Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

648 visualizaciones

Publicado el

Fine-grained live ASLR (address space layout randomization) during runtime, periodically or with random time intervals.

This can significantly leverage the bar of code reuse attack, like return-oriented programming (ROP).

In case of information leak, sine it is runtime dynamic ASLR, the memory layout can be changed.

keywords for search: control-flow integrity, CFI, memory corruption, Oakland, IEEE S&P, CCS, USENIX Security, NDSS, CODASPY, memory bugs, memory error, buffer overflow, crash, use after free, double free, ptrace

Publicado en: Ingeniería
  • Sé el primero en comentar

Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

  1. 1. Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu Florida State University Stony Brook University 6th ACM Conference on Data and Applications Security and Privacy, New Orleans, LA, USA
  2. 2. Code Reuse Attack • Buffer Overflow -> Code Injection Attack
  3. 3. Code Reuse Attack • Buffer Overflow -> Code Injection Attack – Defense: Data Execution Prevention (DEP) • Write XOR Execute
  4. 4. Code Reuse Attack • Buffer Overflow -> Code Injection Attack – Defense: Data Execution Prevention (DEP) • Write XOR Execute • Return-oriented Programming Attack – Discover gadgets from existing code, chain them by ret instruction – Turing complete
  5. 5. Code Reuse Attack Existing Code Chained Gadgets
  6. 6. ASLR Address Space Layout Randomization Executable Library1 Library1 Executable
  7. 7. ASLR - Problem Library1 Executable Pointer Leak
  8. 8. ASLR - Problem Library1 Executable Pointer Leak De-randomized
  9. 9. Goal • Live randomization during runtime • Finer-grained randomization unit • Low performance overhead
  10. 10. Remix Live basic block (BB) randomization within functions
  11. 11. Remix Live basic block (BB) randomization within functions Advantages: No function pointer migration Good spatial locality
  12. 12. Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A
  13. 13. Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A After 0.86 seconds
  14. 14. Remix Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Space for Alignment Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Other Functions … Function A After 0.86 seconds After 2.13 seconds
  15. 15. Challenges • Chain randomized basic blocks together – Need extra space – Instruction update • Stale pointer migration
  16. 16. Extra Space Case 1: Extra Jmp Basic Block 1 Basic Block 2 Basic Block 3 Jmp to BB1 (1) At the Beginning of a Function
  17. 17. Extra Space Case 1: Extra Jmp Basic Block 1 Basic Block 2 Basic Block 3 Jmp to BB1 (1) At the Beginning of a Function (2) At the End of a Basic Block that does not end with instructions like Jmp/Ret mov … add … mov … mov … add … jle …
  18. 18. Extra Space Case 2: Displacement Length Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Before Remix
  19. 19. Extra Space Case 2: Displacement Length Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Jump to BB3 Before Remix After Remix
  20. 20. Extra Space Case 2: Displacement Length One-byte displacement: jmp +0x10 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Jump to BB3 Jump to BB3 Four-byte displacement: jmp +0x00001000 Before Remix After Remix
  21. 21. Extra Space Solution With Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement  Enough Space Guaranteed!
  22. 22. Extra Space Solution With Source Code: Modify the compiler to: 1. Insert an extra 5-byte NOP instruction after each basic block 2. Only generate instructions with 4-byte displacement  Enough Space Guaranteed! Without Source Code: Leverage existing NOP paddings: • Function alignment • Loop alignment
  23. 23. Instruction Update Q: Which instructions need updating ?
  24. 24. Instruction Update Q: Which instructions need updating ? A: Control-flow related ones
  25. 25. Instruction Update Two-step update (e.g., unconditional direct jmp): Basic Block 1 Basic Block 2 Basic Block 3 Original After BB Reordering Step one: Jumps to Original Address of BB 3 Step two: Jumps to Current Address of BB 3 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 1 Basic Block 2 Basic Block 3 jmp
  26. 26. Instruction Update • Direct call: Step-one update • Indirect call: No update needed • Direct jump: Step-one and step-two update • Indirect jump: Discussed later • PC-relative addressing: Step-one update
  27. 27. Indirect Jump • Jump to functions – Unmoved – PLT/GOT – Tail/Sibling Call • Jump to basic blocks – See next
  28. 28. Basic Block Pointer Conversion • Why? - Migrate stale pointers to basic blocks, to ensure correctness
  29. 29. Basic Block Pointer Conversion • Why? - Migrate stale pointers to basic blocks, to ensure correctness • Where? - Return address - Jump table (switch/case) - Saved context (e.g., setjmp/longjmp) - Kernel exception table …
  30. 30. Optimization  Speed up randomization procedure: • Metadata Maintenance – Basic block information (e.g., location) – Code/data that need updating
  31. 31. Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop
  32. 32. Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Bundle
  33. 33. Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Bundle Randomize
  34. 34. Bundle Optimization  Speed up execution: • Probabilistic Loop Bundling Basic Block 1 Basic Block 2 Basic Block 3 Basic Block 4 Basic Block 5 Loop Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 The bundling layout is different from time to time. – Unpredictable! Basic Block 1 Bundled BB Basic Block 4 Basic Block 5 Randomize
  35. 35. Implementation • Compiler – Slightly modified LLVM • Linux userspace applications – Ptrace, an isolated small agent to perform the randomization • Freebsd kernel modules – smp_rendezvous
  36. 36. Evaluation - Security • Finer-grained randomization: – Entropy boost • Live randomization during runtime: – Destroy discovered gadgets immediately Software Apache nginx lighttpd Average Basic Block Number per Function 15.3 18.8 14.4 Average NOP Space (bytes) per Function 19.3 26.2 22.1 Want more entropy? – Insert more NOP space!
  37. 37. Evaluation - Performance SPEC CPU 2006 Performance Overhead
  38. 38. Evaluation - Performance SPEC CPU 2006 Size Increase
  39. 39. Evaluation - Performance Apache Web Server Performance Overhead (by ApacheBench) Randomization Time Interval Randomization time interval can be random !Performance depends on hardware speed.
  40. 40. Evaluation - Performance ReiserFS Performance Overhead (by IOZone) Randomization Time Interval Randomization time interval can be random !Performance depends on hardware speed.
  41. 41. Q&A

×