Building Code Randomization Defenses

  • Lucas Davi
  • Ahmad-Reza Sadeghi
Chapter
Part of the SpringerBriefs in Computer Science book series (BRIEFSCOMPUTER)

Abstract

The basic observation is that an adversary typically generates a single attack vector and aims to compromise as many systems as possible with that same vector (i.e., one attack payload). To mitigate this so-called ultimate attack, Cohen proposes to diversify a software program into multiple, mutually different instances, each of which still preserves the complete semantics of the root software program. The goal is to force the adversary to tailor a specific attack vector/payload for each software instance and computer system, making the attack tremendously expensive.

Keywords

Code Randomization; Memory Page; Translation Lookaside Buffer; Software Diversity; Code Pointer
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. Backes, M., Nürnberger, S.: Oxymoron: making fine-grained memory randomization practical by allowing code sharing. In: Proceedings of the 23rd USENIX Security Symposium (2014). http://dl.acm.org/citation.cfm?id=2671225.2671253
  2. Backes, M., Holz, T., Kollenda, B., Koppe, P., Nürnberger, S., Pewny, J.: You can run but you can’t read: preventing disclosure exploits in executable code. In: Proceedings of the 21st ACM Conference on Computer and Communications Security, CCS’14 (2014). http://doi.acm.org/10.1145/2660267.2660378
  3. Barrantes, E.G., Ackley, D.H., Palmer, T.S., Stefanovic, D., Zovi, D.D.: Randomized instruction set emulation to disrupt binary code injection attacks. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS’03 (2003). http://doi.acm.org/10.1145/948109.948147
  4. Bhatkar, S., DuVarney, D., Sekar, R.: Address obfuscation: an efficient approach to combat a broad range of memory error exploits. In: Proceedings of the 12th USENIX Security Symposium (2003). http://dl.acm.org/citation.cfm?id=1251353.1251361
  5. Bhatkar, S., Sekar, R., DuVarney, D.C.: Efficient techniques for comprehensive protection from memory error exploits. In: Proceedings of the 14th USENIX Security Symposium (2005). http://dl.acm.org/citation.cfm?id=1251398.1251415
  6. Bittau, A., Belay, A., Mashtizadeh, A., Mazières, D., Boneh, D.: Hacking blind. In: Proceedings of the 35th IEEE Symposium on Security and Privacy, SP’14 (2014). http://dx.doi.org/10.1109/SP.2014.22
  7. Cohen, F.B.: Operating system protection through program evolution. Comput. Secur. 12(6), 565–584 (1993). doi:10.1016/0167-4048(93)90054-9
  8. Crane, S., Liebchen, C., Homescu, A., Davi, L., Larsen, P., Sadeghi, A.R., Brunthaler, S., Franz, M.: Readactor: practical code randomization resilient to memory disclosure. In: Proceedings of the 36th IEEE Symposium on Security and Privacy, SP’15 (2015). doi:10.1109/SP.2015.52
  9. Davi, L., Dmitrienko, A., Nürnberger, S., Sadeghi, A.R.: Gadge me if you can: secure and efficient ad-hoc instruction-level randomization for x86 and ARM. In: Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security, ASIACCS’13 (2013). http://doi.acm.org/10.1145/2484313.2484351
  10. Davi, L., Liebchen, C., Sadeghi, A.R., Snow, K.Z., Monrose, F.: Isomeron: code randomization resilient to (just-in-time) return-oriented programming. In: Proceedings of the 22nd Annual Network and Distributed System Security Symposium, NDSS’15 (2015). http://www.internetsociety.org/doc/isomeron-code-randomization-resilient-just-time-return-oriented-programming
  11. Forrest, S., Somayaji, A., Ackley, D.: Building diverse computer systems. In: Proceedings of the 6th Workshop on Hot Topics in Operating Systems (HotOS-VI), HOTOS’97 (1997). http://dl.acm.org/citation.cfm?id=822075.822408
  12. Franz, M.: E unibus pluram: massive-scale software diversity as a defense mechanism. In: Proceedings of the 2010 Workshop on New Security Paradigms, NSPW’10 (2010). http://doi.acm.org/10.1145/1900546.1900550
  13. Fresi Roglia, G., Martignoni, L., Paleari, R., Bruschi, D.: Surgically returning to randomized lib(c). In: Proceedings of the 25th Annual Computer Security Applications Conference, ACSAC’09 (2009). http://dx.doi.org/10.1109/ACSAC.2009.16
  14. gera: Advances in format string exploitation. Phrack Mag. 59(12) (2002). http://www.phrack.com/issues.html?issue=59&id=7
  15. Gionta, J., Enck, W., Ning, P.: HideM: protecting the contents of userspace memory in the face of disclosure vulnerabilities. In: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, CODASPY’15 (2015). http://doi.acm.org/10.1145/2699026.2699107
  16. Giuffrida, C., Kuijsten, A., Tanenbaum, A.S.: Enhanced operating system security through efficient and fine-grained address space randomization. In: Proceedings of the 21st USENIX Security Symposium (2012). http://dl.acm.org/citation.cfm?id=2362793.2362833
  17. Gupta, A., Kerr, S., Kirkpatrick, M., Bertino, E.: Marlin: a fine-grained randomization approach to defend against ROP attacks. In: Network and System Security. Lecture Notes in Computer Science, vol. 7873 (2013). http://dx.doi.org/10.1007/978-3-642-38631-2_22
  18. Hiser, J.D., Nguyen-Tuong, A., Co, M., Hall, M., Davidson, J.W.: ILR: where’d my gadgets go? In: Proceedings of the 33rd IEEE Symposium on Security and Privacy, SP’12 (2012). http://dx.doi.org/10.1109/SP.2012.39
  19. Homescu, A., Brunthaler, S., Larsen, P., Franz, M.: Librando: transparent code randomization for just-in-time compilers. In: Proceedings of the 20th ACM Conference on Computer and Communications Security, CCS’13 (2013). http://doi.acm.org/10.1145/2508859.2516675
  20. Homescu, A., Neisius, S., Larsen, P., Brunthaler, S., Franz, M.: Profile-guided automated software diversity. In: Proceedings of the 2013 IEEE/ACM International Symposium on Code Generation and Optimization, CGO’13 (2013). http://dx.doi.org/10.1109/CGO.2013.6494997
  21. Jackson, T., Salamat, B., Homescu, A., Manivannan, K., Wagner, G., Gal, A., Brunthaler, S., Wimmer, C., Franz, M.: Compiler-generated software diversity. In: Moving Target Defense. Advances in Information Security, vol. 54. Springer, New York (2011). http://dx.doi.org/10.1007/978-1-4614-0977-9_4
  22. Jackson, T., Homescu, A., Crane, S., Larsen, P., Brunthaler, S., Franz, M.: Diversifying the software stack using randomized NOP insertion. In: Moving Target Defense II. Advances in Information Security, vol. 100. Springer, New York (2013). http://dx.doi.org/10.1007/978-1-4614-5416-8_8
  23. Kc, G.S., Keromytis, A.D., Prevelakis, V.: Countering code-injection attacks with instruction-set randomization. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS’03 (2003). http://doi.acm.org/10.1145/948109.948146
  24. Kil, C., Jun, J., Bookholt, C., Xu, J., Ning, P.: Address space layout permutation (ASLP): towards fine-grained randomization of commodity software. In: Proceedings of the 22nd Annual Computer Security Applications Conference, ACSAC’06 (2006). http://dx.doi.org/10.1109/ACSAC.2006.9
  25. Larsen, P., Homescu, A., Brunthaler, S., Franz, M.: SoK: automated software diversity. In: Proceedings of the 35th IEEE Symposium on Security and Privacy, SP’14 (2014). http://dx.doi.org/10.1109/SP.2014.25
  26. Liu, L., Han, J., Gao, D., Jing, J., Zha, D.: Launching return-oriented programming attacks against randomized relocatable executables. In: Proceedings of the 10th International Conference on Trust, Security and Privacy in Computing and Communications, TRUSTCOM’11 (2011). http://dx.doi.org/10.1109/TrustCom.2011.9
  27. Pappas, V., Polychronakis, M., Keromytis, A.D.: Smashing the gadgets: hindering return-oriented programming using in-place code randomization. In: Proceedings of the 33rd IEEE Symposium on Security and Privacy, SP’12 (2012). http://dx.doi.org/10.1109/SP.2012.41
  28. PaX Team: PaX address space layout randomization (ASLR). http://pax.grsecurity.net/docs/aslr.txt
  29. Serna, F.J.: CVE-2012-0769, the case of the perfect info leak (2012). http://zhodiac.hispahack.com/my-stuff/security/Flash_ASLR_bypass.pdf
  30. Shacham, H., Jin Goh, E., Modadugu, N., Pfaff, B., Boneh, D.: On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS’04 (2004). http://doi.acm.org/10.1145/1030083.1030124
  31. Snow, K.Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., Sadeghi, A.R.: Just-in-time code reuse: on the effectiveness of fine-grained address space layout randomization. In: Proceedings of the 34th IEEE Symposium on Security and Privacy, SP’13 (2013). http://dx.doi.org/10.1109/SP.2013.45. Received the Best Student Paper Award
  32. Sotirov, A., Dowd, M.: Bypassing browser memory protections in Windows Vista (2008). http://www.phreedom.org/research/bypassing-browser-memory-protections/. Presented at Black Hat 2008
  33. Sovarel, A.N., Evans, D., Paul, N.: Where’s the FEEB? The effectiveness of instruction set randomization. In: Proceedings of the 14th USENIX Security Symposium (2005). http://dl.acm.org/citation.cfm?id=1251398.1251408
  34. Wartell, R., Mohan, V., Hamlen, K.W., Lin, Z.: Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In: Proceedings of the 19th ACM Conference on Computer and Communications Security, CCS’12 (2012). http://doi.acm.org/10.1145/2382196.2382216
  35. Weiss, Y., Barrantes, E.G.: Known/chosen key attacks against software instruction set randomization. In: Proceedings of the 22nd Annual Computer Security Applications Conference, ACSAC’06 (2006). http://dx.doi.org/10.1109/ACSAC.2006.33

Copyright information

© The Author(s) 2015

Authors and Affiliations

  • Lucas Davi (1)
  • Ahmad-Reza Sadeghi (1)
  1. CASED, Technische Universität Darmstadt, Darmstadt, Germany