Address Space Layout Permutation

Address Space Layout Permutation
Chongkyung Kil
Systems Research Seminar, 10/06/05

Overview
- Problem description
- Current approaches
- Limitations of current approaches
- Solution
- Evaluation
- Limitations
- Conclusions and future work

The Problems: Memory Corruption
- Memory corruption vulnerabilities are a popular means of taking control of a target program: 50-80% of US-CERT alerts
- Common memory corruption attacks: buffer overflows, format string exploits, return-to-libc attacks
- A successful attack gives the attacker remote code execution

Memory Corruption Attack Example
(Figure: a stack frame below the 3 GB boundary with code, the saved return address and buf. The attack packet written into buf is a NOP sled, the attacker's code, and retAddr repeated several times so that one copy lands on the saved return address and redirects execution into the sled.)
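The attack packet from the figure, modelled as an added C example (it is not code from the slides or from ASLP): it lays the payload out as NOP sled, attacker's code and repeated return address, counts how many copies of the address the packet carries, and checks whether a guessed address still falls inside the sled once buf sits at a different address. The 0xCC bytes standing in for the attacker's code, the 64-byte buffer, the 32-byte sled and the 0xbfffec10 guess are constructed values for illustration, not figures from the talk.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Layout model of the slide's attack packet: [NOP sled][attacker's code]
 * [retAddr repeated]. Whichever copy of retAddr overwrites the saved return
 * address must point into the sled for the code to run. The "code" used in
 * the sample below is a placeholder byte string (0xCC), not shellcode. */
#define NOP 0x90u                       /* x86 single-byte nop */

/* Fill out[] with a packet of exactly packet_len bytes: sled_len NOPs, then
 * code, then retaddr (little-endian, as on x86) repeated to the end.
 * Returns packet_len, or 0 if the pieces do not fit or the tail is not a
 * whole number of 4-byte addresses. */
size_t build_attack_packet(uint8_t *out, size_t out_len, size_t packet_len,
                           size_t sled_len, const uint8_t *code, size_t code_len,
                           uint32_t retaddr)
{
    if (packet_len > out_len || sled_len + code_len > packet_len)
        return 0;
    size_t tail = packet_len - sled_len - code_len;
    if (tail % sizeof retaddr != 0)
        return 0;

    memset(out, NOP, sled_len);
    memcpy(out + sled_len, code, code_len);
    for (size_t off = sled_len + code_len; off < packet_len; off += sizeof retaddr) {
        out[off + 0] = (uint8_t)(retaddr);
        out[off + 1] = (uint8_t)(retaddr >> 8);
        out[off + 2] = (uint8_t)(retaddr >> 16);
        out[off + 3] = (uint8_t)(retaddr >> 24);
    }
    return packet_len;
}

/* Number of retAddr copies in the packet: each one is a chance to hit the
 * saved return address without knowing buf's exact distance to it. */
size_t retaddr_copies(size_t packet_len, size_t sled_len, size_t code_len)
{
    return (packet_len - sled_len - code_len) / sizeof(uint32_t);
}

/* Does the guessed address land inside the sled given where buf really is?
 * With a fixed layout the attacker knows buf_addr; once the stack is
 * randomized the guess misses and the process crashes instead. */
int guess_hits_sled(uint32_t buf_addr, size_t sled_len, uint32_t retaddr)
{
    return retaddr >= buf_addr && retaddr < buf_addr + sled_len;
}

/* Constructed sample: 64-byte buf, 32-byte sled, 8 placeholder code bytes,
 * guessed address 0xbfffec10. Returns 1 if the packet has the expected
 * shape, 0 otherwise. */
int sample_packet_check(void)
{
    static const uint8_t code[8] = {0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC};
    uint8_t pkt[64];
    size_t n = build_attack_packet(pkt, sizeof pkt, sizeof pkt, 32,
                                   code, sizeof code, 0xbfffec10u);
    if (n != sizeof pkt) return 0;
    if (pkt[0] != NOP || pkt[31] != NOP) return 0;          /* sled */
    if (pkt[32] != 0xCC || pkt[39] != 0xCC) return 0;       /* code */
    for (size_t off = 40; off < sizeof pkt; off += 4)       /* 6 x retAddr */
        if (pkt[off] != 0x10 || pkt[off + 1] != 0xec ||
            pkt[off + 2] != 0xff || pkt[off + 3] != 0xbf)
            return 0;
    return 1;
}
```

The repeated address is what makes the attack robust against small uncertainty in the frame layout; it is useless against randomization of the high bits, which is the point the next slides make.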

Ad-hoc Solutions
- Static analysis: MOPS, CQUAL, SLAM, etc.
- Dynamic analysis: StackGuard, PointGuard, TaintCheck, etc.
- Most target a specific type of known attack

A Generic Solution: Randomization
- Critical observation: attackers rely on absolute memory addresses during an attack
- Nullify the attacker's assumption: make the memory locations of program objects unpredictable, forcing the attacker to guess with a low probability of success
- Benefit: protection against known and unknown memory corruption attacks; downtime (a crash) is better than system compromise

Attack Example: With Randomization
(Figure: the same stack frame with a randomized layout. buf no longer sits where the attacker assumed, so the overwritten return address misses the sled and the process crashes instead of running the attacker's code.)

A Generic Solution: Randomization - State-of-the-Art Approaches
- Kernel level approaches: Exec-Shield, PaX Address Space Layout Randomization (ASLR)
- User level approach: Address Obfuscation

Randomization Examples
Fig 1. Normal Process Memory Layout
Fig 2. PaX ASLR Process Memory Layout

Limitations of Current Approaches
Kernel level approaches
- Low entropy: heap 13 bits, mmap 16 bits, stack 24 bits
- A de-randomization attack can defeat PaX ASLR in about 4 minutes
- Kernel modification required
- Padding wastes memory; more randomness means more memory wasted on padding
- The locations of code and data segments can be randomized with PIE, but PIE causes performance overhead (14%)
User level approaches
- Source-to-source transformation
- Padding wastes memory
- Runtime overhead: 11-23%

Solution
Goal
- Increase randomness entropy
- Low overhead with negligible pad size
- No need for source code modification
Address Space Layout Permutation
- A novel binary rewriting tool permutes code and data segments with fine-grained randomization
- A modified Linux kernel permutes the stack, heap, and mmap areas

Contributions
- Stronger protection than related work: a maximum of 29 bits of randomness, plus fine-grained randomization of static code and data segments
- Low performance overhead (less than 1%)
- Ease of use: automatic program transformation
- Non-intrusive randomization: no source code modification, only the relocation info in the program is needed

ASLP Implementations: User Level Address Permutation
- Uses a binary rewriting technique
- Alters the base addresses of the static code and data segments
- Changes the order of functions and variables within the code and data segments
- Mitigates partial overwrite attacks, dtors attacks, bss overflows, and data forgery attacks; kernel level address permutation cannot deter these attacks
- Works with the Linux file format (ELF)

Partial Overwrite Attacks
(Figure: a stack frame and a code segment containing the vulnerable function and a target function. The attacker overwrites only part of the saved return address, so execution is redirected to the target function at a fixed distance from the original return address; the 3 GB boundary and the randomized high bits are left untouched.)

Dtors Attacks with Coarse-grained
(Figure: data segment holding .dtors, MAIN, buf and var in their original order 1 2 3 4. A coarse-grained shift of the whole segment preserves the distance from buf to .dtors, so an overflow of buf still reaches the .dtors entry: Exploit!)

Dtors Attacks with Fine-grained
(Figure: the same data segment after fine-grained permutation, objects now in order 3 1 2 4. The distance from buf to .dtors is no longer predictable, so the overflow misses its target.)

ASLP Implementations: Kernel Level Address Permutation
- Randomizes the base addresses of the stack, heap, and mmap()-ed regions
- Mitigates attacks on the stack, heap, and shared library regions
- Done by previous work: Chris Bookholt

ASLP Implementations: Object Reference
Fig 3. Object Reference Example

ASLP Implementations: Challenges
- What parts of an ELF file need rewriting?
- How do we find the correct locations of those parts and rewrite them?
- How do those parts affect each other at run time? How do we find cross-references between program objects?

ASLP Implementations: Challenges
- What parts of an ELF file need rewriting? A total of 12 sections need to be modified
- How do we find the correct locations of those parts and rewrite them? Use the .symtab section (symbol table and string tables)
- How do those parts affect each other at run time? Use the relocation sections (e.g. .rel.text, .rel.data)

ASLP Implementations: User Level
Two phases: coarse-grained and fine-grained permutation
Coarse-grained permutation
- Relocates the static code and data segments
- Benefit: provides 20 bits of randomness to each segment
Coarse-grained permutation process
- ELF header rewriting: modify the program entry point (e_entry)
- Program header rewriting: modify the virtual/physical addresses of the code and data segments
- Section rewriting: modify 12 sections including the symbol table, procedure linkage table, global offset table, and relocation data

ASLP Implementations: User Level
Fig 4. ELF Header and Program Header Before Permutation
Fig 5. ELF Header and Program Header After Permutation (Move Code Segment by 4KB and Data Segment by 14KB)
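The ELF header and program header rewriting of Fig 4 and Fig 5, as an added C example that is not ASLP's tool: it shifts the executable PT_LOAD segment of a constructed ELF32 image by one delta and the writable one by another, moving e_entry along with the segment that contains it. The sample image (i386, code at 0x08048000, data at 0x08049600, entry 0x08048100) and the shift amounts are constructed; the struct definitions mirror Elf32_Ehdr and Elf32_Phdr field for field so the example builds without <elf.h>, and a little-endian host is assumed. Only the two headers are rewritten here; ASLP's tool also rewrites the 12 sections (symbol table, PLT, GOT, relocations) that still hold the old addresses, which is the part the following slides describe.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Minimal ELF32 header definitions, same layout as Elf32_Ehdr / Elf32_Phdr
 * in <elf.h>, so the example builds anywhere. Little-endian host assumed. */
typedef struct {
    uint8_t  e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version, e_entry, e_phoff, e_shoff, e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr32;                                              /* 52 bytes */

typedef struct {
    uint32_t p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align;
} phdr32;                                              /* 32 bytes */

enum { PT_LOAD_ = 1, PF_X_ = 1, PF_W_ = 2, PF_R_ = 4 };

/* Coarse-grained step of Fig 5: add code_delta to every executable PT_LOAD
 * segment and data_delta to every other one, then move e_entry with the
 * segment that contains it. The file offsets stay put, and the ELF format
 * requires p_vaddr == p_offset (mod p_align), so each delta must be a
 * multiple of that segment's p_align (4 KB on i386); otherwise -1 is
 * returned, possibly with the image partially rewritten, so callers should
 * work on a copy. Returns the number of segments moved. */
int aslp_coarse_rebase(uint8_t *image, size_t len, uint32_t code_delta, uint32_t data_delta)
{
    ehdr32 eh;
    int moved = 0;

    if (len < sizeof eh) return -1;
    memcpy(&eh, image, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 1 /* ELFCLASS32 */)
        return -1;
    if (eh.e_phentsize != sizeof(phdr32) ||
        (size_t)eh.e_phoff + (size_t)eh.e_phnum * sizeof(phdr32) > len)
        return -1;

    for (unsigned i = 0; i < eh.e_phnum; i++) {
        phdr32 ph;
        uint8_t *p = image + eh.e_phoff + i * sizeof ph;
        memcpy(&ph, p, sizeof ph);
        if (ph.p_type != PT_LOAD_) continue;

        uint32_t delta = (ph.p_flags & PF_X_) ? code_delta : data_delta;
        if (ph.p_align > 1 && delta % ph.p_align != 0)
            return -1;
        if (eh.e_entry >= ph.p_vaddr && eh.e_entry < ph.p_vaddr + ph.p_memsz)
            eh.e_entry += delta;                       /* entry moves with its segment */
        ph.p_vaddr += delta;
        ph.p_paddr += delta;
        memcpy(p, &ph, sizeof ph);
        moved++;
    }
    memcpy(image, &eh, sizeof eh);
    return moved;
}

/* Constructed sample: ELF header plus two PT_LOAD headers in the usual i386
 * non-PIE layout. Returns the number of bytes written, 0 if buf is too small. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    ehdr32 eh = {0};
    phdr32 ph[2];
    if (cap < sizeof eh + sizeof ph) return 0;
    memcpy(eh.e_ident, "\x7f" "ELF\x01\x01\x01", 7);   /* ELF, 32-bit, LE, version 1 */
    eh.e_type = 2; eh.e_machine = 3; eh.e_version = 1;  /* ET_EXEC, EM_386 */
    eh.e_entry = 0x08048100; eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof(phdr32); eh.e_phnum = 2;
    ph[0] = (phdr32){PT_LOAD_, 0x0000, 0x08048000, 0x08048000, 0x600, 0x600, PF_R_ | PF_X_, 0x1000};
    ph[1] = (phdr32){PT_LOAD_, 0x0600, 0x08049600, 0x08049600, 0x100, 0x200, PF_R_ | PF_W_, 0x1000};
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* Readers used to inspect the result. */
uint32_t image_entry(const uint8_t *image)
{
    ehdr32 eh; memcpy(&eh, image, sizeof eh); return eh.e_entry;
}

uint32_t image_vaddr(const uint8_t *image, unsigned i)
{
    ehdr32 eh; phdr32 ph;
    memcpy(&eh, image, sizeof eh);
    memcpy(&ph, image + eh.e_phoff + i * sizeof ph, sizeof ph);
    return ph.p_vaddr;
}
```

Moving the code segment by 4 KB and the data segment by 16 KB succeeds and carries e_entry to 0x08049100; a 14 KB data move like the one in the Fig 5 caption is rejected by this check, so such a shift needs the segment's file offset moved as well, or a smaller p_align, before the loader will accept the binary.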

ASLP Implementations: User Level
Fig 6. PLT & GOT Before Permutation
Fig 7. PLT & GOT After Permutation

ASLP Implementations: User Level
Fine-grained permutation
- Randomly changes the order of functions and variables in the code and data segments
- Benefit: provides further protection of the code and data segments
Fine-grained permutation process
- Information gathering: total number of functions and variables, the original order and size of each function and variable, etc.
- Random sequence generation: two random sequences
- Entry rewriting: re-order the functions and variables
- Modify cross-references (relocation sections)

Demonstration of Permutation
Fig 8. Normal Process Memory Layout
Fig 9. Process Layout after Coarse-grained Permutation with ASLP Kernel

Demonstration of Permutation
Fig 10. Example of Fine-grained Permutation (Data Segment): before the permutation / after the permutation
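The fine-grained permutation process of the preceding slides and the .dtors / partial-overwrite argument from the earlier figures, as an added C model that is not ASLP's code: a constructed data segment (.dtors, buf, var, count) is laid out in its original order, shuffled by a random sequence, laid out again back to back, and every cross-reference is re-resolved through the symbol it names, which is what a relocation entry lets a binary rewriter do. The xorshift32 generator is a seedable stand-in for the random source so a layout can be reproduced; the object names, sizes and the two relocations are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Model of ASLP's fine-grained step (Fig 10): objects of a segment are
 * re-ordered by a random sequence and laid out back to back, then every
 * cross-reference is recomputed from its target symbol. Constructed data. */
typedef struct { const char *name; uint32_t size; uint32_t addr; } object_t;

/* Relocation: the field at (object `from`, offset `at`) must hold the
 * address of object `to` plus `addend`; `value` is what gets written. */
typedef struct { int from; uint32_t at; int to; int32_t addend; uint32_t value; } reloc_t;

/* xorshift32: tiny seedable PRNG so a layout is reproducible from its seed;
 * a deployment would take the sequence from the kernel RNG instead. */
static uint32_t prng_next(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Random sequence generation: Fisher-Yates shuffle of the indices 0..n-1. */
void random_sequence(int *order, int n, uint32_t seed)
{
    uint32_t s = seed ? seed : 0x9e3779b9u;             /* xorshift must not start at 0 */
    for (int i = 0; i < n; i++) order[i] = i;
    for (int i = n - 1; i > 0; i--) {
        int j = (int)(prng_next(&s) % (uint32_t)(i + 1));
        int t = order[i]; order[i] = order[j]; order[j] = t;
    }
}

/* Entry rewriting: place the objects in the given order, back to back. */
void layout_in_order(object_t *objs, int n, const int *order, uint32_t base)
{
    for (int k = 0; k < n; k++) { objs[order[k]].addr = base; base += objs[order[k]].size; }
}

/* Cross-reference fix-up: recompute every relocated field from its symbol. */
void apply_relocations(const object_t *objs, reloc_t *rels, int nrels)
{
    for (int i = 0; i < nrels; i++)
        rels[i].value = objs[rels[i].to].addr + (uint32_t)rels[i].addend;
}

/* Signed distance from object a to object b. A partial overwrite of the low
 * bytes of a pointer into a only reaches b if this distance is known; a
 * coarse-grained shift of the whole segment leaves it unchanged. */
int32_t distance(const object_t *objs, int a, int b)
{
    return (int32_t)(objs[b].addr - objs[a].addr);
}

/* Valid layout: starts at base, contiguous, no two objects overlap. */
int layout_is_valid(const object_t *objs, int n, uint32_t base)
{
    uint32_t total = 0, lo = UINT32_MAX, hi = 0;
    for (int i = 0; i < n; i++) {
        total += objs[i].size;
        if (objs[i].addr < lo) lo = objs[i].addr;
        if (objs[i].addr + objs[i].size > hi) hi = objs[i].addr + objs[i].size;
        for (int j = i + 1; j < n; j++)
            if (objs[i].addr < objs[j].addr + objs[j].size &&
                objs[j].addr < objs[i].addr + objs[i].size)
                return 0;
    }
    return lo == base && hi - lo == total;
}

/* Constructed data segment in original order: .dtors, buf, var, count.
 * Lays it out, permutes with `seed`, re-resolves the relocations, and
 * reports the buf -> .dtors distance before and after. Returns 1 if the
 * permuted layout is valid and every relocation still points inside its
 * target object, 0 otherwise. */
int sample_permutation(uint32_t seed, int32_t *dist_before, int32_t *dist_after)
{
    object_t objs[4] = { {".dtors", 8, 0}, {"buf", 64, 0}, {"var", 4, 0}, {"count", 4, 0} };
    reloc_t rels[2] = { {2, 0, 1, 0, 0},                /* var holds &buf */
                        {3, 0, 0, 4, 0} };              /* count holds &.dtors + 4 */
    int order[4] = {0, 1, 2, 3};
    const uint32_t base = 0x08049000u;

    layout_in_order(objs, 4, order, base);
    apply_relocations(objs, rels, 2);
    *dist_before = distance(objs, 1, 0);

    random_sequence(order, 4, seed);
    layout_in_order(objs, 4, order, base);
    apply_relocations(objs, rels, 2);
    *dist_after = distance(objs, 1, 0);

    if (!layout_is_valid(objs, 4, base)) return 0;
    for (int i = 0; i < 2; i++) {
        const object_t *t = &objs[rels[i].to];
        if (rels[i].value < t->addr || rels[i].value >= t->addr + t->size) return 0;
    }
    return 1;
}
```

In the original order buf sits 8 bytes after .dtors, so an overflow of buf that runs backwards by a known amount, or a partial overwrite of a pointer into buf, reaches .dtors no matter how far the whole segment is shifted. After the permutation that distance depends on the seed, which is the property the fine-grained .dtors figure illustrates; the relocation fix-up is what keeps the program itself working after the reorder.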

Security Evaluation
Randomness example: with 20 bits of randomness there are 2^20 possible locations, so on average 2^20 / 2 = 524K guesses are needed

Security Evaluation
152 guesses per second
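The arithmetic behind the randomness example and the 152 guesses per second figure, as an added C example (not from the talk): n bits of randomness give 2^n equally likely locations, an attacker who never repeats a guess needs 2^n / 2 tries on average, and dividing by the guess rate gives the expected time to a successful de-randomization. The rate and the entropies in main() are the slides' own numbers (PaX heap 13, mmap 16, stack 24 bits; ASLP 20 bits per segment, 29 bits maximum); the function shapes and the 100-crash IDS threshold in the printout are this example's assumptions. The success-within-k-guesses figure is what the IDS remark on the later Limitations slide turns on: if an IDS blocks the attacker after k crashes, k / 2^n is the attacker's chance of winning first.

```c
#include <stdint.h>
#include <stdio.h>

/* Brute-force economics of address randomization, with the talk's numbers.
 * 2^bits equally likely locations; sampling without replacement. */

/* Average guesses needed to hit one of 2^bits locations (0 <= bits <= 63). */
uint64_t expected_guesses(unsigned bits)
{
    return bits == 0 ? 1 : (uint64_t)1 << (bits - 1);   /* 2^bits / 2 */
}

/* Expected seconds until the guess succeeds at `rate` guesses per second. */
double expected_seconds(unsigned bits, double rate)
{
    return (double)expected_guesses(bits) / rate;
}

/* Probability that the right location is among k distinct guesses, i.e. the
 * attacker's chance of winning before an IDS that blocks after k crashes. */
double success_within(unsigned bits, uint64_t k)
{
    double n = (double)((uint64_t)1 << bits);
    return (double)k >= n ? 1.0 : (double)k / n;
}

int main(void)
{
    const double rate = 152.0;                        /* guesses/second, from the slides */
    const unsigned bits[] = {13, 16, 20, 24, 29};     /* PaX heap, PaX mmap, ASLP segment, PaX stack, ASLP max */
    printf("%5s %14s %14s %10s\n", "bits", "avg guesses", "seconds", "p(k=100)");
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++)
        printf("%5u %14llu %14.0f %10.6f\n", bits[i],
               (unsigned long long)expected_guesses(bits[i]),
               expected_seconds(bits[i], rate), success_within(bits[i], 100));
    return 0;
}
```

At 152 guesses per second the 16 mmap bits of PaX cost 32768 guesses, about 216 seconds, which is the "about 4 minutes" of the limitations slide; 20 bits cost 524288 guesses, about 57 minutes; and 29 bits cost 2^28 guesses, about 20 days. The time only buys a window: with a blind brute-force attacker every failed guess is a crash, so the IDS threshold k, not the entropy alone, decides how often the attacker gets through.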

Performance Evaluation
CPU2K benchmark
- All kernel level approaches, including ASLP, show less than 0.3% overhead (randomizing the stack, heap, and mmap regions)
- ASLP outperforms the user level approaches that randomize the code and data segments: ASLP (-0.3%), PIE (14.38%), Address Obfuscation (11%)
LMBench benchmark
- Tests only the kernel level approaches (micro benchmarks, e.g. context-switching overhead)
- ASLP shows 50% better performance than the other techniques on fork(), exec(), and context switching

Performance Evaluation
Apache benchmark
- Measures the performance of the web server
- Tests 1 million requests with 100 worker processes
- All techniques incur less than 1% overhead, except PIE (14%)

Limitations
Information leakage
- Location information can be leaked via bugs or a format-string attack
- Applies to all randomization techniques
Protection is probabilistic
- A brute-force de-randomization attack will eventually succeed (e.g. the modified return-to-libc attack [20])
- With IDS integration, de-randomization could be detected and blocked

Conclusions and Future Work
- ASLP provides both user level and kernel level randomization
- ASLP allows users to permute static code and data segments at a fine-grained level
- Effectiveness: more randomness means more time to respond to an attack; low overhead with greater unpredictability
- Future work: stack frame layout permutation will add stronger protection

Questions? Thank you for coming