Position-Independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure

Göktaş, Enes; Kollenda, Benjamin; Koppe, Philipp; Bosman, Erik; Portokalidis, Georgios; Holz, Thorsten; Bos, Herbert; Giuffrida, Cristiano

doi:10.1109/eurosp.2018.00024

Cited by 36 publications

(36 citation statements)

References 74 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, without such primitives, the attack surface for common systems software is believed to be limited. PIROP [36] shows position-independent codereuse attacks are still possible with at least massaging primitives, but only against basic ASLR. In contrast, BlindSide can operate in absence of information disclosure primitives and blindly craft such primitives despite fine-grained, leakage-resistant randomization.…”

Section: Related Workmentioning

confidence: 99%

Speculative Probing

Göktaş

Razavi

Portokalidis

et al. 2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

To defeat ASLR or more advanced fine-grained and leakage-resistant code randomization schemes, modern software exploits rely on information disclosure to locate gadgets inside the victim's code. In the absence of such info-leak vulnerabilities, attackers can still hack blind and derandomize the address space by repeatedly probing the victim's memory while observing crash side effects, but doing so is only feasible for crash-resistant programs. However, high-value targets such as the Linux kernel are not crash-resistant. Moreover, the anomalously large number of crashes is often easily detectable. In this paper, we show that the Spectre era enables an attacker armed with a single memory corruption vulnerability to hack blind without triggering any crashes. Using speculative execution for crash suppression allows the elevation of basic memory write vulnerabilities into powerful speculative probing primitives that leak through microarchitectural side effects. Such primitives can repeatedly probe victim memory and break strong randomization schemes without crashes and bypass all deployed mitigations against Spectrelike attacks. The key idea behind speculative probing is to break Spectre mitigations using memory corruption and resurrect Spectrestyle disclosure primitives to mount practical blind software exploits. To showcase speculative probing, we target the Linux kernel, a crash-sensitive victim that has so far been out of reach of blind attacks, mount end-to-end exploits that compromise the system with just-in-time code reuse and data-only attacks from a single memory write vulnerability, and bypass strong Spectre and strong randomization defenses. Our results show that it is crucial to consider synergies between different (Spectre vs. code reuse) threat models to fully comprehend the attack surface of modern systems. CCS CONCEPTS • Security and privacy → Operating systems security.

show abstract

Section: Related Workmentioning

confidence: 99%

Speculative Probing

Göktaş

Razavi

Portokalidis

et al. 2020

Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…Finally, in the case where an attack can be mounted without disclosing the text segment of the process (e.g., indirect JIT-ROP), any binary obfuscation technique can be used along with our ISR with strong encryption to provide sufficient protection. Such attacks require extensive knowledge of the victim application to succeed [32].…”

Section: Return Address Encryptionmentioning

confidence: 99%

On Architectural Support for Instruction Set Randomization

Christou

Vasiliadis

Papaefstathiou

et al. 2020

ACM Trans. Archit. Code Optim.

View full text Add to dashboard Cite

Instruction Set Randomization (ISR) is able to protect against remote code injection attacks by randomizing the instruction set of each process. Thereby, even if an attacker succeeds to inject code, it will fail to execute on the randomized processor. The majority of existing ISR implementations is based on emulators and binary instrumentation tools that unfortunately: (i) incur significant runtime performance overheads, (ii) limit the ease of deployment, (iii) cannot protect the underlying operating system kernel, and (iv) are vulnerable to evasion attempts that bypass the ISR protection itself. To address these issues, we present the design and implementation of ASIST, an architecture with both hardware and operating system support for ISR. ASIST uses our extended SPARC processor that is mapped onto a FPGA board and runs our modified Linux kernel to support the new features. In particular, before executing a new user-level process, the operating system loads its randomization key into a newly defined register, and the modified processor decodes the process’s instructions with this key. Besides that, ASIST uses a separate randomization key for the operating system to protect the base system against attacks that exploit kernel vulnerabilities to run arbitrary code with elevated privileges. Our evaluation shows that ASIST can transparently protect both user-land applications and the operating system kernel from code injection and code reuse attacks, with about 1.5% runtime overhead when using simple encryption schemes, such as XOR and Transposition; more secure ciphers, such as AES, even though they are much more complicated for mapping them to hardware, they are still within acceptable margins,with approximately 10% runtime overhead, when efficiently leveraging the spatial locality of code through modern instruction cache configurations.

show abstract

“…We focus on hardening arbitrary code reuse defenses against information hiding attacks which have shown to trivially bypass even advanced defenses. We make no attempt to address other design weaknesses of such defenses, such as leakage-resistant code randomization being vulnerable to sophisticated code-reuse attacks [32,56,64].…”

Section: Securitymentioning

confidence: 99%

ProbeGuard

Bhat

Kouwe

Bos

et al. 2019

Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Syst

Self Cite

View full text Add to dashboard Cite

Many modern defenses against code reuse rely on hiding sensitive data such as shadow stacks in a huge memory address space. While much more efficient than traditional integritybased defenses, these solutions are vulnerable to probing attacks which quickly locate the hidden data and compromise security. This has led researchers to question the value of information hiding in real-world software security. Instead, we argue that such a limitation is not fundamental and that information hiding and integrity-based defenses are two extremes of a continuous spectrum of solutions. We propose a solution, ProbeGuard, that automatically balances performance and security by deploying an existing information hiding based baseline defense and then incrementally moving to more powerful integrity-based defenses by hotpatching when probing attacks occur. ProbeGuard is efficient, provides strong security, and gracefully trades off performance upon encountering more probing primitives. CCS Concepts • Security and privacy → Systems security; Software security engineering.

show abstract

Position-Independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure

Cited by 36 publications

References 74 publications

Speculative Probing

Speculative Probing

On Architectural Support for Instruction Set Randomization

ProbeGuard

Contact Info

Product

Resources

About