Upload File

remix: on-demand live randomization (fine-grained live aslr during runtime)

  • Home
  • Engineering
  • Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)
41
Remix: On-demand Live Randomization Yue Chen, Zhi Wang, David Whalley, Long Lu Florida State University Stony Brook University 6 th ACM Conference on Data and Applications Security and Privacy, New Orleans, LA, USA

Upload: yue-chen

Post on 19-Jan-2017

257 views

Category:

Engineering


5 download

Report

TRANSCRIPT

Page 1: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Remix: On-demand Live Randomization

Yue Chen, Zhi Wang, David Whalley, Long LuFlorida State UniversityStony Brook University

6th ACM Conference on Data and Applications Security and Privacy, New Orleans, LA, USA

Page 2: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Code Reuse Attack

• Buffer Overflow -> Code Injection Attack

Page 3: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Code Reuse Attack

• Buffer Overflow -> Code Injection Attack– Defense: Data Execution Prevention (DEP)• Write XOR Execute

Page 4: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Code Reuse Attack

• Buffer Overflow -> Code Injection Attack– Defense: Data Execution Prevention (DEP)• Write XOR Execute

• Return-oriented Programming Attack– Discover gadgets from existing code, chain them

by ret instruction– Turing complete

Page 5: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Code Reuse Attack

Existing Code

Chained Gadgets

Page 6: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

ASLRAddress Space Layout Randomization

Executable

Library1

Library1

Executable

Page 7: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

ASLR - Problem

Library1

Executable

Pointer Leak

Page 8: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

ASLR - Problem

Library1

Executable

Pointer Leak

De-randomized

Page 9: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Goal

• Live randomization during runtime• Finer-grained randomization unit• Low performance overhead

Page 10: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Remix

Live basic block (BB) randomization within functions

Page 11: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Remix

Live basic block (BB) randomization within functions

Advantages:No function pointer migration

Good spatial locality

Page 12: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Remix

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Space for Alignment

Other Functions…

Function A

Page 13: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Remix

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Space for Alignment

Other Functions…

Function A

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Other Functions…

Function A

After0.86 seconds

Page 14: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Remix

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Space for Alignment

Other Functions…

Function A

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Other Functions…

Function A

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Other Functions…

Function A

After0.86 seconds

After2.13 seconds

Page 15: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Challenges

• Chain randomized basic blocks together– Need extra space– Instruction update

• Stale pointer migration

Page 16: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Extra SpaceCase 1: Extra Jmp

Basic Block 1

Basic Block 2

Basic Block 3

Jmp to BB1

(1) At the Beginning of a Function

Page 17: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Extra SpaceCase 1: Extra Jmp

Basic Block 1

Basic Block 2

Basic Block 3

Jmp to BB1

(1) At the Beginning of a Function (2) At the End of a Basic Block that does not end with instructions like Jmp/Ret

mov …add …mov …

mov …add …jle …

Page 18: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Extra SpaceCase 2: Displacement Length

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Jump to BB3

Before Remix

Page 19: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Extra SpaceCase 2: Displacement Length

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Jump to BB3 Jump to BB3

Before Remix After Remix

Page 20: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Extra SpaceCase 2: Displacement Length

One-byte displacement:jmp +0x10

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Jump to BB3 Jump to BB3

Four-byte displacement:jmp +0x00001000

Before Remix After Remix

Page 21: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Extra SpaceSolution

With Source Code:

Modify the compiler to:1. Insert an extra 5-byte NOP instruction after each basic block2. Only generate instructions with4-byte displacement

Enough Space Guaranteed!

Page 22: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Extra SpaceSolution

With Source Code:

Modify the compiler to:1. Insert an extra 5-byte NOP instruction after each basic block2. Only generate instructions with4-byte displacement

Enough Space Guaranteed!

Without Source Code:

Leverage existing NOP paddings:

• Function alignment• Loop alignment

Page 23: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Instruction Update

Q: Which instructions need updating ?

Page 24: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Instruction Update

Q: Which instructions need updating ?A: Control-flow related ones

Page 25: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Instruction UpdateTwo-step update (e.g., unconditional direct jmp):

Basic Block 1

Basic Block 2

Basic Block 3

Original After BB ReorderingStep one:Jumps to OriginalAddress of BB 3

Step two:Jumps to CurrentAddress of BB 3

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 1

Basic Block 2

Basic Block 3

jmp

Page 26: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Instruction Update

• Direct call: Step-one update• Indirect call: No update needed• Direct jump: Step-one and step-two update• Indirect jump: Discussed later• PC-relative addressing: Step-one update

Page 27: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Indirect Jump

• Jump to functions – Unmoved– PLT/GOT– Tail/Sibling Call

• Jump to basic blocks – See next

Page 28: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Basic Block Pointer Conversion

• Why?- Migrate stale pointers to basic blocks, to ensure

correctness

Page 29: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Basic Block Pointer Conversion

• Why?- Migrate stale pointers to basic blocks, to ensure

correctness• Where?

- Return address- Jump table (switch/case)- Saved context (e.g., setjmp/longjmp)- Kernel exception table…

Page 30: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Optimization

Speed up randomization procedure:• Metadata Maintenance– Basic block information (e.g., location)– Code/data that need updating

Page 31: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Optimization Speed up execution:• Probabilistic Loop Bundling

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Loop

Page 32: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Optimization Speed up execution:• Probabilistic Loop Bundling

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Loop

Basic Block 1

Bundled BB

Basic Block 4

Basic Block 5

Bundle

Page 33: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Optimization Speed up execution:• Probabilistic Loop Bundling

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Loop

Basic Block 1

Bundled BB

Basic Block 4

Basic Block 5

Basic Block 1

Bundled BB

Basic Block 4

Basic Block 5

Bundle Randomize

Page 34: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Bundle

Optimization Speed up execution:• Probabilistic Loop Bundling

Basic Block 1

Basic Block 2

Basic Block 3

Basic Block 4

Basic Block 5

Loop

Basic Block 1

Bundled BB

Basic Block 4

Basic Block 5

The bundling layout is different from time to time. – Unpredictable!

Basic Block 1

Bundled BB

Basic Block 4

Basic Block 5

Randomize

Page 35: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Implementation

• Compiler– Slightly modified LLVM

• Linux userspace applications– Ptrace, an isolated small agent to perform the

randomization• Freebsd kernel modules– smp_rendezvous

Page 36: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Evaluation - Security• Finer-grained randomization:– Entropy boost

• Live randomization during runtime:– Destroy discovered gadgets immediately

Software Apache nginx lighttpd

Average Basic Block Number per Function 15.3 18.8 14.4

Average NOP Space (bytes) per Function 19.3 26.2 22.1

Want more entropy? – Insert more NOP space!

Page 37: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Evaluation - Performance

SPEC CPU 2006 Performance Overhead

Page 38: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Evaluation - Performance

SPEC CPU 2006 Size Increase

Page 39: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Evaluation - Performance

Apache Web Server Performance Overhead (by ApacheBench)Randomization Time Interval

Randomization time interval can be random !Performance depends on hardware speed.

Page 40: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Evaluation - Performance

ReiserFS Performance Overhead (by IOZone)Randomization Time Interval

Randomization time interval can be random !Performance depends on hardware speed.

Page 41: Remix: On-demand Live Randomization (Fine-grained live ASLR during runtime)

Q&A


Remix: On-demand Live Randomizationww2.cs.fsu.edu/~ychen/paper/Remix_slides.pdf · •Live randomization during runtime •Finer-grained randomization unit ... –Can and should be

DEP-ASLR Bypass Without ROP-JIT

From Zygote to Morula: Fortifying Weakened ASLR on Android

ASLR Win7 Shellcode Exploit Pekeinfo

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization · How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu ... All existing techniques for memory randomization

INFERENCE OF RESIDUAL ATTACK SURFACE UNDER … · A2DG Abstract API Dependence Graph API Application Programming Interface ARP Arbitrary Read Primitive ASLR Address Space Layout Randomization

Flashlite 2.x 3.x Aslr (1)

NES-Bypass Win7 Kernel Aslr

Randomization workshop

ASLR smack and laugh reference

CHOOSING THE LEVEL OF RANDOMIZATION. Unit of Randomization: Individual?

2012 flash aslr bypass

Lec8 Randomization

Approximate Randomization tests

ASLR Minix

Failure Of DEP And ASLR

ASLR on the Line: Practical Cache Attacks on the MMUherbertb/download/papers/anc_ndss17.pdf · based architectures, making ASLR and caching conflicting ... sandboxing environments

Ch 6 randomization

Randomization and Controls

Stack Canaries & ASLR Computer Security CSC 405

Randomization & Blinding

DEP/ASLR bypass without ROP/JIT

History of Randomization

Defeating DEP and ASLR in Windows

Canaries, DEP, and ASLR - Carnegie Mellon Universitydbrumley/courses/18487-f13/powerpoint/05... · Control Flow Hijack Defenses Canaries, DEP, and ASLR David Brumley Carnegie Mellon

Control Flow Hijack Defenses Canaries, DEP, and ASLR

Adding ASLR to jailbroken iPhonespowerofcommunity.net/poc2010/stefan.pdf · Stefan Esser • Adding ASLR to jailbroken iPhones • December 2010 • iPhone Security • in 2010 iPhone

Choosing the level of randomization Module 4.2. Unit of Randomization: Individual?

Protecting Against Address Space Layout Randomization (ASLR

Introduction - Cyber · Web viewTo reduce this risk, Address Space Layout Randomization (ASLR) should be enabled for all applications that support it. By default, ASLR is enabled

ASLR - Address Space Layout Randomization.pdf

Adding ASLR to jailbroken iPhones - PUT.AS€¦ · Stefan Esser • Adding ASLR to jailbroken iPhones • December 2010 • iPhone Security • in 2010 iPhone Security got hit badly

Practical Timing Side Channel Attacks Against Kernel Space ASLR

Randomization Overview

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization · How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu†, Stefan Nurnberger¨ ‡§, Michael Backes‡¶,