Marlin: A Fine Grained Randomization Approach to Defend against ROP Attacks

  • Aditi Gupta
  • Sam Kerr
  • Michael S. Kirkpatrick
  • Elisa Bertino

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)

Abstract

Code-reuse attacks, such as return-oriented programming (ROP), bypass defenses against code injection by repurposing existing executable code toward a malicious end. A common feature of these attacks is their reliance on knowledge of the layout of the executable code. We propose a fine-grained, randomization-based approach that modifies the layout of executable code and hinders code-reuse attacks. Our solution, Marlin, randomizes the internal structure of the executable code, thereby denying the attacker the a priori knowledge of instruction addresses needed to construct the desired exploit payload. Our approach can be applied to any ELF binary, and every execution of the binary uses a different randomization. Our work shows that such an approach is feasible and significantly raises the level of security against code-reuse attacks.

Keywords

Return-oriented programming, Security, Integrity, Malware

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Aditi Gupta (1)
  • Sam Kerr (1)
  • Michael S. Kirkpatrick (2)
  • Elisa Bertino (1)

  1. Purdue University, West Lafayette, USA
  2. James Madison University, Harrisonburg, USA