A Practical Approach for Adaptive Data Structure Layout Randomization

  • Ping Chen
  • Jun Xu (corresponding author)
  • Zhiqiang Lin
  • Dongyan Xu
  • Bing Mao
  • Peng Liu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9326)


Attackers often corrupt data structures to compromise software systems. Data structure layout randomization has been proposed as a countermeasure. Unfortunately, existing techniques require manual designation of the randomizable data structures, do not guarantee correctness, and keep the chosen layout fixed at runtime. We present a system, called SALADS, that automatically translates a program into a DSSR (Data Structure Self-Randomizing) program. At runtime, a DSSR program autonomously randomizes the layout of each security-sensitive data structure by itself. DSSR programs regularly re-randomize a data structure once it has been accessed several times since its last randomization. More importantly, DSSR programs automatically determine the randomizability of each instance and randomize each instance independently. We have implemented SALADS on top of gcc-4.5.0 and generated DSSR user-level applications, OS kernels, and hypervisors. Our experiments show that DSSR programs defeat a wide range of attacks with reasonable performance overhead.
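The abstract describes three runtime behaviours of a DSSR program: a security-sensitive data structure is laid out differently per instance, every access goes through the current layout, and the layout is reshuffled after a number of accesses. The following hand-written C is an added example, not SALADS code or output of its gcc transformation: it models one structure whose logical fields are reached through a per-instance slot map, with a Fisher-Yates reshuffle after a fixed access count. The field names (`F_UID`, `F_IS_ADMIN`, `F_SESSION`), the access threshold, and the xorshift64 generator are assumptions made for the illustration; SALADS generates this kind of indirection automatically at compile time rather than relying on hand-written accessors.

```c
#include <stdint.h>
#include <string.h>

/* Added example (not SALADS code): a hand-written "self-randomizing" record
 * that mimics what a DSSR program does for one security-sensitive data
 * structure. Logical fields are addressed through a per-instance slot map,
 * and the map is reshuffled after REROLL_THRESHOLD accesses. Field count,
 * field names and threshold are constructed values for illustration. */
#define NFIELDS 3
#define REROLL_THRESHOLD 4
#define FIELD_SIZE sizeof(uint64_t)

enum { F_UID = 0, F_IS_ADMIN = 1, F_SESSION = 2 }; /* constructed field names */

typedef struct {
    uint8_t  storage[NFIELDS * FIELD_SIZE]; /* raw bytes holding the fields */
    uint8_t  slot_of[NFIELDS];              /* logical field -> physical slot */
    unsigned accesses;                      /* accesses since last randomization */
    uint64_t rng;                           /* per-instance PRNG state (xorshift64) */
} dssr_record;

static uint64_t next_rand(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

/* Fisher-Yates shuffle of the logical->physical slot map. */
static void shuffle_slots(dssr_record *r)
{
    for (int i = NFIELDS - 1; i > 0; i--) {
        int j = (int)(next_rand(&r->rng) % (uint64_t)(i + 1));
        uint8_t t = r->slot_of[i]; r->slot_of[i] = r->slot_of[j]; r->slot_of[j] = t;
    }
}

static uint8_t *slot_ptr(dssr_record *r, int field)
{
    return r->storage + r->slot_of[field] * FIELD_SIZE;
}

/* Re-randomize: read every logical field, pick a fresh permutation, write the
 * values back to their new physical slots. Semantics are preserved because
 * every access goes through the slot map. */
void dssr_rerandomize(dssr_record *r)
{
    uint64_t vals[NFIELDS];
    for (int f = 0; f < NFIELDS; f++) memcpy(&vals[f], slot_ptr(r, f), FIELD_SIZE);
    shuffle_slots(r);
    for (int f = 0; f < NFIELDS; f++) memcpy(slot_ptr(r, f), &vals[f], FIELD_SIZE);
    r->accesses = 0;
}

/* Each instance gets its own seed, so two instances get independent layouts. */
void dssr_init(dssr_record *r, uint64_t seed)
{
    memset(r, 0, sizeof *r);
    r->rng = seed ^ 0x9E3779B97F4A7C15ULL;   /* keep xorshift out of the all-zero state */
    for (int f = 0; f < NFIELDS; f++) r->slot_of[f] = (uint8_t)f;
    shuffle_slots(r);                          /* initial per-instance layout */
}

static void count_access(dssr_record *r)
{
    if (++r->accesses >= REROLL_THRESHOLD) dssr_rerandomize(r);
}

uint64_t dssr_get(dssr_record *r, int field)
{
    uint64_t v;
    memcpy(&v, slot_ptr(r, field), FIELD_SIZE);
    count_access(r);
    return v;
}

void dssr_set(dssr_record *r, int field, uint64_t v)
{
    memcpy(slot_ptr(r, field), &v, FIELD_SIZE);
    count_access(r);
}

/* Check that field values survive many re-randomizations; returns 1 on success. */
int dssr_values_stable(uint64_t seed, int rounds)
{
    dssr_record r;
    dssr_init(&r, seed);
    dssr_set(&r, F_UID, 1000);
    dssr_set(&r, F_IS_ADMIN, 0);
    dssr_set(&r, F_SESSION, 0xC0FFEE);
    for (int i = 0; i < rounds; i++) {
        if (dssr_get(&r, F_UID) != 1000) return 0;
        if (dssr_get(&r, F_IS_ADMIN) != 0) return 0;
        if (dssr_get(&r, F_SESSION) != 0xC0FFEE) return 0;
    }
    return 1;
}

/* Access counter observed after exactly n accesses (0 right after a reroll). */
unsigned dssr_counter_after(int n)
{
    dssr_record r;
    dssr_init(&r, 7);
    for (int i = 0; i < n; i++) dssr_get(&r, F_UID);
    return r.accesses;
}
```

The point of the accessor indirection is that a write which assumes a fixed offset for `F_IS_ADMIN` (the classic data-structure corruption the abstract refers to) lands in an unpredictable slot that also moves as the instance is used, while legitimate code, which always goes through the slot map, sees stable values. `dssr_values_stable` exercises that property across many rerolls, and `dssr_counter_after` shows the threshold-driven reset.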



This work was supported in part by ARO W911NF-13-1-0421 (MURI), NSF CCF-1320605, and NSF CNS-1422594, Chinese National Natural Science Foundation (NSFC 61073027, NSFC 61272078).



Copyright information

© Springer International Publishing Switzerland 2015

Open Access This chapter is licensed under the terms of the Creative Commons Attribution-NonCommercial 2.5 International License, which permits any noncommercial use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Authors and Affiliations

  • Ping Chen (1, 2, 3)
  • Jun Xu (1), corresponding author
  • Zhiqiang Lin (4)
  • Dongyan Xu (3)
  • Bing Mao (2)
  • Peng Liu (1)

  1. College of Information Sciences and Technology, The Pennsylvania State University, State College, USA
  2. State Key Laboratory for Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing, China
  3. Department of Computer Science, Purdue University, West Lafayette, USA
  4. Department of Computer Science, University of Texas at Dallas, Richardson, USA