1 Enhanced Operating System Security Through Efficient and Fine-grained Address Space Randomization
Cristiano Giuffrida, Anton Kuijsten & Andrew S. Tanenbaum
Vrije Universiteit, Amsterdam
Presented by Neil Parmar

2 Kernel Level Exploitations
Exploitations:
- Kernel-level exploitation is gaining vast momentum
- Many exploitations are available for Windows, Linux, BSD, Mac OS X, iOS
Causes of Exploitations:
- Plenty of memory error vulnerabilities to choose from
- Improved kernel codebase is complex, large, and in continuous evolution
- A large number of internet-connected users running the same kernel version
- Many attack opportunities for both local and remote exploits

3 Existing Countermeasures
Countermeasures:
- Preserving kernel code integrity [SecVisor, NICKLE, hvmHarvard]
- Kernel hook protection [HookSafe, HookScout, Indexed hooks]
- Control-flow integrity [SBCFI]
Drawbacks of these countermeasures:
- No comprehensive memory error protection
- Virtualization support required, high overhead

4 Address Space Randomization (ASR)
- Well-established defense mechanism against memory error exploits
- Application-level support in all major operating systems
- The operating system itself is typically not randomized at all
- Only recent Windows releases perform basic text randomization
- No strategy has been proposed for comprehensive and fine-grained OS-level ASR
- GOAL: Fine-grained ASR for operating systems

5 Contributions
- Identify the challenges and the key requirements for a comprehensive OS-level ASR solution
- Fine-grained ASR: improve existing ASR solutions in terms of both performance and security
- Introduction to Live Rerandomization Strategy

6 Background
- Code and data locations are unpredictable in memory
- Prevents an adversary from making precise assumptions about the memory layout
- Fine-grained ASR permutes the order of individual memory objects

7 Background
- Code and data locations are unpredictable in memory

8 Challenges in OS-Level ASR
- Instrumentation
- Run-time constraints
- Information leakage
- Brute force

9 A Design for OS-Level ASR
- Make both location and layout of memory objects unpredictable
- LLVM-based link-time transformation for safe and efficient ASR
- Minimal amount of untrusted code exposed to the runtime
- Live randomization to maximize observability of the system
- No changes in software distribution model

10 Architecture: The OS Architecture for ASR Design

11 Code Randomization: Original function (LLVM IR)

12 Code Randomization: Randomize function location

13 Code Randomization: Add random-sized padding

14 Code Randomization: Basic block shifting

15 Static Data Randomization: Original variable and type (LLVM IR)

16 Static Data Randomization: Random variable location

17 Static Data Randomization: Add random-sized padding

18 Static Data Randomization: Internal layout randomization

19 Stack Randomization

20 Dynamic Data Randomization
- Support for malloc()/mmap()-like allocator abstractions
- Memory-mapped regions are fully randomized
- Heap allocations are interleaved with random-sized padding
- Full heap randomization enforced at live randomization time
- ILR (Internal Layout Randomization) for all the dynamically allocated memory objects
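
The heap item on slide 20 (allocations interleaved with random-sized padding), sketched as an added user-space example; it is not code from the presentation or from the authors' implementation. The names padded_malloc, padded_offset, padded_free and distinct_offsets and the three constants are hypothetical, and rand() stands in for a proper entropy source.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ALIGN   16u    /* assumed granularity of the padding */
#define MAX_PAD 256u   /* assumed padding bound; pads are multiples of ALIGN */
#define HDR     16u    /* room for the base pointer, rounded up to ALIGN */

/* Return `size` usable bytes preceded by a random-sized pad.
 * rand() is a stand-in: a real allocator needs a cryptographic RNG. */
void *padded_malloc(size_t size)
{
    size_t pad = ((size_t)rand() % (MAX_PAD / ALIGN)) * ALIGN;
    if (size > SIZE_MAX - MAX_PAD - HDR) return NULL;   /* would overflow */
    unsigned char *base = malloc(pad + HDR + size);
    if (base == NULL) return NULL;
    unsigned char *user = base + pad + HDR;
    ((void **)user)[-1] = base;        /* remember where the block starts */
    return user;
}

/* Offset of the caller-visible object inside its underlying block. */
size_t padded_offset(const void *user)
{
    const unsigned char *base = ((void *const *)user)[-1];
    return (size_t)((const unsigned char *)user - base);
}

void padded_free(void *user)
{
    if (user != NULL) free(((void **)user)[-1]);
}

/* Count how many different offsets n same-sized allocations receive. */
int distinct_offsets(int n, size_t size)
{
    unsigned char seen[MAX_PAD / ALIGN] = {0};
    int distinct = 0;
    for (int i = 0; i < n; i++) {
        void *p = padded_malloc(size);
        if (p == NULL) continue;
        size_t slot = (padded_offset(p) - HDR) / ALIGN;
        if (!seen[slot]) { seen[slot] = 1; distinct++; }
        padded_free(p);
    }
    return distinct;
}

int main(void) { printf("distinct offsets: %d\n", distinct_offsets(64, 32)); return 0; }
```

Because the pad differs per allocation, the distance from a block's start to the object inside it is no longer a constant an exploit can hard-code.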

21 Live Randomization
- First stateful live randomization technique
- Periodically rerandomize the memory address space layout
- Support arbitrary memory layout changes at rerandomization time
- Support all the standard C idioms with minimal manual effort
- Sandbox the rerandomization code to recover from run-time errors

22 ASRR Transformations

23 ASRR Metadata
- Types
- Global variables
- Static variables
- String constants
- Functions
- Dynamic memory allocation

24 The Randomization Process

32 ASR Performance

34 Summary
- A new fine-grained technique for operating systems
- Better performance and security than prior ASR solutions
- Live rerandomization and ILR to counter information leakage
- No heavyweight instrumentation exposed to the runtime
- Process-based isolation to recover from run-time ASRR errors

