LIU Jia-xiang,JIANG Jian-hui,CHEN Lin-bo

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.05.017

2012-01-01

Abstract:In the paper,the basic attack patterns for Intel 80X86 are classified in the viewpoint of assemble language programs.The weak-ness of the existing dynamic buffer-overflow prevention mechanisms is discussed.A new dynamic stack buffer-overflow prevention mechanism based on return-address translation is proposed.The new mechanism is proved to be able to defend multiple patterns attacks with an acceptable performance tradeoff.We present experimental results of both the penetration resistance and the performance impact of the propsed mechanism.With simple modification,the mechanism is suitable for different security and performance needs.

Mengchen Cao,Xiantong Hou,Tao Wang,Hunter Qu,Yajin Zhou,Xiaolong Bai,Fuwei Wang

DOI: https://doi.org/10.1145/3319535.3345654

2019-01-01

Abstract:The use of uninitialized variables is a common issue. It could cause kernel information leak, which defeats the widely deployed security defense, i.e., kernel address space layout randomization (KASLR). Though a recent system called Bochspwn Reloaded reported multiple memory leaks in Windows kernels, how to effectively detect this issue is still largely behind.

Yi Zhuang,Tao Zheng,Zhitian Lin

2014-01-01

Abstract:Fine-grained address space layout randomization has recently been proposed as a method of efficiently mitigating ROP attacks. In this paper, we introduce a design and implementation of a framework based on a runtime strategy that undermines the benefits of fine-grained ASLR. Specifically, we abuse a memory disclosure to map an application’s memory layout on-the-fly, dynamically discover gadgets and construct the desired exploit payload, and finish our goals by using virtual function call mechanism—all with a script environment at the time an exploit is launched. We demonstrate the effectiveness of our framework by using it in conjunction with a real-world exploit against Internet Explorer and other applications protected by fine-grained ASLR. Moreover, we provide evaluations that demonstrate the practicality of run-time code reuse attacks. Our work shows that such a framework is effective and fine-grained ASLR may not be as promising as first thought. Keywords-code reuse; security; dynamic; fine-grained ASLR

Zhaohui Liang,Bin Liang,Luping Li,Wei Chen

DOI: https://doi.org/10.1109/NSWCTC.2009.39

2009-01-01

Abstract:The existing code injection attack defense methods have some deficiencies on performance overhead and effectiveness. In order to ensure the system performance, we propose a method that uses system call randomization to counter code injection attacks based on instruction set randomization idea. An injected code would perform its actions with system calls. System call randomization on operating system level will prevent the injected code from executing correctly. Moreover, with an extended compiler, our method can perform source code randomization during compiling and implement binary executable files randomization by feature matching. The experiments show that our method can effectively counter variety code injection attacks with low overhead.

Xun Zhan,Tao Zheng,Shixiang Gao

DOI: https://doi.org/10.1109/sere-c.2014.28

2014-01-01

Abstract:Code reuse attacks such as return-oriented programming, one of the most powerful threats to software system, rely on the absolute address of instructions. Therefore, address space randomization should be an effective defending method. However, current randomization techniques either are lack of enough entropy or have significant time or space overhead. In this paper, we present a novel fine-grained randomization technique at basic block level. In contrast to previous work, our technique dealt with critical technical challenges including indirect branches, callbacks and position independent codes properly at least cost. We implement an efficient prototype randomization system which supports Linux ELF file format and x86 architecture. Our evaluation demonstrated that it can defend ROP attacks with tiny performance overhead (4% on average) successfully.

CHEN Lin-bo,JIANG Jian-hui,ZHANG Dan-qing

DOI: https://doi.org/10.3969/j.issn.1002-137X.2013.09.019

2013-01-01

Computer Science

Abstract:Despite the numerous prevention and protection techniques that have been developed,the exploitation of memory corruption vulnerabilities still represents a serious threat to the security of software systems and networks.Because of the adoption of the write or execute only policy(W♁X)and address space layout randomization(ASLR),modern operate systems have been strengthened against code injection attacks.However,attackers have responded by employing code reuse attacks,in which software vulnerability is exploited to weave control flow through existing code base.Solutions targeting different aspects of the attack itself have got some success,but none of them can be a silver bullet.Under this situation,a novel defense technique was presented in order to prevent code reuse attacks,especially return-oriented programming(ROP)attacks.This new defense technique,which was benefit from the protection of return address,could dynamically prevent the execution of gadgets ending with 0xc3.Without requiring access to side information such as source code or debugging information,this defense technique could prevent ROP attacks with low performance overhead.

Ping Chen,Jun Xu,Jun Wang,Peng Liu

DOI: https://doi.org/10.48550/arXiv.1507.02786

2015-07-10

Abstract:Fine-grained Address Space Randomization has been considered as an effective protection against code reuse attacks such as ROP/JOP. However, it only employs a one-time randomization, and such a limitation has been exploited by recent just-in-time ROP and side channel ROP, which collect gadgets on-the-fly and dynamically compile them for malicious purposes. To defeat these advanced code reuse attacks, we propose a new defense principle: instantly obsoleting the address-code associations. We have initialized this principle with a novel technique called virtual space page table remapping and implemented the technique in a system CHAMELEON. CHAMELEON periodically re-randomizes the locations of code pages on-the-fly. A set of techniques are proposed to achieve our goal, including iterative instrumentation that instruments a to-be-protected binary program to generate a re-randomization compatible binary, runtime virtual page shuffling, and function reordering and instruction rearranging optimizations. We have tested CHAMELEON with over a hundred binary programs. Our experiments show that CHAMELEON can defeat all of our tested exploits by both preventing the exploit from gathering sufficient gadgets, and blocking the gadgets execution. Regarding the interval of our re-randomization, it is a parameter and can be set as short as 100ms, 10ms or 1ms. The experiment results show that CHAMELEON introduces on average 11.1%, 12.1% and 12.9% performance overhead for these parameters, respectively.

Cryptography and Security

Joobeom Yun,Ki-Woong Park,Dongyoung Koo,Youngjoo Shin

DOI: https://doi.org/10.3390/en13061332

IF: 3.2

2020-03-13

Energies

Abstract:Nowadays, various computing services are often hosted on cloud platforms for their availability and cost effectiveness. However, such services are frequently exposed to vulnerabilities. Therefore, many countermeasures have been invented to defend against software hacking. At the same time, more complicated attacking techniques have been created. Among them, code-reuse attacks are still an effective means of abusing software vulnerabilities. Although state-of-the-art address space layout randomization (ASLR) runtime-based solutions provide a robust way to mitigate code-reuse attacks, they have fundamental limitations; for example, the need for system modifications, and the need for recompiling source codes or restarting processes. These limitations are not appropriate for mission-critical services because a seamless operation is very important. In this paper, we propose a novel ASLR technique to provide memory rerandomization without interrupting the process execution. In addition, we describe its implementation and evaluate the results. In summary, our method provides a lightweight and seamless ASLR for critical service applications.

energy & fuels

Xiaoguang Wang,Yong Qi

DOI: https://doi.org/10.1109/iscc.2017.8024570

2017-01-01

Abstract:Remote server vulnerability exploit is one of the most troublesome threat to the Internet security. An effective defense against the remote vulnerability exploit is code randomization, which randomizes the program code address to disrupt the malicious payload execution. Unfortunately, code randomization is particularly susceptible to address exposure vulnerabilities; the leak of a single code or data pointer is often sufficient to de-randomize the protected process. Existing solutions either prevent part of the address exposures (e.g., code-pointer exposure only), or are too heavyweight (e.g., have to involve a hypervisor software or a modified OS kernel). In this paper, we propose AXIS that can provide existing code randomization techniques with a comprehensive protection against address exposure. AXIS first redirects the code pointers through an indirection table that is protected by the execute-no-read memory segment. During the load time, all static data will be relocated to random locations, which breaks the fixed offsets between code and data. We have implemented a prototype of AXIS with only a customized compiler and a pre-loaded library. Our experiments show that AXIS can successfully eliminate address exposure with a minimal performance overhead.

Jiangchao Liu,Liqian Chen,Xavier Rival

DOI: https://doi.org/10.1109/tcad.2018.2858462

IF: 2.9

2018-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:User-space programs rely on memory allocation primitives when they need to construct dynamic structures such as lists or trees. However, low-level OS kernel services and embedded device drivers typically avoid resorting to an external memory allocator in such cases, and store structure elements in contiguous arrays instead. This programming pattern leads to very complex code, based on data-structures that can be viewed and accessed either as arrays or as chained dynamic structures. The code correctness then depends on intricate invariants mixing both aspects. We propose a static analysis that is able to verify such programs. It relies on the combination of abstractions of the allocator array and of the dynamic structures built inside it. This approach allows to integrate program reasoning steps inherent in the array and in the chained structure into a single abstract interpretation. We report on the successful verification of several embedded OS kernel services and drivers.

Lorenzo Binosi,Gregorio Barzasi,Michele Carminati,Stefano Zanero,Mario Polino

DOI: https://doi.org/10.1145/3658644.3690239

2024-08-29

Abstract:Address Space Layout Randomization (ASLR) is a crucial defense mechanism employed by modern operating systems to mitigate exploitation by randomizing processes' memory layouts. However, the stark reality is that real-world implementations of ASLR are imperfect and subject to weaknesses that attackers can exploit. This work evaluates the effectiveness of ASLR on major desktop platforms, including Linux, MacOS, and Windows, by examining the variability in the placement of memory objects across various processes, threads, and system restarts. In particular, we collect samples of memory object locations, conduct statistical analyses to measure the randomness of these placements and examine the memory layout to find any patterns among objects that could decrease this randomness. The results show that while some systems, like Linux distributions, provide robust randomization, others, like Windows and MacOS, often fail to adequately randomize key areas like executable code and libraries. Moreover, we find a significant entropy reduction in the entropy of libraries after the Linux 5.18 version and identify correlation paths that an attacker could leverage to reduce exploitation complexity significantly. Ultimately, we rank the identified weaknesses based on severity and validate our entropy estimates with a proof-of-concept attack. In brief, this paper provides the first comprehensive evaluation of ASLR effectiveness across different operating systems and highlights opportunities for Operating System (OS) vendors to strengthen ASLR implementations.

Cryptography and Security

江建慧,章力源,金涛,陈川

DOI: https://doi.org/10.3969/j.issn.0253-374x.2010.06.024

2010-01-01

Abstract:The paper presents an analysis of the principle of stack buffer overflow attacks and basic attack patterns for Intel 80×86 architecture and C/C++.Then,the merits and drawbacks of the existing dynamic buffer overflow prevention methods are discussed.On the basis of the address obfuscation and integrity checking,this paper presents a new dynamic buffer overflow prevention method based on k circular random sequence.This improved prevention method can defend attacks of multiple patterns with high probability and enhance the intrusion-tolerance capability of the vulnerable software.

Hai Jin,Benxi Liu,Yajuan Du,Deqing Zou

DOI: https://doi.org/10.1109/access.2018.2835838

IF: 3.9

2018-01-01

IEEE Access

Abstract:Address space layout randomization (ASLR) is now widely adopted in modern operating systems to thwart code reuse attacks. However, an adversary can still bypass fine-grained ASLR by exploiting memory corruption vulnerabilities and performing memory disclosure attacks. Although Execute-no-Read schemes have been proven to be an efficient solution against read-based memory disclosures, existing solutions need modifications to kernel or hypervisor. Besides, the defense of execution-based memory disclosures has been ignored. In this paper, we propose BoundShield, a self-protection scheme that provides comprehensive protection against memory disclosure attacks, especially against those based on executing arbitrary code by leveraging Intel Memory Protection Extension. BoundShield protects code memory by defending not only read-based memory disclosure attacks but also execution-based memory disclosure attacks. On one hand, read-based memory disclosures can be eliminated by hiding all code sections and code pointers in a secret region separated from the user address space. On the other hand, BoundShield prevents return addresses from being corrupted and ensures that all function pointers point to the legitimate entries whenever they are dereferenced, which significantly reduces the attack surface for execution-based memory disclosures. We have implemented a prototype of BoundShield based on a set of modifications to compiler toolchain and the standard C library. Our evaluation results show that the BoundShield can provide strong defenses against memory disclosure attacks while incurring a small performance overhead.

YongGang Li,GuoYuan Lin,Yeh-Ching Chung,YaoWen Ma,Yi Lu,Yu Bao

DOI: https://doi.org/10.1016/j.future.2022.10.035

IF: 7.307

2023-03-01

Future Generation Computer Systems

Abstract:Address space layout randomization (ASLR) has been widely deployed in operating systems (OS) to hide memory layout, which mitigates code reuse attacks (CRAs). Unfortunately, the memory probing techniques can still provide attackers with enough information to bypass ASLR. Although the control flow integrity (CFI) methods are not affected by code probing, they face the precision problem of control flow graphs (CFG). To make matters worse, most methods rely on the source code of the targets to be protected, which leads to their restrictions on the protection of the objects without source code. To solve these problems, MagBox is proposed in this paper. It identifies the risk functions that can provide gadgets for CRAs by detecting and analyzing attackers’ code probing activities. If the function is probed, it will be moved to a new address space. After that, the control flow transfers of the function will be tracked and analyzed in real time to judge their legitimacy. Experiment results and analysis show that MagBox can mitigate CRAs, and only introduces 3.4% performance overhead to the CPU.

computer science, theory & methods

HOU Shang-wen,HUANG Jian-jun,LIANG Bin,YOU Wei,SHI Wen-chang

DOI: https://doi.org/10.11896/jsjkx.220500091

2022-01-01

Abstract:In recent years,code reuse attack has become a mainstream attack against binary programs.The code reuse attack such as ROP uses the instruction gadgets in the memory space to construct an instruction sequence that can realize specific functions and achieve malicious purposes.According to the basic principle of the code reuse attack,this paper proposes a defense method based on real-time function loading and unloading.More specifically,the method shrinks the code space by the dynamic loading/unloading,to reduce the attack surface and defend the code reuse.First,it extracts sufficient function information in the dependent libraries of the target program by static analysis,and uses this information in the form of replacement libraries.Second,it introduces real-time loading in the dynamic loader in Linux,and proposes an auto-triggerable and auto-restorable loading/unloading.In order to reduce the high overhead caused by frequent unloading,a randomized batch unloading mechanism is designed.Finally,experiments are carried out in a real environment to verify the effectiveness of the scheme against code reuse attacks,and the significance of the randomized unloading strategy is demonstrated.

Ping Chen,Jun Xu,Zhisheng Hu,Xinyu Xing,Minghui Zhu,Bing Mao,Peng Liu

DOI: https://doi.org/10.1109/DSN.2017.47

2017-01-01

Abstract:Address space randomization has long been used for counteracting code reuse attacks, ranging from conventional ROP to sophisticated Just-in-Time ROP. At the high level, it shuffles program code in memory and thus prevents malicious ROP payload from performing arbitrary operations. While effective in mitigating attacks, existing randomization mechanisms are impractical for real-world applications and systems, especially considering the significant performance overhead and potential program corruption incurred by their implementation. In this paper, we introduce CHAMELEON, a practical defense mechanism that hinders code reuse attacks, particularly Just-in-Time ROP attacks. Technically speaking, CHAMELEON instruments program code, randomly shuffles code page addresses and minimizes the attack surface exposed to adversaries. While this defense mechanism follows in the footprints of address space randomization, our design principle focuses on using randomization to obstruct code page disclosure, making the ensuing attacks infeasible. We implemented a prototype of CHAMELEON on Linux operating system and extensively experimented it in different settings. Our theoretical and empirical evaluation indicates the effectiveness and efficiency of CHAMELEON in thwarting Just-in-Time ROP attacks.

沈达宇,黄皓

2012-01-01

Abstract:The basic protection idea we proposed is the randomization of the data in memory.Through modify the program,instrument new instructions,making the data saved to memory randomization.In this way we can effectively prevent the destruction of the non-control data attack,and even play a certain effect on data privacy protection.This paper achieves a compiler optimization Pass module based on open source project of LLVM compiler,which can optimize executable program from the hazards of non-control data attacks when the source files can be obtained.

Lei Duan,Tao Wei,Tielei Wang,Tianfang Guo,Wei Zou

2010-01-01

Abstract:Just-in-time (JIT)-spraying, which first appeared in Blackhat DC 2010, is a new kind of attack techniques based on JIS compilation. This technique allows attackers to bypass data execution prevention (DEP) and address space layout randomization (ASLR). There are not yet any public methods to prevent this kind of attack which makes users quite vulnerable. This attack was analyzed to build models for Sledge, Shellcode's handover, and other key points to develop a JIT-spraying prevention mechanism based on random instruction padding. Quantitative analysis of the method's effectiveness shows that the best solution reduces the success rate of JIT-spraying attacks to less than 10 -6 and only introduces about 13% more padding instructions. This approach is demonstrated in V8, which is the JavaScript engine of the Chrome browser, and the performance overhead is less than 1%. The mechanism can also be used in other JIT compilers to provide more effective safety protection combined with DEP and ASLR.

Chao Zhang,Tao Wei,Zhaofeng Chen,Lei Duan,Laszlo Szekeres,Stephen McCamant,Dawn Song,Wei Zou

DOI: https://doi.org/10.1109/sp.2013.44

2013-01-01

Security and Privacy

Abstract:Control Flow Integrity (CFI) provides a strong protection against modern control-flow hijacking attacks. However, performance and compatibility issues limit its adoption. We propose a new practical and realistic protection method called CCFIR (Compact Control Flow Integrity and Randomization), which addresses the main barriers to CFI adoption. CCFIR collects all legal targets of indirect control-transfer instructions, puts them into a dedicated "Springboard section" in a random order, and then limits indirect transfers to flow only to them. Using the Springboard section for targets, CCFIR can validate a target more simply and faster than traditional CFI, and provide support for on-site target-randomization as well as better compatibility. Based on these approaches, CCFIR can stop control-flow hijacking attacks including ROP and return-into-libc. Results show that ROP gadgets are all eliminated. We observe that with the wide deployment of ASLR, Windows/x86 PE executables contain enough information in relocation tables which CCFIR can use to find all legal instructions and jump targets reliably, without source code or symbol information. We evaluate our prototype implementation on common web browsers and the SPEC CPU2000 suite: CCFIR protects large applications such as GCC and Firefox completely automatically, and has low performance overhead of about 3.6%/8.6% (average/max) using SPECint2000. Experiments on real-world exploits also show that CCFIR-hardened versions of IE6, Firefox 3.6 and other applications are protected effectively.

YA Tan,JY Zheng,YD Cao

DOI: https://doi.org/10.1109/pdcat.2005.47

2005-01-01

Abstract:Buffer overflows remain the leading cause of software vulnerabilities in the world of information security. The proposed segment-based non-executable stack approach aims to prevent the injection and execution of arbitrary code in an existing process's stack space under Windows NT/2000 and Intel 32-bit CPUs. The application's user-mode stack is relocated to the higher address and the effective limit of the code segment excludes the relocated stack from the code segment. The segmentation logic of IA-32 processors monitors the accesses to the memory ranges and a page fault is generated if instruction fetches are initiated in the stack memory pages. It is highly effective in preventing both known and yet unknown stack smashing attacks.