2017 | Original Paper | Book chapter

SafeStack+: Enhanced Dual Stack to Combat Data-Flow Hijacking

Authors: Yan Lin, Xiaoxiao Tang, Debin Gao

Published in: Information Security and Privacy

Publisher: Springer International Publishing

Abstract

SafeStack, initially proposed as a key component of Code Pointer Integrity (CPI), separates the program stack into two distinct regions to provide a safe region for sensitive code pointers. SafeStack can prevent buffer overflow attacks that overwrite sensitive code pointers, e.g., return addresses, to hijack the program's control flow, and has been incorporated into Clang, the C-language-family front-end of LLVM. In this paper, we propose and implement SafeStack+, an enhanced dual-stack LLVM plug-in that further protects programs from data-flow hijacking. SafeStack+ locates data-flow-sensitive variables on the unsafe stack that could potentially affect the evaluation of branching conditions, and adds canaries of random sizes and values to them to detect malicious overwriting. We implement SafeStack+ as a plug-in on LLVM 3.8 and perform extensive experiments to justify a lazy checking mechanism that adds on average 3.0% runtime and 5.3% memory overhead on top of SafeStack on the SPEC CPU2006 benchmark programs. Our security analysis confirms that SafeStack+ is effective in detecting data-flow hijacking attacks.
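The following is an added illustration, not code from the paper or its LLVM plug-in: it models the abstract's idea of guarding a branch-condition variable on the unsafe stack with a canary of random length and value, checked lazily only at the branch that consumes the variable, and contrasts it with the same frame left unguarded. The frame layout, the `check_login`/`demo_overflow` functions, the xorshift32 generator and the fixed seed are all assumptions chosen so the example runs deterministically.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not the paper's code. The xorshift32 generator and seed are
 * constructed so the run is deterministic; real code would use OS randomness. */
#define BUF_LEN 8
#define MIN_CANARY 4
#define MAX_CANARY 16

struct frame {
    char buf[BUF_LEN];          /* unsafe-stack buffer that can be overflowed */
    uint8_t canary[MAX_CANARY]; /* random-length canary; unused bytes are padding */
    int authorised;             /* branch-condition variable an attacker wants to flip */
};

static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}
/* Returns 1 if the guarded branch is taken, 0 if not, and -1 if the lazy canary
 * check finds that the bytes next to 'authorised' were overwritten.
 * lazy_check == 0 models a stack with no canary check around the variable. */
int check_login(const uint8_t *input, size_t n, uint32_t seed, int lazy_check) {
    struct frame f;
    uint8_t saved[MAX_CANARY];
    size_t clen = MIN_CANARY + xorshift32(&seed) % (MAX_CANARY - MIN_CANARY + 1);
    for (size_t i = 0; i < clen; i++)
        f.canary[i] = saved[i] = (uint8_t)xorshift32(&seed);
    f.authorised = 0;

    /* Vulnerable copy: the length is only clamped to the whole frame, so a long
     * input runs over the canary and then over 'authorised'. */
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, input, n);

    /* Lazy check: the canary is verified here, where the variable feeds the
     * branch, not after every store into the frame. */
    if (lazy_check && memcmp(f.canary, saved, clen) != 0)
        return -1;
    return f.authorised ? 1 : 0;
}

/* Constructed payload: sizeof(struct frame) bytes of 'A', enough to reach 'authorised'. */
int demo_overflow(int lazy_check) {
    uint8_t payload[sizeof(struct frame)];
    memset(payload, 'A', sizeof payload);
    return check_login(payload, sizeof payload, 1, lazy_check);
}
```

With the check disabled the overflow silently flips the branch variable; with the lazy check the corruption is caught at the branch, which is the detection point the paper's mechanism relies on.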


Metadata

Title: SafeStack+: Enhanced Dual Stack to Combat Data-Flow Hijacking

Authors: Yan Lin, Xiaoxiao Tang, Debin Gao

Copyright year: 2017

DOI: https://doi.org/10.1007/978-3-319-59870-3_6