
DiffGuard: Obscuring Sensitive Information in Canary Based Protections

Conference paper, in: Security and Privacy in Communication Networks (SecureComm 2017)

Abstract

Memory corruption attacks have dominated the headlines of the security research community for the past two decades. NX/XD, ASLR, and canary-based protections were introduced to defend against them, and most of these techniques rely on keeping secret some key piece of information that the attacker needs in order to build an exploit. Unfortunately, because of the inherent limitations of these defenses, it is hard to stop a skilled attacker from recovering those secrets and building a working exploit. Through an information disclosure vulnerability, an attacker can leak stack data of the running process and read out the canary word without crashing the program; in forking servers the canary can also be recovered byte by byte, because every child inherits the same value and a wrong guess kills only that child. We present DiffGuard, a modification of canary-based protection that eliminates stack sweep attacks against the canary and provides a more robust countermeasure against the byte-by-byte discovery of stack canaries in forking programs. We have implemented DiffGuard as a compiler-based scheme consisting of a GCC plugin and a position-independent shared library that is linked into the running application via LD_PRELOAD. DiffGuard incurs an average runtime overhead of 3.2% while preserving application correctness and integrating seamlessly with third-party software.
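The byte-by-byte discovery the abstract mentions is easiest to see in a model. The C program below is an added example written for this page, not code from the DiffGuard paper or its authors. It simulates, inside one process, a forking server whose children inherit the parent's canary, runs the byte-by-byte attack against it, and then repeats the run against a server whose children draw a fresh canary before serving a request (the countermeasure DynaGuard introduced and on which the paper builds; it is used here only as a stand-in, not as DiffGuard's own mechanism). The zero low byte of the canary follows the glibc convention and is an assumption of the model, as are the deterministic xorshift PRNG, the seed constant, and the names `server_t`, `serve_request`, `run_scenario`, `attack_succeeds` and `attack_requests`, which stand for a real `fork()`-per-connection loop and its crash oracle.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not the paper's code: the byte-by-byte canary brute force
 * against a forking server (every child inherits the parent's canary, and a
 * wrong guess kills only that child), next to a per-child canary refresh of
 * the kind DynaGuard introduced. One "request" stands for one forked child
 * whose first n canary bytes the attacker overwrites; it dies on any mismatch. */

#define CANARY_LEN 8

typedef struct {
    uint8_t  canary[CANARY_LEN]; /* canary of the child serving the current request */
    int      refresh_per_child;  /* 0: plain fork, canary inherited; 1: fresh canary per child */
    uint64_t rng;                /* deterministic PRNG state, so runs are reproducible */
    long     requests;           /* children spawned so far (= crash-oracle queries) */
} server_t;

static uint64_t xorshift64(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return *s = x;
}

static void draw_canary(server_t *srv)
{
    uint64_t v = xorshift64(&srv->rng);
    memcpy(srv->canary, &v, CANARY_LEN);
    srv->canary[0] = 0; /* assumption: glibc-style zero low byte, so only 7 bytes are unknown */
}

static void server_init(server_t *srv, int refresh_per_child, uint64_t seed)
{
    memset(srv, 0, sizeof *srv);
    srv->refresh_per_child = refresh_per_child;
    srv->rng = seed ? seed : 1; /* xorshift state must be non-zero */
    draw_canary(srv);           /* the parent's canary */
}

/* One request == one forked child. Returns 1 if the child survives having its
 * first n canary bytes overwritten with `guess`, 0 if __stack_chk_fail aborts it. */
static int serve_request(server_t *srv, const uint8_t *guess, size_t n)
{
    srv->requests++;
    if (srv->refresh_per_child)
        draw_canary(srv); /* the child re-randomizes before touching attacker data */
    return memcmp(srv->canary, guess, n) == 0;
}

/* Attacker side: grow the overflow one byte at a time and keep the value on which
 * the child survived. Returns the requests used, or -1 when no value at some
 * position keeps a child alive (the oracle has stopped being consistent). */
static long bytewise_bruteforce(server_t *srv, uint8_t *recovered)
{
    memset(recovered, 0, CANARY_LEN);
    for (size_t pos = 0; pos < CANARY_LEN; pos++) {
        int found = 0;
        for (int b = 0; b < 256 && !found; b++) {
            recovered[pos] = (uint8_t)b;
            found = serve_request(srv, recovered, pos + 1);
        }
        if (!found)
            return -1;
    }
    return srv->requests;
}

/* One scenario end to end: brute-force the canary, then overwrite all of it with
 * the recovered value. Returns 1 if that final child survives (the attack works);
 * *requests receives the number of oracle queries, -1 if the attacker gave up. */
static int run_scenario(uint64_t seed, int refresh_per_child, long *requests)
{
    server_t srv;
    uint8_t recovered[CANARY_LEN];
    server_init(&srv, refresh_per_child, seed);
    *requests = bytewise_bruteforce(&srv, recovered);
    if (*requests < 0)
        return 0;
    return serve_request(&srv, recovered, CANARY_LEN);
}

int attack_succeeds(uint64_t seed, int refresh) { long n; return run_scenario(seed, refresh, &n); }
long attack_requests(uint64_t seed, int refresh) { long n; run_scenario(seed, refresh, &n); return n; }

int main(void)
{
    const uint64_t seed = 0x9E3779B97F4A7C15ULL;
    printf("plain fork:        attack %s after %ld requests (worst case 1 + 7*256 = 1793)\n",
           attack_succeeds(seed, 0) ? "succeeds" : "fails", attack_requests(seed, 0));
    printf("per-child refresh: attack %s (%ld requests, -1 = attacker gave up)\n",
           attack_succeeds(seed, 1) ? "succeeds" : "fails", attack_requests(seed, 1));
    return 0;
}
```

With an inherited canary the attacker needs at most 1 + 7·256 = 1793 queries instead of 2^56, and the final full overwrite survives. With a per-child refresh a surviving guess says nothing about the next child's canary, so the attacker either finds no consistent byte and gives up, or assembles a stale value that the final child rejects. The model does not cover the information-leak path the abstract also describes, where a stack over-read replaces the crash oracle.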


References

  1. China National Vulnerability Database of Information Security (CNNVD). http://www.cnnvd.org.cn/

  2. van der Veen, V., Dutt-Sharma, N., Cavallaro, L., Bos, H.: Memory errors: the past, the present, and the future. In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds.) RAID 2012. LNCS, vol. 7462, pp. 86–106. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33338-5_5

  3. Cowan, C., Pu, C., Maier, D., Hinton, H., Walpole, J., Bakke, P., Beattie, S., Grier, A., Wagle, P., Zhang, Q.: StackGuard: automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of the 7th USENIX Security Symposium (1998)

  4. Etoh, H.: GCC extension for protecting applications from stack-smashing attacks. IBM Research

  5. Microsoft: /GS (Buffer Security Check) (2002). https://msdn.microsoft.com/en-us/library/8dbf701c.aspx

  6. PaX Team: Address Space Layout Randomization (2003). https://pax.grsecurity.net/docs/aslr.txt

  7. PaX Team: Non-executable pages design & implementation (2003). https://pax.grsecurity.net/docs/noexec.txt

  8. Bulba, Kil3r: Bypassing StackGuard and StackShield. Phrack 56 (2000)

  9. Richarte, G.: Four different tricks to bypass StackShield and StackGuard protection. Core Security Technologies (2002)

  10. Shacham, H., et al.: On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS). ACM (2004)

  11. Buchanan, E., et al.: When good instructions go bad: generalizing return-oriented programming to RISC. In: Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS). ACM (2008)

  12. CVE-2012-3569. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3569

  13. Bittau, A., Belay, A., Mashtizadeh, A., Mazières, D., Boneh, D.: Hacking blind. In: 2014 IEEE Symposium on Security and Privacy, pp. 227–242 (2014)

  14. Marco-Gisbert, H., Ripoll, I.: Preventing brute force attacks against stack canary protection on networking servers. In: 12th IEEE International Symposium on Network Computing and Applications (NCA), pp. 243–250, August 2013

  15. Petsios, T., Kemerlis, V.P., Polychronakis, M., Keromytis, A.D.: DynaGuard: armoring canary-based protections against brute-force attacks. In: Proceedings of the 31st Annual Computer Security Applications Conference (ACSAC 2015), pp. 351–360. ACM, New York (2015)

  16. Bryant, R.E., O'Hallaron, D.R.: Computer Systems: A Programmer's Perspective. Prentice Hall, Upper Saddle River (2003)

  17. Stallman, R.M., The GCC Developer Community: GNU Compiler Collection Internals (2017). https://gcc.gnu.org/onlinedocs/gccint/

  18. Henning, J.L.: SPEC CPU2006 benchmark descriptions. ACM SIGARCH Comput. Archit. News 34(4), 1–17 (2006)

  19. Metasploit: Nginx HTTP Server 1.3.9-1.4.0 - Chunked Encoding Stack Buffer Overflow (2013). http://www.exploit-db.com/exploits/25775/

  20. Etoh, H.: GCC extension for protecting applications from stack-smashing attacks (2005). http://goo.gl/Tioc4C

  21. Chiueh, T.-C., Hsu, F.-H.: RAD: a compile-time solution to buffer overflow attacks. In: Proceedings of ICDCS, pp. 409–417 (2001)

  22. Park, Y.-J., Lee, G.: Repairing return address stack for buffer overflow protection. In: Proceedings of CF, pp. 335–342 (2004)

  23. Corliss, M.L., Lewis, E.C., Roth, A.: Using DISE to protect return addresses from attack. ACM SIGARCH Comput. Archit. News 33(1), 65–72 (2005)

  24. Sinnadurai, S., Zhao, Q., Wong, W.-F.: Transparent runtime shadow stack: protection against malicious return address modifications (2008). http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.120.5702

  25. Dang, T.H., Maniatis, P., Wagner, D.: The performance cost of shadow stacks and stack canaries. In: Proceedings of ASIACCS, pp. 555–566 (2015)


Acknowledgments

We would like to thank Theofilos Petsios et al. for their open-source implementation of DynaGuard, which helped us get started quickly on our work. When we had trouble using SPEC CPU2006, Theofilos Petsios gave us some advice. This work was supported in part by grants from the Chinese National Natural Science Foundation (61272078).

Author information

Corresponding author: Jun Zhu

Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Zhu, J., Zhou, W., Wang, Z., Mu, D., Mao, B. (2018). DiffGuard: Obscuring Sensitive Information in Canary Based Protections. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 238. Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_39


  • DOI: https://doi.org/10.1007/978-3-319-78813-5_39

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78812-8

  • Online ISBN: 978-3-319-78813-5
