SoK: Automated Software Diversity

Larsen, Per; Homescu, Andrei; Brunthaler, Stefan; Franz, Michael

doi:10.1109/sp.2014.25

Cited by 261 publications

(167 citation statements)

References 48 publications

Supporting

Mentioning

166

Contrasting

Order By: Relevance

“…Forrest subsequently demonstrated stack-layout randomization as a defense against stack smashing [15]. Subsequent work on artificial diversity is extensive; Larsen et al [27] provide an overview.…”

Section: A Software Diversitymentioning

confidence: 99%

Opaque Control-Flow Integrity

Mohan¹,

Larsen²,

Brunthaler

et al. 2015

Proceedings 2015 Network and Distributed System Security Symposium

Self Cite

114

View full text Add to dashboard Cite

Abstract-A new binary software randomization and ControlFlow Integrity (CFI) enforcement system is presented, which is the first to efficiently resist code-reuse attacks launched by informed adversaries who possess full knowledge of the inmemory code layout of victim programs. The defense mitigates a recent wave of implementation disclosure attacks, by which adversaries can exfiltrate in-memory code details in order to prepare code-reuse attacks (e.g., Return-Oriented Programming (ROP) attacks) that bypass fine-grained randomization defenses. Such implementation-aware attacks defeat traditional fine-grained randomization by undermining its assumption that the randomized locations of abusable code gadgets remain secret.Opaque CFI (O-CFI) overcomes this weakness through a novel combination of fine-grained code-randomization and coarsegrained control-flow integrity checking. It conceals the graph of hijackable control-flow edges even from attackers who can view the complete stack, heap, and binary code of the victim process. For maximal efficiency, the integrity checks are implemented using instructions that will soon be hardware-accelerated on commodity x86-x64 processors. The approach is highly practical since it does not require a modified compiler and can protect legacy binaries without access to source code. Experiments using our fully functional prototype implementation show that O-CFI provides significant probabilistic protection against ROP attacks launched by adversaries with complete code layout knowledge, and exhibits only 4.7% mean performance overhead on current hardware (with further overhead reductions to follow on forthcoming Intel processors). I. MOTIVATIONCode-reuse attacks (cf., [5]) have become a mainstay of software exploitation over the past several years, due to the rise of data execution protections that nullify traditional codeinjection attacks. Rather than injecting malicious payload code directly onto the stack or heap, where modern data execution protections block it from being executed, attackers now ingeniously inject addresses of existing in-memory code fragments (gadgets) onto victim stacks, causing the victim process to execute its own binary code in an unanticipated order [38]. With a sufficiently large victim code section, the pool of exploitable gadgets becomes arbitrarily expressive (e.g., Turing-complete) [20], facilitating the construction of arbitrary attack payloads without the need for code-injection. Such payload construction has even been automated [34]. As Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment. NDSS '15, 8-11 February 2015, San Diego, CA, USA Copyright 2015 Internet Society...

show abstract

Section: A Software Diversitymentioning

confidence: 99%

Opaque Control-Flow Integrity

Mohan¹,

Larsen²,

Brunthaler

et al. 2015

Proceedings 2015 Network and Distributed System Security Symposium

Self Cite

114

View full text Add to dashboard Cite

show abstract

“…Initially, the problem seemed to be the coarsegrained nature of ASLR. This motivated many finer-grained code randomization schemes (systematized by Larsen et al [22]). However, Snow et al [35] demonstrated just-in-time code reuse (JIT-ROP) that exploits memory disclosure and malicious scripting to read the randomized code layout and construct a compatible code-reuse payload on the fly.…”

Section: Motivationmentioning

confidence: 99%

“…Prominent examples of these security enhancing mechanisms are control-flow integrity [1], code-pointer integrity [21], and fine-grained code randomization [22]. While these defenses raise the bar to exploitation relative to current countermeasures, they differ with respect to performance, practicality, and security.…”

Section: Motivationmentioning

confidence: 99%

“…Address space layout randomization (ASLR), a weak form of diversity [32,33], is widely deployed today and many diversification approaches with finer granularity have been proposed in the literature (see Larsen et al [22] for an overview). Specifically relevant to this work is the previous proposal to randomize the order of elements in the PLT [4].…”

Section: Code Layout Randomizationmentioning

confidence: 99%

See 1 more Smart Citation

It's a TRaP

Crane

Volckaert

Schuster

et al. 2015

Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

Self Cite

View full text Add to dashboard Cite

Code-reuse attacks continue to evolve and remain a severe threat to modern software. Recent research has proposed a variety of defenses with differing security, efficiency, and practicality characteristics. Whereas the majority of these solutions focus on specific code-reuse attack variants such as return-oriented programming (ROP), other attack variants that reuse whole functions, such as the classic return-into-libc, have received much less attention. Mitigating function-level code reuse is highly challenging because one needs to distinguish a legitimate call to a function from an illegitimate one. In fact, the recent counterfeit object-oriented programming (COOP) attack demonstrated that the majority of code-reuse defenses can be bypassed by reusing dynamically bound functions, i.e., functions that are accessed through global offset tables and virtual function tables, respectively.In this paper, we first significantly improve and simplify the COOP attack. Based on a strong adversarial model, we then present the design and implementation of a comprehensive code-reuse defense which is resilient against reuse of dynamically-bound functions. In particular, we introduce two novel defense techniques: (i) a practical technique to randomize the layout of tables containing code pointers resilient to memory disclosure and (ii) booby trap insertion to mitigate the threat of brute-force attacks iterating over the randomized tables. Booby traps serve the dual purpose of preventing fault-analysis side channels and ensuring that each table has sufficiently many possible permutations. Our detailed evaluation demonstrates that our approach is secure, effective, and practical. We prevent realistic, COOP-style attacks against the Chromium web browser and report an average overhead of 1.1% on the SPEC CPU2006 benchmarks.

show abstract

“…In the years since these seminal papers, many have explored the idea further. A recent survey of the area was presented in [32]. Address Space Layout Randomization (ASLR) is one of the most widely used applications of this technique.…”

Section: Introductionmentioning

confidence: 99%

Containing a Confused Deputy on x86: A Survey of Privilege Escalation Mitigation Techniques

Brookes¹,

Taylor²

2016

ijacsa

View full text Add to dashboard Cite

Abstract-The weak separation between user-and kernelspace in modern operating systems facilitates several forms of privilege escalation. This paper provides a survey of protection techniques, both cutting-edge and time-tested, used to prevent common privilege escalation attacks. The techniques are compared against each other in terms of their effectiveness, their performance impact, the complexity of their implementation, and their impact on diversification techniques such as ASLR. Overall the literature provides a litany of disjoint techniques, each of which trades some performance cost for effectiveness against a particular isolated threat. No single technique was found to effectively mitigate all known and potential attack vectors with reasonable performance cost overhead.

show abstract

SoK: Automated Software Diversity

Cited by 261 publications

References 48 publications

Opaque Control-Flow Integrity

Opaque Control-Flow Integrity

It's a TRaP

Containing a Confused Deputy on x86: A Survey of Privilege Escalation Mitigation Techniques

Contact Info

Product

Resources

About