DOI: 10.1145/2660267.2660378

You Can Run but You Can't Read: Preventing Disclosure Exploits in Executable Code

Published: 03 November 2014

ABSTRACT

Code reuse attacks allow an adversary to impose malicious behavior on an otherwise benign program. To mitigate such attacks, a common approach is to disguise the address or content of code snippets by means of randomization or rewriting, leaving the adversary with no choice but guessing. However, disclosure attacks allow an adversary to scan a process - even remotely - and enable her to read executable memory on-the-fly, thereby allowing the just-in-time assembly of exploits on the target site. In this paper, we propose an approach that fundamentally thwarts the root cause of memory disclosure exploits by preventing the inadvertent reading of code while the code itself can still be executed. We introduce a new primitive we call Execute-no-Read (XnR) which ensures that code can still be executed by the processor, but at the same time code cannot be read as data. This ultimately forfeits the self-disassembly which is necessary for just-in-time code reuse attacks (JIT-ROP) to work. To the best of our knowledge, XnR is the first approach to prevent memory disclosure attacks of executable code and JIT-ROP attacks in general. Despite the lack of hardware support for XnR in contemporary Intel x86 and ARM processors, our software emulations for Linux and Windows have a run-time overhead of only 2.2% and 3.4%, respectively.
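The abstract describes XnR as a primitive under which the processor may still fetch code while a data read of the same bytes fails, emulated in software because the hardware of the time could not express execute-only pages. What follows is an added example, not code from the paper or its authors: a user-space sketch for x86-64 Linux that mimics the idea with a SIGSEGV handler. Code pages start out PROT_NONE; a fault whose address equals the instruction pointer is an instruction fetch and makes that page present, whereas a fault raised by a data load is treated as a disclosure attempt (the read a JIT-ROP gadget scan would perform) and aborted. The one-page window, the function names (xnr_setup, xnr_call, xnr_try_read, xnr_disclosures) and the two constructed machine-code stubs are assumptions made for illustration; the paper's kernel-level implementation is not reproduced here.

```c
/* User-space sketch of an Execute-no-Read window (added example, not the paper's code).
 * Build: gcc -O2 -Wall -o xnr_emul xnr_emul.c      (x86-64 Linux only) */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

#if !defined(__x86_64__) || !defined(__linux__)
#error "this sketch relies on x86-64 Linux signal contexts (REG_RIP)"
#endif

/* Constructed machine code, one tiny function per page; endbr64 keeps it CET-friendly. */
static const uint8_t CODE_A[] = {0xf3,0x0f,0x1e,0xfa, 0xb8,0x2a,0,0,0, 0xc3}; /* mov eax,42; ret */
static const uint8_t CODE_B[] = {0xf3,0x0f,0x1e,0xfa, 0xb8,0x07,0,0,0, 0xc3}; /* mov eax,7;  ret */

#define N_PAGES 2
static uint8_t *code_base;                 /* the protected code region */
static size_t page_size;
static uint8_t *window_page;               /* the single page currently present (R+X) */
static sigjmp_buf read_jmp;
static volatile sig_atomic_t in_read;      /* set while a data read of code is attempted */
static volatile sig_atomic_t disclosures;  /* data reads of code that were blocked */

static void xnr_fault(int sig, siginfo_t *si, void *ctx)
{
    (void)sig;
    uint8_t *addr = si->si_addr;
    uintptr_t rip = (uintptr_t)((ucontext_t *)ctx)->uc_mcontext.gregs[REG_RIP];
    int ours = addr >= code_base && addr < code_base + N_PAGES * page_size;

    if (ours && (uintptr_t)addr == rip) {
        /* Instruction fetch: slide the one-page window onto the fetched page. Without
         * protection keys x86 cannot grant X without R, so the window page stays readable. */
        uint8_t *page = (uint8_t *)((uintptr_t)addr & ~(page_size - 1));
        if (window_page && window_page != page)
            mprotect(window_page, page_size, PROT_NONE);   /* evict: non-present again */
        mprotect(page, page_size, PROT_READ | PROT_EXEC);
        window_page = page;
        return;                                            /* retry the fetch */
    }
    if (ours && in_read) {
        /* Data access to non-present code: the disclosure XnR exists to stop. */
        disclosures++;
        siglongjmp(read_jmp, 1);
    }
    signal(SIGSEGV, SIG_DFL);   /* unrelated fault: re-execute under the default action */
}

int xnr_setup(void)
{
    if (code_base) return 0;                               /* already initialised */
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    code_base = mmap(NULL, N_PAGES * page_size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code_base == MAP_FAILED) { code_base = NULL; return -1; }
    memcpy(code_base, CODE_A, sizeof CODE_A);
    memcpy(code_base + page_size, CODE_B, sizeof CODE_B);
    /* XnR initial state: code is loaded but not present; every access traps. */
    if (mprotect(code_base, N_PAGES * page_size, PROT_NONE) != 0) return -1;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = xnr_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Execute the function stored on page idx: the legitimate use of code. */
int xnr_call(size_t idx)
{
    int (*fn)(void);
    uint8_t *p = code_base + idx * page_size;
    memcpy(&fn, &p, sizeof fn);             /* object -> function pointer without a cast */
    return fn();
}

/* Read one byte of page idx as data, as a gadget scan would.
 * Returns 1 if the read went through, 0 if it was blocked. */
int xnr_try_read(size_t idx, uint8_t *out)
{
    volatile uint8_t byte = 0;
    if (sigsetjmp(read_jmp, 1) != 0) { in_read = 0; return 0; }   /* back from the handler */
    in_read = 1;
    byte = code_base[idx * page_size];
    in_read = 0;
    if (out) *out = byte;
    return 1;
}

int xnr_disclosures(void) { return (int)disclosures; }

int main(void)
{
    if (xnr_setup() != 0) { perror("xnr_setup"); return 1; }
    printf("call A -> %d\n", xnr_call(0));                   /* fetch fault: window = A */
    printf("read A -> %s\n", xnr_try_read(0, NULL) ? "allowed (in window)" : "blocked");
    printf("call B -> %d\n", xnr_call(1));                   /* window slides to B */
    printf("read A -> %s\n", xnr_try_read(0, NULL) ? "allowed" : "blocked (disclosure)");
    printf("blocked disclosures: %d\n", xnr_disclosures());
    return 0;
}
```

Because x86 without protection keys cannot grant execute without read, the page currently in the window remains readable: the first read of page A succeeds, and only the read issued after the window has moved on to page B is stopped. A smaller window shrinks that exposure, and hardware that separates fetch from data access (x86 memory protection keys, which restrict data accesses only, or execute-only permissions on newer ARM cores) removes it; neither was available to the paper's software emulation. The handler resets SIGSEGV to its default for faults it does not recognise so that an unrelated crash is not silently swallowed.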


Published in: CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, 1592 pages, ISBN: 9781450329576, DOI: 10.1145/2660267

            Copyright © 2014 ACM

            Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article

Acceptance Rates: CCS '14 paper acceptance rate 114 of 585 submissions (19%); overall acceptance rate 1,261 of 6,999 submissions (18%)
