Polymorphing Software by Randomizing Data Structure Layout

Lin, Zhiqiang; Riley, Ryan; Xu, Dongyan

doi:10.1007/978-3-642-02918-9_7

Cited by 48 publications

(41 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, C programs which emulate a variant of object orientation sometimes keep tables of function pointers to perform virtual dispatch, depending on the type in question. Previous work has explored randomizing the layout of data structures [23], and these techniques could be extended to randomize structures or arrays of function pointers. In combination with code-pointer hiding, data structure randomization could protect these pointers from disclosure and reuse.…”

Section: Discussionmentioning

confidence: 99%

It's a TRaP

Crane

Volckaert

Schuster

et al. 2015

Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Code-reuse attacks continue to evolve and remain a severe threat to modern software. Recent research has proposed a variety of defenses with differing security, efficiency, and practicality characteristics. Whereas the majority of these solutions focus on specific code-reuse attack variants such as return-oriented programming (ROP), other attack variants that reuse whole functions, such as the classic return-into-libc, have received much less attention. Mitigating function-level code reuse is highly challenging because one needs to distinguish a legitimate call to a function from an illegitimate one. In fact, the recent counterfeit object-oriented programming (COOP) attack demonstrated that the majority of code-reuse defenses can be bypassed by reusing dynamically bound functions, i.e., functions that are accessed through global offset tables and virtual function tables, respectively.In this paper, we first significantly improve and simplify the COOP attack. Based on a strong adversarial model, we then present the design and implementation of a comprehensive code-reuse defense which is resilient against reuse of dynamically-bound functions. In particular, we introduce two novel defense techniques: (i) a practical technique to randomize the layout of tables containing code pointers resilient to memory disclosure and (ii) booby trap insertion to mitigate the threat of brute-force attacks iterating over the randomized tables. Booby traps serve the dual purpose of preventing fault-analysis side channels and ensuring that each table has sufficiently many possible permutations. Our detailed evaluation demonstrates that our approach is secure, effective, and practical. We prevent realistic, COOP-style attacks against the Chromium web browser and report an average overhead of 1.1% on the SPEC CPU2006 benchmarks.

show abstract

Section: Discussionmentioning

confidence: 99%

It's a TRaP

Crane

Volckaert

Schuster

et al. 2015

Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Software diversity has previously been investigated for fault tolerance [5], [25] and cyber security [13], [16]. The most recent work focuses on automatic synthesis of software diversity to maximize its potential impact on resilience.…”

Section: B Evolution Rules For Diversified Softwarementioning

confidence: 99%

“…Many randomization techniques aim at diversifying the execution environment on different machines. For example, Lin et al [16] randomize the data structure layout of a program to generate diverse binaries that are semantically equivalent. Several other pieces of work randomize instruction sets to provide unique execution environments and limit the ability of attackers to inject malicious code [13], [3].…”

mentioning

confidence: 99%

DIVERSIFY: Ecology-inspired software evolution for diversity emergence

Baudry¹,

Monperrus²,

Mony³

et al. 2014

2014 Software Evolution Week - IEEE Conference on Software Maintenance, Reengineering, and Reverse Engineering (CSMR-WCRE)

View full text Add to dashboard Cite

Abstract-DIVERSIFY is an EU funded project, which aims at favoring spontaneous diversification in software systems in order to increase their adaptive capacities. This objective is founded on three observations: software has to constantly evolve to face unpredictable changes in its requirements, execution environment or to respond to failure (bugs, attacks, etc.); the emergence and maintenance of high levels of diversity are essential to provide adaptive capacities to many forms of complex systems, ranging from ecological and biological systems to social and economical systems; diversity levels tend to be very low in software systems.DIVERSIFY explores how the biological evolutionary mechanisms, which sustain high levels of biodiversity in ecosystems (speciation, phenotypic plasticity and natural selection) can be translated in software evolution principles. In this work, we consider evolution as a driver for diversity as a means to increase resilience in software systems. In particular, we are inspired by bipartite ecological relationships to investigate the automatic diversification of the server side of a client-server architecture. This type of software diversity aims at mitigating the risks of software monoculture. The consortium gathers researchers from the software-intensive, distributed systems and the ecology areas in order to transfer ecological concepts and processes as software design principles.

show abstract

“…For data obfuscation, if the data of interest is encrypted SIGPATH can still find it using structural memory diffing and fuzzing, and can modify it by replaying a previously seen (encrypted) value. Other obfuscation techniques such as data structure randomization (DSR) [25] target data analysis techniques. SIGPATH cannot handle DSR, but DSR requires expensive code refactoring to existing programs.…”

Section: Limitations and Future Workmentioning

confidence: 99%

SigPath: A Memory Graph Based Approach for Program Data Introspection and Modification

Urbina

Caballero

et al. 2014

Computer Security - ESORICS 2014

Self Cite

View full text Add to dashboard Cite

Abstract. Examining and modifying data of interest in the memory of a target program is an important capability for security applications such as memory forensics, rootkit detection, game hacking, and virtual machine introspection. In this paper we present a novel memory graph based approach for program data introspection and modification, which does not require source code, debugging symbols, or any API in the target program. It takes as input a sequence of memory snapshots taken while the program executes, and produces a path signature, which can be used in different executions of the program to efficiently locate and traverse the in-memory data structures where the data of interest is stored. We have implemented our approach in a tool called SIGPATH. We have applied SIG-PATH to game hacking, building cheats for 10 popular real-time and turn-based games, and for memory forensics, recovering from snapshots the contacts a user has stored in four IM applications including Skype and Yahoo Messenger.

show abstract

Polymorphing Software by Randomizing Data Structure Layout

Cited by 48 publications

References 19 publications

It's a TRaP

It's a TRaP

DIVERSIFY: Ecology-inspired software evolution for diversity emergence

SigPath: A Memory Graph Based Approach for Program Data Introspection and Modification

Contact Info

Product

Resources

About