Code-reuse attacks have been a threat to software security since the introduction of non-executable memory protections. Despite significant advances in various types of defenses, such as control-flow integrity (CFI) and leakage-resilient code randomization, recent code-reuse attacks have demonstrated that these defenses are often not enough to prevent successful exploitation. Sophisticated exploits can reuse larger code fragments that conform to the enforced CFI policy and are not affected by randomization. The sophistication and complexity of recent exploitation techniques, which rely on memory disclosure and whole-function reuse to bypass address space layout randomization and control flow integrity, are indicative of the effect that the combination of exploit mitigations has in challenging the construction of reliable exploits. In addition to software diversification and control flow enforcement, recent efforts have focused on the complementary approach of code and API specialization to further restrict the critical operations that an attacker can perform as part of a code-reuse exploit.
In this dissertation, we present API Specialization against code-reuse attacks, a lightweight and effective mechanism to reduce the attack surface available to an adversary. We first present our Windows-based tool called Shredder. Shredder is a defense-in-depth exploit mitigation tool for the protection of closed-source applications. In a pre-processing phase, Shredder statically analyzes a given application to pinpoint the call sites of potentially useful (to attackers) system API functions and uses backwards data flow analysis to derive their expected argument values and generate allow list policies in a best-effort way. At runtime, using library interposition, Shredder exposes to the protected application only specialized versions of these critical API functions, and blocks any invocation that violates the enforced policy.
Next, we present Saffire, a context-specific compiler-level defense against code-reuse attacks. For each calling context of a critical function, Saffire creates a specialized and hardened replica of the function with a restricted interface that can accommodate only that particular invocation. This is achieved by applying static argument binding, i.e., eliminating arguments with static values and concretizing them within the function body, and dynamic argument binding, which applies a narrow-scope form of data flow integrity to restrict the acceptable values of arguments that cannot be statically derived. Finally, we present SGXPecial, a tool for specializing Intel SGX interfaces that prevents a malicious host from mounting a code-reuse attack on a trusted enclave and also prevents an untrusted third-party enclave from launching an attack on the host. We use function-level, argument-level and type-signature-based validations to distinguish a benign call from a malicious one.
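
The static and dynamic argument binding described above for Saffire can be illustrated with a small C sketch. This is an added example, not code from the dissertation or from the Saffire tool; the names `set_prot`, `cfg_alloc` and `seal_cfg_page`, the 4096-byte region, the error code, and the shadow-copy check standing in for data flow integrity are all assumptions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes MAP_ANONYMOUS under strict -std modes */
#endif
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>

#define CFG_LEN 4096u          /* assumed size of the region in this example */
#define POLICY_VIOLATION (-2)  /* hypothetical error code for a blocked call */

/* Generic critical function: all three arguments are caller-controlled, so a
 * hijacked call could request any protection on any range. */
int set_prot(void *addr, size_t len, int prot) {
    return mprotect(addr, len, prot);
}

/* Shadow copy of the one pointer this call site may pass. A real defense
 * keeps such state out of the attacker's reach; a plain static is used here. */
static uintptr_t cfg_shadow;

/* Legitimate definition point of the dynamic argument: record it. */
void *cfg_alloc(void) {
    void *p = mmap(NULL, CFG_LEN, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    cfg_shadow = (uintptr_t)p;
    return p;
}

/* Specialized replica for the single call site that seals the config page.
 * Static binding: len and prot are constants at that call site, so they are
 * removed from the interface and fixed in the body.
 * Dynamic binding: addr is only known at run time, so it is checked against
 * the value recorded when it was legitimately produced. */
int seal_cfg_page(void *addr) {
    if (addr == NULL || (uintptr_t)addr != cfg_shadow) return POLICY_VIOLATION;
    return mprotect(addr, CFG_LEN, PROT_READ);
}

int main(void) {
    char decoy[16];
    void *cfg = cfg_alloc();
    if (cfg == NULL) return 1;
    printf("redirected call: %d\n", seal_cfg_page(decoy));
    printf("intended call:   %d\n", seal_cfg_page(cfg));
    return 0;
}
```

The generic `set_prot` stays in the sketch only for contrast: a program hardened this way would expose the replica to that call site instead of the three-argument interface.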
Index Terms
- Multi-Layer API Specialization for Attack Surface Reduction