research-article

LMP: light-weighted memory protection with hardware assistance

Authors:

David LieAuthors Info & Claims

ACSAC '16: Proceedings of the 32nd Annual Conference on Computer Security Applications

Pages 460 - 470

https://doi.org/10.1145/2991079.2991089

Published: 05 December 2016 Publication History

Abstract

Despite a long history and numerous proposed defenses, memory corruption attacks are still viable. A secure and low-overhead defense against return-oriented programming (ROP) continues to elude the security community. Currently proposed solutions still must choose between either not fully protecting critical data and relying instead on information hiding, or using incomplete, coarse-grain checking that can be circumvented by a suitably skilled attacker. In this paper, we present a light-weighted memory protection approach (LMP) that uses Intel's MPX hardware extensions to provide complete, fast ROP protection without having to rely in information hiding. We demonstrate a prototype that defeats ROP attacks while incurring an average runtime overhead of 3.9%.

References

[1]

Abadi, M., Budiu, M., Erlingsson, U., and Ligatti, J. Control-flow integrity. In Proceedings of the 12th ACM Conference on Computer and Communications Security (Alexandria, Virginia, 2005).

Digital Library

[2]

Andersen, S., and Abella, V. Data execution prevention. https://technet.microsoft.com/en-us/library/bb457155.aspx, 2004. Last accessed: 2016-09-01.

[3]

Bounov, D., Kici, R. G., and Lerner, S. Protecting C++ dynamic dispatch through VTable interleaving. In Proceedings of the 23rd Annual Networked & Distributed System Security Symposium (NDSS) (San Diego, California, 2016).

[4]

Castro, M., Costa, M., and Harris, T. Securing software by enforcing data-flow integrity. In Proceedings of the 7th Symposium on Operating Systems Design and Implementation (Seattle, Washington, 2006).

Digital Library

[5]

Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.-R., Shacham, H., and Winandy, M. Return-oriented programming without returns. In Proceedings of the 17th ACM Conference on Computer and Communications Security (Chicago, Illinois, 2010).

Digital Library

[6]

Cheng, Y., Zhou, Z., Yu, M., Ding, X., and Deng, R. ROPecker: A generic and practical approach for defending against rop attacks. In Proceedings of the 21st Annual Networked & Distributed System Security Symposium (NDSS) (San Diego, California, 2014).

[7]

Chiueh, T.-C., and Hsu, F.-H. RAD: A compile-time solution to buffer overflow attacks. In Proceedings of the The 21st International Conference on Distributed Computing Systems (Washington, DC, 2001).

Digital Library

[8]

Christoulakis, N., Christou, G., Athanasopoulos, E., and Ioannidis, S. HCFI: Hardware-enforced control-flow integrity. In Proceedings of the 6th ACM Conference on Data and Application Security and Privacy (2016).

Digital Library

[9]

Criswell, J., Dautenhahn, N., and Adve, V. Virtual Ghost: Protecting applications from hostile operating systems. In Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS) (Salt Lake City, Utah, 2014).

Digital Library

[10]

Dang, T. H., Maniatis, P., and Wagner, D. The performance cost of shadow stacks and stack canaries. In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (Singapore, 2015).

Digital Library

[11]

Davi, L., Hanreich, M., Paul, D., Sadeghi, A.-R., Koeberl, P., Sullivan, D., Arias, O., and Jin, Y. HAFIX: Hardware-assisted flow integrity extension. In Proceedings of the 52nd Annual Design Automation Conference (2015).

Digital Library

[12]

Davi, L., Sadeghi, A.-R., Lehmann, D., and Monrose, F. Stitching the gadgets: On the ineffectiveness of coarse-grained control-flow integrity protection. In Proceedings of the 35th IEEE Symposium on Security and Privacy (San Jose, California, 2014).

[13]

Durumeric, Z., Kasten, J., Adrian, D., Halderman, J. A., Bailey, M., Li, F., Weaver, N., Amann, J., Beekman, J., Payer, M., and Paxson, V. The matter of heartbleed. In Proceedings of the 2014 Conference on Internet Measurement Conference (Vancouver, BC, Canada, 2014).

Digital Library

[14]

Erlingsson, U., Abadi, M., Vrable, M., Budiu, M., and Necula, G. C. XFI: Software guards for system address spaces. In Proceedings of the 7th Symposium on Operating Systems Design and Implementation (Seattle, Washington, 2006).

Digital Library

[15]

Evans, I., Fingeret, S., Gonzalez, J., Otgonbaatar, U., Tang, T., Shrobe, H., Sidiroglou-Douskos, S., Rinard, M., and Okhravi, H. Missing the point(er): On the effectiveness of code pointer integrity. In Proceedings of the 36th IEEE Symposium on Security and Privacy (San Jose, California, 2015).

Digital Library

[16]

Fratrić, I. ROPGuard: Runtime prevention of return-oriented programming attacks. http://www.ieee.hr/_download/repository/Ivan_Fratric.pdf, 2012. Last accessed: 2016-09-01.

[17]

Ganesh, K. Pointer checker: Easily catch out-of-bounds memory accesses. https://software.intel.com/sites/products/parallelmag/singlearticles/issue11/7080_2_IN_ParallelMag_Issue11_Pointer_Checker.pdf. Last accessed: 2016-09-01.

[18]

Göktas, E., Athanasopoulos, E., Bos, H., and Portokalidis, G. Out of control: Overcoming control-flow integrity. In Proceedings of the 35th IEEE Symposium on Security and Privacy (San Jose, California, 2014).

Digital Library

[19]

Hu, H., Shinde, S., Sendroiu, A., Chua, Z. L., Saxena, P., and Liang, Z. Data-oriented programming: On the expressiveness of non-control data attacks. In Proceedings of the 37th IEEE Symposium on Security and Privacy (San Jose, California, 2016).

[20]

Hund, R., Willems, C., and Holz, T. Practical timing side channel attacks against kernel space ASLR. In Proceedings of the 34th IEEE Symposium on Security and Privacy (Washington, D.C., 2013).

Digital Library

[21]

Intel. Control-flow enforcement technology preview, Document Number: 334525-001, Revision 1.0. https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf, June 2016. Last Last accessed: 2016-09-01.

[22]

Kil, C., Jim, J., Bookholt, C., Xu, J., and Ning, P. Address space layout permutation (ASLP): Towards fine-grained randomization of commodity software. In Proceedings of Computer Security Applications Conference (ASAC) (Miami Beach, Florida, 2006).

Digital Library

[23]

Kuznetsov, V., Szekeres, L., Payer, M., Candea, G., Sekar, R., and Song, D. Code-pointer integrity. In Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation (Broomfield, Colorado, 2014).

Digital Library

[24]

Liu, L., Han, J., Gao, D., Jing, J., and Zha, D. Launching return-oriented programming attacks against randomized relocatable executables. In Proceedings of the 10th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) (Changsha, China, 2011).

Digital Library

[25]

Mohan, V., Larsen, P., Brunthaler, S., Hamlen, K. W., and Franz, M. Opaque control-flow integrity. In Proceedings of the 22nd Annual Networked & Distributed System Security Symposium (NDSS) (San Diego, California, 2015).

[26]

Pappas, V., Polychronakis, M., and Keromytis, A. D. Transparent ROP exploit mitigation using indirect branch tracing. In Proceedings of the 22nd USENIX Security Symposium (Washington, D.C., 2013).

Digital Library

[27]

PaX-Team. PaX ASLR (address space layout randomization). http://pax.grsecurity.net/docs/aslr.txt, 2003. Last Last accessed: 2016-09-01.

[28]

Pincus, J., and Baker, B. Beyond stack smashing: recent advances in exploiting buffer overruns. IEEE Journal of Security and Privacy 2, 4 (July 2004), 20--27.

Digital Library

[29]

Roemer, R., Buchanan, E., Shacham, H., and Savage, S. Return-oriented programming: Systems, languages, and applications. ACM Transaction on Information and System Security 15, 1 (March 2012), 2:1--2:34.

Digital Library

[30]

Seibert, J., Okhravi, H., and Söderström, E. Information leaks without memory disclosures: Remote side channel attacks on diversified code. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (2014).

Digital Library

[31]

Shacham, H., Page, M., Pfaff, B., Goh, E.-J., Modadugu, N., and Boneh, D. On the effectiveness of address-space randomization. In Proceedings of the 11th ACM Conference on Computer and Communications Security (Washington, D.C., 2004).

Digital Library

[32]

Snow, K. Z., Monrose, F., Davi, L., Dmitrienko, A., Liebchen, C., and Sadeghi, A.-R. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In Proceedings of the 34th IEEE Symposium on Security and Privacy (Washington, D.C., 2013).

Digital Library

[33]

Strackx, R., Younan, Y., Philippaerts, P., Piessens, F., Lachmund, S., and Walter, T. Breaking the memory secrecy assumption. In Proceedings of the Second European Workshop on System Security (2009).

Digital Library

[34]

Tice, C., Roeder, T., Collingbourne, P., Checkoway, S., Erlingsson, U., Lozano, L., and Pike, G. Enforcing forward-edge control-flow integrity in GCC & LLVM. In Proceedings of the 23rd USENIX Security Symposium (San Diego, California, 2014).

Digital Library

[35]

Tran, M., Etheridge, M., Bletsch, T., Jiang, X., Freeh, V., and Ning, P. On the expressiveness of return-into-libc attacks. In Proceedings of the 14th International Conference on Recent Advances in Intrusion Detection (Menlo Park, California, 2011).

Digital Library

[36]

Vogl, S., Gawlik, R., Garmany, B., Kittel, T., Pfoh, J., Eckert, C., and Holz, T. Dynamic hooks: Hiding control flow changes within non-control data. In Proceedings of the 23rd USENIX Security Symposium (San Diego, California, 2014).

Digital Library

[37]

Wahbe, R., Lucco, S., Anderson, T. E., and Graham, S. L. Efficient software-based fault isolation. SIGOPS Operating System Review 27, 5 (Dec. 1993), 203--216.

Digital Library

[38]

Wang, Z., and Jiang, X. HyperSafe: A lightweight approach to provide lifetime hypervisor control-flow integrity. In Proceedings of the 31st IEEE Symposium on Security and Privacy (San Jose, California, 2010).

Digital Library

[39]

Zeng, B., Tan, G., and Morrisett, G. Combining control-flow integrity and static analysis for efficient and validated data sandboxing. In Proceedings of the 18th ACM Conference on Computer and Communications Security (Chicago, Illinois, 2011).

Digital Library

[40]

Zhang, C., Carr, S. A., Li, T., Ding, Y., Song, C., Payer, M., and Song, D. VTrust: Regaining trust on virtual calls. In Proceedings of the 23rd Annual Networked & Distributed System Security Symposium (NDSS) (San Diego, California, 2016).

Cited By

KUZUNO HYAMAUCHI T(2020)Identification of Kernel Memory Corruption Using Kernel Memory Secret Observation MechanismIEICE Transactions on Information and Systems10.1587/transinf.2019ICP0011E103.D:7(1462-1475)Online publication date: 1-Jul-2020
https://doi.org/10.1587/transinf.2019ICP0011
Canakci SDelshadtehrani LZhou BJoshi AEgele M(2020)Efficient Context-Sensitive CFI Enforcement Through a Hardware MonitorDetection of Intrusions and Malware, and Vulnerability Assessment10.1007/978-3-030-52683-2_13(259-279)Online publication date: 7-Jul-2020
https://doi.org/10.1007/978-3-030-52683-2_13
Huang ZLie DTan GJaeger T(2019)Using Safety Properties to Generate Vulnerability Patches2019 IEEE Symposium on Security and Privacy (SP)10.1109/SP.2019.00071(539-554)Online publication date: May-2019
https://doi.org/10.1109/SP.2019.00071
Show More Cited By

Index Terms

LMP: light-weighted memory protection with hardware assistance
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
    1. Malware and its mitigation

Recommendations

Counterfeit Object-oriented Programming: On the Difficulty of Preventing Code Reuse Attacks in C++ Applications
SP '15: Proceedings of the 2015 IEEE Symposium on Security and Privacy

Code reuse attacks such as return-oriented programming (ROP) have become prevalent techniques to exploit memory corruption vulnerabilities in software programs. A variety of corresponding defenses has been proposed, of which some have already been ...
Analyzing the Gadgets
ESSoS 2016: Proceedings of the 8th International Symposium on Engineering Secure Software and Systems - Volume 9639

Current low-level exploits often rely on code-reuse, whereby short sections of code gadgets are chained together into a coherent exploit that can be executed without the need to inject any code. Several protection mechanisms attempt to eliminate this ...
SeBROP: blind ROP attacks without returns
Abstract
Currently, security-critical server programs are well protected by various defense techniques, such as Address Space Layout Randomization(ASLR), eXecute Only Memory(XOM), and Data Execution Prevention(DEP), against modern code-reuse attacks like ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ACSAC '16: Proceedings of the 32nd Annual Conference on Computer Security Applications

December 2016

614 pages

ISBN:9781450347716

DOI:10.1145/2991079

Conference Chair:
Stephen Schwab
USC Information Sciences Institute
,
Program Chairs:
Wil Robertson
Northeastern University
,
Davide Balzarotti
Eurecom

Copyright © 2016 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 December 2016

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

NSERC Discovery Grant

Conference

ACSAC '16

Sponsor:

ACSA

ACSAC '16: 2016 Annual Computer Security Applications Conference

December 5 - 8, 2016

California, Los Angeles, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
208
Total Downloads

Downloads (Last 12 months)10
Downloads (Last 6 weeks)2

Reflects downloads up to 09 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

KUZUNO HYAMAUCHI T(2020)Identification of Kernel Memory Corruption Using Kernel Memory Secret Observation MechanismIEICE Transactions on Information and Systems10.1587/transinf.2019ICP0011E103.D:7(1462-1475)Online publication date: 1-Jul-2020
https://doi.org/10.1587/transinf.2019ICP0011
Canakci SDelshadtehrani LZhou BJoshi AEgele M(2020)Efficient Context-Sensitive CFI Enforcement Through a Hardware MonitorDetection of Intrusions and Malware, and Vulnerability Assessment10.1007/978-3-030-52683-2_13(259-279)Online publication date: 7-Jul-2020
https://doi.org/10.1007/978-3-030-52683-2_13
Huang ZLie DTan GJaeger T(2019)Using Safety Properties to Generate Vulnerability Patches2019 IEEE Symposium on Security and Privacy (SP)10.1109/SP.2019.00071(539-554)Online publication date: May-2019
https://doi.org/10.1109/SP.2019.00071
Kuzuno HYamauchi T(2019)KMO: Kernel Memory Observer to Identify Memory Corruption by Secret Inspection MechanismInformation Security Practice and Experience10.1007/978-3-030-34339-2_5(75-94)Online publication date: 6-Nov-2019
https://doi.org/10.1007/978-3-030-34339-2_5
Jin HLiu BDu YZou D(2018)BoundShield: Comprehensive Mitigation for Memory Disclosure Attacks via Secret Region IsolationIEEE Access10.1109/ACCESS.2018.28358386(36341-36353)Online publication date: 2018
https://doi.org/10.1109/ACCESS.2018.2835838
Ge XCui WJaeger T(2017)GRIFFINACM SIGARCH Computer Architecture News10.1145/3093337.303771645:1(585-598)Online publication date: 4-Apr-2017
https://dl.acm.org/doi/10.1145/3093337.3037716
Ge XCui WJaeger T(2017)GRIFFINACM SIGPLAN Notices10.1145/3093336.303771652:4(585-598)Online publication date: 4-Apr-2017
https://dl.acm.org/doi/10.1145/3093336.3037716
Ge XCui WJaeger T(2017)GRIFFINACM SIGOPS Operating Systems Review10.1145/3093315.303771651:2(585-598)Online publication date: 4-Apr-2017
https://doi.org/10.1145/3093315.3037716
Ge XCui WJaeger TChen YTemam OCarter J(2017)GRIFFINProceedings of the Twenty-Second International Conference on Architectural Support for Programming Languages and Operating Systems10.1145/3037697.3037716(585-598)Online publication date: 4-Apr-2017
https://dl.acm.org/doi/10.1145/3037697.3037716

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents