DOI: 10.1145/3320269.3384757
Research article (ASIA CCS conference proceedings), open access

CoDaRR: Continuous Data Space Randomization against Data-Only Attacks

Published: 05 October 2020

Abstract

The widespread deployment of exploit mitigations such as CFI and shadow stacks is making code-reuse attacks increasingly difficult. This has forced adversaries to consider data-only attacks, against which the venerable ASLR remains the primary deployed defense. Data-Space Randomization (DSR) techniques raise the bar against data-only attacks by making it harder for adversaries to inject malicious data flows into vulnerable applications. DSR works by masking memory load and store instructions. Masks are chosen (i) so that they do not interfere with intended data flows and (ii) so that masking is likely to interfere with unintended flows introduced by malicious program inputs.
In this paper, we show two new attacks that bypass all existing static DSR approaches: one that directly discloses memory and another that uses speculative execution. We then present CoDaRR, the first dynamic DSR scheme resilient to disclosure attacks. CoDaRR continuously rerandomizes the masks used in loads and stores, and re-masks all memory objects to remain transparent with respect to program execution. Our evaluation confirms that CoDaRR successfully thwarts these attacks with limited run-time overhead in standard benchmarks as well as real-world applications.
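The abstract describes DSR as masking loads and stores per equivalence class, and CoDaRR as re-masking every memory object whenever the masks change. The following is an added toy model of that mechanism, written for this page and not code from the CoDaRR authors: two equivalence classes, one 64-bit object each, fixed constructed masks, and the function names (dsr_store, dsr_load, dsr_rerandomize) are all this example's assumptions. It shows an intended flow round-tripping, an unintended cross-class write being garbled by the mismatched mask, re-masking staying transparent to intended loads, and a mask disclosed before rerandomization no longer decoding memory afterwards.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of Data Space Randomization (DSR). Every memory object
 * belongs to an equivalence class computed by the compiler's points-to
 * analysis; here there are two classes with one 64-bit object each. The
 * class assignment, object layout and mask values are this example's own
 * assumptions, not the paper's implementation. */
#define NUM_CLASSES 2

static uint64_t masks[NUM_CLASSES];   /* one mask per equivalence class */
static uint64_t objects[NUM_CLASSES]; /* masked contents, one object per class */

/* Instrumented store: the compiler knows which class a store instruction
 * serves and XORs the value with that class's mask before it reaches memory. */
static void dsr_store(int cls, uint64_t *p, uint64_t v) { *p = v ^ masks[cls]; }

/* Instrumented load: undo the mask of the class the load instruction serves. */
static uint64_t dsr_load(int cls, const uint64_t *p) { return *p ^ masks[cls]; }

/* Re-randomization: choose new masks and re-mask every live object so that
 * intended loads keep returning the same plaintext (transparency). */
static void dsr_rerandomize(const uint64_t new_masks[NUM_CLASSES]) {
    for (int c = 0; c < NUM_CLASSES; c++) {
        uint64_t plain = objects[c] ^ masks[c]; /* unmask with the old mask */
        masks[c] = new_masks[c];
        objects[c] = plain ^ masks[c];          /* re-mask with the new mask */
    }
}

static void reset(void) {
    /* Constructed, fixed masks so the results below are deterministic. */
    masks[0] = 0x1122334455667788ULL;
    masks[1] = 0x8877665544332211ULL;
    objects[0] = objects[1] = 0;
}

/* Intended flow: store and load through the same class round-trip exactly. */
uint64_t intended_flow(void) {
    reset();
    dsr_store(0, &objects[0], 0x41);
    return dsr_load(0, &objects[0]); /* 0x41 */
}

/* Unintended flow: a corrupted pointer makes the class-0 store instruction
 * write into the class-1 object. The class-1 load then unmasks with the wrong
 * mask, so the injected value is garbled instead of consumed as written. */
uint64_t unintended_flow(void) {
    reset();
    dsr_store(0, &objects[1], 0x41);
    return dsr_load(1, &objects[1]); /* 0x41 ^ masks[0] ^ masks[1] */
}

/* Transparency: after re-masking, the intended load still sees 0x41. */
uint64_t load_after_rerandomize(void) {
    reset();
    dsr_store(0, &objects[0], 0x41);
    const uint64_t fresh[NUM_CLASSES] = { 0xA5A5A5A5A5A5A5A5ULL, 0x5A5A5A5A5A5A5A5AULL };
    dsr_rerandomize(fresh);
    return dsr_load(0, &objects[0]); /* still 0x41 */
}

/* A mask disclosed before re-randomization no longer decodes memory after it;
 * this is what continuous re-masking adds over static DSR. Returns 1 if the
 * stale mask still recovers the plaintext, 0 otherwise. */
int stale_mask_decodes(void) {
    reset();
    dsr_store(0, &objects[0], 0x41);
    uint64_t disclosed = masks[0];
    const uint64_t fresh[NUM_CLASSES] = { 0xA5A5A5A5A5A5A5A5ULL, 0x5A5A5A5A5A5A5A5AULL };
    dsr_rerandomize(fresh);
    return (objects[0] ^ disclosed) == 0x41;
}

int main(void) {
    printf("intended load      : 0x%llx\n", (unsigned long long)intended_flow());
    printf("unintended load    : 0x%llx\n", (unsigned long long)unintended_flow());
    printf("after re-mask      : 0x%llx\n", (unsigned long long)load_after_rerandomize());
    printf("stale mask decodes : %d\n", stale_mask_decodes());
    return 0;
}
```

The model deliberately uses a single XOR per access and a global mask table; a real DSR compiler pass derives the class of each instruction statically and must re-mask every object of a class atomically with respect to concurrent accesses, which is the engineering problem the paper's dynamic scheme addresses.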



Published In

ASIA CCS '20: Proceedings of the 15th ACM Asia Conference on Computer and Communications Security
October 2020
957 pages
ISBN:9781450367509
DOI:10.1145/3320269
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. data and application security
  2. data space randomization
  3. plain text attacks
  4. runtime attacks and defenses
  5. software diversity

Conference

ASIA CCS '20

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 304
  • Downloads (last 6 weeks): 38
Reflects downloads up to 30 Aug 2024

Cited By

  • (2024) DSLR–: A low-overhead data structure layout randomization for defending data-oriented programming. Journal of Computer Security 32:3, 221-246. DOI 10.3233/JCS-230053. Online publication date: 17-Jun-2024
  • (2024) Randomize the Running Function When It Is Disclosed. IEEE Transactions on Computers 73:6, 1516-1530. DOI 10.1109/TC.2024.3371776. Online publication date: Jun-2024
  • (2024) What You See Is The Tip Of The Iceberg: A Novel Technique For Data Leakage Prevention. 2024 27th International Conference on Computer Supported Cooperative Work in Design (CSCWD), 2870-2875. DOI 10.1109/CSCWD61410.2024.10580487. Online publication date: 8-May-2024
  • (2023) Cipherfix. Proceedings of the 32nd USENIX Conference on Security Symposium, 6789-6806. DOI 10.5555/3620237.3620617. Online publication date: 9-Aug-2023
  • (2023) Not all data are created equal. Proceedings of the 32nd USENIX Conference on Security Symposium, 1433-1450. DOI 10.5555/3620237.3620318. Online publication date: 9-Aug-2023
  • (2023) FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch Tracking. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, 527-546. DOI 10.1145/3607199.3607219. Online publication date: 16-Oct-2023
  • (2023) Every Time Can Be Different: A Data Dynamic Protection Method Based on Moving Target Defense. 2023 IEEE Symposium on Computers and Communications (ISCC), 568-574. DOI 10.1109/ISCC58397.2023.10218253. Online publication date: 9-Jul-2023
  • (2023) On-Chip SRAM Disclosure Attack Prevention Technique for SoC. 2023 IEEE 29th International Symposium on On-Line Testing and Robust System Design (IOLTS), 1-7. DOI 10.1109/IOLTS59296.2023.10224860. Online publication date: 3-Jul-2023
  • (2023) KPDFI. Computers and Security 128:C. DOI 10.1016/j.cose.2023.103183. Online publication date: 1-May-2023
  • (2022) Randezvous: Making Randomization Effective on MCUs. Proceedings of the 38th Annual Computer Security Applications Conference, 28-41. DOI 10.1145/3564625.3567970. Online publication date: 5-Dec-2022
