DOI: 10.1145/3359789.3359820
Research article (Public Access)

Sleak: automating address space layout derandomization

Published: 09 December 2019
    Abstract

    We present a novel approach to automatically recover information about the address space layout of remote processes in the presence of Address Space Layout Randomization (ASLR). Our system, dubbed Sleak, performs static analysis and symbolic execution of binary executable programs, and identifies program paths and input parameters leading to partial (i.e., only a few bits) or complete (i.e., the whole address) information disclosure vulnerabilities, revealing addresses of known objects of the target service or application. Sleak takes, as input, the binary executable program, and generates a symbolic expression for each program output that leaks information about the addresses of objects, such as stack variables, heap structures, or function pointers. By comparing these expressions with the concrete output of a remote process executing the same binary program image, our system is able to recover from a few bits to whole addresses of objects of the target application or service. Discovering the address of a single object in the target application is often enough to guess the layout of entire sections of the address space, which can be leveraged by attackers to bypass ASLR.
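A toy illustration of the comparison step described above, added here and not code from the paper or from Sleak itself: a leaked output is modelled as an affine map over GF(2) of the bits of an unknown address (shifts, masks and XOR constants, the shapes a pointer-derived output commonly takes), and comparing the model with one concrete output tells a defender how many bits of ASLR entropy the output gives away and which address bits it pins down exactly. The 32-bit address space, the leak expressions and the address 0x56789ABC are constructed for the example.

```python
# Toy model of the comparison step: the leaked output is an affine map over GF(2) of the
# unknown address bits; one concrete output then tells how many bits of ASLR entropy it
# leaks and which address bits are fully determined. Constructed example, not Sleak's code.

ADDR_BITS = 32  # constructed: toy 32-bit address space

def xor_shift_rows(shifts, width, xor_const):
    """One (mask, const_bit) row per output bit of the constructed expression
    out = ((addr >> s0) ^ (addr >> s1) ^ ...) & ((1 << width) - 1) ^ xor_const."""
    rows = []
    for i in range(width):
        mask = 0
        for s in shifts:
            if s + i < ADDR_BITS:               # bits shifted out of the address vanish
                mask ^= 1 << (s + i)             # XOR: a bit used twice cancels in GF(2)
        rows.append((mask, (xor_const >> i) & 1))
    return rows

def simulate_output(addr, shifts, width, xor_const):
    v = 0                                        # what the remote process would print
    for s in shifts:                             # for the (secret) concrete address
        v ^= addr >> s
    return (v & ((1 << width) - 1)) ^ xor_const

def rref_gf2(eqs):
    """Gaussian elimination over GF(2), kept fully reduced: pivot bit -> (mask, rhs)."""
    pivots = {}
    for mask, rhs in eqs:
        for p, (pm, pr) in pivots.items():       # remove known pivots from the new row
            if (mask >> p) & 1:
                mask, rhs = mask ^ pm, rhs ^ pr
        if mask == 0:                            # redundant equation: no new information
            assert rhs == 0, "observation inconsistent with the leak model"
            continue
        p = mask.bit_length() - 1
        for q, (qm, qr) in list(pivots.items()):  # remove the new pivot from old rows
            if (qm >> p) & 1:
                pivots[q] = (qm ^ mask, qr ^ rhs)
        pivots[p] = (mask, rhs)
    return pivots

def recover(rows, observed):
    """Returns (leaked entropy bits, mask of determined address bits, their values)."""
    eqs = [(m, ((observed >> i) & 1) ^ c) for i, (m, c) in enumerate(rows)]
    pivots = rref_gf2(eqs)
    known_mask = partial = 0
    for p, (m, rhs) in pivots.items():
        if m == 1 << p:                          # pivot row has no free variable
            known_mask |= 1 << p
            partial |= rhs << p
    return len(pivots), known_mask, partial
```

An expression that XORs two address regions together (shifts [4, 20]) still leaks eight bits of entropy but determines no single address bit, which is the "partial" case the abstract distinguishes from a whole-address disclosure.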



    Published In

    cover image ACM Other conferences
    ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference
    December 2019
    821 pages
    ISBN:9781450376280
    DOI:10.1145/3359789

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. binary program analysis
    2. information leakage
    3. vulnerability discovery

    Conference

    ACSAC '19
    ACSAC '19: 2019 Annual Computer Security Applications Conference
    December 9 - 13, 2019
    Puerto Rico, San Juan, USA

    Acceptance Rates

    ACSAC '19 Paper Acceptance Rate 60 of 266 submissions, 23%;
    Overall Acceptance Rate 104 of 497 submissions, 21%
