Detile: Fine-Grained Information Leak Detection in Script Engines

  • Robert Gawlik
  • Philipp Koppe (email author)
  • Benjamin Kollenda
  • Andre Pawlowski
  • Behrad Garmany
  • Thorsten Holz
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9721)

Abstract

Memory disclosure attacks play an important role in the exploitation of memory corruption vulnerabilities. By analyzing recent research, we observe that bypasses of defensive solutions that enforce control-flow integrity or attempt to detect return-oriented programming require memory disclosure attacks as a fundamental first step. However, research lags behind in detecting such information leaks.

In this paper, we tackle this problem and present a system for fine-grained, automated detection of memory disclosure attacks against scripting engines. The basic insight is as follows: scripting languages, such as JavaScript in web browsers, are strictly sandboxed. They must not provide any insights about the memory layout in their contexts. In fact, any such information potentially represents an ongoing memory disclosure attack. Hence, to detect information leaks, our system creates a clone of the scripting engine process with a re-randomized memory layout. The clone is instrumented to be synchronized with the original process. Any inconsistency between the script contexts of the two processes indicates that a memory disclosure was conducted to leak information about the memory layout. Based on this detection approach, we have designed and implemented Detile (detection of information leaks), a prototype for the JavaScript engine in Microsoft’s Internet Explorer 10/11 on Windows 8.0/8.1. An empirical evaluation shows that our tool can successfully detect memory disclosure attacks even against this proprietary software.
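The detection principle described above, as an added illustration that is not code from the paper or from the Detile prototype: a toy script interpreter is run twice as two replicas that share identical semantics and synchronized nondeterministic input (a shared seed) but differ only in their randomized heap base. Every value the script can observe is compared across the replicas; a benign script observes the same values in both, whereas a script that obtains a raw address (the modelled "leak_addr" operation stands in for a type confusion that exposes a pointer) diverges. The op list format, bump allocator and seed-based synchronization are assumptions of this model.

```python
import random

PAGE = 0x1000


class Variant:
    """One process replica: identical script semantics, its own randomized heap base."""

    def __init__(self, heap_base):
        self.heap_base = heap_base
        self.objects = {}  # object name -> simulated address

    def alloc(self, name):
        # Deterministic bump allocation: only the base differs between replicas.
        self.objects[name] = self.heap_base + len(self.objects) * 0x40


def run_script(variant, ops, rng):
    """Execute a tiny op list and return the values the script could observe."""
    observed = []
    for op in ops:
        kind = op[0]
        if kind == "alloc":              # allocate an object; nothing observable
            variant.alloc(op[1])
        elif kind == "count":            # layout-independent: number of objects
            observed.append(len(variant.objects))
        elif kind == "random":           # nondeterministic input, synchronized via rng
            observed.append(rng.randrange(100))
        elif kind == "leak_addr":        # modelled leak: raw address becomes a number
            observed.append(variant.objects[op[1]])
    return observed


def detect_leak(ops, seed=1):
    """Run ops in two re-randomized replicas; return (leak_detected, first_divergent_index)."""
    picker = random.Random(seed)
    base_a = picker.randrange(0x10000, 0x7FFF0000, PAGE)
    base_b = base_a
    while base_b == base_a:              # the clone must get a different layout
        base_b = picker.randrange(0x10000, 0x7FFF0000, PAGE)
    # Both replicas receive the same seed: synchronized inputs avoid false positives.
    obs_a = run_script(Variant(base_a), ops, random.Random(seed))
    obs_b = run_script(Variant(base_b), ops, random.Random(seed))
    for i, (x, y) in enumerate(zip(obs_a, obs_b)):
        if x != y:                       # only layout-dependent values can differ
            return True, i
    return False, None


# Constructed sample scripts: one benign, one that exposes an address.
BENIGN = [("alloc", "a"), ("alloc", "b"), ("count",), ("random",)]
LEAKING = [("alloc", "a"), ("random",), ("leak_addr", "a")]
```

Observations that depend only on script semantics (object counts, synchronized random numbers) match in both replicas, so the detector reports `(False, None)` for BENIGN and `(True, 1)` for LEAKING, the index of the first observable value that exposed the layout.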

Notes

Acknowledgements

We would like to thank the anonymous reviewers for their valuable comments. This work was supported by the European Commission through the ERC Starting Grant No. 640110 (BASTION).

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Robert Gawlik (1)
  • Philipp Koppe (1, email author)
  • Benjamin Kollenda (1)
  • Andre Pawlowski (1)
  • Behrad Garmany (1)
  • Thorsten Holz (1)

  1. Horst Görtz Institute for IT-Security (HGI), Ruhr-Universität Bochum, Bochum, Germany