. To improve performance further, the reconstructed relocation information is preserved across subsequent runs of the same program. We have implemented a prototype of the proposed technique for Windows XP, which is transparently applicable to third-party stripped binaries, and have experimentally evaluated its performance and effectiveness. Our results demonstrate that incremental runtime relocation patching is practical, incurs modest runtime overhead for initial runs of protected programs, and has negligible overhead on subsequent runs.
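The incremental patching loop described above, reduced to a model as an added example that is not code from the paper's prototype: a 32-bit module whose image still encodes its preferred base is mapped at a different base, a pointer that resolves into the old (now unmapped) range stands in for the page-fault trap, the slot holding it is adjusted and its RVA recorded, and the recorded RVAs are serialized in the PE IMAGE_BASE_RELOCATION block format so that a later run can apply them before any trap occurs. The slot RVA is handed in directly; the prototype has to derive it from the faulting instruction, which this model does not attempt, and the class and function names are my own.

```python
import struct

IMAGE_REL_BASED_HIGHLOW = 3   # entry type: 32-bit absolute address, add the full delta

def build_reloc_section(rvas):
    # Group reconstructed slot RVAs into PE IMAGE_BASE_RELOCATION blocks, one per 4 KiB page
    pages = {}
    for rva in sorted(set(rvas)):
        pages.setdefault(rva & ~0xFFF, []).append(rva & 0xFFF)
    out = bytearray()
    for page_rva, offs in sorted(pages.items()):
        entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | o for o in offs]
        if len(entries) % 2:              # pad with an ABSOLUTE (type 0) entry so that
            entries.append(0)             # SizeOfBlock stays a multiple of 4
        out += struct.pack('<II', page_rva, 8 + 2 * len(entries))
        out += struct.pack('<%dH' % len(entries), *entries)
    return bytes(out)

def parse_reloc_section(data):
    # Inverse of build_reloc_section: the RVAs of every HIGHLOW entry
    rvas, pos = [], 0
    while pos + 8 <= len(data):
        page_rva, size = struct.unpack_from('<II', data, pos)
        if size < 8: break                # malformed block: stop instead of looping
        for (e,) in struct.iter_unpack('<H', data[pos + 8:pos + size]):
            if e >> 12 == IMAGE_REL_BASED_HIGHLOW:
                rvas.append(page_rva + (e & 0xFFF))
        pos += size
    return rvas

class RelocatedModule:
    # A module mapped at actual_base whose bytes still encode preferred_base addresses
    def __init__(self, size, slots, preferred_base, actual_base):
        self.image = bytearray(size)      # constructed image: zeros plus absolute pointers
        for rva, ptr in slots.items(): struct.pack_into('<I', self.image, rva, ptr)
        self.delta = actual_base - preferred_base
        self.stale = range(preferred_base, preferred_base + size)
        self.reconstructed = set()        # relocation info rebuilt so far
    def patch(self, slot_rva):            # adjust one slot and record its RVA
        val, = struct.unpack_from('<I', self.image, slot_rva)
        struct.pack_into('<I', self.image, slot_rva, (val + self.delta) & 0xFFFFFFFF)
        self.reconstructed.add(slot_rva)
    def apply_relocs(self, reloc_bytes):  # later run: patch every known slot up front
        for rva in parse_reloc_section(reloc_bytes): self.patch(rva)
    def deref(self, slot_rva):            # a pointer into the old range is the trap
        ptr, = struct.unpack_from('<I', self.image, slot_rva)
        if ptr in self.stale:             # old location is unmapped: page fault
            self.patch(slot_rva)          # fix once; later accesses go straight through
            ptr = (ptr + self.delta) & 0xFFFFFFFF
        return ptr
```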
© 2014 Springer International Publishing Switzerland
Pappas, V., Polychronakis, M., Keromytis, A.D. (2014). Dynamic Reconstruction of Relocation Information for Stripped Binaries. In: Stavrou, A., Bos, H., Portokalidis, G. (eds) Research in Attacks, Intrusions and Defenses. RAID 2014. Lecture Notes in Computer Science, vol 8688. Springer, Cham. https://doi.org/10.1007/978-3-319-11379-1_4
DOI: https://doi.org/10.1007/978-3-319-11379-1_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11378-4
Online ISBN: 978-3-319-11379-1
eBook Packages: Computer Science; Computer Science (R0)