Mengchen Cao,Xiantong Hou,Tao Wang,Hunter Qu,Yajin Zhou,Xiaolong Bai,Fuwei Wang

DOI: https://doi.org/10.1145/3319535.3345654

2019-01-01

Abstract:The use of uninitialized variables is a common issue. It could cause kernel information leak, which defeats the widely deployed security defense, i.e., kernel address space layout randomization (KASLR). Though a recent system called Bochspwn Reloaded reported multiple memory leaks in Windows kernels, how to effectively detect this issue is still largely behind.

Xun Zhan,Tao Zheng,Shixiang Gao

DOI: https://doi.org/10.1109/sere-c.2014.28

2014-01-01

Abstract:Code reuse attacks such as return-oriented programming, one of the most powerful threats to software system, rely on the absolute address of instructions. Therefore, address space randomization should be an effective defending method. However, current randomization techniques either are lack of enough entropy or have significant time or space overhead. In this paper, we present a novel fine-grained randomization technique at basic block level. In contrast to previous work, our technique dealt with critical technical challenges including indirect branches, callbacks and position independent codes properly at least cost. We implement an efficient prototype randomization system which supports Linux ELF file format and x86 architecture. Our evaluation demonstrated that it can defend ROP attacks with tiny performance overhead (4% on average) successfully.

Yutian Yang,Jinjiang Tu,Wenbo Shen,Songbo Zhu,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2023.3334268

2024-01-01

Abstract:Nowadays, code reuse attacks impose a substantial threat to the security of operating system kernels. Control-flow graph-based CFI techniques, while effective, bring considerable performance overhead, thus limiting their practical adoption in real-world products. As an alternative approach, recent research suggests safeguarding the integrity of sensitive pointers as a countermeasure against manipulation attempts. Unfortunately, existing pointer integrity protection schemes only protect sensitive pointers partially and ignore assembly code, leaving protection gaps. To fill up these protection gaps, we propose a novel security concept named full life-cycle integrity , which enforces the integrity of a sensitive pointer at every step on its value flow chain. To realize full life-cycle integrity, we propose three novel techniques, including assembly-aware sensitivity for analyzing assembly code, Merkle PAC tree for protecting interrupt context securely and efficiently, and pointer-grained authentication for defeating spatial substitution attacks. We have developed a practical implementation of comprehensive life-cycle integrity for the Linux kernel, called ”kernel Code Pointer Authentication” (kCPA), which leverages the ARM Pointer Authentication (PAuth) mechanism. This implementation has been extended to the Apple M1 architecture for real-world evaluation on PAuth hardware. Our assessment demonstrates that kCPA effectively mitigates a range of real-world attacks while incurring a minimal 2.5% performance overhead for the Phoronix Test Suite and nearly negligible performance impact for SPEC2017 benchmarks.

Martín Ochoa,Sebastian Banescu,Cynthia Disenfeld,Gilles Barthe,Vijay Ganesh

DOI: https://doi.org/10.48550/arXiv.1701.06743

2017-02-17

Abstract:Despite numerous countermeasures proposed by practitioners and researchers, remote control-flow alteration of programs with memory-safety vulnerabilities continues to be a realistic threat. Guaranteeing that complex software is completely free of memory-safety vulnerabilities is extremely expensive. Probabilistic countermeasures that depend on random secret keys are interesting, because they are an inexpensive way to raise the bar for attackers who aim to exploit memory-safety vulnerabilities. Moreover, some countermeasures even support legacy systems. However, it is unclear how to quantify and compare the effectiveness of different probabilistic countermeasures or combinations of such countermeasures. In this paper we propose a methodology to rigorously derive security bounds for probabilistic countermeasures. We argue that by representing security notions in this setting as events in probabilistic games, similarly as done with cryptographic security definitions, concrete and asymptotic guarantees can be obtained against realistic attackers. These guarantees shed light on the effectiveness of single countermeasures and their composition and allow practitioners to more precisely gauge the risk of an attack.

Cryptography and Security

James Roney,Troy Appel,Prateek Pinisetti,James Mickens

DOI: https://doi.org/10.1109/spw53761.2021.00057

2021-05-01

Abstract:Historically, attackers have sought to manipulate programs through the corruption of return addresses, function pointers, and other control flow data. However, as protections like ASLR, stack canaries, and no-execute bits have made such attacks more difficult, data-oriented exploits have received increasing attention. Such exploits try to subvert a program by reading or writing non-control data, without introducing any foreign code or violating the program’s legitimate control flow graph. Recently, a data-oriented exploitation technique called memory cartography was introduced, in which an attacker navigates between allocated memory regions using a precompiled map to disclose sensitive program data. The efficacy of memory cartography is dependent on inter-region pointers being located at constant offsets within memory regions; thus, cartographic attacks are difficult to launch against memory regions like heaps and stacks that have nondeterministic layouts. In this paper, we lower the barrier to successful attacks against nondeterministic memory, demonstrating that pointers between regions of memory often possess unique “signatures” that allow attackers to identify them with high accuracy. These signatures are accurate even when the pointers reside in non-deterministic memory areas. In many real-world programs, this allows an attacker that is capable of reading bytes from a single heap to access all of process memory. Our findings underscore the importance of memory isolation via separate address spaces.

Yan Fen,Yuan Fuchao,Shen Xiaobing,Yin Xinchun,Mao Bing

DOI: https://doi.org/10.1016/j.phpro.2012.02.259

2011-01-01

Computer Science

Abstract:Code injection attack has become a typical representative of the attacks against memory, buffer overflow attacks which is the most commonly used. It relies on the change of control-flow, let the program point to the malicious code in order to obtain the root rights. This paper presents a method using randomization based on data protection, through the protection of pointers and arrays to defend buffer overflow attacks effectively.

Robert Schilling,Mario Werner,Pascal Nasahl,Stefan Mangard

DOI: https://doi.org/10.1145/3274694.3274728

2018-09-24

Abstract:Reading and writing memory are, besides computation, the most common operations a processor performs. The correctness of these operations is therefore essential for the proper execution of any program. However, as soon as fault attacks are considered, assuming that the hardware performs its memory operations as instructed is not valid anymore. In particular, attackers may induce faults with the goal of reading or writing incorrectly addressed memory, which can have various critical safety and security implications. In this work, we present a solution to this problem and propose a new method for protecting every memory access inside a program against address tampering. The countermeasure comprises two building blocks. First, every pointer inside the program is redundantly encoded using a multi-residue error detection code. The redundancy information is stored in the unused upper bits of the pointer with zero overhead in terms of storage. Second, load and store instructions are extended to link data with the corresponding encoded address from the pointer. Wrong memory accesses subsequently infect the data value allowing the software to detect the error. For evaluation purposes, we implemented our countermeasure into a RISC-V processor, tested it on a FPGA development board, and evaluated the induced overhead. Furthermore, a LLVM-based C compiler has been modified to automatically encode all data pointers, to perform encoded pointer arithmetic, and to emit the extended load/store instructions with linking support. Our evaluations show that the countermeasure induces an average overhead of 10% in terms of code size and 7% regarding runtime, which makes it suitable for practical adoption.

Cryptography and Security

Chao Zhang,Tao Wei,Zhaofeng Chen,Lei Duan,Stephen McCamant,Laszlo Szekeres

DOI: https://doi.org/10.1145/2484313.2484376

2013-01-01

Abstract:Function pointers have recently become an important attack vector for control-flow hijacking attacks. However, no protection mechanisms for function pointers have yet seen wide adoption. Methods proposed in the literature have high overheads, are not compatible with existing development process, or both. In this paper, we investigate several protection methods and propose a new method called FPGate (i.e., Function Pointer Gate). FPGate rewrites x86 binary executables and implements a novel method to overcome compatibility issues. All these protection methods are then evaluated and compared from the perspectives of performance and ease of deployment. Experiments show that FPGate achieves a good balance between performance, robustness and compatibility.

Xiaoguang Wang,Yong Qi

DOI: https://doi.org/10.1109/iscc.2017.8024570

2017-01-01

Abstract:Remote server vulnerability exploit is one of the most troublesome threat to the Internet security. An effective defense against the remote vulnerability exploit is code randomization, which randomizes the program code address to disrupt the malicious payload execution. Unfortunately, code randomization is particularly susceptible to address exposure vulnerabilities; the leak of a single code or data pointer is often sufficient to de-randomize the protected process. Existing solutions either prevent part of the address exposures (e.g., code-pointer exposure only), or are too heavyweight (e.g., have to involve a hypervisor software or a modified OS kernel). In this paper, we propose AXIS that can provide existing code randomization techniques with a comprehensive protection against address exposure. AXIS first redirects the code pointers through an indirection table that is protected by the execute-no-read memory segment. During the load time, all static data will be relocated to random locations, which breaks the fixed offsets between code and data. We have implemented a prototype of AXIS with only a customized compiler and a pre-loaded library. Our experiments show that AXIS can successfully eliminate address exposure with a minimal performance overhead.

Peter Henderson,Muthucumaru Maheswaran

DOI: https://doi.org/10.48550/arXiv.1611.00742

2016-11-02

Cryptography and Security

Abstract:Embedded systems permeate through nearly all aspects of modern society. From cars to refrigerators to nuclear refineries, securing these systems has never been more important. Intrusions, such as the Stuxnet malware which broke the centrifuges in Iran's Natanz refinery, can be catastrophic to not only the infected systems, but even to the wellbeing of the surrounding population. Modern day protection mechanisms for these embedded systems generally look only at protecting the network layer, and those that try to discover malware already existing on a system typically aren't efficient enough to run on a standalone embedded system. As such, we present a novel way to ensure that no malware has been inserted into an embedded system. We chaotically randomize the entire memory space of the application, interspersing watchdog-monitor programs throughout, to monitor that the core application hasn't been infiltrated. By validating the original program through conventional methods and creating a clean reset, we can ensure that any inserted malware is purged from the system with minimal effect on the given system. We also present a software prototype to validate the possibility of this approach, but given the limitations and vulnerabilities of the prototype, we also suggest a hardware alternative to the system.

Ping Chen,Zhisheng Hu,Jun Xu,Minghui Zhu,Peng Liu

DOI: https://doi.org/10.1186/s42400-018-0003-x

2018-01-01

Abstract:In the wake of the research community gaining deep understanding about control-hijacking attacks, data-oriented attacks have emerged. Among data-oriented attacks, data structure manipulation attack (DSMA) is a major category. Pioneering research was conducted and shows that DSMA is able to circumvent the most effective defenses against control-hijacking attacks - DEP, ASLR and CFI. Up to this day, only two defense techniques have demonstrated their effectiveness: Data Flow Integrity (DFI) and Data Structure Layout Randomization (DSLR). However, DFI has high performance overhead, and dynamic DSLR has two main limitations. L-1: Randomizing a large set of data structures will significantly affect the performance. L-2: To be practical, only a fixed sub-set of data structures are randomized. In the case that the data structures targeted by an attack are not covered, dynamic DSLR is essentially noneffective.To address these two limitations, we propose a novel technique, feedback-control-based adaptive DSLR and build a system named SALADSPlus. SALADSPlus seeks to optimize the trade-off between security and cost through feedback control. Using a novel feedback-control-based adaptive algorithm extended from the Upper Confidence Bound (UCB) algorithm, the defender (controller) uses the feedbacks (cost-effectiveness) from previous randomization cycles to adaptively choose the set of data structures to randomize (the next action). Different from dynamic DSLR, the set of randomized data structures are adaptively changed based on the feedbacks. To obtain the feedbacks, SALADSPlus inserts canary in each data structure at the time of compilation. We have implemented SALADSPlus based on gcc-4.5.0. Experimental results show that the runtime overheads are 1.8%, 3.7%, and 5.3% when the randomization cycles are selected as 10s, 5s, and 1s respectively.

Lorenzo Binosi,Gregorio Barzasi,Michele Carminati,Stefano Zanero,Mario Polino

DOI: https://doi.org/10.1145/3658644.3690239

2024-08-29

Abstract:Address Space Layout Randomization (ASLR) is a crucial defense mechanism employed by modern operating systems to mitigate exploitation by randomizing processes' memory layouts. However, the stark reality is that real-world implementations of ASLR are imperfect and subject to weaknesses that attackers can exploit. This work evaluates the effectiveness of ASLR on major desktop platforms, including Linux, MacOS, and Windows, by examining the variability in the placement of memory objects across various processes, threads, and system restarts. In particular, we collect samples of memory object locations, conduct statistical analyses to measure the randomness of these placements and examine the memory layout to find any patterns among objects that could decrease this randomness. The results show that while some systems, like Linux distributions, provide robust randomization, others, like Windows and MacOS, often fail to adequately randomize key areas like executable code and libraries. Moreover, we find a significant entropy reduction in the entropy of libraries after the Linux 5.18 version and identify correlation paths that an attacker could leverage to reduce exploitation complexity significantly. Ultimately, we rank the identified weaknesses based on severity and validate our entropy estimates with a proof-of-concept attack. In brief, this paper provides the first comprehensive evaluation of ASLR effectiveness across different operating systems and highlights opportunities for Operating System (OS) vendors to strengthen ASLR implementations.

Cryptography and Security

Ping Chen,Jun Xu,Jun Wang,Peng Liu

DOI: https://doi.org/10.48550/arXiv.1507.02786

2015-07-10

Abstract:Fine-grained Address Space Randomization has been considered as an effective protection against code reuse attacks such as ROP/JOP. However, it only employs a one-time randomization, and such a limitation has been exploited by recent just-in-time ROP and side channel ROP, which collect gadgets on-the-fly and dynamically compile them for malicious purposes. To defeat these advanced code reuse attacks, we propose a new defense principle: instantly obsoleting the address-code associations. We have initialized this principle with a novel technique called virtual space page table remapping and implemented the technique in a system CHAMELEON. CHAMELEON periodically re-randomizes the locations of code pages on-the-fly. A set of techniques are proposed to achieve our goal, including iterative instrumentation that instruments a to-be-protected binary program to generate a re-randomization compatible binary, runtime virtual page shuffling, and function reordering and instruction rearranging optimizations. We have tested CHAMELEON with over a hundred binary programs. Our experiments show that CHAMELEON can defeat all of our tested exploits by both preventing the exploit from gathering sufficient gadgets, and blocking the gadgets execution. Regarding the interval of our re-randomization, it is a parameter and can be set as short as 100ms, 10ms or 1ms. The experiment results show that CHAMELEON introduces on average 11.1%, 12.1% and 12.9% performance overhead for these parameters, respectively.

Cryptography and Security

Ping Chen,Jun Xu,Zhiqiang Lin,Dongyan Xu,Bing Mao,Peng Liu

DOI: https://doi.org/10.1007/978-3-319-24174-6_4

2015-01-01

Abstract:Attackers often corrupt data structures to compromise software systems. As a countermeasure, data structure layout randomization has been proposed. Unfortunately, existing techniques require manual designation of randomize-able data structures without guaranteeing the correctness and keep the layout unchanged at runtime. We present a system, called SALADS, that automatically translates a program to a DSSR Data Structure Self-Randomizing program. At runtime, a DSSR program dynamically randomizes the layout of each security-sensitive data structure by itself autonomously. DSSR programs regularly re-randomize a data structure when it has been accessed several times after last randomization. More importantly, DSSR programs automatically determine the randomizability of instances and randomize each instance independently. We have implemented SALADS based on gcc-4.5.0 and generated DSSR user-level applications, OS kernels, and hypervisors. Our experiments show that the DSSR programs can defeat a wide range of attacks with reasonable performance overhead.

Zhijie Jerry Shi,Fan Zhang

2006-01-01

Abstract:Elliptic curve cryptography (ECC) has attracted a lot of attention because it can provide similar levels of security with much shorter keys than the arithmetic of multiple-precision integers in finite fields, which has been widely used in many public-key and key-exchange algorithms. Small key sizes are especially important to resource constrained devices as shorter keys require less storage space and consume less power to transmit and compute. However, ECC algorithms are vulnerable to power analysis attacks, which exploit the instantaneous power consumptions of computing devices to retrieve secret data. Many countermeasures have been proposed to make ECC implementations secure against power analysis. One of the approaches is randomized algorithms that generate different power traces even if the input of the algorithm is the same. For example, the randomized scalar point multiplication algorithm proposed by Oswald et al. combines two algorithms and uses random variables to decide which algorithm to follow at different stages of the execution. The randomized algorithm can thwart traditional power analysis attacks. However, in this paper, we propose an effective attack on the randomized algorithms. Our attack does not require a large number of power traces and has a very high success rate.

Shixiang Gao,Tao Zheng,Xun Zhan,XianPing Tao,Qiaoming Zhu,Junyuan Xie,Wenyang Bai

DOI: https://doi.org/10.1007/978-3-319-09265-2_12

2014-01-01

Abstract:By preventing attacks which exploit stack buffer overflow vulnerabilities, address space layout randomization is an effective way for embedded systems protection. However, ASLR will probably suffer exhaustive attacks because the pertinence is not strong. At present only coarse-grained randomization has been implemented because one of the key bottlenecks for fine-grained randomization is the dependencies between functions cannot be constructed completely due to indirect calls. As a result, we give a static inter-procedural backtracking recognition mechanism in this paper by using intermediate code analysis technologies to identify the destination addresses of indirect callings generated by function pointers.

Mohannad Ismail,Andrew Quach,Christopher Jelesnianski,Yeongjin Jang,Changwoo Min

DOI: https://doi.org/10.48550/arXiv.2203.15121

2022-03-29

Abstract:ARM is becoming more popular in desktops and data centers, opening a new realm in terms of security attacks against ARM. ARM has released Pointer Authentication, a new hardware security feature that is intended to ensure pointer integrity with cryptographic primitives. In this paper, we utilize Pointer Authentication (PA) to build a novel scheme to completely prevent any misuse of security-sensitive pointers. We propose PACTight to tightly seal these pointers. PACTight utilizes a strong and unique modifier that addresses the current issues with the state-of-the-art PA defense mechanisms. We implement four defenses based on the PACTight mechanism. Our security and performance evaluation results show that PACTight defenses are more efficient and secure. Using real PA instructions, we evaluated PACTight on 30 different applications, including NGINX web server, with an average performance overhead of 4.07% even when enforcing our strongest defense. PACTight demonstrates its effectiveness and efficiency with real PA instructions on real hardware.

Cryptography and Security

Ping Chen,Jun Xu,Zhisheng Hu,Xinyu Xing,Minghui Zhu,Bing Mao,Peng Liu

DOI: https://doi.org/10.1109/DSN.2017.47

2017-01-01

Abstract:Address space randomization has long been used for counteracting code reuse attacks, ranging from conventional ROP to sophisticated Just-in-Time ROP. At the high level, it shuffles program code in memory and thus prevents malicious ROP payload from performing arbitrary operations. While effective in mitigating attacks, existing randomization mechanisms are impractical for real-world applications and systems, especially considering the significant performance overhead and potential program corruption incurred by their implementation. In this paper, we introduce CHAMELEON, a practical defense mechanism that hinders code reuse attacks, particularly Just-in-Time ROP attacks. Technically speaking, CHAMELEON instruments program code, randomly shuffles code page addresses and minimizes the attack surface exposed to adversaries. While this defense mechanism follows in the footprints of address space randomization, our design principle focuses on using randomization to obstruct code page disclosure, making the ensuing attacks infeasible. We implemented a prototype of CHAMELEON on Linux operating system and extensively experimented it in different settings. Our theoretical and empirical evaluation indicates the effectiveness and efficiency of CHAMELEON in thwarting Just-in-Time ROP attacks.

Yihua Zhang,Marina Blanton,Ghada Almashaqbeh

DOI: https://doi.org/10.1145/3154600

IF: 2.717

2018-02-24

ACM Transactions on Privacy and Security

Abstract:Recent compilers allow a general-purpose program (written in a conventional programming language) that handles private data to be translated into a secure distributed implementation of the corresponding functionality. The resulting program is then guaranteed to provably protect private data using secure multi-party computation techniques. The goals of such compilers are generality, usability, and efficiency, but the complete set of features of a modern programming language has not been supported to date by the existing compilers. In particular, recent compilers PICCO and the two-party ANSI C compiler strive to translate any C program into its secure multi-party implementation, but they currently lack support for pointers and dynamic memory allocation, which are important components of many C programs. In this work, we mitigate the limitation and add support for pointers to private data and consequently dynamic memory allocation to the PICCO compiler, enabling it to handle a more diverse set of programs over private data. Because doing so opens up a new design space, we investigate the use of pointers to private data (with known as well as private locations stored in them) in programs and report our findings. Aside from dynamic memory allocation, we examine other important topics associated with common pointer use such as reference by pointer/address, casting, and building various data structures in the context of secure multi-party computation. This results in enabling the compiler to automatically translate a user program that uses pointers to private data into its distributed implementation that provably protects private data throughout the computation. We empirically evaluate the constructions and report on the performance of representative programs.

computer science, information systems

Vlad-Alexandru Teodorescu,Dorel Lucanu

DOI: https://doi.org/10.4204/EPTCS.410.7

2024-10-31

Abstract:Pointers are a powerful, but dangerous feature provided by the C and C++ programming languages, and incorrect use of pointers is a common source of bugs and security vulnerabilities. Making secure software is crucial, as vulnerabilities exploited by malicious actors not only lead to monetary losses, but possibly loss of human lives. Fixing these vulnerabilities is costly if they are found at the end of development, and the cost will be even higher if found after deployment. That is why it is desirable to find the bugs as early in the development process as possible. We propose a framework that can statically find use-after-free bugs at compile-time and report the errors to the users. It works by tracking the lifetime of objects and memory locations pointers might point to and, using this information, a possibly invalid dereferencing of a pointer can be detected. The framework was tested on over 100 handwritten small tests, as well as 5 real-world projects, and has shown good results detecting errors, while at the same time highlighting some scenarios where false positive reports may occur. Based on the results, it was concluded that our framework achieved its goals, as it is able to detect multiple patterns of use-after-free bugs, and correctly report the errors to the programmer.

Formal Languages and Automata Theory