remix: on-demand live randomization (fine-grained live aslr during runtime)
TRANSCRIPT
Remix: On-demand Live Randomization
Yue Chen, Zhi Wang, David Whalley, Long LuFlorida State UniversityStony Brook University
6th ACM Conference on Data and Applications Security and Privacy, New Orleans, LA, USA
Code Reuse Attack
• Buffer Overflow -> Code Injection Attack– Defense: Data Execution Prevention (DEP)• Write XOR Execute
Code Reuse Attack
• Buffer Overflow -> Code Injection Attack– Defense: Data Execution Prevention (DEP)• Write XOR Execute
• Return-oriented Programming Attack– Discover gadgets from existing code, chain them
by ret instruction– Turing complete
Goal
• Live randomization during runtime• Finer-grained randomization unit• Low performance overhead
Remix
Live basic block (BB) randomization within functions
Advantages:No function pointer migration
Good spatial locality
Remix
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Space for Alignment
Other Functions…
Function A
Remix
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Space for Alignment
Other Functions…
Function A
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Other Functions…
Function A
After0.86 seconds
Remix
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Space for Alignment
Other Functions…
Function A
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Other Functions…
Function A
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Other Functions…
Function A
After0.86 seconds
After2.13 seconds
Challenges
• Chain randomized basic blocks together– Need extra space– Instruction update
• Stale pointer migration
Extra SpaceCase 1: Extra Jmp
Basic Block 1
Basic Block 2
Basic Block 3
Jmp to BB1
(1) At the Beginning of a Function
Extra SpaceCase 1: Extra Jmp
Basic Block 1
Basic Block 2
Basic Block 3
Jmp to BB1
(1) At the Beginning of a Function (2) At the End of a Basic Block that does not end with instructions like Jmp/Ret
mov …add …mov …
mov …add …jle …
Extra SpaceCase 2: Displacement Length
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Jump to BB3
Before Remix
Extra SpaceCase 2: Displacement Length
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Jump to BB3 Jump to BB3
Before Remix After Remix
Extra SpaceCase 2: Displacement Length
One-byte displacement:jmp +0x10
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Jump to BB3 Jump to BB3
Four-byte displacement:jmp +0x00001000
Before Remix After Remix
Extra SpaceSolution
With Source Code:
Modify the compiler to:1. Insert an extra 5-byte NOP instruction after each basic block2. Only generate instructions with4-byte displacement
Enough Space Guaranteed!
Extra SpaceSolution
With Source Code:
Modify the compiler to:1. Insert an extra 5-byte NOP instruction after each basic block2. Only generate instructions with4-byte displacement
Enough Space Guaranteed!
Without Source Code:
Leverage existing NOP paddings:
• Function alignment• Loop alignment
Instruction UpdateTwo-step update (e.g., unconditional direct jmp):
Basic Block 1
Basic Block 2
Basic Block 3
Original After BB ReorderingStep one:Jumps to OriginalAddress of BB 3
Step two:Jumps to CurrentAddress of BB 3
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 1
Basic Block 2
Basic Block 3
jmp
Instruction Update
• Direct call: Step-one update• Indirect call: No update needed• Direct jump: Step-one and step-two update• Indirect jump: Discussed later• PC-relative addressing: Step-one update
Indirect Jump
• Jump to functions – Unmoved– PLT/GOT– Tail/Sibling Call
• Jump to basic blocks – See next
Basic Block Pointer Conversion
• Why?- Migrate stale pointers to basic blocks, to ensure
correctness
Basic Block Pointer Conversion
• Why?- Migrate stale pointers to basic blocks, to ensure
correctness• Where?
- Return address- Jump table (switch/case)- Saved context (e.g., setjmp/longjmp)- Kernel exception table…
Optimization
Speed up randomization procedure:• Metadata Maintenance– Basic block information (e.g., location)– Code/data that need updating
Optimization Speed up execution:• Probabilistic Loop Bundling
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Loop
Optimization Speed up execution:• Probabilistic Loop Bundling
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Loop
Basic Block 1
Bundled BB
Basic Block 4
Basic Block 5
Bundle
Optimization Speed up execution:• Probabilistic Loop Bundling
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Loop
Basic Block 1
Bundled BB
Basic Block 4
Basic Block 5
Basic Block 1
Bundled BB
Basic Block 4
Basic Block 5
Bundle Randomize
Bundle
Optimization Speed up execution:• Probabilistic Loop Bundling
Basic Block 1
Basic Block 2
Basic Block 3
Basic Block 4
Basic Block 5
Loop
Basic Block 1
Bundled BB
Basic Block 4
Basic Block 5
The bundling layout is different from time to time. – Unpredictable!
Basic Block 1
Bundled BB
Basic Block 4
Basic Block 5
Randomize
Implementation
• Compiler– Slightly modified LLVM
• Linux userspace applications– Ptrace, an isolated small agent to perform the
randomization• Freebsd kernel modules– smp_rendezvous
Evaluation - Security• Finer-grained randomization:– Entropy boost
• Live randomization during runtime:– Destroy discovered gadgets immediately
Software Apache nginx lighttpd
Average Basic Block Number per Function 15.3 18.8 14.4
Average NOP Space (bytes) per Function 19.3 26.2 22.1
Want more entropy? – Insert more NOP space!
Evaluation - Performance
Apache Web Server Performance Overhead (by ApacheBench)Randomization Time Interval
Randomization time interval can be random !Performance depends on hardware speed.
Evaluation - Performance
ReiserFS Performance Overhead (by IOZone)Randomization Time Interval
Randomization time interval can be random !Performance depends on hardware speed.