You Can Run but You Can't Read

Backes, Michael; Holz, Thorsten; Kollenda, Benjamin; Koppe, Philipp; Nürnberger, Stefan; Pewny, Jannik

doi:10.1145/2660267.2660378

Cited by 98 publications

(11 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the Intel Core microarchitecture, there are three levels of CPU caches 1 . The caches that are closer to the CPU are smaller and faster whereas the caches further away are slower 1 The mobile version of the Skylake processors has a level 4 cache too. but can store a larger amount of data.…”

Section: Cache Architecturementioning

confidence: 99%

“…Leakage-resilient code randomization schemes based on techniques like XnR and code pointer hiding [1], [7], [13] aim to provide protection by making code regions execute-only and the location of target code in memory fully unpredictable. This makes it difficult to perform code-reuse attacks given that the attacker cannot directly or indirectly disclose the code layout.…”

Section: B Leakage-resilient Code Randomizationmentioning

confidence: 99%

See 1 more Smart Citation

ASLR on the Line: Practical Cache Attacks on the MMU

Gras¹,

Razavi²,

Bosman³

et al. 2017

Proceedings 2017 Network and Distributed System Security Symposium

163

132

View full text Add to dashboard Cite

Address space layout randomization (ASLR) is an important first line of defense against memory corruption attacks and a building block for many modern countermeasures. Existing attacks against ASLR rely on software vulnerabilities and/or on repeated (and detectable) memory probing. In this paper, we show that neither is a hard requirement and that ASLR is fundamentally insecure on modern cachebased architectures, making ASLR and caching conflicting requirements (ASLR⊕Cache, or simply AnC). To support this claim, we describe a new EVICT+TIME cache attack on the virtual address translation performed by the memory management unit (MMU) of modern processors. Our AnC attack relies on the property that the MMU's page-table walks result in caching page-table pages in the shared last-level cache (LLC). As a result, an attacker can derandomize virtual addresses of a victim's code and data by locating the cache lines that store the page-table entries used for address translation. Relying only on basic memory accesses allows AnC to be implemented in JavaScript without any specific instructions or software features. We show our JavaScript implementation can break code and heap ASLR in two major browsers running on the latest Linux operating system with 28 bits of entropy in 150 seconds. We further verify that the AnC attack is applicable to every modern architecture that we tried, including Intel, ARM and AMD. Mitigating this attack without naively disabling caches is hard, since it targets the low-level operations of the MMU. We conclude that ASLR is fundamentally flawed in sandboxed environments such as JavaScript and future defenses should not rely on randomized virtual addresses as a building block. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Section: Cache Architecturementioning

confidence: 99%

Section: B Leakage-resilient Code Randomizationmentioning

confidence: 99%

ASLR on the Line: Practical Cache Attacks on the MMU

Gras¹,

Razavi²,

Bosman³

et al. 2017

Proceedings 2017 Network and Distributed System Security Symposium

163

132

View full text Add to dashboard Cite

show abstract

“…Source code instrumentation. When the source code of a program is available and the analysis is meaningful regardless of its compiled form 1 , instrumentation can take place at compilation time. Analyses can thus be encoded using source-to-source transformation languages like CIL [38] or by resorting to compiler assistance.…”

Section: Alternative Technologiesmentioning

confidence: 99%

“…Consider the case of a loop trying to read the page containing its own instructions in the cache: such an access cannot be denied on the x86 architecture. An answer to the problem may come from recent research on non-readable executable memory (XnR) [1] to prevent disclosure exploits for code reuse attacks. While the default XnR setting does not support our "in-page" reading loop scenario, follow-up techniques can be used to handle it: in particular, [62] shows how to achieve an effective separation between read and execution capabilities using Extended Page Tables on a thin hypervisor layer.…”

Section: Design Space Of Dbi Frameworkmentioning

confidence: 99%

SoK

D’Elia

Coppa

Nicchi

et al. 2019

Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Dynamic binary instrumentation (DBI) techniques allow for monitoring and possibly altering the execution of a running program up to the instruction level granularity. The ease of use and flexibility of DBI primitives has made them popular in a large body of research in different domains, including software security. Lately, the suitability of DBI for security has been questioned in light of transparency concerns from artifacts that popular frameworks introduce in the execution: while they do not perturb benign programs, a dedicated adversary may detect their presence and defeat the analysis. The contributions we provide are twofold. We first present the abstraction and inner workings of DBI frameworks, how DBI assisted prominent security research works, and alternative solutions. We then dive into the DBI evasion and escape problems, discussing attack surfaces, transparency concerns, and possible mitigations. We make available to the community a library of detection patterns and stopgap measures that could be of interest to DBI users. CCS CONCEPTS • Security and privacy → Systems security; Intrusion/anomaly detection and malware mitigation; Software reverse engineering; Software security engineering.

show abstract

“…The compiler generates masks for each data partition and embeds them directly in the binary code of the application [8,11], or stores them in a dedicated key cache [7]. In both cases, the masks can be protected from memory exploit-based disclosure, either by giving the binary code pages execute-only permissions [6,19,24], or by modifying the CPU such that the key cache can only be accessed through custom data access instructions [7].…”

mentioning

confidence: 99%

CoDaRR: Continuous Data Space Randomization against Data-Only Attacks

Rajasekaran

Crane²,

Gens

et al. 2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

The widespread deployment of exploit mitigations such as CFI and shadow stacks are making code-reuse attacks increasingly difficult. This has forced adversaries to consider data-only attacks against which the venerable ASLR remains the primary deployed defense. Data-Space Randomization (DSR) techniques raise the bar against data-only attacks by making it harder for adversaries to inject malicious data flows into vulnerable applications. DSR works by masking memory load and store instructions. Masks are chosen (i) to not interfere with intended data flows and (ii) such that masking likely interferes with unintended flows introduced by malicious program inputs. In this paper, we show two new attacks that bypass all existing static DSR approaches; one that directly discloses memory and another using speculative execution. We then present CoDaRR, the first dynamic DSR scheme resilient to disclosure attacks. CoDaRR continuously rerandomizes the masks used in loads and stores, and re-masks all memory objects to remain transparent w.r.t. program execution. Our evaluation confirms that CoDaRR successfully thwarts these attacks with limited run-time overhead in standard benchmarks as well as real-world applications.

show abstract

You Can Run but You Can't Read

Cited by 98 publications

References 23 publications

ASLR on the Line: Practical Cache Attacks on the MMU

ASLR on the Line: Practical Cache Attacks on the MMU

SoK

CoDaRR: Continuous Data Space Randomization against Data-Only Attacks

Contact Info

Product

Resources

About