DOI: 10.1145/2857705.2857726 (ACM conference proceedings, CODASPY)
Research article, Public Access

Remix: On-demand Live Randomization

Published: 09 March 2016

    Abstract

    Code randomization is an effective defense against code reuse attacks. It scrambles program code to prevent attackers from locating useful functions or gadgets. The key to secure code randomization is achieving high entropy. A practical approach to boost entropy is on-demand live randomization that works on running processes. However, enabling live randomization is challenging in that it often requires manual effort to resolve ambiguities in identifying function pointers.
    In this paper, we propose Remix, an efficient and practical live randomization system for both user processes and kernel modules. Remix randomly shuffles basic blocks within their respective functions. By doing so, it avoids the complexity of migrating stale function pointers, and allows mixing randomized and non-randomized code to strike a balance between performance and security. Remix randomizes a running process in two steps: it first randomly reorders its basic blocks, and then comprehensively migrates live pointers to basic blocks. Our experiments show that Remix can significantly increase randomness with low performance overhead on both CPU and I/O intensive benchmarks and kernel modules, even at very short randomization intervals.
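    As an added illustration of the two-step scheme described in the abstract (not the paper's code): a toy model in Python that shuffles a function's basic blocks and then migrates a saved return address to the moved block, checking that it still resolves to the same block and offset. It assumes the entry block keeps its place so the function's own address stays valid; block names, sizes, addresses and the live pointer are constructed.

```python
"""Toy model of Remix-style live randomization (added example, not the paper's
code). Block sizes, addresses and the saved return address are constructed."""
import random
from dataclasses import dataclass

@dataclass
class Block:
    name: str
    size: int  # bytes occupied by the block

def layout(fn_base, blocks):
    """Assign consecutive addresses to blocks in their current order."""
    addrs, cur = {}, fn_base
    for b in blocks:
        addrs[b.name] = cur
        cur += b.size
    return addrs

def locate(addr, blocks, addrs):
    """Resolve a code address to (block name, offset in block), or None."""
    for b in blocks:
        base = addrs[b.name]
        if base <= addr < base + b.size:
            return b.name, addr - base
    return None

def remix(fn_base, blocks, live_ptrs, rng):
    """Step 1: shuffle every block except the entry block (assumption: the
    entry stays put, so the function's address and every function pointer
    stay valid). Step 2: move each live pointer to its block's new address."""
    old_addrs = layout(fn_base, blocks)
    body = blocks[1:]
    rng.shuffle(body)
    new_blocks = [blocks[0]] + body
    new_addrs = layout(fn_base, new_blocks)
    migrated = []
    for p in live_ptrs:
        hit = locate(p, blocks, old_addrs)
        if hit is None:  # a missed pointer would go stale; fail loudly instead
            raise ValueError(f"pointer {p:#x} does not point into this function")
        name, off = hit
        migrated.append(new_addrs[name] + off)
    return new_blocks, migrated

def demo(seed=7):
    fn = [Block("entry", 16), Block("loop", 24), Block("check", 8), Block("exit", 12)]
    ptrs = [0x401000 + 16 + 24 + 4]  # saved return address 4 bytes into "check"
    new_fn, new_ptrs = remix(0x401000, fn, ptrs, random.Random(seed))
    return fn, ptrs, new_fn, new_ptrs
```

Running `demo()` repeatedly with different seeds gives a different block order each time while every migrated pointer keeps resolving to the same block and offset, which is the invariant step 2 exists to preserve.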



      Published In

      CODASPY '16: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy
      March 2016
      340 pages
      ISBN:9781450339353
      DOI:10.1145/2857705

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Author Tags

      1. application and kernel
      2. aslr
      3. code reuse attack defense
      4. live randomization
      5. operating system security
      6. randomization
      7. software security


      Acceptance Rates

      CODASPY '16 paper acceptance rate: 22 of 115 submissions, 19%
      Overall acceptance rate: 149 of 789 submissions, 19%

      Cited By

      • Randomize the Running Function When It Is Disclosed. IEEE Transactions on Computers, 73(6):1516-1530, June 2024. DOI: 10.1109/TC.2024.3371776
      • Semantics-Preserving Reinforcement Learning Attack Against Graph Neural Networks for Malware Detection. IEEE Transactions on Dependable and Secure Computing, 20(2):1390-1402, March 2023. DOI: 10.1109/TDSC.2022.3153844
      • Constraint-based Diversification of JOP Gadgets. Journal of Artificial Intelligence Research, 72:1471-1505, January 2022. DOI: 10.1613/jair.1.12848
      • Randezvous: Making Randomization Effective on MCUs. Proceedings of the 38th Annual Computer Security Applications Conference, pages 28-41, December 2022. DOI: 10.1145/3564625.3567970
      • Adelie: continuous address space layout re-randomization for Linux drivers. Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, pages 483-498, February 2022. DOI: 10.1145/3503222.3507779
      • HARM: Hardware-Assisted Continuous Re-randomization for Microcontrollers. 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P), pages 520-536, June 2022. DOI: 10.1109/EuroSP53844.2022.00039
      • CPP: A lightweight memory page management extension to prevent code pointer leakage. Journal of Systems Architecture, 130:102679, September 2022. DOI: 10.1016/j.sysarc.2022.102679
      • A Taxonomy of Defenses against Memory Corruption Attacks. 2021 44th International Convention on Information, Communication and Electronic Technology (MIPRO), pages 1196-1201, September 2021. DOI: 10.23919/MIPRO52101.2021.9596951
      • Exploitation Techniques for Data-oriented Attacks with Existing and Potential Defense Approaches. ACM Transactions on Privacy and Security, 24(4):1-36, September 2021. DOI: 10.1145/3462699
      • Software-driven Security Attacks: From Vulnerability Sources to Durable Hardware Defenses. ACM Journal on Emerging Technologies in Computing Systems, 17(3):1-38, August 2021. DOI: 10.1145/3456299
