research-article

Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code

Authors:

Eric SöderströmAuthors Info & Claims

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

Pages 54 - 65

https://doi.org/10.1145/2660267.2660309

Published: 03 November 2014 Publication History

Abstract

Code diversification has been proposed as a technique to mitigate code reuse attacks, which have recently become the predominant way for attackers to exploit memory corruption vulnerabilities. As code reuse attacks require detailed knowledge of where code is in memory, diversification techniques attempt to mitigate these attacks by randomizing what instructions are executed and where code is located in memory. As an attacker cannot read the diversified code, it is assumed he cannot reliably exploit the code.

In this paper, we show that the fundamental assumption behind code diversity can be broken, as executing the code reveals information about the code. Thus, we can leak information without needing to read the code. We demonstrate how an attacker can utilize a memory corruption vulnerability to create side channels that leak information in novel ways, removing the need for a memory disclosure vulnerability. We introduce seven new classes of attacks that involve fault analysis and timing side channels, where each allows a remote attacker to learn how code has been diversified.

References

[1]

ABADI, M., BUDIU, M., ERLINGSSON, U., AND LIGATTI, J. Control-flow integrity. In Computer and Communications Security (CCS) (2005).

Digital Library

[2]

ACIIÇMEZ, O., BRUMLEY, B. B., AND GRABHER, P. New results on instruction cache attacks. In CHES (2010).

Digital Library

[3]

AKRITIDIS, P., CADAR, C., RAICIU, C., COSTA, M., AND CASTRO, M. Preventing Memory Error Exploits with WIT. In Security and Privacy (2008).

Digital Library

[4]

BHATKAR, S., AND SEKAR, R. Data space randomization. In DIMVA (2008).

Digital Library

[5]

BIHAM, E., AND SHAMIR, A. Differential fault analysis of secret key cryptosystems. In CRYPTO (1997).

Digital Library

[6]

BITTAU, A., BELAY, A., MASHTIZADEH, A., MAZIERES, D., AND BONEH, D. Hacking blind. In Security and Privacy (2014).

Digital Library

[7]

BLAZAKIS, D. Leaking addresses with vulnerabilities that can't read good. SummerCon '13. http://www.trapbit.com/talks/Summerc0n2013-GCWoah.pdf.

[8]

BONNEAU, J., AND MIRONOV, I. Cache-collision timing attacks against AES. In CHES (2006).

Digital Library

[9]

BRUMLEY, B. B., AND TUVERI, N. Remote timing attacks are still practical. In ESORICS (2011).

Digital Library

[10]

BRUMLEY, D., AND BONEH, D. Remote timing attacks are practical. In USENIX Security Symposium (2003).

Digital Library

[11]

CHECKOWAY, S., DAVI, L., DMITRIENKO, A., SADEGHI, A.-R., SHACHAM, H., AND WINANDY, M. Return-oriented programming without returns. In CCS (2010).

Digital Library

[12]

CROSBY, S. A., WALLACH, D. S., AND RIEDI, R. H. Opportunities and limits of remote timing attacks. ACM Transactions on Information and System Security 12, 3 (Jan. 2009), 17:1--17:29.

Digital Library

[13]

DURVAUX, F., RENAULD, M., STANDAERT, F.-X., VAN OLDENEEL TOT OLDENZEEL, L., AND VEYRAT-CHARVILLON, N. Efficient removal of random delays from embedded software implementations using hidden markov models. vol. 7771 of Lecture Notes in Computer Science. 2013, pp. 123--140.

Digital Library

[14]

DUSART, P., LETOURNEUX, G., AND VIVOLO, O. Differential fault analysis on AES. In ACNS (2003).

[15]

FORREST, S., SOMAYAJI, A., AND ACKLEY, D. Building diverse computer systems. In HotOS (1997).

Digital Library

[16]

FRANZ, M., BRUNTHALER, S., LARSEN, P., HOMESCU, A., AND NEISIUS, S. Profile-guided automated software diversity. In the 2013 IEEE/ACM International Symposium on Code Generation and Optimization (CGO) (2013).

Digital Library

[17]

GENKIN, D., SHAMIR, A., AND TROMER, E. RSA key extraction via low-bandwidth acoustic cryptanalysis. Tech. rep., 2013.

[18]

GIUFFRIDA, C., KUIJSTEN, A., AND TANENBAUM, A. S. Enhanced operating system security through efficient and fine-grained address space randomization. In the 21st USENIX Security Symposium (2012).

Digital Library

[19]

HISER, J., NGUYEN-TUONG, A., CO, M., HALL, M., AND DAVIDSON, J. W. ILR: Where'd my gadgets go? In Security and Privacy (2012).

Digital Library

[20]

HOCH, J. J., AND SHAMIR, A. Fault analysis of stream ciphers. In CHES (2004), Springer, pp. 240--253.

[21]

HOMESCU, A., BRUNTHALER, S., LARSEN, P., AND FRANZ, M. librando: Transparent code randomization for just-in-time compilers. In CCS (2013).

Digital Library

[22]

HUND, R., WILLEMS, C., AND HOLZ, T. Practical timing side channel attacks against kernel space aslr. In Security and Privacy (2013).

Digital Library

[23]

JACKSON, T., HOMESCU, A., CRANE, S., LARSEN, P., BRUNTHALER, S., AND FRANZ, M. Diversifying the software stack using randomized nop insertion. Moving Target Defense II: Application of Game Theory and Adversarial Modeling 100 (2013), 151--174.

[24]

JOYE, M., PAILLIER, P., AND SCHOENMAKERS, B. On second-order differential power analysis. In CHES (2005).

Digital Library

[25]

KC, G. S., KEROMYTIS, A. D., AND PREVELAKIS, V. Countering code-injection attacks with instruction-set randomization. In CCS (2003).

Digital Library

[26]

KIL, C., JUN, J., BOOKHOLT, C., XU, J., AND NING, P. Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software. In ACSAC (2006).

Digital Library

[27]

KOCHER, P. C. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In CRYPTO (1996).

Digital Library

[28]

KOCHER, P. C., JAFFE, J., AND JUN, B. Differential power analysis. In CRYPTO (1999).

Digital Library

[29]

ONARLIOGLU, K., BILGE, L., LANZI, A., BALZAROTTI, D., AND KIRDA, E. G-free: Defeating return-oriented programming through gadget-less binaries. In ACSAC'10 (2010).

Digital Library

[30]

OSWALD, D., RICHTER, B., AND PAAR, C. Side-channel attacks on the Yubikey 2 one-time password generator. In Research in Attacks, Intrusions, and Defenses (RAID). 2013.

[31]

PAPPAS, V., POLYCHRONAKIS, M., AND KEROMYTIS, A. D. Smashing the gadgets: Hindering return-oriented programming using in-place code randomization. In Security and Privacy (2012).

Digital Library

[32]

PROUFF, E., RIVAIN, M., AND BÉVAN, R. Statistical analysis of second order differential power analysis. IEEE Transactions on Computers 58, 6 (2009), 799--811.

Digital Library

[33]

SHACHAM, H. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In CCS (2007).

Digital Library

[34]

SHACHAM, H., PAGE, M., PFAFF, B., GOH, E.-J., MODADUGU, N., AND BONEH, D. On the effectiveness of address-space randomization. In CCS (2004).

Digital Library

[35]

SKOWYRA, R., CASTEEL, K., OKHRAVI, H., ZELDOVICH, N., AND STREILEIN,W. Systematic analysis of defenses against return-oriented programming. In RAID. 2013.

[36]

SNOW, K. Z., MONROSE, F., DAVI, L., DMITRIENKO, A., LIEBCHEN, C., AND SADEGHI, A.-R. Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization. In Security and Privacy (2013).

Digital Library

[37]

SOVAREL, A. N., EVANS, D., AND PAUL, N. Where's the feeb? the effectiveness of instruction set randomization. In the 14th conference on USENIX Security Symposium (2005).

Digital Library

[38]

STRACKX, R., YOUNAN, Y., PHILIPPAERTS, P., PIESSENS, F., LACHMUND, S., AND WALTER, T. Breaking the memory secrecy assumption. In EUROSEC (2009).

Digital Library

[39]

SZEKERES, L., PAYER, M., WEI, T., AND SONG, D. Sok: Eternal war in memory. In Security and Privacy (2013).

Digital Library

[40]

THE PAX TEAM. Address space layout randomization. http://pax.grsecurity.net/docs/aslr.txt.

[41]

TROMER, E., OSVIK, D. A., AND SHAMIR, A. Efficient cache attacks on AES, and countermeasures. Journal of Cryptology 23, 2 (Jan. 2010), 37--71.

Digital Library

[42]

TROMER, E., AND SHAMIR, A. Acoustic cryptanalysis : on nosy people and noisy machines. In Eurocrypt Rump Session (2004).

[43]

TUNSTALL, M., MUKHOPADHYAY, D., AND ALI, S. Differential fault analysis of the advanced encryption standard using a single fault. In the International Conference on Information Security Theory and Practice (WISTP) (2011).

Digital Library

[44]

WANG, Z., AND LEE, R. B. New cache designs for thwarting software cache-based side channel attacks. In the 34th Annual International Symposium on Computer Architecture (ISCA) (2007).

Digital Library

[45]

WARTELL, R., MOHAN, V., HAMLEN, K. W., AND LIN, Z. Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In CCS (2012).

Digital Library

[46]

ZHANG, Y., JUELS, A., REITER, M. K., AND RISTENPART, T. Cross-vm side channels and their use to extract private keys. In CCS (2012).

Digital Library

Cited By

Mergendahl SFickas SNorris BSkowyra RLuo BLiao XXu JKirda ELie D(2024)Manipulative Interference AttacksProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690246(4569-4583)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3690246
Dharsee KCriswell JCalandrino JTroncoso C(2023)JinnProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620627(6965-6982)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620627
Ahmed SLiljestrand HJamjoom HHicks MAsokan NYao DCalandrino JTroncoso C(2023)Not all data are created equalProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620318(1433-1450)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620318
Show More Cited By

Index Terms

Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Information flow control
    2. Operating systems security

Recommendations

Timely Rerandomization for Mitigating Memory Disclosures
CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

Address Space Layout Randomization (ASLR) can increase the cost of exploiting memory corruption vulnerabilities. One major weakness of ASLR is that it assumes the secrecy of memory addresses and is thus ineffective in the face of memory disclosure ...
ExOShim: preventing memory disclosure using execute-only kernel code

Information leakage and memory disclosure are major threats to the security in modern computer systems. If an attacker is able to obtain the binary-code of an application, it is possible to reverse-engineer the source-code, uncover vulnerabilities, craft ...
Thwarting Memory Disclosure with Efficient Hypervisor-enforced Intra-domain Isolation
CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

Exploiting memory disclosure vulnerabilities like the HeartBleed bug may cause arbitrary reading of a victim's memory, leading to leakage of critical secrets such as crypto keys, personal identity and financial information. While isolating code that ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

November 2014

1592 pages

ISBN:9781450329576

DOI:10.1145/2660267

General Chair:
Gail-Joon Ahn
Arizona State University, USA
,
Program Chairs:
Moti Yung
Google -- Columbia University, USA
,
Ninghui Li
Purdue University, USA

Copyright © 2014 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 November 2014

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Defense Advanced Research Projects Agency

Conference

CCS'14

Sponsor:

SIGSAC

CCS'14: 2014 ACM SIGSAC Conference on Computer and Communications Security

November 3 - 7, 2014

Arizona, Scottsdale, USA

Acceptance Rates

CCS '14 Paper Acceptance Rate 114 of 585 submissions, 19%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

91
Total Citations
View Citations
997
Total Downloads

Downloads (Last 12 months)35
Downloads (Last 6 weeks)2

Reflects downloads up to 12 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Mergendahl SFickas SNorris BSkowyra RLuo BLiao XXu JKirda ELie D(2024)Manipulative Interference AttacksProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3690246(4569-4583)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3690246
Dharsee KCriswell JCalandrino JTroncoso C(2023)JinnProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620627(6965-6982)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620627
Ahmed SLiljestrand HJamjoom HHicks MAsokan NYao DCalandrino JTroncoso C(2023)Not all data are created equalProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620318(1433-1450)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620318
Wang HSinghal ALiu P(2023)Tackling imbalanced data in cybersecurity with transfer learning: a case with ROP payload detectionCybersecurity10.1186/s42400-022-00135-86:1Online publication date: 5-Jan-2023
https://doi.org/10.1186/s42400-022-00135-8
Yao JZhang T(2023)Co-Designing Hardware/Software to Protect Crypto-Chip Side Channel Analysis at Design Time2023 IEEE 6th International Conference on Automation, Electronics and Electrical Engineering (AUTEEE)10.1109/AUTEEE60196.2023.10407457(233-237)Online publication date: 15-Dec-2023
https://doi.org/10.1109/AUTEEE60196.2023.10407457
Li YLin GChung YMa YLu YBao Y(2023)MagBoxFuture Generation Computer Systems10.1016/j.future.2022.10.035140:C(282-298)Online publication date: 1-Mar-2023
https://dl.acm.org/doi/10.1016/j.future.2022.10.035
Tsoupidi RTroubitsyna EPapadimitratos P(2023)Thwarting code-reuse and side-channel attacks in embedded systemsComputers & Security10.1016/j.cose.2023.103405133(103405)Online publication date: Oct-2023
https://doi.org/10.1016/j.cose.2023.103405
Kim SJang EPark HPark K(2023)Pwnable-SherpaComputers and Security10.1016/j.cose.2022.103009125:COnline publication date: 1-Feb-2023
https://dl.acm.org/doi/10.1016/j.cose.2022.103009
Ren TWilliams RGanguly SDe Carli LLu L(2023)Breaking Embedded Software Homogeneity with Protocol MutationsSecurity and Privacy in Communication Networks10.1007/978-3-031-25538-0_40(770-790)Online publication date: 4-Feb-2023
https://doi.org/10.1007/978-3-031-25538-0_40
Pearce HSurabhi VKrishnamurthy PTrujillo JKarri RKhorrami F(2022)Detecting Hardware Trojans in PCBs Using Side Channel LoopbacksIEEE Transactions on Very Large Scale Integration (VLSI) Systems10.1109/TVLSI.2022.317117430:7(926-937)Online publication date: Jul-2022
https://doi.org/10.1109/TVLSI.2022.3171174
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents