DOI: 10.1145/2810103.2813691
Research article (Public Access)

Timely Rerandomization for Mitigating Memory Disclosures

Published: 12 October 2015

Abstract

Address Space Layout Randomization (ASLR) can increase the cost of exploiting memory corruption vulnerabilities. One major weakness of ASLR is that it assumes the secrecy of memory addresses and is thus ineffective in the face of memory disclosure vulnerabilities. Even fine-grained variants of ASLR are shown to be ineffective against memory disclosures. In this paper we present an approach that synchronizes randomization with potential runtime disclosure. By applying rerandomization to the memory layout of a process every time it generates an output, our approach renders disclosures stale by the time they can be used by attackers to hijack control flow. We have developed a fully functioning prototype for x86_64 C programs by extending the Linux kernel, GCC, and the libc dynamic linker. The prototype operates on C source code and recompiles programs with a set of augmented information required to track pointer locations and support runtime rerandomization. Using this augmented information we dynamically relocate code segments and update code pointer values during runtime. Our evaluation on the SPEC CPU2006 benchmark, along with other applications, shows that our technique incurs a very low performance overhead (2.1% on average).
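
The rerandomize-on-output idea from the abstract, as a small Python model added here (it is not the paper's prototype; the function offsets, the slot name, the toy address space and the leaking output routine are all constructed). It contrasts a process that relocates its code segment and patches every tracked code pointer after each output with a plain one-shot ASLR process, and shows that an address disclosed in the output no longer names a function once the output has been emitted.

```python
import secrets

PAGE = 0x1000


class Process:
    """Toy model of a process whose code segment may be relocated on every
    output event, with every tracked code pointer patched to the new layout.
    Added illustration, not the paper's prototype; offsets are constructed."""

    def __init__(self, functions, timely=True):
        self.functions = dict(functions)   # name -> offset within code segment
        self.timely = timely               # False models plain one-shot ASLR
        self.base = self._random_base()
        self.slots = {}                    # tracked locations holding code pointers

    @staticmethod
    def _random_base():
        return 0x7F0000000000 + secrets.randbelow(1 << 24) * PAGE

    def store_code_pointer(self, slot, fn):
        self.slots[slot] = self.base + self.functions[fn]

    def write_output(self, data):
        # Any output may carry a disclosure, so rerandomize right after it
        if self.timely:
            self.rerandomize()
        return data

    def rerandomize(self):
        new = self._random_base()
        while new == self.base:
            new = self._random_base()
        delta = new - self.base
        self.base = new
        for slot in self.slots:            # keep legitimate control flow intact
            self.slots[slot] += delta
        return delta

    def target_of(self, addr):
        """Function an indirect transfer to addr would reach, or None."""
        for name, off in self.functions.items():
            if self.base + off == addr:
                return name
        return None


def disclosure_outcome(timely):
    p = Process({"main": 0x100, "handler": 0x200}, timely=timely)
    p.store_code_pointer("saved_ret", "handler")
    # A buggy output routine echoes the saved pointer: the disclosure
    leaked = int(p.write_output(f"{p.slots['saved_ret']:x}"), 16)
    # After the output, does the leaked value still name a real function?
    return p.target_of(leaked), p.target_of(p.slots["saved_ret"])
```

With `timely=True` the leaked value resolves to nothing while the patched slot still reaches `handler`; with `timely=False` the leaked value remains valid for the lifetime of the process.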

    Published In

    CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
    October 2015, 1750 pages
    ISBN: 9781450338325
    DOI: 10.1145/2810103
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. ASLR
    2. information leakage
    3. memory corruption
    4. memory disclosure
    5. memory randomization

    Conference

    CCS'15

    Acceptance Rates

    CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (last 12 months): 156
    • Downloads (last 6 weeks): 20
    Reflects downloads up to 11 Jan 2025

    Cited By

    • Chaos: Function Granularity Runtime Address Layout Space Randomization for Kernel Module. Proceedings of the 15th ACM SIGOPS Asia-Pacific Workshop on Systems (2024), pp. 23-30. DOI 10.1145/3678015.3680476. Published 4 Sep 2024.
    • Manipulative Interference Attacks. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security (2024), pp. 4569-4583. DOI 10.1145/3658644.3690246. Published 2 Dec 2024.
    • sMVX: Multi-Variant Execution on Selected Code Paths. Proceedings of the 25th International Middleware Conference (2024), pp. 62-73. DOI 10.1145/3652892.3654794. Published 2 Dec 2024.
    • Randomize the Running Function When It Is Disclosed. IEEE Transactions on Computers 73(6) (2024), pp. 1516-1530. DOI 10.1109/TC.2024.3371776. Published Jun 2024.
    • Dapper: A Lightweight and Extensible Framework for Live Program State Rewriting. 2024 IEEE 44th International Conference on Distributed Computing Systems (ICDCS), pp. 738-749. DOI 10.1109/ICDCS60910.2024.00074. Published 23 Jul 2024.
    • Satellite: Effective and Efficient Stack Memory Protection Scheme for Unsafe Programming Languages. ICT Systems Security and Privacy Protection (2024), pp. 221-235. DOI 10.1007/978-3-031-65175-5_16. Published 26 Jul 2024.
    • DynaCut. Proceedings of the 24th International Middleware Conference (2023), pp. 275-287. DOI 10.1145/3590140.3629121. Published 27 Nov 2023.
    • R2C: AOCR-Resilient Diversity with Reactive and Reflective Camouflage. Proceedings of the Eighteenth European Conference on Computer Systems (2023), pp. 488-504. DOI 10.1145/3552326.3587439. Published 8 May 2023.
    • Randezvous: Making Randomization Effective on MCUs. Proceedings of the 38th Annual Computer Security Applications Conference (2022), pp. 28-41. DOI 10.1145/3564625.3567970. Published 5 Dec 2022.
    • Rave: A Modular and Extensible Framework for Program State Re-Randomization. Proceedings of the 9th ACM Workshop on Moving Target Defense (2022), pp. 3-10. DOI 10.1145/3560828.3564008. Published 11 Nov 2022.
